SUSE-IU-2025:104-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:104-1 Interim 1 1 2025-10-09T16:54:11Z current 2025-01-09T01:00:00Z 2025-01-09T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:104-1 / google/sle-hpc-15-sp4-byos-v20250109-x86-64 This image update for google/sle-hpc-15-sp4-byos-v20250109-x86-64 contains the following changes: Package 000release-packages:SLE_HPC-release was updated: Package aaa_base was updated: - Add patch git-50-845b509c9a005340a0455cb8a7fe084d1b8f1946.patch * Add mc helpers for both tcsh and bash resources (boo#1203617) Package bash was updated: - Add patch boo1227807.patch * Load completion file eveh if a brace expansion is in the command line included (boo#1227807) Package bind was updated: - Update to release 9.16.50 Bug Fixes: * A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured max-cache-size limit was reached. This has been fixed. * Using rndc flush inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configured max-cache-size limit being exceeded and has now been fixed. * The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing max-cache-ttl and max-ncache-ttl in a timely manner. * It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed. New Features: * Added RESOLVER.ARPA to the built in empty zones. - Security Fixes: * It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in a cache or zone database. The default is 100, which can be tuned with the new max-types-per-name option. (CVE-2024-1737) [bsc#1228256, bind-9.16-CVE-2024-1737.patch] * Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975) [bsc#1228257, bind-9.16-CVE-2024-1975.patch] * When looking up the NS records of parent zones as part of looking up DS records, it was possible for named to trigger an assertion failure if serve-stale was enabled. This has been fixed. (CVE-2024-4076) [bsc#1228258, bind-9.16-CVE-2024-4076.patch] Package binutils was updated: - Update to current 2.43.1 branch [PED-10254, PED-10306]: * s390 - Add arch15 instructions * various fixes from upstream: PR32153, PR32171, PR32189, PR32196, PR32191, PR32109, PR32372, PR32387 - Adjusted binutils-2.43-branch.diff.gz. - Disable zstd-by-default again (needs adjustments in at least golang,llvm15,llvm17 first) - Add binutils-fix-branch.diff. - Check non-changing of flex/bison inputs only after applying branch and fix-branch diffs. - drop ld-relro.diff (relro is the default for some time) and it warns on avr spuriously (bsc#1233520) - Add loongarch64 as new target - Enable zstd compression algorithm (instead of zlib) for debug info sections by default. - Update to current 2.43.1 branch [PED-10474]: * PR32109 - fuzzing problem * PR32083 - LTO vs overridden common symbols * PR32067 - crash with LTO-plugin and --oformat=binary * PR31956 - LTO vs wrapper symbols * riscv - add Zimop and Zcmop extensions - Adjusted binutils-2.43-branch.diff.gz. - Update to version 2.43: * new .base64 pseudo-op, allowing base64 encoded data as strings * Intel APX: add support for CFCMOV, CCMP, CTEST, zero-upper, NF (APX_F now fully supported) * x86 Intel syntax now warns about more mnemonic suffixes * macros and .irp/.irpc/.rept bodies can use \+ to get at number of times the macro/body was executed * aarch64: support 'armv9.5-a' for -march, add support for LUT and LUT2 * s390: base register operand in D(X,B) and D(L,B) can now be omitted (ala 'D(X,)'); warn when register type doesn't match operand type (use option 'warn-regtype-mismatch=[strict|relaxed|no]' to adjust) * riscv: support various extensions: Zacas, Zcmp, Zfbfmin, Zvfbfmin, Zvfbfwma, Smcsrind/Sscsrind, XCvMem, XCvBi, XCvElw, XSfCease, all at version 1.0; remove support for assembly of privileged spec 1.9.1 (linking support remains) * arm: remove support for some old co-processors: Maverick and FPA * mips: '--trap' now causes either trap or breakpoint instructions to be emitted as per current ISA, instead of always using trap insn and failing when current ISA was incompatible with that * LoongArch: accept .option pseudo-op for fine-grained control of assembly code options; add support for DT_RELR * readelf: now displays RELR relocations in full detail; add -j/--display-section to show just those section(s) content according to their type * objdump/readelf now dump also .eh_frame_hdr (when present) when dumping .eh_frame * gprofng: add event types for AMD Zen3/Zen4 and Intel Ice Lake processors; add minimal support for riscv * linker: - put .got and .got.plt into relro segment - add -z isa-level-report=[none|all|needed|used] to the x86 ELF linker to report needed and used x86-64 ISA levels - add --rosegment option which changes the -z separate-code option so that only one read-only segment is created (instead of two) - add --section-ordering-file &lt;FILE&gt; option to add extra mapping of input sections to output sections - add -plugin-save-temps to store plugin intermediate files permanently - Removed binutils-2.42.tar.bz2, binutils-2.42-branch.diff.gz. - Added binutils-2.43.tar.bz2, binutils-2.43-branch.diff.gz. - Removed upstream patch riscv-no-relax.patch. - Rebased ld-relro.diff and binutils-revert-rela.diff. - binutils-pr22868.diff: Remove obsolete patch - Undefine _FORTIFY_SOURCE when running checks - Allow to disable profiling - Use %patch -P N instead of deprecated %patchN. - riscv-no-relax.patch: RISC-V: Don't generate branch/jump relocation if symbol is local when no-relax - Add binutils-disable-code-arch-error.diff to demote an error about swapped .arch/.code directives to a warning. It happens in the wild. - Update to version 2.42: * Add support for many aarch64 extensions: SVE2.1, SME2.1, B16B16, RASv2, LSE128, GCS, CHK, SPECRES2, LRCPC3, THE, ITE, D128, XS and flags to enable them: '+fcma', '+jscvt', '+frintts', '+flagm2', '+rcpc2' and '+wfxt' * Add experimantal support for GAS to synthesize call-frame-info for some hand-written asm (--scfi=experimental) on x86-64. * Add support for more x86-64 extensions: APX: 32 GPRs, NDD, PUSH2/POP2, PUSHP/POPP; USER_MSR, AVX10.1, PBNDKB, SM4, SM3, SHA512, AVX-VNNI-INT16. * Add support for more RISC-V extensions: T-Head v2.3.0, CORE-V v1.0, SiFive VCIX v1.0. * BPF assembler: ';' separates statements now, and does not introduce line comments anymore (use '#' or '//' for this). * x86-64 ld: Add '-z mark-plt/-z nomark-plt' to mark PLT entries with dynamic tags. * risc-v ld: Add '--[no-]check-uleb128'. * New linker script directive: REVERSE, to be combined with SORT_BY_NAME or SORT_BY_INIT_PRIORITY, reverses the generated order. * New linker options --warn-execstack-objects (warn only about execstack when input object files request it), and --error-execstack plus - -error-rxw-segments to convert the existing warnings into errors. * objdump: Add -Z/--decompress to be used with -s/--full-contents to decompress section contents before displaying. * readelf: Add --extra-sym-info to be used with --symbols (currently prints section name of references section index). * objcopy: Add --set-section-flags for x86_64 to include SHF_X86_64_LARGE. * s390 disassembly: add target-specific disasm option 'insndesc', as in &quot;objdump -M insndesc&quot; to display an instruction description as comment along with the disassembly. - Add binutils-2.42-branch.diff.gz. - Rebased s390-biarch.diff. - Adjusted binutils-revert-hlasm-insns.diff, binutils-revert-plt32-in-branches.diff and binutils-revert-rela.diff for upstream changes. - Removed binutils-2.41-branch.diff.gz, binutils-2.41.tar.bz2, binutils-2.41-branch.diff.gz. - Removed binutils-use-less-memory.diff, binutils-old-makeinfo.diff and riscv-relro.patch (all upstreamed). - Removed add-ulp-section.diff, we use a different mechanism for live patching since a long time. - Add binutils-use-less-memory.diff to be a little nicer to 32bit userspace and huge links. [bsc#1216908] - riscv-relro.patch: RISC-V: Protect .got with relro - Add libzstd-devel to Requires of binutils-devel. (bsc#1215341) Package ca-certificates-mozilla was updated: - Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525) - Added: FIRMAPROFESIONAL CA ROOT-A WEB - Distrust: GLOBALTRUST 2020 - Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356) Added: - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 - D-Trust SBR Root CA 1 2022 - D-Trust SBR Root CA 2 2022 - Telekom Security SMIME ECC Root 2021 - Telekom Security SMIME RSA Root 2023 - Telekom Security TLS ECC Root 2020 - Telekom Security TLS RSA Root 2023 - TrustAsia Global Root CA G3 - TrustAsia Global Root CA G4 Removed: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - Chambers of Commerce Root - 2008 - Global Chambersign Root - 2008 - Security Communication Root CA - Symantec Class 1 Public Primary Certification Authority - G6 - Symantec Class 2 Public Primary Certification Authority - G6 - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - VeriSign Class 1 Public Primary Certification Authority - G3 - VeriSign Class 2 Public Primary Certification Authority - G3 - remove-trustcor.patch: removed, now upstream - do a versioned obsoletes of &quot;openssl-certs&quot;. Package cloud-regionsrv-client was updated: - Update to 10.3.7 (bsc#1232770) + Fix the product triplet for LTSS, it is always SLES-LTSS, not $BASEPRODUCT-LTSS - Update to 10.3.6 (jsc#PCT-471, bsc#1230615) + Fix sudo setup ~ permissions cloudguestregistryauth ~ directory ownership /etc/sudoers.d + spec file ~ Remove traces of registry related entries on SLE 12 + Forward port ~ fix-for-sles12-disable-registry.patch ~ fix-for-sles12-no-trans_update.patch + Deregister non free extensions at registercloudguest --clean + Fix registry cleanup at registercloudguest --clean, don't remove files + Prevent duplicate search entries in registry setup - Update EC2 plugin to 1.0.5 + Switch to using the region endpoint from IMDS to determine the region instead of deriving the data from the availability zone - Update to 10.3.5 + Update spec file to build in all code streams, SLE 12, SLE 15, ALP, and SLFO and have proper dependencies - Update to 10.3.4 + Modify the message when network access over a specific IP version does not work. This is an informational message and should not look like an error + Inform the user that LTSS registration takes a little longer + Add fix-for-sles12-no-trans_update.patch + SLE 12 family has no products with transactional-update we do not need to look for this condition - From 10.3.3 (bsc#1229472) + Handle changes in process structure to properly identify the running zypper parent process and only check for 1 PID - From 10.3.2 + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream - From 10.3.1 (jsc#PCT-400) + Add support for LTSS registration + Add fix-for-sles12-disable-registry.patch ~ No container support in SLE 12 - Add rgnsrv-clnt-fix-docker-setup.patch (bsc#1229137) + The entry for the update infrastructure registry mirror was written incorrectly causing docker daemon startup to fail. - Update to version 10.3.0 (bsc#1227308, bsc#1222985) + Add support for sidecar registry Podman and rootless Docker support to set up the necessary configuration for the container engines to run as defined + Add running command as root through sudoers file - Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016) + In addition to logging, write message to stderr when registration fails + Detect transactional-update system with read only setup and use the transactional-update command to register + Handle operation in a different target root directory for credentials checking Package containerd was updated: - Update to containerd v1.7.21. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.21&gt; Fixes CVE-2023-47108. bsc#1217070 Fixes CVE-2023-45142. bsc#1228553 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch Package cups was updated: - cups-branch-2.2-commit-b643d6ba92f00752aa5e74ff86ad3974334914c1.diff is https://github.com/OpenPrinting/cups/commit/b643d6ba92f00752aa5e74ff86ad3974334914c1 which was added in CUPS 2.2.8 that fixed a parsing bug in cups_auth_find() in cups/auth.c which lead to cupsd failing to authenticate users when group membership is required by cupsd configuration like 'Require user @GROUP' which lead to CUPS related commands requesting password from group users even if it is not needed (bsc#1226227) - In cups.changes replaced one place where UTF-8 characters were used in the entry dated &quot;Sat Sep 30 08:52:42 UTC 2017&quot; for what should be ' - ' by ASCII to avoid RPMLINT warning about 'non-break-space' which &quot;can lead to obscure errors&quot;. Package curl was updated: - Security fix: [bsc#1234068, CVE-2024-11053] * curl could leak the password used for the first host to the followed-to host under certain circumstances. * netrc: address several netrc parser flaws * Add curl-CVE-2024-11053.patch - Security fix: [bsc#1232528, CVE-2024-9681] * HSTS subdomain overwrites parent cache entry * Add curl-CVE-2024-9681.patch - Make special characters in URL work with aws-sigv4 [bsc#1230516] * http_aws_sigv4: canonicalize the query [fc76a24c] * test439: verify query canonization for aws-sigv4 [65661016] * http_aws_sigv4: skip the op if the query pair is zero bytes [16bdc09e] * aws_sigv4: the query canon code miscounted URL encoded input [a1532a33] * http_aws_sigv4: canonicalise valueless query params [bbba69da] * aws-sigv4: url encode the canonical path [768909d8] * Add upstream patches: - curl-aws_sigv4-canonicalize-the-query.patch - curl-aws_sigv4-verify-query-canonization.patch - curl-aws_sigv4-skip-the-op-if-the-query-pair-is-zero-bytes.patch - curl-aws_sigv4-the-query-canon-code-miscounted-url-encoded-input.patch - curl-aws_sigv4-canonicalise-valueless-query-params.patch - curl-aws_sigv4-url-encode-the-canonical-path.patch - Security fix: [bsc#1230093, CVE-2024-8096] * curl: OCSP stapling bypass with GnuTLS * Add curl-CVE-2024-8096.patch - Security fix: [bsc#1228535, CVE-2024-7264] * curl: ASN.1 date parser overread * Add curl-CVE-2024-7264.patch Package deltarpm was updated: - update to deltarpm-3.6.5 * support for archive files bigger than 2GByte [bnc#1230547] - update to deltarpm-3.6.4 * support for threaded zstd * use a tmp file instead of memory to hold the incore data [bsc#1228948] - dropped patches: * deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch - deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch: fixed some C bugs ( incorrect sized memset() , memcpy instead of strcpy, unsigned int) - update to deltarpm-3.6.3 * support for threaded zstd compression - Actually enable zstd compression - update to deltarpm-3.6.2 * support for zstd compression Package dmidecode was updated: - Update to upstream version 3.6 (jsc#PED-8574): * Support for SMBIOS 3.6.0. This includes new memory device types, new processor upgrades, and Loongarch support. * Support for SMBIOS 3.7.0. This includes new port types, new processor upgrades, new slot characteristics and new fields for memory modules. * Add bash completion. * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245. * Implement options --list-strings and --list-types. * Update HPE OEM records 203, 212, 216, 221, 233 and 236. * Update Redfish support. * Bug fixes: Fix enabled slot characteristics not being printed * Minor improvements: Print slot width on its own line Use standard strings for slot width * Add a --no-quirks option. * Drop the CPUID exception list. * Obsoletes dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch, dmidecode-fortify-entry-point-length-checks.patch, dmidecode-split-table-fetching-from-decoding.patch, dmidecode-write-the-whole-dump-file-at-once.patch, dmioem-fix-segmentation-fault-in-dmi_hp_240_attr.patch, dmioem-hpe-oem-record-237-firmware-change.patch, dmioem-typo-fix-virutal-virtual.patch, ensure-dev-mem-is-a-character-device-file.patch, news-fix-typo.patch and use-read_file-to-read-from-dump.patch. Update for HPE servers from upstream: - dmioem-update-hpe-oem-type-238.patch: Decode PCI bus segment in HPE type 238 records. Package docker was updated: - Update docker-buildx to v0.19.2. See upstream changelog online at &lt;https://github.com/docker/buildx/releases/tag/v0.19.2&gt;. Some notable changelogs from the last update: * &lt;https://github.com/docker/buildx/releases/tag/v0.19.0&gt; * &lt;https://github.com/docker/buildx/releases/tag/v0.18.0&gt; - Update to Go 1.22. - Add a new toggle file /etc/docker/suse-secrets-enable which allows users to disable the SUSEConnect integration with Docker (which creates special mounts in /run/secrets to allow container-suseconnect to authenticate containers with registries on registered hosts). bsc#1231348 bsc#1232999 In order to disable these mounts, just do echo 0 &gt; /etc/docker/suse-secrets-enable and restart Docker. In order to re-enable them, just do echo 1 &gt; /etc/docker/suse-secrets-enable and restart Docker. Docker will output information on startup to tell you whether the SUSE secrets feature is enabled or not. * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch - Disable docker-buildx builds for SLES. It turns out that build containers with docker-buildx don't currently get the SUSE secrets mounts applied, meaning that container-suseconnect doesn't work when building images. bsc#1233819 - Add docker-integration-tests-devel subpackage for building and running the upstream Docker integration tests on machines to test that Docker works properly. Users should not install this package. - docker-rpmlintrc updated to include allow-list for all of the integration tests package, since it contains a bunch of stuff that wouldn't normally be allowed. - Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from sysconfig a long time ago, and apparently this causes issues with systemd in some cases. - Further merge docker and docker-stable specfiles to minimise the differences. The main thing is that we now include both halves of the Conflicts/Provides/Obsoletes dance in both specfiles. - Update to docker-buildx v0.17.1 to match standalone docker-buildx package we are replacing. See upstream changelog online at &lt;https://github.com/docker/buildx/releases/tag/v0.17.1&gt; - Allow users to disable SUSE secrets support by setting DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. bsc#1231348 bsc#1232999 - Add %{_sysconfdir}/audit/rules.d to filelist. - Mark docker-buildx as required since classic &quot;docker build&quot; has been deprecated since Docker 23.0. bsc#1230331 - Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate package, but with docker-stable it will be necessary to maintain the packages together and it makes more sense to have them live in the same OBS package. bsc#1230333 - Make some minor name macro updates to help with the docker-stable package fork. - Update to Docker 26.1.5-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/26.1/#2615&gt; bsc#1230294 - This update includes fixes for: * CVE-2024-41110. bsc#1228324 * CVE-2023-47108. bsc#1217070 * CVE-2023-45142. bsc#1228553 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch * cli-0001-docs-include-required-tools-in-source-tree.patch Package dracut was updated: - Update to version 055+suse.359.geb85610b: * fix(convertfs): error in conditional expressions (bsc#1228847) Package e2fsprogs was updated: - resize2fs-Check-number-of-group-descriptors-only-if-.patch: resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145) Package glib2 was updated: - Add glib2-CVE-2024-52533.patch: fix a single byte buffer overflow (boo#1233282 CVE-2024-52533 glgo#GNOME/glib#3461). - Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in a dbus message. Fixes a possible use after free (boo#1224044). Package glibc was updated: - tcache-thread-shutdown.patch: malloc: Initiate tcache shutdown even without allocations (bsc#1228661, BZ #28028) - s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ [#31934]) Package google-guest-agent was updated: - Update to version 20241011.01 (bsc#1231775, bsc#1231776) * SUSE no overwrite bug fix, Ubuntu 18.04 exception (#451) - from version 20241011.00 * Skip MDS setup by default for this release (#450) - from version 20241010.01 * Revert &quot;network/netplan: Adjust link-local accordingly (#443)&quot; (#448) * Set enable regardless of previous check failed or not (#447) - from version 20241009.03 * Avoid unnecessary reloads, check before overwriting configs (#446) - from version 20241009.02 * network/netplan: Do generate instead of apply (#445) - from version 20241009.01 * Skip SetupInterfaces if configs are already applied (#444) * network/netplan: Adjust link-local accordingly (#443) * Repeated logging could be mistaken for a recurring issue, log mds mtls endpoint error only once (#439) * Retry MDS PUT operation, reload netplan/networkctl only if configs are changed (#438) * Log interface state after setting up network (#437) * network: Debian 12 rollback only if default netplan is ok (#436) - from version 20240930.01 * Change mtls mds defaults, update log message to assure error is harmless (#434) - from version 20240930.00 * network: Restore Debian 12 netplan configuration. (#433) * network: Remove primary NIC left over configs. (#432) * Update VLAN interfaces format to match with MDS (#431) * Fix panics in agent when setting up VLAN with netplan (#430) * Add VLAN NIC support for NetworkManager (#429) * Fix debian12 netplan config issue, use ptr receiver (#428) * Update README to reflect new network manager changes (#427) * Introduce a configuration toggle for enabling/disabling cloud logging (#413) * Adapt and update config key to be consistent with MDS (#426) * Allow users to enable/disable the mds mtls via metadata key (#423) * Make primary nic management config consistent across all network managers (#422) * Document disabling account manager on AD (#421) * Update README with MDS MTLS docs (#418) * Avoid writing configuration files when they already exist on wicked and (#410) * Update golang.org/x/net dependencies to catch up on CVEs (#412) * Get rid of deperecated dependencies in snapshot service generate code (#411) * Fix where agent panics on nil event (#409) * Configure primary nic if only set in cfg file (#408) * Update NIC management strategy (#402) * Only release dhclient leases for an interface if the respective dhclient is still running (#407) * Disable OS Login without pruning off any extra suffix. (#400) * Skip root cert rotation if installed once (#405) * Add ipv6 support to guest agent (#404) * Update Accounts documentation (#403) * Update google-startup-scripts.service to enable logging (#399) * Network subsystem remove os rules (#396) * oslogin: Don't remove sshca watcher when oslogin is disabled (#398) * Update dependencies to catch up on CVE fixes (#397) * Network manager netplan implementation (#386) * Update dependencies to catch up on CVE fixes (#391) * Log current available routes on error (#388) * Fix command monitor bugs (#389) * windows account: Ignore &quot;user already belogs to group&quot; error (#387) * Add more error logging in snapshot handling requests, use common retry util (#384) * All non-200 status code from MDS should raise error (#383) * Change metadata key to enable-oslogin-certificates (#382) * Update dhclient pid/lease file directory to abide apparmor rules (#381) * Add COS homedir-gid patch to upstream. (#365) * Add require-oslogin-certificates logic to disable keys (#368) * systemd-networkd: Support Debian 12's version (#372) * Minor update typo in comment (#380) * NetworkManager: Only set secondary interfaces as up (#378) * address manager: Make sure we check for oldMetadata (#375) * network: Early setup network (#374) * NetworkManager: Fix ipv6 and ipv4 mode attribute (#373) * Network Manager: Make sure we clean up ifcfg files (#371) * metadata script runner: Fix script download (#370) * oslogin: Avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: Remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) * Create systemd-networkd unit tests. (#354) * Update network manager unit tests (#351) * Implement retry util (#350) * Refactor utils package to not dump everything unrelated into one file (#352) * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * Ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) * Remove quintonamore from OWNERS (#345) * Delete integration tests (#343) - Update to version 20240816.00 * Add configuration toggle to enable/disable use of OS native certificate stores (#419) * Fix dependencies in stable branch #412 (#415) * Update dep: golang.org/x/crypto to v0.17.0 * Update dep: google.golang.org/protobuf to 1.33.0 * Update dep: golang.org/x/net to 0.17.0 * Update dep: google.golang.org/grpc to v1.57.1 - from version 20240813.00 * Update README with MDS MTLS docs (#418) - from version 20240808.01 * Avoid writing configuration files when they already exist on wicked and NetworkManager (#410) - from version 20240808.00 * Update golang.org/x/net dependencies to catch up on CVEs (#412) - from version 20240805.00 * Get rid of deperecated dependencies in snapshot service generate code (#411) - Drop dont_overwrite_ifcfg.patch, fixed upstream - Update to version 20240802.00 * Fix where agent panics on nil event (#409) - from version 20240801.00 * Configure primary nic if only set in cfg file (#408) * Update NIC management strategy (#402) * Only release dhclient leases for an interface if the respective dhclient is still running (#407) * Disable OS Login without pruning off any extra suffix. (#400) * Skip root cert rotation if installed once (#405) * Add ipv6 support to guest agent (#404) * Update Accounts documentation (#403) * Update google-startup-scripts.service to enable logging (#399) * Network subsystem remove os rules (#396) * oslogin: don't remove sshca watcher when oslogin is disabled (#398) * Update dependencies to catch up on CVE fixes (#397) * Network manager netplan implementation (#386) * Update dependencies to catch up on CVE fixes (#391) * Log current available routes on error (#388) * Fix command monitor bugs (#389) * Windows account: ignore &quot;user already belogs to group&quot; error (#387) * Add more error logging in snapshot handling requests, use common retry util (#384) * All non-200 status code from MDS should raise error (#383) * Change metadata key to enable-oslogin-certificates (#382) * Update dhclient pid/lease file directory to abide apparmor rules (#381) * Add COS homedir-gid patch to upstream. (#365) * Add require-oslogin-certificates logic to disable keys (#368) * systemd-networkd: support debian 12's version (#372) * Minor update typo in comment (#380) * NetworkManager: only set secondary interfaces as up (#378) * address manager: make sure we check for oldMetadata (#375) * network: early setup network (#374) * NetworkManager: fix ipv6 and ipv4 mode attribute (#373) * Network Manager: make sure we clean up ifcfg files (#371) * metadata script runner: fix script download (#370) * oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) * Create systemd-networkd unit tests. (#354) * Update network manager unit tests (#351) * Implement retry util (#350) * Refactor utils package to not dump everything unrelated into one file (#352) * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * Ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) * Remove quintonamore from OWNERS (#345) * Delete integration tests (#343) - from version 20240716.00 * Update dep: golang.org/x/crypto to v0.17.0 * Update dep: google.golang.org/protobuf to 1.33.0 * Update dep: golang.org/x/net to 0.17.0 * Update dep: google.golang.org/grpc to v1.57.1 - Update to version 20240701.00 * Update google-startup-scripts.service to enable logging (#399) - Update to version 20240611.01 * Network subsystem remove os rules (#396) * oslogin: don't remove sshca watcher when oslogin is disabled (#398) * update dependencies to catch up on CVE fixes (#397) * Network manager netplan implementation (#386) * update dependencies to catch up on CVE fixes (#391) * Log current available routes on error (#388) * Fix command monitor bugs (#389) * windows account: ignore &quot;user already belogs to group&quot; error (#387) * Add more error logging in snapshot handling requests, use common retry util (#384) * All non-200 status code from MDS should raise error (#383) * change metadata key to enable-oslogin-certificates (#382) * Update dhclient pid/lease file directory to abide apparmor rules (#381) * Add COS homedir-gid patch to upstream. (#365) * Add require-oslogin-certificates logic to disable keys (#368) * systemd-networkd: support debian 12's version (#372) * Minor update typo in comment (#380) * NetworkManager: only set secondary interfaces as up (#378) * address manager: make sure we check for oldMetadata (#375) * network: early setup network (#374) * NetworkManager: fix ipv6 and ipv4 mode attribute (#373) * Network Manager: make sure we clean up ifcfg files (#371) * metadata script runner: fix script download (#370) * oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) * Create systemd-networkd unit tests. (#354) * Update network manager unit tests (#351) * Implement retry util (#350) * Refactor utils package to not dump everything unrelated into one file (#352) * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) * Remove quintonamore from OWNERS (#345) * Delete integration tests (#343) - from version 20240528.00 * update dep: golang.org/x/crypto to v0.17.0 * update dep: google.golang.org/protobuf to 1.33.0 * update dep: golang.org/x/net to 0.17.0 * update dep: google.golang.org/grpc to v1.57.1 Package google-guest-configs was updated: - Update to version 20241121.00 (bsc#1233625, bsc#1233626) * Temporarily revert google_set_multiqueue changes for release (#92) - from version 20241115.00 * Remove IDPF devices from renaming rules (#91) - from version 20241112.00 * Revert &quot;Revert 3 commits:&quot; (#89) - from version 20241108.00 * Revert 3 commits: (#87) - from version 20241107.00 * gce-nic-naming: Exit 1 so that udev ignores the rule on error (#86) - from version 20241106.00 * Remove Apt IPv4 only config for Debian and Ubuntu (#85) - from version 20241031.00 * Add GCE intent based NIC naming tools (#84) - from version 20241025.00 * Update google_set_multiqueue to skip set_irq if NIC is not a gvnic device (#83) - Add new binary gce-nic-naming to %{_bindir} in %files section - Update to version 20241021.00 (bsc#1231775, bsc#1231776) * Add GCE-specific config for systemd-resolved (#82) - from version 20241015.00 * Update google_set_multiqueue to enable on A3Ultra family (#79) - from version 20241013.00 * Update OWNERS (#81) - from version 20241010.00 * Depend on jq in enterprise linux (#80) - from version 20241008.00 * Always use IP from primary NIC in the networkd-dispatcher routable hook (#78) - Update to version 20240925.00 * Call google_set_hostname on openSUSE and when the agent is configured to manage hostname and FQDN, let it (#75) - from version 20240924.00 * Include systemd-networkd hook in Ubuntu packaging (#77) - from version 20240905.00 * Update packaging as of Ubuntu devel packaging (#65) - from version 20240830.00 * Fix the name for A3 Edge VMs (#76) - Update to version 20240725.00 * Fix: hostnamectl command (#74) - Update to version 20240607.00 * Update is_a3_platform to include A3-edge shape (#73) - Update to version 20240514.00 * Add systemd-networkd hostname hook (#71) - from version 20240501.00 * Add hostname hook for NetworkManager without dhclient compat script (#70) Package google-osconfig-agent was updated: - Update to version 20240926.03 (bsc#1231775, bsc#1231776) * Revert &quot;Bump go.opentelemetry.io/otel from 1.24.0 to 1.30.0 (#679)&quot; (#684) - from version 20240926.02 * Bump go.opentelemetry.io/otel from 1.24.0 to 1.30.0 (#679) * another batch of depencies upgrade (#683) - from version 20240926.01 * aggregate dependabot changes to go.mod (#677) * Revert back Source package info delivery to control-plane (#673) - from version 20240926.00 * Update OWNERS (#676) - from version 20240924.02 * Upgrade grpc and it's dependencies to latest version (#672) - from version 20240924.01 * Implement keepalive config (#671) - from version 20240924.00 * Set new version of gRPC for test (#669) - from version 20240920.00 * Revert &quot;bump version of the gRPC&quot; (#667) - from version 20240919.00 * bump version of the gRPC (#666) - from version 20240917.00 * Merge pull request #665 from GoogleCloudPlatform/revert-664-update_grpc_dependency * Revert &quot;Update grpc library and other dependencies. (#664)&quot; - from version 20240916.00 * Update grpc library and other dependencies. (#664) - from version 20240913.00 * Move packagebuild presubmit to osconfig (#662) - from version 20240912.00 * Revert &quot;update osconfig api to v1.13.0 &amp; indirect dependency update&quot; (#659) - from version 20240822.00 * Revert &quot;Source package info delivery to control-plane (#639)&quot; (#656) - from version 20240821.00 * Fix golang version format to fix builds. (#655) - from version 20240814.01 * Use gcsfuse pkg in guest-policies e2e in pkg update tests instead of old pkgs (#653) * Replace osconfig-agent-test pkg by gcsfuse in ospolicies tests and inventory-report tests (#652) - from version 20240806.00 * Disable Repository Resource test for SLES-12 (#650) - Update to version 20240801.00 * Fix Debian-12 failing test by using gcsfuse pkg * Fix fetching gpg key unit tests (#649) - from version 20240729.00 * Fix for old state file on Windows (#648) - from version 20240723.00 * Add debugging logs for repository resource config (#646) - from version 20240718.00 * Fix SLES-12 SP5 RPM package-resource e2e test (#645) - from version 20240715.01 * Fix OSPolicies e2e tests for SLES-15 SP5 by removing zypper update from VMs startup script (#644) - from version 20240715.00 * Fix GuestPolicies e2e tests for SLES-15 SP5 by removing zypper update from VMs startup script (#643) - from version 20240709.01 * Source package info delivery to control-plane (#639) - from version 20240709.00 * Enable gpgcheck flag for RPM e2e tests (#638) - from version 20240708.00 * Update osconfig api to v1.13.0 * Indirect dependency update (#637) - from version 20240705.01 * Updating Windows &amp; Linux Chrome packages to fix failing e2e tests (#636) - from version 20240705.00 * Merge pull request #635 from Gulio/patch-1 * Update OWNERS - from version 20240702.02 * Remove RHEL-7 and CentOS-7 images from e2e tests (#634) - Update to version 20240702.01 * Use Debian-11 img in googet pkg build workflow (#632) - from version 20240702.00 * Pipeline testing 00 (#631) - from version 20240701.00 * update readme file (#628) - from version 20240625.01 * Updating yum install to support multi architecture based packages * Revert &quot;Adding Architecture to the packages being installed/updated in yum repo&quot; - from version 20240625.00 * Update old SLES images urls (#627) - from version 20240620.00 * Merge pull request #626 from GoogleCloudPlatform/yum-multiarch-fix * Adding Architecture to the packages being installed/updated in yum repo - from version 20240618.01 * Extract source_name(source_rpm) for rpm packages (#624) - from version 20240618.00 * update README.md file (#625) - from version 20240615.00 * Fix(dpkg) return onlt installed items as inventory (#623) * Extract source name and version for dpkg packages. (#622) - Update to version 20240607.00 * Update e2e tests to use VMM team's GCP project for pkgs testing version (#621) - from version 20240606.00 * Disable SUSE tests to run with testing agent repo (#619) - from version 20240604.00 * Fix the logic of pick region for Artifact Registry function (#618) - from version 20240603.00 * Disable centos-stream-8 tests as it reached EOL in May 31 (#617) - from version 20240529.00 * Merge pull request #610 from savijatv/patch-3 * Update cis-level1-once-a-day-policy.yaml - from version 20240528.00 * Merge pull request #616 from MahmoudOuka/allow-windows-e2e-tests-to-\ install-testing-version-of-agent-from-private-artifact-registry-repos * Allow Windows e2e tests to pull osconfig-agent pkg from testing (private) repos from Artifact registry - from version 20240527.01 * Merge pull request #615 from MahmoudOuka/fix-SUSE-e2e-tests * fix SUSE e2e tests - from version 20240527.00 * Merge pull request #614 from MahmoudOuka/allow-apt-and-yum-\ e2e-tests-to-pull-osconfig-agent-pkg-from-testing-repos * fix golint comments * Allow Apt &amp; Yum e2e tests to pull osconfig-agent pkg from testing repos - from version 20240524.03 * Merge pull request #611 from savijatv/patch-ospolicy-samples * Update to the CIS OS policy samples - from version 20240524.00 * Merge pull request #612 from MahmoudOuka/update-apt-e2e-tests-\ to-pull-osconfig-agent-pkg-from-new-ar-repos * fix golint comment * Update Apt e2e tests to pull osconfig-agent pkg from new AR repos instead of rapture - from version 20240523.02 * bump golang.org/x/crypto version (#613) - from version 20240523.00 * update go-cmp dependency (#604) - from version 20240522.00 * rollback masive dependency update (#603) * Bump google.golang.org/api from 0.180.0 to 0.181.0 (#596) - Update to version 20240517.00 * Bump cloud.google.com/go/auth from 0.4.1 to 0.4.2 (#597) - from version 20240516.01 * Bump cloud.google.com/go/logging from 1.9.0 to 1.10.0 (#595) * Bump cloud.google.com/go/storage from 1.40.0 to 1.41.0 (#594) - from version 20240516.00 * Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#593) - Update to version 20240513.02 * E2e tests: allow passing spesific EL version number to InstallOSConfigEL func (#592) - from version 20240513.01 * Bump google.golang.org/api from 0.179.0 to 0.180.0 (#591) - from version 20240513.00 * E2e tests: Fix EL version detection logic in E2E tests (#590) * Bump google.golang.org/api from 0.178.0 to 0.179.0 (#589) - from version 20240510.02 * Bump cloud.google.com/go/auth from 0.4.0 to 0.4.1 (#588) - from version 20240510.01 * E2e tests: use family url format instead of specific version URL for head test images (#587) - from version 20240510.00 * Fix for lock location (#586) - from version 20240509.03 * Bump cloud.google.com/go from 0.112.2 to 0.113.0 (#584) - from version 20240509.02 * Remove dependabot not needed label (#576) - from version 20240509.01 * Write inventory to attributes only if enabled (#486) - from version 20240509.00 * E2e tests: install gnupg2 and run apt update in VMs startup-scripts (#583) * Add a temporary e2e test image for Ubuntu to test the latest osconfig-agent stable version (#582) * Bump google.golang.org/api from 0.177.0 to 0.178.0 (#578) * Bump github.com/googleapis/gax-go/v2 from 2.12.3 to 2.12.4 (#579) * Bump cloud.google.com/go/iam from 1.1.7 to 1.1.8 (#577) * Bump cloud.google.com/go/auth from 0.3.0 to 0.4.0 (#580) * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#581) * Bump golang.org/x/net from 0.24.0 to 0.25.0 (#575) * Bump cloud.google.com/go/osconfig from 1.12.6 to 1.12.7 (#573) * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#574) * Bump cloud.google.com/go/longrunning from 0.5.6 to 0.5.7 (#571) - from version 20240508.08 * Bump github.com/golang/glog from 1.2.0 to 1.2.1 (#572) - from version 20240508.07 * Bump golang.org/x/text from 0.14.0 to 0.15.0 (#565) - from version 20240508.06 * Bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 (#566) * Bump golang.org/x/sys from 0.19.0 to 0.20.0 (#564) - from version 20240508.05 * Bump go.opentelemetry.io/otel/trace from 1.24.0 to 1.26.0 (#563) - from version 20240508.04 * Bump google.golang.org/protobuf from 1.34.0 to 1.34.1 (#567) * Using the default reviewer set for PR approvals (#570) - from version 20240508.03 * Adding advanced CodeQL settings to scan on PRs (#569) - from version 20240508.02 * Update Debian-12 package build workflow to use debian-cloud project (#568) - from version 20240508.01 * Dependabot dependency updates (#562) - from version 20240508.00 * Revert &quot;Initial configuration of the dependabot for the direct and indirect d…&quot; (#561) * Initial configuration of the dependabot for the direct and indirect dependency scanning (#560) - from version 20240507.00 * Fix Debian-12 package build workflow typo (#559) - from version 20240506.00 * Use signed-by keyring approach for apt repos in Debian 12+ and Ubuntu 24+ (#558) - from version 20240501.03 * Logrus dependency update (#557) - from version 20240501.02 * Updating dependencies and respective checksums (#556) - from version 20240501.01 * Update go.mod (#554) - from version 20240501.00 * Bump golang.org/x/net from 0.17.0 to 0.23.0 (#542) - from version 20240430.01 * Remove SBOM generation logic from package build workflows (#553) - from version 20240425.00 * Fix e2e tests for exec-output size limit (#552) - from version 20240424.00 * Disabled some images which are either past EoL or broken (#549) - from version 20240423.01 * Copy packagebuild folder from guest-test-infra repo to osconfig repo (#545) * OS Config windows state file location changed (#544) - from version 20240423.00 * Removed debian-10 from e2e tests (#548) - from version 20240422.00 * Merge pull request #541 from GoogleCloudPlatform/michaljankowiak-patch-1 * Update OWNERS - from version 20240409.00 * Bump output size limit to 500KB (#538) Package grub2 was updated: - grub2.spec: Add ofnet to signed grub.elf to support powerpc net boot installation when secure boot is enabled (bsc#1217761) (bsc#1228866) - Improved check for disk device when looking for PReP partition * 0004-Introduce-prep_load_env-command.patch - Fix btrfs subvolume for platform modules not mounting at runtime when the default subvolume is the topmost root tree (bsc#1228124) * grub2-btrfs-06-subvol-mount.patch - Rediff * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch - Fix error in grub-install when root is on tmpfs (bsc#1226100) * 0001-grub-install-bailout-root-device-probing.patch - Fix input handling in ppc64le grub2 has high latency (bsc#1223535) * 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch - Fix PowerPC grub loads 5 to 10 minutes slower on SLE-15-SP5 compared to SLE-15-SP2 (bsc#1217102) * add 0001-ofdisk-enhance-boot-time-by-focusing-on-boot-disk-re.patch * add 0002-ofdisk-add-early_log-support.patch - Enhancement to PPC secure boot's root device discovery config (bsc#1207230) - Fix regex for Open Firmware device specifier with encoded commas * 0002-prep_loadenv-Fix-regex-for-Open-Firmware-device-spec.patch - Fix regular expression in PPC secure boot config to prevent escaped commas from being treated as delimiters when retrieving partition substrings. - Use prep_load_env in PPC secure boot config to handle unset host-specific environment variables and ensure successful command execution. * 0004-Introduce-prep_load_env-command.patch - Refreshed * 0005-export-environment-at-start-up.patch Package kernel-default was updated: - idpf: fix UAFs when destroying the queues (CVE-2024-44932 bsc#1229808). - idpf: fix memory leaks and crashes while performing a soft reset (CVE-2024-44964 bsc#1230220). - commit 4316b61 - USB: serial: io_edgeport: fix use after free in debug printk (CVE-2024-50267 bsc#1233456) - commit 5a7c927 - tcp: Fix use-after-free of nreq in reqsk_timer_handler() (CVE-2024-50154 bsc#1233070). - commit 9c54dc2 - README.BRANCH: Remove bouncing e-mail address. - commit 9d57d70 - netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() (CVE-2024-50259 bsc#1233214). - commit 3b589d0 - Update patches.suse/can-bcm-Fix-UAF-in-bcm_proc_show.patch (git-fixes CVE-2023-52922 bsc#1233977). - commit 624f722 - security/keys: fix slab-out-of-bounds in key_task_permission (CVE-2024-50301 bsc#1233490). - commit b8c1415 - media: cx24116: prevent overflows on SNR calculus (CVE-2024-50290 bsc#1233479). - commit c59cd01 - dm cache: fix out-of-bounds access to the dirty bitset when resizing (CVE-2024-50279 bsc#1233468). - commit 6c88f14 - Update config files. Enabled IDPF for ARM64 (bsc#1221309) - commit 8dd2b1c - HID: core: zero-initialize the report buffer (CVE-2024-50302 bsc#1233491). - commit 086ff16 - vsock/virtio: Initialization of the dangling pointer occurring in vsk-&gt;trans (CVE-2024-50264 bsc#1233453). - commit 008fbbf - Bluetooth: SCO: Fix UAF on sco_sock_timeout (CVE-2024-50125 bsc#1232928). - commit f9d799e - Update patches.suse/0002-x86-mm-ident_map-Use-gbpages-only-where-full-GB-page.patch (bsc#1220382 CVE-2024-50017 bsc#1232312). - commit 02ff322 - Update patches.suse/can-bcm-Fix-UAF-in-bcm_proc_show.patch (git-fixes CVE-2023-52922 bsc#1233977). - commit 82c5a0a - Refresh patches.suse/initramfs-avoid-filename-buffer-overrun.patch. - commit 145c949 - idpf: avoid vport access in idpf_get_link_ksettings (CVE-2024-50274 bsc#1233463). - commit 8971b65 - nilfs2: fix potential oob read in nilfs_btree_check_delete() (bsc#1232187 CVE-2024-47757). - commit d813a1d - media: dvbdev: prevent the risk of out of memory access (CVE-2024-53063 bsc#1233557). - commit 52a90e5 - media: s5p-jpeg: prevent buffer overflows (CVE-2024-53061 bsc#1233555). - commit aef5475 - firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() (CVE-2024-53068 bsc#1233561). - commit e507b37 - kernel-binary: Enable livepatch package only when livepatch is enabled Otherwise the filelist may be empty failing the build (bsc#1218644). - commit f730eec - Update config files (bsc#1218644). LIVEPATCH_IPA_CLONES=n =&gt; LIVEPATCH=n - commit 9c28790 - ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() (CVE-2024-50205 bsc#1233293). - commit d31c5c9 - tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink() (CVE-2024-50154 bsc#1233070). - commit 2430e1b - unicode: Don't special case ignorable code points (CVE-2024-50089 bsc#1232860). - commit ba47e72 - mm/memory: add non-anonymous page check in the copy_present_page() (bsc#1231646). - commit 9f5cb06 - README.BRANCH: drop explicit maintainers kbuild already recognizes all downstream branch maintainers an merge their PRs so we do not need explicit maintainers for the cve branch itself. - commit cd6f8fb - KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (CVE-2024-50115 bsc#1232919). - commit 4c6b1da - mptcp: fix double-free on socket dismantle (CVE-2024-26782 bsc#1222590). (cherry picked from commit 03ac3f085c702ef308481c09b021887b5a01d52b) - commit 7f40404 - net/ncsi: Disable the ncsi work before freeing the associated structure (CVE-2024-49945 bsc#1232165). - commit 0369bdb - net: sched: fix use-after-free in taprio_change() (CVE-2024-50127 bsc#1232907). - commit 88b0d06 - RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages (bsc#1233117 CVE-2024-50208) - commit da4098a - block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854 bsc#1229345). - commit 2fc5adb - x86/mm/ident_map: Use gbpages only where full GB page should be mapped (bsc#1220382). - x86/kexec: Add EFI config table identity mapping for kexec kernel (bsc#1220382). - commit c11660d - initramfs: avoid filename buffer overrun (bsc#1232436). - commit 6855778 - fbdev: efifb: Register sysfs groups through driver core (bsc#1232224 CVE-2024-49925). - commit ed25954 - net: hisilicon: Fix potential use-after-free in hix5hd2_rx() (bsc#1231979 CVE-2022-48960) - commit e22014e - ipv6: avoid use-after-free in ip6_fragment() (CVE-2022-48956 bsc#1231893). - commit c192a62 - drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer (CVE-2024-49991 bsc#1232282). - commit 6ba5342 - vhost_vdpa: assign irq bypass producer token correctly (bsc#1232174 CVE-2024-47748). - commit 51b6257 - ext4: fix timer use-after-free on failed mount (CVE-2024-49960 bsc#1232395). - tipc: guard against string buffer overrun (CVE-2024-49995 bsc#1232432). - commit 7dec126 - net/xen-netback: prevent UAF in xenvif_flush_hash() (CVE-2024-49936 bsc#1232424). - commit 05a71d8 - Update patches.suse/IB-core-Implement-a-limit-on-UMAD-receive-List.patch (bsc#1228743 CVE-2024-42145 bsc#1223384). - Update patches.suse/aoe-fix-the-potential-use-after-free-problem-in-more.patch (bsc#1218562 CVE-2023-6270 CVE-2024-49982 bsc#1232097). - Update patches.suse/fuse-Initialize-beyond-EOF-page-contents-before-setti.patch (bsc#1229454 CVE-2024-44947 bsc#1229456). - Update patches.suse/media-edia-dvbdev-fix-a-use-after-free.patch (CVE-2024-27043 bsc#1223824 bsc#1218562). - commit 1967352 - Update patches.suse/i3c-mipi-i3c-hci-Fix-out-of-bounds-access-in-hci_dma.patch (git-fixes CVE-2023-52766 bsc#1230620). - Update patches.suse/nfc-nci-fix-possible-NULL-pointer-dereference-in-sen.patch (git-fixes CVE-2023-52919 bsc#1231988). - Update patches.suse/tcp-do-not-accept-ACK-of-bytes-we-never-sent.patch (CVE-2023-52881 bsc#1225611 bsc#1223384). - Update patches.suse/wifi-ath11k-fix-htt-pktlog-locking.patch (git-fixes CVE-2023-52800 bsc#1230600). - commit 4af6b80 - Update patches.suse/0001-af_unix-Get-user_ns-from-in_skb-in-unix_diag_get_exa.patch (bsc#1209290 CVE-2023-28327 CVE-2022-48970 bsc#1231887). - Update patches.suse/ALSA-seq-Fix-function-prototype-mismatch-in-snd_seq_.patch (git-fixes CVE-2022-48994 bsc#1232119). - Update patches.suse/ASoC-ops-Check-bounds-for-second-channel-in-snd_soc_.patch (git-fixes CVE-2022-48951 bsc#1231929). - Update patches.suse/ASoC-ops-Fix-bounds-check-for-_sx-controls.patch (git-fixes CVE-2022-49005 bsc#1232150). - Update patches.suse/ASoC-soc-pcm-Add-NULL-check-in-BE-reparenting.patch (git-fixes CVE-2022-48992 bsc#1232071). - Update patches.suse/Bluetooth-Fix-not-cleanup-led-when-bt_init-fails.patch (git-fixes CVE-2022-48971 bsc#1232037). - Update patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch (CVE-2022-45934 bsc#1205796 CVE-2022-48947 bsc#1231895). - Update patches.suse/HID-core-fix-shift-out-of-bounds-in-hid_report_raw_e.patch (git-fixes CVE-2022-48978 bsc#1232038). - Update patches.suse/Input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_.patch (git-fixes CVE-2022-48995 bsc#1232120). - Update patches.suse/NFC-nci-Bounds-check-struct-nfc_target-arrays.patch (git-fixes CVE-2022-48967 bsc#1232304). - Update patches.suse/afs-Fix-server-active-leak-in-afs_put_server.patch (git-fixes CVE-2022-49012 bsc#1232005). - Update patches.suse/btrfs-fix-hang-during-unmount-when-stopping-a-space-.patch (bsc#1232262 CVE-2024-49867 CVE-2022-48664 bsc#1223524). - Update patches.suse/can-af_can-fix-NULL-pointer-dereference-in-can_rcv_f.patch (bsc#1210627 CVE-2023-2166 CVE-2022-48977 bsc#1231883). - Update patches.suse/can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch (git-fixes CVE-2022-49024 bsc#1232001). - Update patches.suse/char-tpm-Protect-tpm_pm_suspend-with-locks.patch (git-fixes CVE-2022-48997 bsc#1232035). - Update patches.suse/drm-shmem-helper-Remove-errant-put-in-error-path.patch (git-fixes CVE-2022-48981 bsc#1232229). - Update patches.suse/e100-Fix-possible-use-after-free-in-e100_xmit_prepar.patch (git-fixes CVE-2022-49026 bsc#1231997). - Update patches.suse/gpio-amd8111-Fix-PCI-device-reference-count-leak.patch (git-fixes CVE-2022-48973 bsc#1232039). - Update patches.suse/gpiolib-fix-memory-leak-in-gpiochip_setup_dev.patch (git-fixes CVE-2022-48975 bsc#1231885). - Update patches.suse/hwmon-coretemp-Check-for-null-before-removing-sysfs-.patch (git-fixes CVE-2022-49010 bsc#1232172). - Update patches.suse/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch (git-fixes CVE-2022-49011 bsc#1232006). - Update patches.suse/hwmon-ibmpex-Fix-possible-UAF-when-ibmpex_register_b.patch (git-fixes CVE-2022-49029 bsc#1231995). - Update patches.suse/iavf-Fix-error-handling-in-iavf_init_module.patch (jsc#SLE-18385 CVE-2022-49027 bsc#1232007). - Update patches.suse/igb-Initialize-mailbox-message-for-VF-reset.patch (jsc#SLE-18379 CVE-2022-48949 bsc#1231897). - Update patches.suse/iio-health-afe4403-Fix-oob-read-in-afe4403_read_raw.patch (git-fixes CVE-2022-49031 bsc#1231992). - Update patches.suse/iio-health-afe4404-Fix-oob-read-in-afe4404_-read-wri.patch (git-fixes CVE-2022-49032 bsc#1231991). - Update patches.suse/iommu-vt-d-Fix-PCI-device-refcount-leak-in-dmar_dev_scope_init (git-fixes CVE-2022-49002 bsc#1232133). - Update patches.suse/iommu-vt-d-Fix-PCI-device-refcount-leak-in-has_external_pci (git-fixes CVE-2022-49000 bsc#1232123). - Update patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch (bsc#1204171 CVE-2022-3435 CVE-2022-48999 bsc#1231936). - Update patches.suse/ixgbevf-Fix-resource-leak-in-ixgbevf_init_module.patch (git-fixes CVE-2022-49028 bsc#1231996). - Update patches.suse/mac802154-fix-missing-INIT_LIST_HEAD-in-ieee802154_i.patch (git-fixes CVE-2022-48972 bsc#1232025). - Update patches.suse/media-v4l2-dv-timings.c-fix-too-strict-blanking-sani.patch (git-fixes CVE-2022-48987 bsc#1232067). - Update patches.suse/msft-hv-2684-net-mana-Fix-race-on-per-CQ-variable-napi-work_done.patch (git-fixes bsc#1206188 CVE-2022-48985 bsc#1231958). - Update patches.suse/net-ethernet-nixge-fix-NULL-dereference.patch (git-fixes CVE-2022-49019 bsc#1231940). - Update patches.suse/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch (git-fixes CVE-2022-48961 bsc#1232108). - Update patches.suse/net-mdiobus-fix-unbalanced-node-reference-count.patch (git-fixes CVE-2022-49016 bsc#1231937). - Update patches.suse/net-mlx5e-Fix-use-after-free-when-reverting-terminat.patch (jsc#SLE-19253 CVE-2022-49025 bsc#1231960). - Update patches.suse/net-phy-fix-null-ptr-deref-while-probe-failed.patch (git-fixes CVE-2022-49021 bsc#1231939). - Update patches.suse/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch (git-fixes CVE-2022-48955 bsc#1231892). - Update patches.suse/net-tun-Fix-use-after-free-in-tun_detach.patch (git-fixes CVE-2022-49014 bsc#1231890). - Update patches.suse/nilfs2-fix-NULL-pointer-dereference-in-nilfs_palloc_.patch (git-fixes CVE-2022-49007 bsc#1232170). - Update patches.suse/nvme-fix-SRCU-protection-of-nvme_ns_head-list.patch (git-fixes CVE-2022-49003 bsc#1232136). - Update patches.suse/octeontx2-pf-Fix-potential-memory-leak-in-otx2_init_.patch (jsc#SLE-24682 CVE-2022-48968 bsc#1232237). - Update patches.suse/rtc-cmos-Fix-event-handler-registration-ordering-iss.patch (git-fixes CVE-2022-48953 bsc#1231941). - Update patches.suse/s390-qeth-fix-use-after-free-in-hsci.patch (bsc#1210449 git-fixes CVE-2022-48954 bsc#1231972). - Update patches.suse/tracing-Free-buffers-when-a-used-dynamic-event-is-removed.patch (git-fixes CVE-2022-49006 bsc#1232163). - Update patches.suse/udf-Fix-preallocation-discarding-at-indirect-extent-.patch (bsc#1213034 CVE-2022-48946 bsc#1231888). - Update patches.suse/usb-gadget-uvc-Prevent-buffer-overflow-in-setup-hand.patch (git-fixes CVE-2022-48948 bsc#1231896). - Update patches.suse/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch (git-fixes CVE-2022-49023 bsc#1231961). - Update patches.suse/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch (git-fixes CVE-2022-49022 bsc#1231962). - Update patches.suse/xen-netfront-Fix-NULL-sring-after-live-migration.patch (git-fixes CVE-2022-48969 bsc#1232026). - commit 2377658 - Update patches.suse/drm-vc4-kms-Add-missing-drm_crtc_commit_put.patch (git-fixes CVE-2021-47534 bsc#1230903). - Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes stable-5.14.12 CVE-2021-47416 bsc#1225336 bsc#1225189). - commit d4160e3 - NFSD: Force all NFSv4.2 COPY requests to be synchronous (CVE-2024-49974 bsc#1232383). - commit e488dd4 - ACPI: sysfs: validate return type of _STR method (bsc#1231861 CVE-2024-49860). - commit 1bb3615 - Delete patches.suse/scsi-Update-max_hw_sectors-on-rescan.patch (bsc#1216223) - commit c6f8315 - Refresh patches.suse/scsi-ibmvfc-Add-max_sectors-module-parameter.patch. - commit 707c768 - drm/amd/display: Fix index out of bounds in DCN30 color transformation (CVE-2024-49969 bsc#1232519). - commit a2392a3 - smb: client: fix UAF in async decryption (bsc#1232418 CVE-2024-50047). - commit dcba7ec - net: hisilicon: Fix potential use-after-free in hisi_femac_rx() (CVE-2022-48962 bsc#1232286). - commit 0f23f49 - btrfs: wait for fixup workers before stopping cleaner kthread during umount (bsc#1232262 CVE-2024-49867). - btrfs: fix hang during unmount when stopping a space reclaim worker (bsc#1232262 CVE-2024-49867). - commit b603fa4 - mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma (CVE-2022-48991 bsc#1232070 prerequisity git-fix). - mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths (CVE-2022-48991 bsc#1232070). - commit 3ab8533 - mm/khugepaged: fix GUP-fast interaction by sending IPI (CVE-2022-48991 bsc#1232070 prerequisity). - commit 327d525 - mm/khugepaged: take the right locks for page table retraction (CVE-2022-48991 bsc#1232070 prerequisity). - commit e43adf4 - mm: gup: fix the fast GUP race against THP collapse (CVE-2022-48991 bsc#1232070 prerequisity). - commit 262192e - s390/dasd: fix error recovery leading to data corruption on ESE devices (git-fixes bsc#1229452 CVE-2024-45026 bsc#1230454 bsc#1232281). - commit fc1d054 - net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition (CVE-2024-47747 bsc#1232145). - commit a1020b1 - drm/amd/display: Check msg_id before processing transcation (CVE-2024-46814 bsc#1231193). - commit 81681a2 - RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page (bsc#1232036). - net: mana: Fix the extra HZ in mana_hwc_send_request (bsc#1232033). - commit 8c14fb0 - block, bfq: fix possible UAF for bfqq-&gt;bic with merge chain (CVE-2024-47706 bsc#1231942) - commit c5d0bc0 - tcp: check skb is non-NULL in tcp_rto_delta_us() (CVE-2024-47684 bsc#1231987) - commit 569d856 - net: hsr: Fix potential use-after-free (CVE-2022-49015 bsc#1231938) - commit 5883d13 - wifi: ath11k: fix array out-of-bound access in SoC stats (CVE-2024-49930 bsc#1232260). - commit e11de4c - Update patches.suse/memcg-Fix-possible-use-after-free-in-memcg_write_event_control.patch (bsc#1206344, CVE-2022-48988, bsc#1232069). - commit e7eaea8 - net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions() (CVE-2022-48959 bsc#1231976). - commit ec81f5f - mm: avoid leaving partial pfn mappings around in error case (CVE-2024-47674 bsc#1231673). - commit 9910e8f - netem: fix return value if duplicate enqueue fails (CVE-2024-45016 bsc#1230429). - commit 2e9108a - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (CVE-2024-47668 bsc#1231502) - commit 45aa8b3 - dn_route: set rt neigh to blackhole_netdev instead of loopback_dev in ifdown (bsc#1216813). - commit 673d32f - xfrm: set dst dev to blackhole_netdev instead of loopback_dev in ifdown (bsc#1216813). - commit 0e5b278 - ipv6: blackhole_netdev needs snmp6 counters (bsc#1216813). - commit 0c7762c - ipv6: give an IPv6 dev to blackhole_netdev (bsc#1216813). - commit 5d1a23a - aoe: fix the potential use-after-free problem in more places (bsc#1218562 CVE-2023-6270). - commit e949a45 - efi: fix NULL-deref in init error path (bsc#1229556 CVE-2022-48879). - commit 41e1770 - dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor (bsc#1230715 CVE-2024-46716). - commit 92074a5 - bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation (bsc#1231375). - commit fd93435 - drm/amd/display: Check gpio_id before used as array index (CVE-2024-46818 bsc#1231203). - commit 53caf4b - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets (CVE-2024-46815 bsc#1231195). - commit ad18f86 - drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links (CVE-2024-46816 bsc#1231197). - commit 1eea356 - Delete some more obsolete scripts - commit 0d4cf12 - drm/amd/display: Check link_index before accessing dc-&gt;links (CVE-2024-46813 bsc#1231191). - commit a97e1a4 - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 (CVE-2024-46817 bsc#1231200). - commit 18cf241 - rpm/release-projects: Add SLFO projects (bsc#1231293). - commit 9f2c584 - NFSv3: only use NFS timeout for MOUNT when protocols are compatible (bsc#1231016). - commit 2b5943c - ASoC: meson: axg-card: fix 'use-after-free' (CVE-2024-46849 bsc#1231073) - commit a395e2d - rpm/check-for-config-changes: add HAVE_RUST and RUSTC_SUPPORTS_ to IGNORED_CONFIGS_RE They depend on SHADOW_CALL_STACK. - commit 65fa52b - usb: dwc3: st: fix probed platform device ref count on probe error path (bsc#1230507 CVE-2024-46674). - commit ffd5693 - scsi: ibmvfc: Add max_sectors module parameter (bsc#1216223). Delete patches.suse/ibmvfc-make-max_sectors-a-module-option.patch. - commit 13d3e25 - nvme: move stopping keep-alive into nvme_uninit_ctrl() (CVE-2024-45013 bsc#1230442) - commit 75bf6d9 - Update patches.suse/media-vivid-fix-compose-size-exceed-boundary.patch (git-fixes CVE-2022-48945 bsc#1230398). - Update patches.suse/powerpc-rtas-Prevent-Spectre-v1-gadget-construction-.patch (bsc#1227487 CVE-2024-46774 bsc#1230767). - Update patches.suse/sched-Fix-yet-more-sched_fork-races.patch (git fixes (sched/core) CVE-2022-48944 bsc#1229947). - commit be5b46d - SUNRPC: avoid soft lockup when transmitting UDP to reachable server (bsc#1225272 bsc#1231016). - commit d8ddf61 - kabi: add __nf_queue_get_refs() for kabi compliance. - netfilter: nf_queue: fix possible use-after-free (bsc#1229633, CVE-2022-48911). - commit 09526c9 - btrfs: prevent copying too big compressed lzo segment (CVE-2022-48923 bsc#1229662) - commit 9c5b30e - dev/parport: fix the array out-of-bounds risk (CVE-2024-42301 bsc#1229407). - commit 0515c56 - KABI: kcm: Serialise kcm_sendmsg() for the same socket (CVE-2024-44946 bsc#1230015). - commit 4220de4 - kcm: Serialise kcm_sendmsg() for the same socket (CVE-2024-44946 bsc#1230015). - commit 195f676 - Refresh patches.suse/Bluetooth-hci_ldisc-check-HCI_UART_PROTO_READY-flag-.patch. Update upstream status and move to the sorted section. - commit 43dbf50 - memcg_write_event_control(): fix a user-triggerable oops (CVE-2024-45021 bsc#1230434). - commit f5c92ca - Revert &quot;mm/sparsemem: fix race in accessing memory_section-&gt;usage&quot; This reverts commit 606bd9b8228bfe004cf6ab930ffb673a535e3c55. - commit 532bbfe - Revert &quot;mm, kmsan: fix infinite recursion due to RCU critical section&quot; This reverts commit 1702784a5db6b26695f0bc2c6b0cbe973db5c0f3. - commit e220e83 - Revert &quot;mm: prevent derefencing NULL ptr in pfn_section_valid()&quot; This reverts commit d77caa16c18115f0c470ecf5cdd3cdb6f9865aeb. - commit b38d226 - blk-mq: add helper for checking if one CPU is mapped to specified hctx (bsc#1223600). - blk-mq: don't schedule block kworker on isolated CPUs (bsc#1223600). - commit 4537dc0 - vfs: Don't evict inode under the inode lru traversing context (CVE-2024-45003 bsc#1230245). - commit 82e6e44 - Bluetooth: L2CAP: Fix deadlock (git-fixes). - commit 9438e54 - bluetooth/l2cap: sync sock recv cb and release (bsc#1228576 CVE-2024-41062). - commit 5b1f743 - Update references - commit a096907 - fuse: Initialize beyond-EOF page contents before setting uptodate (bsc#1229454 CVE-2024-44947). - commit ddfd2d7 - usb: vhci-hcd: Do not drop references before new references are gained (CVE-2024-43883 bsc#1229707). - commit 44d7bae - net: usb: qmi_wwan: fix memory leak for not ip packets (CVE-2024-43861 bsc#1229500). - commit 3e796c3 - PKCS#7: Check codeSigning EKU of certificates in PKCS#7 (bsc#1226666). - commit 95da232 - Update patches.suse/ASoC-ops-Shift-tested-values-in-snd_soc_put_volsw-by.patch (git-fixes CVE-2022-48917 bsc#1229637). - Update patches.suse/Bluetooth-hci_qca-Fix-driver-shutdown-on-closed-serd.patch (git-fixes CVE-2022-48878 bsc#1229554). - Update patches.suse/CDC-NCM-avoid-overflow-in-sanity-checking.patch (git-fixes CVE-2022-48938 bsc#1229664). - Update patches.suse/KVM-x86-mmu-make-apf-token-non-zero-to-fix-bug.patch (git-fixes CVE-2022-48943 bsc#1229645). - Update patches.suse/RDMA-cma-Do-not-change-route.addr.src_addr-outside-s.patch (git-fixes CVE-2022-48925 bsc#1229630). - Update patches.suse/RDMA-ib_srp-Fix-a-deadlock.patch (git-fixes CVE-2022-48930 bsc#1229624). - Update patches.suse/USB-gadgetfs-Fix-race-between-mounting-and-unmountin.patch (CVE-2022-4382 bsc#1206258 CVE-2022-48869 bsc#1229507). - Update patches.suse/auxdisplay-lcd2s-Fix-memory-leak-in-remove.patch (git-fixes CVE-2022-48907 bsc#1229608). - Update patches.suse/blktrace-fix-use-after-free-for-struct-blk_trace.patch (bsc#1198017 CVE-2022-48913 bsc#1229643). - Update patches.suse/bpf-Fix-crash-due-to-out-of-bounds-access-into-reg2b.patch (git-fixes bsc#1194111 bsc#1194765 bsc#1196261 CVE-2021-4204 CVE-2022-0500 CVE-2022-23222 CVE-2022-48929 bsc#1229625). - Update patches.suse/btrfs-fix-race-between-quota-rescan-and-disable-lead.patch (bsc#1207158 CVE-2023-52896 bsc#1229533). - Update patches.suse/btrfs-fix-relocation-crash-due-to-premature-return-f.patch (bsc#1203360 CVE-2022-48903 bsc#1229613). - Update patches.suse/cgroup-cpuset-Prevent-UAF-in-proc_cpuset_show.patch (bsc#1228801 CVE-2024-43853 bsc#1229292). - Update patches.suse/cifs-fix-double-free-race-when-mount-fails-in-cifs_get_root-.patch (bsc#1193629 CVE-2022-48919 bsc#1229657). - Update patches.suse/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch (git-fixes CVE-2022-48931 bsc#1229623). - Update patches.suse/dmaengine-idxd-Let-probe-fail-when-workqueue-cannot-.patch (git-fixes CVE-2022-48868 bsc#1229506). - Update patches.suse/drm-msm-another-fix-for-the-headless-Adreno-GPU.patch (git-fixes CVE-2023-52911 bsc#1229522). - Update patches.suse/drm-msm-dp-do-not-complete-dp_aux_cmd_fifo_tx-if-irq.patch (git-fixes CVE-2022-48898 bsc#1229537). - Update patches.suse/drm-virtio-Fix-GEM-handle-creation-UAF.patch (git-fixes CVE-2022-48899 bsc#1229536). - Update patches.suse/gsmi-fix-null-deref-in-gsmi_get_variable.patch (git-fixes CVE-2023-52893 bsc#1229535). - Update patches.suse/hwmon-Handle-failure-to-register-sensor-with-thermal.patch (git-fixes CVE-2022-48942 bsc#1229612). - Update patches.suse/ibmvnic-free-reset-work-item-when-flushing.patch (bsc#1196516 ltc#196391 CVE-2022-48905 bsc#1229604). - Update patches.suse/ice-fix-concurrent-reset-and-removal-of-VFs.patch (git-fixes CVE-2022-48941 bsc#1229614). - Update patches.suse/iio-adc-men_z188_adc-Fix-a-resource-leak-in-an-error.patch (git-fixes CVE-2022-48928 bsc#1229626). - Update patches.suse/iio-adc-tsc2046-fix-memory-corruption-by-preventing-.patch (git-fixes CVE-2022-48927 bsc#1229628). - Update patches.suse/io_uring-add-a-schedule-point-in-io_add_buffers.patch (git-fixes CVE-2022-48937 bsc#1229617). - Update patches.suse/iommu-amd-Fix-I-O-page-table-memory-leak (git-fixes CVE-2022-48904 bsc#1229603). - Update patches.suse/iommu-vt-d-fix-double-list_add-when-enabling-vmd-in-scalable-mode (bsc#1196894 CVE-2022-48916 bsc#1229638). - Update patches.suse/iwlwifi-mvm-check-debugfs_dir-ptr-before-use.patch (git-fixes CVE-2022-48918 bsc#1229636). - Update patches.suse/ixgbe-fix-pci-device-refcount-leak.patch (jsc#SLE-18384 CVE-2022-48896 bsc#1229540). - Update patches.suse/misc-fastrpc-Don-t-remove-map-on-creater_process-and.patch (git-fixes CVE-2022-48873 bsc#1229512). - Update patches.suse/misc-fastrpc-Fix-use-after-free-race-condition-for-m.patch (git-fixes CVE-2022-48872 bsc#1229510). - Update patches.suse/net-mlx5-DR-Fix-slab-out-of-bounds-in-mlx5_cmd_dr_cr.patch (jsc#SLE-19253 CVE-2022-48932 bsc#1229622). - Update patches.suse/net-smc-fix-connection-leak (git-fixes CVE-2022-48909 bsc#1229611). - Update patches.suse/nfc-pn533-Wait-for-out_urb-s-completion-in-pn533_usb.patch (git-fixes CVE-2023-52907 bsc#1229526). - Update patches.suse/nfp-flower-Fix-a-potential-leak-in-nfp_tunnel_add_sh.patch (git-fixes CVE-2022-48934 bsc#1229620). - Update patches.suse/nilfs2-fix-general-protection-fault-in-nilfs_btree_i.patch (git-fixes CVE-2023-52900 bsc#1229581). - Update patches.suse/octeontx2-pf-Fix-resource-leakage-in-VF-driver-unbin.patch (git-fixes CVE-2023-52905 bsc#1229528). - Update patches.suse/platform-surface-aggregator-Add-missing-call-to-ssam.patch (git-fixes CVE-2022-48880 bsc#1229557). - Update patches.suse/regulator-da9211-Use-irq-handler-when-ready.patch (git-fixes CVE-2022-48891 bsc#1229565). - Update patches.suse/sched-fair-Fix-fault-in-reweight_entity.patch (git fixes (sched/core) CVE-2022-48921 bsc#1229635). - Update patches.suse/scsi-storvsc-Fix-swiotlb-bounce-buffer-leak-in-confi.patch (bsc#1206006 CVE-2022-48890 bsc#1229544). - Update patches.suse/spi-spi-zynq-qspi-Fix-a-NULL-pointer-dereference-in-.patch (git-fixes CVE-2021-4441 bsc#1229598). - Update patches.suse/thermal-core-Fix-TZ_GET_TRIP-NULL-pointer-dereferenc.patch (git-fixes CVE-2022-48915 bsc#1229639). - Update patches.suse/thermal-int340x-fix-memory-leak-in-int3400_notify.patch (git-fixes CVE-2022-48924 bsc#1229631). - Update patches.suse/tty-fix-possible-null-ptr-defer-in-spk_ttyio_release.patch (git-fixes CVE-2022-48870 bsc#1229508). - Update patches.suse/tty-serial-qcom-geni-serial-fix-slab-out-of-bounds-o.patch (git-fixes CVE-2022-48871 bsc#1229509). - Update patches.suse/usb-gadget-f_ncm-fix-potential-NULL-ptr-deref-in-ncm.patch (git-fixes CVE-2023-52894 bsc#1229566). - Update patches.suse/usb-gadget-rndis-add-spinlock-for-rndis-response-lis.patch (git-fixes CVE-2022-48926 bsc#1229629). - Update patches.suse/usb-xhci-Check-endpoint-is-valid-before-dereferencin.patch (git-fixes CVE-2023-52901 bsc#1229531). - Update patches.suse/wifi-mac80211-sdata-can-be-NULL-during-AMPDU-start.patch (git-fixes CVE-2022-48875 bsc#1229516). - Update patches.suse/xen-netfront-destroy-queues-before-real_num_tx_queue.patch (git-fixes CVE-2022-48914 bsc#1229642). - Update patches.suse/xhci-Fix-null-pointer-dereference-when-host-dies.patch (git-fixes CVE-2023-52898 bsc#1229568). - commit 5c5e4d7 - mm: prevent derefencing NULL ptr in pfn_section_valid() (git-fixes). - commit d77caa1 - mm, kmsan: fix infinite recursion due to RCU critical section (git-fixes). - commit 1702784 - mm/sparsemem: fix race in accessing memory_section-&gt;usage (bsc#1221326 CVE-2023-52489). - commit 606bd9b - jfs: Fix shift-out-of-bounds in dbDiscardAG (bsc#1229792 CVE-2024-44938). - commit 8003b7e - ata: libata-core: Fix double free on error (CVE-2024-41087,bsc#1228466). - commit b5892ca - exec: Fix ToCToU between perm check and set-uid/gid usage (CVE-2024-43882 bsc#1229503). - commit 83a7456 - netfilter: nf_tables: unregister flowtable hooks on netns exit (CVE-2022-48935 bsc#1229619) - commit 3e33f70 - netfilter: fix use-after-free in __nf_register_net_hook() (CVE-2022-48912 bsc#1229641) - commit f8f42c3 - rpm/check-for-config-changes: Exclude ARCH_USING_PATCHABLE_FUNCTION_ENTRY gcc version dependent, at least on ppc - commit 16da158 - scsi: smartpqi: Expose SAS address for SATA drives (bsc#1223958). - commit 6711c21 - net/iucv: fix use after free in iucv_sock_close() (CVE-2024-42271 bsc#1229400 bsc#1228974). - commit 82bb6f3 - Update patches.suse/drm-amdkfd-don-t-allow-mapping-the-MMIO-HDP-page-wit.patch (CVE-2024-41011 bsc#1228115 bsc#1228114). - Update patches.suse/powerpc-pseries-Fix-scv-instruction-crash-with-kexec.patch (bsc#1194869 CVE-2024-42230 bsc#1228489). - commit f6019c1 - libceph: fix race between delayed_work() and ceph_monc_stop() (bsc#1228959 CVE-2024-42232). - commit 27160c2 - rpm/kernel-binary.spec.in: fix klp_symbols macro The commit below removed openSUSE filter from %ifs of the klp_symbols definition. But it removed -c of grep too and that causes: error: syntax error in expression: 01 &amp;&amp; ( || 1 ) error: ^ error: unmatched (: 01 &amp;&amp; ( || 1 ) error: ^ error: kernel-default.spec:137: bad %if condition: 01 &amp;&amp; ( || 1 ) So reintroduce -c to the PTF's grep. Fixes: fd0b293bebaf (kernel-binary.spec.in: Enable klp_symbols on openSUSE Tumbleweed (boo#1229042).) - commit 4a36fe3 - kernel-binary.spec.in: Enable klp_symbols on openSUSE Tumbleweed (boo#1229042). After the Jump project the kernel used by SLE and openSUSE Leap are the same. As consequence the klp_symbols variable is set, enabling kernel-default-livepatch-devel on both SLE and openSUSE. The current rules to avoid enabling the package exclude openSUSE Tumbleweed alone, which doesn't makes sense for now. Enabling kernel-default-livepatch-devel on TW makes it easier to test the creation of kernel livepatches of the next SLE versions. - commit fd0b293 - Update patches.suse/powerpc-Avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch (bsc#1221645 ltc#205739 bsc#1223191 CVE-2024-42126 bsc#1228718). Add CVE references. - commit 637c320 - Update patches.suse/0001-ocfs2-fix-DIO-failure-due-to-insufficient-transactio.patch (bsc#1216834 CVE-2024-42077 bsc#1228516). Add CVE references. - commit 8360e90 - ax25: Fix refcount imbalance on inbound connections (CVE-2024-40910 bsc#1227832). - commit 12cb329 - config.sh: generate and install compile_commands.json (bsc#1228971) This file contains the command line options used to compile every C file. It's useful for the livepatching team. - kernel-binary: generate and install compile_commands.json (bsc#1228971) This file contains the command line options used to compile every C file. It's useful for the livepatching team. - commit 314f719 - packaging: Add case-sensitive perl option parsing A recent change in Getopt::Long [1]: Changes in version 2.55 - ---------------------- * Fix long standing bug that duplicate options were not detected when the options differ in case while ignore_case is in effect. This will now yield a warning and become a fatal error in a future release. perl defaults to ignore_case by default, switch it off to avoid accidental misparsing of options. This was suggested after similar change in scripts/. - commit e978477 - btrfs: sysfs: update fs features directory asynchronously (bsc#1226168). - commit 97cd90c - ima: Fix use-after-free on a dentry's dname.name (bsc#1227716 CVE-2024-39494). - commit 81484ec - ASoC: topology: Fix route memory corruption (CVE-2024-41069 bsc#1228644). - commit 586db1a - net: do not leave a dangling sk pointer, when socket creation fails (CVE-2024-40954 bsc#1227808) - commit 8f44f81 - check-for-config-changes: ignore also GCC_ASM_GOTO_OUTPUT_BROKEN Mainline commit f2f6a8e88717 (&quot;init/Kconfig: remove CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND&quot;) replaced GCC_ASM_GOTO_OUTPUT_WORKAROUND with GCC_ASM_GOTO_OUTPUT_BROKEN. Ignore both when checking config changes. - commit b60be3e - IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145) - commit 810053d - ptp: fix integer overflow in max_vclocks_store (bsc#1227829 CVE-2024-40994). - commit 205cc4c - filelock: Remove locks reliably when fcntl/close race is detected (CVE-2024-41012 bsc#1228247). - commit e2c5917 - Update patches.suse/KVM-Always-flush-async-PF-workqueue-when-vCPU-is-being-des.patch (bsc#1223635 (CVE-2024-26976) CVE-2024-26976). - Update patches.suse/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch (bsc#1227383 CVE-2024-40902 bsc#1227764). - Update patches.suse/vfio-fsl-mc-Block-calling-interrupt-handler-without-trigge.patch (bsc#1222810 (CVE-2024-26814) CVE-2024-26814). - Update patches.suse/vfio-platform-Create-persistent-IRQ-handlers.patch (bsc#1222809 (CVE-2024-26813) CVE-2024-26813). - commit 39eeeb9 - Update patches.suse/SUNRPC-Fix-UAF-in-svc_tcp_listen_data_ready.patch (git-fixes CVE-2023-52885 bsc#1227750). - Update patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch (bsc#1213123 CVE-2023-37453 CVE-2023-52886 bsc#1227981). - Update patches.suse/virtio-blk-fix-implicit-overflow-on-virtio_max_dma_size.patch (bsc#1225573 (CVE-2023-52762) CVE-2023-52762). - commit 3784f34 - Update patches.suse/HID-hid-thrustmaster-fix-OOB-read-in-thrustmaster_in.patch (git-fixes CVE-2022-48866 bsc#1228014). - Update patches.suse/Input-aiptek-properly-check-endpoint-type.patch (git-fixes CVE-2022-48836 bsc#1227989). - Update patches.suse/KVM-x86-nSVM-fix-potential-NULL-derefernce-on-nested.patch (git-fixes CVE-2022-48793 bsc#1228019). - Update patches.suse/NFC-port100-fix-use-after-free-in-port100_send_compl.patch (git-fixes CVE-2022-48857 bsc#1228005). - Update patches.suse/NFSD-Fix-NFSv3-SETATTR-CREATE-s-handling-of-large-fi.patch (git-fixes CVE-2022-48829 bsc#1228055). - Update patches.suse/NFSD-Fix-ia_size-underflow.patch (git-fixes CVE-2022-48828 bsc#1228054). - Update patches.suse/NFSD-Fix-the-behavior-of-READ-near-OFFSET_MAX.patch (bsc#1195957 CVE-2022-48827 bsc#1228037). - Update patches.suse/SUNRPC-lock-against-sock-changing-during-sysfs-read.patch (bsc#1194324 CVE-2022-48816 bsc#1228038). - Update patches.suse/can-isotp-fix-potential-CAN-frame-reception-race-in-.patch (git-fixes CVE-2022-48830 bsc#1227982). - Update patches.suse/cfg80211-fix-race-in-netlink-owner-interface-destruc.patch (git-fixes CVE-2022-48784 bsc#1227938). - Update patches.suse/dmaengine-ptdma-Fix-the-error-handling-path-in-pt_co.patch (git-fixes CVE-2022-48774 bsc#1227923). - Update patches.suse/drm-amdgpu-bypass-tiling-flag-check-in-virtual-displ.patch (git-fixes CVE-2022-48849 bsc#1228061). - Update patches.suse/drm-vc4-Fix-deadlock-on-DSI-device-attach-error.patch (git-fixes CVE-2022-48826 bsc#1227975). - Update patches.suse/drm-vrr-Set-VRR-capable-prop-only-if-it-is-attached-.patch (git-fixes CVE-2022-48843 bsc#1228066). - Update patches.suse/eeprom-ee1004-limit-i2c-reads-to-I2C_SMBUS_BLOCK_MAX.patch (git-fixes CVE-2022-48806 bsc#1227948). - Update patches.suse/ethernet-Fix-error-handling-in-xemaclite_of_probe.patch (git-fixes CVE-2022-48860 bsc#1228008). - Update patches.suse/fs-proc-task_mmu.c-don-t-read-mapcount-for-migration-entry.patch (CVE-2023-1582 bsc#1209636 CVE-2022-48802 bsc#1227942). - Update patches.suse/gianfar-ethtool-Fix-refcount-leak-in-gfar_get_ts_inf.patch (git-fixes CVE-2022-48856 bsc#1228004). - Update patches.suse/iavf-Fix-hang-during-reboot-shutdown.patch (jsc#SLE-18385 CVE-2022-48840 bsc#1227990). - Update patches.suse/ibmvnic-don-t-release-napi-in-__ibmvnic_open.patch (bsc#1195668 ltc#195811 CVE-2022-48811 bsc#1227928). - Update patches.suse/ice-Fix-KASAN-error-in-LAG-NETDEV_UNREGISTER-handler.patch (git-fixes CVE-2022-48807 bsc#1227970). - Update patches.suse/ice-Fix-race-condition-during-interface-enslave.patch (git-fixes CVE-2022-48842 bsc#1228064). - Update patches.suse/ice-fix-NULL-pointer-dereference-in-ice_update_vsi_t.patch (jsc#SLE-18375 CVE-2022-48841 bsc#1227991). - Update patches.suse/iio-buffer-Fix-file-related-error-handling-in-IIO_BU.patch (git-fixes CVE-2022-48801 bsc#1227956). - Update patches.suse/ima-fix-reference-leak-in-asymmetric_verify.patch (git-fixes CVE-2022-48831 bsc#1227986). - Update patches.suse/iommu-Fix-potential-use-after-free-during-probe (git-fixes CVE-2022-48796 bsc#1228028). - Update patches.suse/iwlwifi-fix-use-after-free.patch (bsc#1197762 git-fixes CVE-2022-48787 bsc#1227932). - Update patches.suse/mISDN-Fix-memory-leak-in-dsp_pipeline_build.patch (git-fixes CVE-2022-48863 bsc#1228063). - Update patches.suse/misc-fastrpc-avoid-double-fput-on-failed-usercopy.patch (git-fixes CVE-2022-48821 bsc#1227976). - Update patches.suse/mm-don-t-try-to-NUMA-migrate-COW-pages-that-have-other-uses.patch (git fixes (mm/numa) CVE-2022-48797 bsc#1228035). - Update patches.suse/mm-vmscan-remove-deadlock-due-to-throttling.patch (bsc#1195357 CVE-2022-48800 bsc#1227954). - Update patches.suse/msft-hv-2515-Drivers-hv-vmbus-Fix-memory-leak-in-vmbus_add_channe.patch (git-fixes CVE-2022-48775 bsc#1227924). - Update patches.suse/mtd-parsers-qcom-Fix-kernel-panic-on-skipped-partiti.patch (git-fixes CVE-2022-48777 bsc#1227922). - Update patches.suse/mtd-parsers-qcom-Fix-missing-free-for-pparts-in-clea.patch (git-fixes CVE-2022-48776 bsc#1227925). - Update patches.suse/mtd-rawnand-gpmi-don-t-leak-PM-reference-in-error-pa.patch (git-fixes CVE-2022-48778 bsc#1227935). - Update patches.suse/net-dsa-ar9331-register-the-mdiobus-under-devres.patch (git-fixes CVE-2022-48817 bsc#1227931). - Update patches.suse/net-dsa-bcm_sf2-don-t-use-devres-for-mdiobus.patch (git-fixes CVE-2022-48815 bsc#1227933). - Update patches.suse/net-dsa-felix-don-t-use-devres-for-mdiobus.patch (git-fixes CVE-2022-48813 bsc#1227963). - Update patches.suse/net-dsa-lantiq_gswip-don-t-use-devres-for-mdiobus.patch (git-fixes CVE-2022-48812 bsc#1227971). - Update patches.suse/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_rem.patch (git-fixes CVE-2022-48783 bsc#1227949). - Update patches.suse/net-dsa-mv88e6xxx-don-t-use-devres-for-mdiobus.patch (git-fixes CVE-2022-48818 bsc#1228039). - Update patches.suse/net-dsa-seville-register-the-mdiobus-under-devres.patch (git-fixes CVE-2022-48814 bsc#1227944). - Update patches.suse/net-ieee802154-at86rf230-Stop-leaking-skb-s.patch (git-fixes CVE-2022-48794 bsc#1228025). - Update patches.suse/net-marvell-prestera-Add-missing-of_node_put-in-pres.patch (git-fixes CVE-2022-48859 bsc#1228007). - Update patches.suse/net-mlx5-Fix-a-race-on-command-flush-flow.patch (git-fixes CVE-2022-48858 bsc#1228006). - Update patches.suse/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch (CVE-2022-20368 bsc#1202346 CVE-2022-48839 bsc#1227985). - Update patches.suse/net-smc-Avoid-overwriting-the-copies-of-clcsock-callback-functions (git-fixes CVE-2022-48780 bsc#1227995). - Update patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch (bsc#1196018 CVE-2022-28748 bsc#1202686 CVE-2022-2964 CVE-2022-48805 bsc#1227969). - Update patches.suse/nvme-fix-a-possible-use-after-free-in-controller-res.patch (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48790 bsc#1227941). - Update patches.suse/nvme-rdma-fix-possible-use-after-free-in-transport-e.patch (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48788 bsc#1227952). - Update patches.suse/nvme-tcp-fix-possible-use-after-free-in-transport-er.patch (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48789 bsc#1228000). - Update patches.suse/perf-Fix-list-corruption-in-perf_cgroup_switch.patch (git fixes CVE-2022-48799 bsc#1227953). - Update patches.suse/phy-stm32-fix-a-refcount-leak-in-stm32_usbphyc_pll_e.patch (git-fixes CVE-2022-48820 bsc#1227972). - Update patches.suse/phy-ti-Fix-missing-sentinel-for-clk_div_table.patch (git-fixes CVE-2022-48803 bsc#1227965). - Update patches.suse/s390-cio-verify-the-driver-availability-for-path_event-call (bsc#1195927 LTC#196420 CVE-2022-48798 bsc#1227945). - Update patches.suse/scsi-mpt3sas-Page-fault-in-reply-q-processing.patch (git-fixes CVE-2022-48835 bsc#1228060). - Update patches.suse/scsi-myrs-Fix-crash-in-error-case.patch (git-fixes CVE-2022-48824 bsc#1227964). - Update patches.suse/scsi-pm8001-Fix-use-after-free-for-aborted-SSP-STP-sas_task.patch (git-fixes CVE-2022-48792 bsc#1228013). - Update patches.suse/scsi-pm8001-Fix-use-after-free-for-aborted-TMF-sas_task.patch (git-fixes CVE-2022-48791 bsc#1228002). - Update patches.suse/scsi-qedf-Add-stag_work-to-all-the-vports.patch (git-fixes CVE-2022-48825 bsc#1228056). - Update patches.suse/scsi-qedf-Fix-refcount-issue-when-LOGO-is-received-during-TMF.patch (git-fixes CVE-2022-48823 bsc#1228045). - Update patches.suse/staging-gdm724x-fix-use-after-free-in-gdm_lte_rx.patch (git-fixes CVE-2022-48851 bsc#1227997). - Update patches.suse/swiotlb-fix-info-leak-with-DMA_FROM_DEVICE.patch (CVE-2022-0854 bsc#1196823 CVE-2022-48853 bsc#1228015). - Update patches.suse/usb-f_fs-Fix-use-after-free-for-epfile.patch (git-fixes CVE-2022-48822 bsc#1228040). - Update patches.suse/usb-gadget-Fix-use-after-free-bug-by-not-setting-udc.patch (git-fixes CVE-2022-48838 bsc#1227988). - Update patches.suse/usb-gadget-rndis-prevent-integer-overflow-in-rndis_s.patch (git-fixes CVE-2022-48837 bsc#1227987). - Update patches.suse/usb-usbtmc-Fix-bug-in-pipe-direction-for-control-tra.patch (git-fixes CVE-2022-48834 bsc#1228062). - Update patches.suse/vdpa-fix-use-after-free-on-vp_vdpa_remove.patch (git-fixes CVE-2022-48861 bsc#1228009). - Update patches.suse/vhost-fix-hung-thread-due-to-erroneous-iotlb-entries.patch (git-fixes CVE-2022-48862 bsc#1228010). - Update patches.suse/vsock-remove-vsock-from-connected-table-when-connect.patch (git-fixes CVE-2022-48786 bsc#1227996). - Update patches.suse/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch (git-fixes CVE-2022-48804 bsc#1227968). - Update patches.suse/watch_queue-Fix-filter-limit-check.patch (CVE-2022-0995 bsc#1197246 CVE-2022-48847 bsc#1227993). - Update patches.suse/xprtrdma-fix-pointer-derefs-in-error-cases-of-rpcrdm.patch (git-fixes CVE-2022-48773 bsc#1227921). - commit e328ee7 - Update patches.suse/net-sunrpc-fix-reference-count-leaks-in-rpc_sysfs_xp.patch (git-fixes CVE-2021-47624 bsc#1227920). - Update patches.suse/scsi-ufs-Fix-a-deadlock-in-the-error-handler.patch (git-fixes CVE-2021-47622 bsc#1227917). - commit f2d923e - nvme_core: scan namespaces asynchronously (bsc#1224105). - commit c8086f4 - cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801). - commit 8837200 - net/dpaa2: Avoid explicit cpumask var allocation on stack (CVE-2024-42093 bsc#1228680). - commit e2a1614 - workqueue: Improve scalability of workqueue watchdog touch (bsc#1193454). - commit 51a7eb4 - workqueue: wq_watchdog_touch is always called with valid CPU (bsc#1193454). - commit 10bbd80 - KVM: arm64: Disassociate vcpus from redistributor region on teardown (CVE-2024-40989 bsc#1227823). - commit 724dd5c - ASoC: topology: Fix references to freed memory (CVE-2024-41069 bsc#1228644). - commit 44dd0c7 - Update patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch (bsc#1221044 CVE-2023-52591 bsc#1228440). - commit d21f810 - hfsplus: fix uninit-value in copy_name (bsc#1228561 CVE-2024-41059). - commit cfc2db1 - dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (CVE-2024-40956 bsc#1227810). - commit 3632d87 - ocfs2: fix DIO failure due to insufficient transaction credits (bsc#1216834). - commit edabc6f - tap: add missing verification for short frame (CVE-2024-41090 bsc#1228328). - commit e64bcfc - bpf: Fix overrunning reservations in ringbuf (bsc#1228020 CVE-2024-41009). - commit e559e61 - rpm/guards: fix precedence issue with control flow operator With perl 5.40 it report the following error on rpm/guards script: Possible precedence issue with control flow operator (exit) at scripts/guards line 208. Fix the issue by adding parenthesis around ternary operator. - commit 07b8b4e - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages (CVE-2024-41011 bsc#1228115). - commit ff8f843 - 9p: add missing locking around taking dentry fid list (bsc#1227090, CVE-2024-39463). - commit c58a66f - sch_cake: do not call cake_destroy() from cake_init() (CVE-2021-47598 bsc#1226574). - commit d533b8e - gve: Clear napi-&gt;skb before dev_kfree_skb_any() (CVE-2024-40937 bsc#1227836). - commit 610d469 - Update patches.suse/powerpc-pseries-iommu-LPAR-panics-during-boot-up-wit.patch (bsc#1222011 ltc#205900 CVE-2024-36926 bsc#1225829). - commit 1ec0d1e - Update patches.suse/perf-x86-intel-pt-Fix-crash-with-stop-filters-in-single-range-mode.patch (git fixes CVE-2022-48713 bsc#1227549). - Update patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch (bsc#1226758 CVE-2024-38559 bsc#1226785). - Update patches.suse/tls-fix-use-after-free-on-failed-backlog-decryption.patch (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186 CVE-2024-26800 bsc#1222728). - commit 329a684 - vfio/fsl-mc: Block calling interrupt handler without trigger (bsc#1222810 CVE-2024-26814). - commit 520ae3c - KVM: Always flush async #PF workqueue when vCPU is being destroyed (bsc#1223635 CVE-2024-26976). - commit c5ed396 - virtio-blk: fix implicit overflow on virtio_max_dma_size (bsc#1225573 CVE-2023-52762). - commit 4296dc1 - vfio/platform: Create persistent IRQ handlers (bsc#1222809 CVE-2024-26813). - commit a8290e8 - net: mana: Fix Rx DMA datasize and skb_over_panic (git-fixes CVE-2024-35901 bsc#1224495). - commit 9db7ad0 - Update patches.suse/net-tls-factor-out-tls_-crypt_async_wait.patch. - fix build warning - commit 01715f7 - powerpc/pseries: Fix scv instruction crash with kexec (bsc#1194869 CVE-2024-42230). - powerpc/kasan: Disable address sanitization in kexec paths (bsc#1194869 CVE-2024-42230). - commit c9d175f - kernel-binary: vdso: Own module_dir - commit ff69986 - Update patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch (bsc#1226785 CVE-2024-38559). Fixed incorrect bug reference. - commit e3b8fb6 - net/dcb: check for detached device before executing callbacks (bsc#1215587). - commit 9c27e1c - kABI: rtas: Workaround false positive due to lost definition (bsc#1227487). - commit fb8a8f3 - powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() (bsc#1227487). - commit 9648fb4 - tls: fix use-after-free on failed backlog decryption (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: separate no-async decryption request handling from async (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: decrement decrypt_pending if no async completion will be called (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - net: tls: handle backlogging of crypto requests (CVE-2024-26584 bsc#1220186). - tls: fix race between tx work scheduling and socket close (CVE-2024-26585 bsc#1220187). - tls: fix race between async notify and socket close (CVE-2024-26583 bsc#1220185). - net: tls: factor out tls_*crypt_async_wait() (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - net: tls: fix async vs NIC crypto offload (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: use async as an in-out argument (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: assume crypto always calls our callback (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: don't track the async count (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: simplify async wait (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: wrap decryption arguments in a structure (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: don't report text length from the bowels of decrypt (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: drop unnecessary arguments from tls_setup_from_iter() (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - commit 63dd4a4 - Delete patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch. Will be replaced with a refreshed version once all conflicting new patches are in. - commit a0fa0a3 - NFS: Reduce use of uncached readdir (bsc#1226662). - NFS: Don't re-read the entire page cache to find the next cookie (bsc#1226662). - commit a10cc0e - jfs: xattr: fix buffer overflow for invalid xattr (bsc#1227383). - commit 33e2d96 Package avahi was updated: - prerequire avahi in avahi-autipd as we user &quot;user avahi&quot; - Add avahi-CVE-2024-52616.patch: Backporting 1dade81c from upstream: Properly randomize query id of DNS packets. (CVE-2024-52616, bsc#1233420) - Add avahi-filter-bogus-services.patch: no longer supply bogus services to callbacks (bsc#1226586). Package util-linux was updated: - Skip aarch64 decode path for rest of the architectures (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch). - agetty: Prevent login cursor escape (bsc#1194818, util-linux-agetty-prevent-cursor-escape.patch). Package expat was updated: - security update- added patches fix CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser + expat-CVE-2024-50602.patch - Security fix (bsc#1229932, CVE-2024-45492): detect integer overflow in function nextScaffoldPart * Added expat-CVE-2024-45492.patch - Security fix (bsc#1229931, CVE-2024-45491): detect integer overflow in dtdCopy * Added expat-CVE-2024-45491.patch - Security fix (bsc#1229930, CVE-2024-45490): reject negative len for XML_ParseBuffer * Added expat-CVE-2024-45490.patch Package ncurses was updated: - Add patch ncurses-6.1-boo1229028.patch (boo#1229028) * Allow that terminal description based on static fallback entries can be freed. Package openssl-1_1 was updated: - Security fix: [bsc#1220262, CVE-2023-50782] * Implicit rejection in PKCS#1 v1.5 * Add openssl-CVE-2023-50782.patch - Build with no-afalgeng [bsc#1226463] - Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch Package libpcap was updated: - enable rdma support (bsc#1230894) - Security fix: [bsc#1230034, CVE-2024-8006] * libpcap: NULL pointer derefence in pcap_findalldevs_ex() * Add libpcap-CVE-2024-8006.patch - Security fix: [bsc#1230020, CVE-2023-7256] * libpcap: double free via addrinfo in sock_initaddress() * Add libpcap-CVE-2023-7256.patch Package python3 was updated: - Remove -IVendor/ from python-config boo#1231795- Fix CVE-2024-11168-validation-IPv6-addrs.patch - PGO run of build freezes with parallel processing, switch to -j1 - Add CVE-2024-11168-validation-IPv6-addrs.patch fixing bsc#1233307 (CVE-2024-11168, gh#python/cpython#103848): Improper validation of IPv6 and IPvFuture addresses. - Add CVE-2024-9287-venv_path_unquoted.patch to properly quote path names provided when creating a virtual environment (bsc#1232241, CVE-2024-9287) - Drop .pyc files from docdir for reproducible builds (bsc#1230906). - Add CVE-2024-6232-ReDOS-backtrack-tarfile.patch prevent ReDos via excessive backtracking while parsing header values (bsc#1230227, CVE-2024-6232). - Add CVE-2024-5642-switch-off-NPN.patch switching off the NPN support eliminating bsc#1227233 (CVE-2024-5642). - Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923). - Add CVE-2024-7592-quad-complex-cookies.patch fixing quadratic complexity in parsing cookies with backslashes (bsc#1229596, CVE-2024-7592) - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999) - Remove %suse_update_desktop_file macro as it is not useful any more. - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). Package ruby2.5 was updated: - backport REXML from 3.3 - fix denial of service when parsing a XML that has many deep elements with the same local name attributes (boo#1229673 CVE-2024-43398) - fix denial of service when parsing an XML that contains many specific characters such as whitespaces, &gt;] and ]&gt; (boo#1228794 CVE-2024-41123) - fix denial of service when parsing an XML that has many entity expansions with SAX2 or pull parser API (boo#1228799 CVE-2024-41946) - fix denial of service when parsing an XML that has many left angled brackets in an attribute value (boo#1224390 CVE-2024-35176) - fix ReDoS when parsing an XML that has many specific characters (boo#1228072 CVE-2024-39908) Package libsolv was updated: - fix replaces_installed_package using the wrong solvable id when checking the noupdate map - make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard - add rpm_query_idarray query function - support rpm's &quot;orderwithrequires&quot; dependency - bump version to 0.7.31 - removed dependency on external find program in the repo2solv tool - bindings: fix return value of repodata.add_solv() - new SOLVER_FLAG_FOCUS_NEW flag - bump version to 0.7.30 Package suseconnect-ng was updated: - Update version to 1.13: - Integrating uptime-tracker - Honor auto-import-gpg-keys flag on migration (bsc#1231328) - Only send labels if targetting SCC - Skip the docker auth generation on RMT (bsc#1231185) - Add --set-labels to register command to set labels at registration time on SCC - Add a new function to display suse-uptime-tracker version - Integrate with uptime-tracker ( https://github.com/SUSE/uptime-tracker/ ) - Add a command to show the info being gathered - Update version to 1.12: - Set the filesystem root on zypper when given (bsc#1230229,bsc#1229014) Package systemd was updated: - Import commit cba472567893618e15b4ab95a3cb0a762ad3ed10 0e8c003e1f core/unit: increase the NameOwnerChanged/GetNameOwner timeout to the unit's start timeout (bsc#1230272) 621e16c0b8 core/unit: add get_timeout_start_usec in UnitVTable and define it for service b4140d888a sd-bus: make bus_add_match_full accept timeout 81cb3a4fb5 udev-builtin-path_id: SAS wide ports must have num_phys &gt; 1 (bsc#1231610) 533e98fc6b sd-device: add helper to read a unsigned int attribute - Import commit a57a6d239c5d6b91fb3dcd269705e60804a03ae1 cd0c9ac4f4 unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414) e1eaa86a49 udev: do not set ID_PATH and by-path symlink for nvmf disks a85d211874 man: Document ranges for distributions config files and local config files - Don't mention any rpm macros inside comments, even if escaped (bsc#1228091) Otherwise pesign-obs-integration ends up re-packaging systemd with all macros inside comments unescaped leading to unpredictable behavior. Now why rpm expands rpm macros inside comments is the question... - Update 1011-sysv-generator-add-back-support-for-SysV-scripts-for.patch Really skip redundant dependencies specified the LSB description that references the file name of the service itself for early boot scripts (noticed in bsc#1221479). Package libzypp was updated: - Url: queryparams without value should not have a trailing &quot;=&quot;.- version 17.35.16 (35) - Url query part: `=` is a safe char in value (bsc#1234304) - RpmDb: Recognize rpmdb.sqlite as database file (#593) - Fix typo (fixes #592) - cmake: check location of fcgi header and adjust include accordingly. On Debian and derivatives the fcgi headers are not stored in a fastcgi/ subdirectory.(#590) - version 17.35.15 (35) - The 20MB download limit must not apply to non-metadata files like package URLs provided via the CLI (bsc#1233393). - version 17.35.14 (35) - BuildCache: Don't try to retrieve missing raw metadata if no permission to write the cache (bsc#1225451) - RepoManager: throw RepoNoPermissionException if the user has no permission to update(write) the caches (bsc#1225451) - version 17.35.13 (35) - PluginFrame: Send unescaped colons in header values (bsc#1231043) According to the STOMP protocol it would be correct to escape a colon in a header-value, but it breaks plugin receivers which do not expect this. The first colon separates header-name from header-value, so escaping in the header-value is not needed anyway. Escaping in the header-value affects especially the urlresolver plugins. The input URL is passed in a header, but sent back as raw data in the frames body. If the plugin receiver does not correctly unescape the URL we may get back a &quot;https\c//&quot; which is not usable. - Do not ignore return value of std::remove_if in MediaSyncFacade (fixes #579) - Fix hang in curl code with no network connection (bsc#1230912) - version 17.35.12 (35) - Deprecate librpmDb::db_const_iterator default ctor (bsc#1230267) It's preferred to explicitly tell the root directory of the system whose database you want to query. - version 17.35.11 (35) - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - Conflicts: zypper &lt;= 1.14.76 - version 17.35.10 (35) - single_rpmtrans: fix installation of .src.rpms (bsc#1228647) - version 17.35.9 (35) - Make sure not to statically linked installed tools (bsc#1228787) - version 17.35.8 (35) - MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208) - version 17.35.7 (35) - Export CredentialManager for legacy YAST versions (bsc#1228420) - version 17.35.6 (35) - Export asSolvable for YAST (bsc#1228420) - Fix 4 typos in zypp.conf. - version 17.35.5 (35) - Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - version 17.35.4 (35) - Translation: updated .pot file. - Conflict with python zypp-plugin &lt; 0.6.4 (bsc#1227793) Older zypp-plugins reject stomp headers including a '-'. Like the 'content-length' header we may send. - Fix int overflow in Provider (fixes #559) This patch fixes an issue in safe_strtonum which caused timestamps to overflow in the Provider message parser. - Fix error reporting on repoindex.xml parse error (bsc#1227625) - version 17.35.3 (35) - Keep UrlResolverPlugin API public (fixes #560) - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) Buddy pairs (like -release package and product) internally share the same status object. When applying locks from query results the locked bit must be set if either item is locked. - version 17.35.2 (35) - Install zypp/APIConfig.h legacy include (fixes #557) - version 17.35.1 (35) - Update soname due to RepoManager refactoring and cleanup. - version 17.35.0 (35) - Workaround broken libsolv-tools-base requirements (fixes openSUSE/zypper#551) - Strip ssl_clientkey from repo urls (bsc#1226030) - Remove protobuf build dependency. - Lazily attach medium during refresh workflows (bsc#1223094) - Refactor RepoManager and add Service workflows. - version 17.34.2 (34) Package shadow was updated: - bsc#1230972: Add useradd warnings when requested UID is outside the default range - add shadow-bsc1230972-useradd-warning.patch - bsc#1228337: chage -d date vs passwd -S output is off by one Remove shadow-bsc1176006-chage-date.patch Package logrotate was updated: - Backport 'ignoreduplicates' configuration flag (jsc#PED-10366) * Added patch logrotate-ignore-duplicates.patch * Allows log processing with duplicate logfile matches Package mozilla-nss was updated: - Updated nss-fips-approved-crypto-non-ec.patch to enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Package pam-config was updated: - Change check for existence of modules. If we have a biarch architecture, we check that the 64bit PAM module is there and report an error if not. For the 32bit variant, we only issue a warning. [pam-config-change-check-for-existence-of-modules.patch, bsc#1227216] Package pam was updated: - Prevent cursor escape from the login prompt [bsc#1194818] * Added: pam-bsc1194818-cursor-escape.patch Package python-Jinja2 was updated: Package python-PyYAML was updated: Package salt was updated: - Fix failing x509 tests with OpenSSL &lt; 1.1- Avoid explicit reading of /etc/salt/minion (bsc#1220357) - Allow NamedLoaderContexts to be returned from loader - Revert the change making reactor less blocking (bsc#1230322) - Use --cachedir for extension_modules in salt-call (bsc#1226141) - Prevent using SyncWrapper with no reason - Fix the SELinux context for Salt Minion service (bsc#1219041) - Set contextvars as a build requirement for package - Increase warn_until_date date for code we still support - The test_debian test now uses port 80 for ubuntu keyserver - Fix too frequent systemd service restart in test_system test - Avoid crash on wrong output of systemctl version (bsc#1229539) - Improve error handling with different OpenSSL versions - Remove redundant run_func from salt.master.MWorker._handle_aes - Fix cloud minion configuration for multiple masters (bsc#1229109) - Use Pygit2 id instead of deprecated oid in gitfs - Fix few failing tests to work with both Salt and Salt bundle - Skip testing unsupported OpenSSL crypto algorithms - Added: * join-masters-if-it-is-a-list-671.patch * fix-deprecated-code-677.patch * fix-x509-test-fails-on-old-openssl-systems-682.patch * replace-use-of-pygit2-deprecated-and-removed-1.15.0-.patch * fix-the-selinux-context-for-salt-minion-service-bsc-.patch * avoid-crash-on-wrong-output-of-systemctl-version-bsc.patch * use-cachedir-for-extension_modules-in-salt-call-bsc-.patch * allow-namedloadercontexts-to-be-returned-from-loader.patch * prevent-using-syncwrapper-with-no-reason.patch * make-tests-compatible-with-venv-bundle.patch * fix-test_debian-to-work-in-our-infrastructure-676.patch * skip-more-tests-related-to-old-openssl-algorithms.patch * fix-test_system-flaky-setup_teardown-fn.patch * remove-redundant-run_func-from-salt.master.mworker._.patch * improve-error-handling-with-different-openssl-versio.patch * avoid-explicit-reading-of-etc-salt-minion-bsc-122035.patch * revert-the-change-making-reactor-less-blocking-bsc-1.patch - Fix rich rule comparison in firewalld module (bsc#1222684) - test_vultrpy: adjust test expectation to prevent failure after Debian 10 EOL - Make auth.pam more robust with Salt Bundle and fix tests - Fix performance of user.list_groups with many remote groups - Fix &quot;status.diskusage&quot; function and exclude some tests for Salt Bundle - Skip certain tests if necessary for some OSes and set flaky ones - Add a timer to delete old env post update for venv-minion - Several fixes for tests to avoid errors and failures in some OSes - Added: * test_vultrpy-adjust-test-expectation-to-prevent-fail.patch * skip-certain-tests-if-necessary-and-mark-some-flaky-.patch * some-more-small-tests-fixes-enhancements-661.patch * firewalld-normalize-new-rich-rules-before-comparing-.patch * several-fixes-for-tests-to-avoid-errors-and-failures.patch * provide-systemd-timer-unit.patch * fix-user.list_groups-omits-remote-groups.patch * fix-status.diskusage-and-exclude-some-tests-to-run-w.patch Package python3-setuptools was updated: - Add patch CVE-2024-6345-code-execution-via-download-funcs.patch: * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105) Package zypp-plugin was updated: - Fix stomp header regex to include '-' (bsc#1227793)- version 0.6.4 - singlespec in Tumbleweed must support multiple python3 flavors in the future gh#openSUSE/python-rpm-macros#66 - Provide python3-zypp-plugin down to SLE12 (bsc#1081596) - Provide python3-zypp-plugin in SLE12-SP3 (bsc#1081596) Package regionServiceClientConfigGCE was updated: - Version 4.2.0 (jsc#PCT-361) + Add IPv6 certs to supprt access of the update infrastructure via IPv6 on GCE instances. - Update to version 4.1.0 (bsc#1217538) + Replace 162.222.182.90 and 35.187.193.56 (length 4096): rgnsrv-gce-asia-northeast1 -&gt; 162.222.182.90 expires in 9 years rgnsrv-gce-us-central1 -&gt; 35.187.193.56 expires in 10 years Package rsyslog was updated: - fix PreserveFQDN option before daemon is restarted (bsc#1231229) add 0001-core-bugfix-rsyslog-messages-may-not-always-have-FQD.patch - restart daemon after update at the end of the transaction (bsc#1230984) Package rubygem-nokogiri was updated: - added only-complain-about-version-diff-if-it-is-older.patch: make nokogiri only complain about mismatching libxml2 version if the runtime version is older than the build version as we assume newer versions should be ABI compatible (boo#1213999) Package runc was updated: [ This was only ever released for SLES and Leap. ]- Update to runc v1.1.14. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.14&gt;. Includes the patch for CVE-2024-45310. bsc#1230092 - Rebase patches: * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch Package shim was updated: - Update shim-install to apply the missing fix for openSUSE Leap (bsc#1210382) fixed by Gary. * 86b73d1 Fix that bootx64.efi is not updated on Leap - Update shim-install to use the 'removable' way for SL-Micro (bsc#1230316) fixed by Gary. * 433cc4e Always use the removable way for SL-Micro Package 000release-packages:sle-module-basesystem-release was updated: Package 000release-packages:sle-module-containers-release was updated: Package 000release-packages:sle-module-desktop-applications-release was updated: Package 000release-packages:sle-module-development-tools-release was updated: Package 000release-packages:sle-module-hpc-release was updated: Package 000release-packages:sle-module-public-cloud-release was updated: Package 000release-packages:sle-module-server-applications-release was updated: Package strace was updated: - Change the license to the correct LGPL-2.1-or-later (bsc#1228216). Package supportutils was updated: - Changes to version 3.2.8 + Avoid getting duplicate kernel verifications in boot.text (pr#190) + lvm: suppress file descriptor leak warnings from lvm commands (pr#191) + docker_info: Add timestamps to container logs (pr#196) + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198) + Update supportconfig get pam.d sorted (pr#199) + yast_files: Exclude .zcat (pr#201) + Sanitize grub bootloader (bsc#1227127, pr#203) + Sanitize regcodes (pr#204) + Improve product detection (pr#205) + Add read_values for s390x (bsc#1228265, pr#206) + hardware_info: Remove old alsa ver check (pr#209) + drbd_info: Fix incorrect escape of quotes (pr#210) Package suse-build-key was updated: - extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339) - gpg-pubkey-39db7c82-5f68629b.asc + gpg-pubkey-39db7c82-66c5d91a.asc - ensure key2rpmname is called using bash. - make the per-project inclusion optional, default off. - Also include the GPG key from the current build project to allow Staging testing without production keys. (bsc#1231829) Package unzip was updated: - Use %patch -P N instead of deprecated %patchN. - Build unzip-rcc using multibuild and update unzip-rcc.spec file Package util-linux-systemd was updated: - Skip aarch64 decode path for rest of the architectures (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch). - agetty: Prevent login cursor escape (bsc#1194818, util-linux-agetty-prevent-cursor-escape.patch). Package vim was updated: - Provide latest 9.1.0836 release.- Fix for bsc#1230625 and bsc#1231846. - update to 9.1.0836 * 9.1.0836: The vimtutor can be improved * 9.1.0835: :setglobal doesn't work properly for 'ffu' and 'tsrfu' * 9.1.0834: tests: 2html test fails * 9.1.0833: CI: recent ASAN changes do not work for indent tests * 9.1.0832: :set doesn't work for 'cot' and 'bkc' after :setlocal * runtime(doc): update help-toc description * runtime(2html): Make links use color scheme colors in TOhtml * 9.1.0831: 'findexpr' can't be used as lambad or Funcref * Filelist: include helptoc package * runtime(doc): include a TOC Vim9 plugin * Filelist: ignore .git-blame-ignore-revs * 9.1.0830: using wrong highlight group for spaces for popupmenu * runtime(typst): synchronize updates from the upstream typst.vim * git: ignore reformatting commit for git-blame (after v9.1.0829) * 9.1.0829: Vim source code uses a mix of tabs and spaces * 9.1.0828: string_T struct could be used more often * 9.1.0827: CI: tests can be improved * runtime(doc): remove stray sentence in pi_netrw.txt * 9.1.0826: filetype: sway files are not recognized * runtime(doc): Include netrw-gp in TOC * runtime(doc): mention 'iskeyword' at :h charclass() * runtime(doc): update help tags * 9.1.0825: compile error for non-diff builds * runtime(netrw): fix E874 when browsing remote directory which contains `~` character * runtime(doc): update coding style documentation * runtime(debversions): Add plucky (25.04) as Ubuntu release name * 9.1.0824: too many strlen() calls in register.c * 9.1.0823: filetype: Zephyr overlay files not recognized * runtime(doc): Clean up minor formatting issues for builtin functions * runtime(netrw): make :Launch/Open autoloadable * runtime(netrw): fix regression with x mapping on Cygwin * runtime(netrw): fix filetype detection for remote files * 9.1.0822: topline might be changed in diff mode unexpectedly * CI: huge linux builds should also run syntax &amp; indent tests * 9.1.0821: 'findexpr' completion doesn't set v:fname to cmdline argument * 9.1.0820: tests: Mac OS tests are too flaky * runtime(awk): Highlight more awk comments in syntax script * runtime(netrw): add missing change for s:redir() * 9.1.0819: tests: using findexpr and imported func not tested * runtime(netrw): improve netrw's open-handling further * runtime(netrw): fix syntax error in netrwPlugin.vim * runtime(netrw): simplify gx file handling * 9.1.0818: some global functions are only used in single files * 9.1.0817: termdebug: cannot evaluate expr in a popup * runtime(defaults): Detect putty terminal and switch to dark background * 9.1.0816: tests: not clear what tests cause asan failures * runtime(doc): Remove some completed items from todo.txt * 9.1.0815: &quot;above&quot; virtual text causes wrong 'colorcolumn' position * runtime(syntax-tests): tiny vim fails because of line-continuation * 9.1.0814: mapset() may remove unrelated mapping * 9.1.0813: no error handling with setglobal and number types * 9.1.0812: Coverity warns about dereferencing NULL ptr * 9.1.0811: :find expansion does not consider 'findexpr' * 9.1.0810: cannot easily adjust the |:find| command * 9.1.0809: filetype: petalinux config files not recognized * 9.1.0808: Terminal scrollback doesn't shrink when decreasing 'termwinscroll' * 9.1.0807: tests: having 'nolist' in modelines isn't always desired * 9.1.0806: tests: no error check when setting global 'briopt' * 9.1.0805: tests: minor issues in gen_opt_test.vim * 9.1.0804: tests: no error check when setting global 'cc' * 9.1.0803: tests: no error check when setting global 'isk' * 9.1.0802: tests: no error check when setting global 'fdm' to empty value * 9.1.0801: tests: no error check when setting global 'termwinkey' * 9.1.0800: tests: no error check when setting global 'termwinsize' * runtime(doc): :ownsyntax also resets 'spelloptions' * 9.1.0799: tests: gettwinvar()/gettabwinvar() tests are not comprehensive * runtime(doc): Fix wrong Mac default options * 9.1.0798: too many strlen() calls in cmdhist.c * 9.1.0797: testing of options can be further improved * 9.1.0796: filetype: libtool files are not recognized * (typst): add folding to typst ftplugin * runtime(netrw): deprecate and remove netrwFileHandlers#Invoke() * 9.1.0795: filetype: Vivado memory info file are not recognized * 9.1.0794: tests: tests may fail on Windows environment * runtime(doc): improve the :colorscheme documentation * 9.1.0793: xxd: -e does add one extra space * 9.1.0792: tests: Test_set_values() is not comprehensive enough * runtime(swayconfig): add flag for bindsym/bindcode to syntax script * 9.1.0791: tests: errors in gen_opt_test.vim are not shown * runtime(compiler): check for compile_commands in build dirs for cppcheck * 9.1.0790: Amiga: AmigaOS4 build should use default runtime (newlib) * runtime(help): Update help syntax * runtime(help): fix end of sentence highlight in code examples * runtime(jinja): Support jinja syntax as secondary filetype * 9.1.0789: tests: ':resize + 5' has invalid space after '+' * 9.1.0788: &lt;CSI&gt;27;&lt;mod&gt;u is not decoded to literal Escape in kitty/foot * 9.1.0787: cursor position changed when using hidden terminal * 9.1.0786: tests: quickfix update test does not test location list * runtime(doc): add some docs for file-watcher programs * CI: uploading failed screendumps still fails on Cirrus CI * 9.1.0785: cannot preserve error position when setting quickfix list * 9.1.0784: there are several problems with python 3.13 * 9.1.0783: 'spell' option setting has problems * 9.1.0782: tests: using wrong neomuttlog file name * runtime(doc): add preview flag to statusline example * 9.1.0781: tests: test_filetype fails * 9.1.0780: MS-Windows: incorrect Win32 error checking * 9.1.0779: filetype: neomuttlog files are not recognized * 9.1.0778: filetype: lf config files are not recognized * runtime(comment): fix commment toggle with mixed tabs &amp; spaces * runtime(misc): Use consistent &quot;Vim script&quot; spelling * runtime(gleam): add ftplugin for gleam files * runtime(doc): link help-writing from write-local-help * 9.1.0777: filetype: Some upstream php files are not recognized * runtime(java): Define javaBlockStart and javaBlockOtherStart hl groups * runtime(doc): mention conversion rules for remote_expr() * runtime(tutor): Fix missing :s command in spanish translation section 4.4 * 9.1.0776: test_strftime may fail because of missing TZ data * translation(am): Add Armenian language translation * 9.1.0775: tests: not enough tests for setting options * 9.1.0774: &quot;shellcmdline&quot; doesn't work with getcompletion() * 9.1.0773: filetype: some Apache files are not recognized * 9.1.0772: some missing changes from v9.1.0771 * 9.1.0771: completion attribute hl_group is confusing * 9.1.0770: current command line completion is a bit limited * 9.1.0769: filetype: MLIR files are not recognized * 9.1.0768: MS-Windows: incorrect cursor position when restoring screen * runtime(nasm): Update nasm syntax script * 9.1.0767: A condition is always true in ex_getln.c * runtime(skill): Update syntax file to fix string escapes * runtime(help): highlight CTRL-&lt;Key&gt; correctly * runtime(doc): add missing usr_52 entry to toc * 9.1.0766: too many strlen() calls in ex_getln.c * runtime(doc): correct `vi` registers 1-9 documentation error * 9.1.0765: No test for patches 6.2.418 and 7.3.489 * runtime(spec): set comments and commentstring options * NSIS: Include libgcc_s_sjlj-1.dll again * runtime(doc): clarify the effect of 'startofline' option * 9.1.0764: [security]: use-after-free when closing a buffer * runtime(vim): Update base-syntax file, improve class, enum and interface highlighting * 9.1.0763: tests: cannot run single syntax tests * 9.1.0762: 'cedit', 'termwinkey' and 'wildchar' may not be parsed correctly * 9.1.0761: :cd completion fails on Windows with backslash in path * 9.1.0760: tests: no error reported, if gen_opt_test.vim fails * 9.1.0759: screenpos() may return invalid position * runtime(misc): unset compiler in various ftplugins * runtime(doc): update formatting and syntax * runtime(compiler): add cppcheck linter compiler plugin * runtime(doc): Fix style in documents * runtime(doc): Fix to two-space convention in user manual * runtime(comment): consider &amp;tabstop in lines after whitespace indent * 9.1.0758: it's possible to set an invalid key to 'wildcharm' * runtime(java): Manage circularity for every :syn-included syntax file * 9.1.0757: tests: messages files contains ANSI escape sequences * 9.1.0756: missing change from patch v9.1.0754 * 9.1.0755: quickfix list does not handle hardlinks well * runtime(doc): 'filetype', 'syntax' and 'keymap' only allow alphanumeric + some characters * runtime(systemd): small fixes to &amp;keywordprg in ftplugin * CI: macos-12 runner is being sunset, switch to 13 * 9.1.0754: fixed order of items in insert-mode completion menu * runtime(comment): commenting might be off by one column * 9.1.0753: Wrong display when typing in diff mode with 'smoothscroll' * 9.1.0752: can set 'cedit' to an invalid value * runtime(doc): add `usr` tag to usr_toc.txt * 9.1.0751: Error callback for term_start() not used * 9.1.0750: there are some Win9x legacy references * runtime(java): Recognise the CommonMark form (///) of Javadoc comments * 9.1.0749: filetype: http files not recognized * runtime(comment): fix syntax error * CI: uploading failed screendump tests does not work Cirrus * 9.1.0748: :keep* commmands are sometimes misidentified as :k * runtime(indent): allow matching negative numbers for gnu indent config file * runtime(comment): add gC mapping to (un)comment rest of line * 9.1.0747: various typos in repo found * 9.1.0746: tests: Test_halfpage_longline() fails on large terminals * runtime(doc): reformat gnat example * runtime(doc): reformat ada_standard_types section * 9.1.0745: filetype: bun and deno history files not recognized * runtime(glvs): Correct the tag name of glvs-autoinstal * runtime(doc): include short form for :earlier/:later * runtime(doc): remove completed TODO * 9.1.0744: filetype: notmuch configs are not recognised * 9.1.0743: diff mode does not handle overlapping diffs correctly * runtime(glvs): fix a few issues * runtime(doc): Fix typo in :help :command-modifiers * 9.1.0742: getcmdprompt() implementation can be improved * runtime(docs): update `:set?` command behavior table * runtime(doc): update vim90 to vim91 in docs * runtime(doc): fix typo in :h dos-colors * 9.1.0741: No way to get prompt for input()/confirm() * runtime(doc): fix typo in version9.txt nrformat -&gt; nrformats * runtime(rmd,rrst): 'fex' option not properly restored * runtime(netrw): remove extraneous closing bracket * 9.1.0740: incorrect internal diff with empty file * 9.1.0739: [security]: use-after-free in ex_getln.c * runtime(filetype): tests: Test_filetype_detection() fails * runtime(dist): do not output a message if executable is not found * 9.1.0738: filetype: rapid files are not recognized * runtime(modconf): remove erroneous :endif in ftplugin * runtime(lyrics): support multiple timestamps in syntax script * runtime(java): Optionally recognise _module_ import declarations * runtime(vim): Update base-syntax, improve folding function matches * CI: upload failed screendump tests also for Cirrus * 9.1.0737: tests: screendump tests may require a bit more time * runtime(misc): simplify keywordprg in various ftplugins * runtime(java): Optionally recognise all primitive constants in _switch-case_ labels * runtime(zsh,sh): set and unset compiler in ftplugin * runtime(netrw): using inefficient highlight pattern for 'mf' * 9.1.0736: Unicode tables are outdated * 9.1.0735: filetype: salt files are not recognized * 9.1.0734: filetype: jinja files are not recognized * runtime(zathurarc): add double-click-follow to syntax script * translation(ru): Updated messages translation * translation(it): updated xxd man page * translation(ru): updated xxd man page * 9.1.0733: keyword completion does not work with fuzzy * 9.1.0732: xxd: cannot use -b and -i together * runtime(java): Highlight javaConceptKind modifiers with StorageClass * runtime(doc): reword and reformat how to use defaults.vim * 9.1.0731: inconsistent case sensitive extension matching * runtime(vim): Update base-syntax, match Vim9 bool/null literal args to :if/:while/:return * runtime(netrw): delete confirmation not strict enough * 9.1.0730: Crash with cursor-screenline and narrow window * 9.1.0729: Wrong cursor-screenline when resizing window * 9.1.0728: [security]: heap-use-after-free in garbage collection with location list user data * runtime(doc): clarify the effect of the timeout for search()-functions * runtime(idlang): update syntax script * runtime(spec): Recognize epoch when making spec changelog in ftplugin * runtime(spec): add file triggers to syntax script * 9.1.0727: too many strlen() calls in option.c * runtime(make): add compiler/make.vim to reset compiler plugin settings * runtime(java): Recognise all available standard doclet tags * 9.1.0726: not using correct python3 API with dynamic linking * runtime(dosini): Update syntax script, spellcheck comments only * runtime(doc): Revert outdated comment in completeopt's fuzzy documentation * 9.1.0725: filetype: swiftinterface files are not recognized * runtime(pandoc): Update compiler plugin to use actual 'spelllang' * runtime(groff): Add compiler plugin for groff * 9.1.0724: if_python: link error with python 3.13 and stable ABI * 9.1.0723: if_python: dynamic linking fails with python3 &gt;= 3.13 * 9.1.0722: crash with large id in text_prop interface * 9.1.0721: tests: test_mksession does not consider XDG_CONFIG_HOME * runtime(glvs): update GetLatestVimScripts plugin * runtime(doc): Fix typo in :help :hide text * runtime(doc): buffers can be re-used * 9.1.0720: Wrong breakindentopt=list:-1 with multibyte or TABs * 9.1.0719: Resetting cell widths can make 'listchars' or 'fillchars' invalid * runtime(doc): Update version9.txt and mention $MYVIMDIR - Update to 9.1.0718: * v9.1.0718: hard to know the users personal Vim Runtime Directory * v9.1.0717: Unnecessary nextcmd NULL checks in parse_command_modifiers() Maintainers: fix typo in author name * v9.1.0716: resetting setcellwidth( doesn't update the screen runtime(hcl,terraform): Add runtime files for HCL and Terraform runtime(tmux): Update syntax script * v9.1.0715: Not correctly parsing color names (after v9.1.0709) * v9.1.0714: GuiEnter_Turkish test may fail * v9.1.0713: Newline causes E749 in Ex mode * v9.1.0712: missing dependency of Test_gettext_makefile * v9.1.0711: test_xxd may file when using different xxd * v9.1.0710: popup window may hide part of Command line runtime(vim): Update syntax, improve user-command matching * v9.1.0709: GUIEnter event not found in Turkish locale runtime(sudoers): improve recognized Runas_Spec and Tag_Spec items * v9.1.0708: Recursive window update does not account for reset skipcol runtime(nu): include filetype plugin * v9.1.0707: invalid cursor position may cause a crash * v9.1.0706: test_gettext fails when using shadow dir CI: Install locales-all package * v9.1.0705: Sorting of fuzzy filename completion is not stable translation(pt): update Portuguese/Brazilian menu translation runtime(vim): Update base-syntax, match bracket mark ranges runtime(doc): Update :help :command-complete list * v9.1.0704: inserting with a count is inefficient runtime(doc): use mkdir -p to save a command * v9.1.0703: crash with 2byte encoding and glob2regpat() runtime(hollywood): update syn highlight for If-Then statements and For-In-Loops * v9.1.0702: Patch 9.1.0700 broke CI * v9.1.0701: crash with NFA regex engine when searching for composing chars * v9.1.0700: crash with 2byte encoding and glob2regpat() * v9.1.0699: &quot;dvgo&quot; is not always an inclusive motion runtime(java): Provide support for syntax preview features * v9.1.0698: &quot;Untitled&quot; file not removed when running Test_crash1_3 alone * v9.1.0697: heap-buffer-overflow in ins_typebuf * v9.1.0696: installing runtime files fails when using SHADOWDIR runtime(doc): fix typo * v9.1.0695: test_crash leaves Untitled file around translation(br): Update Brazilian translation translation(pt): Update menu_pt_br * v9.1.0694: matchparen is slow on a long line * v9.1.0693: Configure doesn't show result when not using python3 stable abi * v9.1.0692: Wrong patlen value in ex_substitute() * v9.1.0691: stable-abi may cause segfault on Python 3.11 runtime(vim): Update base-syntax, match :loadkeymap after colon and bar runtime(mane): Improve &lt;Plug&gt;ManBS mapping * v9.1.0690: cannot set special highlight kind in popupmenu translation(pt): Revert and fix wrong Portuguese menu translation files translation(pt): revert Portuguese menu translation translation(br): Update Brazilian translations runtime(vim): Update base-syntax, improve :let-heredoc highlighting * v9.1.0689: buffer-overflow in do_search( with 'rightleft' runtime(vim): Improve heredoc handling for all embedded scripts * v9.1.0688: dereferences NULL pointer in check_type_is_value() * v9.1.0687: Makefile may not install desktop files runtime(man): Fix &lt;Plug&gt;ManBS runtime(java): Make the bundled &amp;foldtext function optional runtime(netrw): Change line on `mx` if command output exists runtime(netrw): Fix `mf`-selected entry highlighting runtime(htmlangular): add html syntax highlighting translation(it): Fix filemode of Italian manpages runtime(doc): Update outdated man.vim plugin information runtime(zip): simplify condition to detect MS-Windows * v9.1.0686: zip-plugin has problems with special characters runtime(pandoc): escape quotes in &amp;errorformat for pandoc translation(it): updated Italian manpage * v9.1.0685: too many strlen( calls in usercmd.c runtime(doc): fix grammar in :h :keeppatterns runtime(pandoc): refine pandoc compiler settings * v9.1.0684: completion is inserted on Enter with &quot;noselect&quot; translation(ru): update man pages * v9.1.0683: mode( returns wrong value with &lt;Cmd&gt; mapping runtime(doc): remove trailing whitespace in cmdline.txt * v9.1.0682: Segfault with uninitialized funcref * v9.1.0681: Analyzing failed screendumps is hard runtime(doc): more clarification for the :keeppatterns needed * v9.1.0680: VMS does not have defined uintptr_t runtime(doc): improve typedchar documentation for KeyInputPre autocmd runtime(dist): verify that executable is in $PATH translation(it): update Italian manpages runtime(doc): clarify the effect of :keeppatterns after * v9.1.0677 runtime(doc): update Makefile and make it portable between GNU and BSD * v9.1.0679: Rename from w_closing to w_locked is incomplete runtime(colors): update colorschemes runtime(vim): Update base-syntax, improve :let-heredoc highlighting runtime(doc): Updating the examples in the xxd manpage translation(ru): Updated uganda.rux runtime(yaml): do not re-indent when commenting out lines * v9.1.0678: use-after-free in alist_add() * v9.1.0677 :keepp does not retain the substitute pattern translation(ja): Update Japanese translations to latest release runtime(netrw): Drop committed trace lines runtime(netrw): Error popup not always used runtime(netrw): ErrorMsg( may throw E121 runtime(tutor): update Makefile and make it portable between GNU and BSD translation: improve the po/cleanup.vim script runtime(lang): update Makefile and make it portable between GNU and BSD * v9.1.0676: style issues with man pages * v9.1.0675: Patch v9.1.0674 causes problems runtime(dosbatch): Show %%i as an argument in syntax file runtime(dosbatch): Add syn-sync to syntax file runtime(sql, mysql): fix E169: Command too recursive with sql_type_default = &quot;mysql&quot; * v9.1.0674: compiling abstract method fails because of missing return runtime(javascript): fix a few issues with syntax higlighting runtime(mediawiki): fix typo in doc, test for b:did_ftplugin var runtime(termdebug): Fix wrong test for balloon feature runtime(doc): Remove mentioning of the voting feature runtime(doc): add help tags for json + markdown global variables * v9.1.0673: too recursive func calls when calling super-class method runtime(syntax-tests): Facilitate the viewing of rendered screendumps runtime(doc): fix a few style issues * v9.1.0672: marker folds may get corrupted on undo * v9.1.0671 Problem: crash with WinNewPre autocommand * v9.1.0670: po file encoding fails on *BSD during make translation(it): Update Italian translation translation: Stop using msgconv * v9.1.0669: stable python ABI not used by default Update .gitignore and .hgignore files * v9.1.0668: build-error with python3.12 and stable ABI translations: Update generated po files * v9.1.0667: Some other options reset curswant unnecessarily when set * v9.1.0666: assert_equal( doesn't show multibyte string correctly runtime(doc): clarify directory of Vim's executable vs CWD * v9.1.0665 :for loop runtime(proto): Add indent script for protobuf filetype * v9.1.0664: console vim did not switch back to main screen on exit runtime(zip): zip plugin does not work with Vim 9.0 * v9.1.0663: zip test still resets 'shellslash' option runtime(zip): use defer to restore old settings runtime(zip): add a generic Message function runtime(zip): increment base version of zip plugin runtime(zip): raise minimum Vim version to * v9.0 runtime(zip): refactor save and restore of options runtime(zip): remove test for fnameescape runtime(zip): use :echomsg instead of :echo runtime(zip): clean up and remove comments * v9.1.0662: filecopy( may return wrong value when readlink( fails * v9.1.0661: the zip plugin is not tested. runtime(zip): Fix for FreeBSD's unzip command runtime(doc): capitalize correctly * v9.1.0660: Shift-Insert does work on old conhost translation(it): update Italian manpage runtime(lua): add/subtract a 'shiftwidth' after '('/')' in indentexpr runtime(zip): escape '[' on Unix as well * v9.1.0659: MSVC Makefile is a bit hard to read runtime(doc): fix typo in syntax.txt runtime(doc): -x is only available when compiled with crypt feature * v9.1.0658: Coverity warns about dereferencing NULL pointer. runtime(colors): update Todo highlight in habamax colorscheme * v9.1.0657: MSVC build time can be optimized * v9.1.0656: MSVC Makefile CPU handling can be improved * v9.1.0655: goaccess config file not recognized CI: update clang compiler to version 20 runtime(netrw): honor `g:netrw_alt{o,v}` for `:{S,H,V}explore` * v9.1.0654: completion does not respect completeslash with fuzzy * v9.1.0653: Patch v9.1.0648 not completely right * v9.1.0652: too many strlen( calls in syntax.c * v9.1.0651 :append * v9.1.0650: Coverity warning in cstrncmp() * v9.1.0649: Wrong comment for &quot;len&quot; argument of call_simple_func() * v9.1.0648: [security] double-free in dialog_changed() * v9.1.0647: [security] use-after-free in tagstack_clear_entry runtime(doc): re-format tag example lines, mention ctags --list-kinds * v9.1.0646: imported function may not be found runtime(java): Document &quot;g:java_space_errors&quot; and &quot;g:java_comment_strings&quot; runtime(java): Cluster optional group definitions and their group links runtime(java): Tidy up the syntax file runtime(java): Tidy up the documentation for &quot;ft-java-syntax&quot; runtime(colors): update habamax scheme - tweak diff/search/todo colors runtime(nohlsearch): add missing loaded_hlsearch guard runtime(kivy): Updated maintainer info for syntax script Maintainers: Add maintainer for ondir ftplugin + syntax files runtime(netrw): removing trailing slash when copying files in same directory * v9.1.0645: wrong match when searching multi-byte char case-insensitive runtime(html): update syntax script to sync by 250 minlines by default * v9.1.0644: Unnecessary STRLEN( when applying mapping runtime(zip): Opening a remote zipfile don't work runtime(cuda): source c and cpp ftplugins * v9.1.0643: cursor may end up on invalid position * v9.1.0642: Check that mapping rhs starts with lhs fails if not simplified * v9.1.0641: OLE enabled in console version runtime(thrift): add ftplugin, indent and syntax scripts * v9.1.0640: Makefile can be improved * v9.1.0639: channel timeout may wrap around * v9.1.0638: E1510 may happen when formatting a message for smsg() * v9.1.0637: Style issues in MSVC Makefile - Update apparmor.vim to latest version (from AppArmor 4.0.2) - add support for &quot;all&quot; and &quot;userns&quot; rules, and new profile flags - Update to 9.1.0636: * 9.1.0636: filetype: ziggy files are not recognized * 9.1.0635: filetype: SuperHTML template files not recognized * 9.1.0634: Ctrl-P not working by default * 9.1.0633: Compilation warnings with `-Wunused-parameter` * 9.1.0632: MS-Windows: Compiler Warnings Add support for Files-Included in syntax script tweak documentation style a bit * 9.1.0631: wrong completion list displayed with non-existing dir + fuzzy completion * 9.1.0630: MS-Windows: build fails with VIMDLL and mzscheme * 9.1.0629: Rename of pum hl_group is incomplete * 9.1.0628: MinGW: coverage files are not cleaned up * 9.1.0627: MinGW: build-error when COVERAGE is enabled * 9.1.0626: Vim9: need more tests with null objects include initial filetype plugin * 9.1.0625: tests: test output all translated messages for all translations * 9.1.0624: ex command modifiers not found * 9.1.0623: Mingw: errors when trying to delete non-existing files * 9.1.0622: MS-Windows: mingw-build can be optimized * 9.1.0621: MS-Windows: startup code can be improved * 9.1.0620: Vim9: segfauls with null objects * 9.1.0619: tests: test_popup fails * 9.1.0618: cannot mark deprecated attributes in completion menu * 9.1.0617: Cursor moves beyond first line of folded end of buffer * 9.1.0616: filetype: Make syntax highlighting off for MS Makefiles * 9.1.0615: Unnecessary STRLEN() in make_percent_swname() Add single-line comment syntax Add syntax test for comments Update maintainer info * 9.1.0614: tests: screendump tests fail due to recent syntax changes * 9.1.0613: tests: termdebug test may fail and leave file around Update base-syntax, improve :set highlighting Optionally highlight the :: token for method references * 9.1.0612: filetype: deno.lock file not recognized Use delete() for deleting directory escape filename before trying to delete it * 9.1.0611: ambiguous mappings not correctly resolved with modifyOtherKeys correctly extract file from zip browser * 9.1.0610: filetype: OpenGL Shading Language files are not detected Fix endless recursion in netrw#Explore() * 9.1.0609: outdated comments in Makefile update syntax script Fix flow mapping key detection Remove orphaned YAML syntax dump files * 9.1.0608: Coverity warns about a few potential issues Update syntax script and remove syn sync * 9.1.0607: termdebug: uses inconsistent style * 9.1.0606: tests: generated files may cause failure in test_codestyle * 9.1.0605: internal error with fuzzy completion * 9.1.0604: popup_filter during Press Enter prompt seems to hang translation: Update Serbian messages translation * 9.1.0603: filetype: use correct extension for Dracula * 9.1.0602: filetype: Prolog detection can be improved fix more inconsistencies in assert function docs * 9.1.0601: Wrong cursor position with 'breakindent' when wide char doesn't fit Update base-syntax, improve :map highlighting * 9.1.0600: Unused function and unused error constants * 9.1.0599: Termdebug: still get E1023 when specifying arguments correct wrong comment options fix typo &quot;a xterm&quot; -&gt; &quot;an xterm&quot; * 9.1.0598: fuzzy completion does not work with default completion * 9.1.0597: KeyInputPre cannot get the (unmapped typed) key * 9.1.0596: filetype: devscripts config files are not recognized gdb file/folder check is now performed only in CWD. quote filename arguments using double quotes update syntax to SDC-standard 2.1 minor updates. Cleanup :match and :loadkeymap syntax test files Update base-syntax, match types in Vim9 variable declarations * 9.1.0595: make errors out with the po Makefile * 9.1.0594: Unnecessary redraw when setting 'winfixbuf' using wrong highlight for UTF-8 include simple syntax plugin * 9.1.0593: filetype: Asymptote files are not recognized add recommended indent options to ftplugin add recommended indent options to ftplugin add recommended indent options to ftplugin * 9.1.0592: filetype: Mediawiki files are not recognized * 9.1.0591: filetype: *.wl files are not recognized * 9.1.0590: Vim9: crash when accessing getregionpos() return value 'cpoptions': Include &quot;z&quot; in the documented default * 9.1.0589: vi: d{motion} and cw work differently than expected update included colorschemes grammar fixes in options.txt - Add &quot;Keywords&quot; to gvim.desktop to make searching for gvim easier - Removed patches, as they're no longer required (refreshing them deleted their contents): * vim-7.3-help_tags.patch * vim-7.4-highlight_fstab.patch - Reorganise all applied patches in the spec file. - Update to 9.1.0588: * 9.1.0588: The maze program no longer compiles on newer clang runtime(typst): Add typst runtime files * 9.1.0587: tests: Test_gui_lowlevel_keyevent is still flaky * 9.1.0586: ocaml runtime files are outdated runtime(termdebug): fix a few issues * 9.1.0585: tests: test_cpoptions leaves swapfiles around * 9.1.0584: Warning about redeclaring f_id() non-static runtime(doc): Add hint how to load termdebug from vimrc runtime(doc): document global insert behavior * 9.1.0583: filetype: *.pdf_tex files are not recognized * 9.1.0582: Printed line doesn't overwrite colon when pressing Enter in Ex mode * 9.1.0581: Various lines are indented inconsistently * 9.1.0580: :lmap mapping for keypad key not applied when typed in Select mode * 9.1.0579: Ex command is still executed after giving E1247 * 9.1.0578: no tests for :Tohtml * 9.1.0577: Unnecessary checks for v:sizeoflong in test_put.vim * 9.1.0576: tests: still an issue with test_gettext_make * 9.1.0575: Wrong comments in alt_tabpage() * 9.1.0574: ex: wrong handling of commands after bar runtime(doc): add a note for netrw bug reports * 9.1.0573: ex: no implicit print for single addresses runtime(vim): make &amp;indentexpr available from the outside * 9.1.0572: cannot specify tab page closing behaviour runtime(doc): remove obsolete Ex insert behavior * 9.1.0571: tests: Test_gui_lowlevel_keyevent is flaky runtime(logindefs): update syntax with new keywords * 9.1.0570: tests: test_gettext_make can be improved runtime(filetype): Fix Prolog file detection regex * 9.1.0569: fnamemodify() treats &quot;..&quot; and &quot;../&quot; differently runtime(mojo): include mojo ftplugin and indent script * 9.1.0568: Cannot expand paths from 'cdpath' setting * 9.1.0567: Cannot use relative paths as findfile() stop directories * 9.1.0566: Stop dir in findfile() doesn't work properly w/o trailing slash * 9.1.0565: Stop directory doesn't work properly in 'tags' * 9.1.0564: id() can be faster * 9.1.0563: Cannot process any Key event * 9.1.0562: tests: inconsistency in test_findfile.vim runtime(fstab): Add missing keywords to fstab syntax * 9.1.0561: netbeans: variable used un-initialized (Coverity) * 9.1.0560: bindtextdomain() does not indicate an error * 9.1.0559: translation of vim scripts can be improved * 9.1.0558: filetype: prolog detection can be improved * 9.1.0557: moving in the buffer list doesn't work as documented runtime(doc): fix inconsistencies in :h file-searching * 9.1.0556: :bwipe doesn't remove file from jumplist of other tabpages runtime(htmlangular): correct comment * 9.1.0555: filetype: angular ft detection is still problematic * 9.1.0554: :bw leaves jumplist and tagstack data around * 9.1.0553: filetype: *.mcmeta files are not recognized * 9.1.0552: No test for antlr4 filetype * 9.1.0551: filetype: htmlangular files are not properly detected * 9.1.0550: filetype: antlr4 files are not recognized * 9.1.0549: fuzzycollect regex based completion not working as expected runtime(doc): autocmd_add() accepts a list not a dict * 9.1.0548: it's not possible to get a unique id for some vars runtime(tmux): Update syntax script * 9.1.0547: No way to get the arity of a Vim function * 9.1.0546: vim-tiny fails on CTRL-X/CTRL-A runtime(hlsplaylist): include hlsplaylist ftplugin file runtime(doc): fix typo in :h ft-csv-syntax runtime(doc): Correct shell command to get $VIMRUNTIME into shell * 9.1.0545: MSVC conversion warning * 9.1.0544: filetype: ldapconf files are not recognized runtime(cmakecache): include cmakecache ftplugin file runtime(lex): include lex ftplugin file runtime(yacc): include yacc ftplugin file runtime(squirrel): include squirrel ftplugin file runtime(objcpp): include objcpp ftplugin file runtime(tf): include tf ftplugin file runtime(mysql): include mysql ftplugin file runtime(javacc): include javacc ftplugin file runtime(cabal): include cabal ftplugin file runtime(cuda): include CUDA ftplugin file runtime(editorconfig): include editorconfig ftplugin file runtime(kivy): update kivy syntax, include ftplugin runtime(syntax-tests): Stop generating redundant &quot;*_* 99.dump&quot; files * 9.1.0543: Behavior of CursorMovedC is strange runtime(vim): Update base-syntax, improve :match command highlighting * 9.1.0542: Vim9: confusing string() output for object functions * 9.1.0541: failing test with Vim configured without channel * 9.1.0540: Unused assignment in sign_define_cmd() runtime(doc): add page-scrolling keys to index.txt runtime(doc): add reference to xterm-focus-event from FocusGained/Lost * 9.1.0539: Not enough tests for what v9.1.0535 fixed runtime(doc): clarify how to re-init csv syntax file * 9.1.0538: not possible to assign priority when defining a sign * 9.1.0537: signed number detection for CTRL-X/A can be improved * 9.1.0536: filetype: zone files are not recognized * 9.1.0535: newline escape wrong in ex mode runtime(man): honor cmd modifiers before `g:ft_man_open_mode` runtime(man): use `nnoremap` to map to Ex commands * 9.1.0534: completion wrong with fuzzy when cycling back to original runtime(syntax-tests): Abort and report failed cursor progress runtime(syntax-tests): Introduce self tests for screen dumping runtime(syntax-tests): Clear and redraw the ruler line with the shell info runtime(syntax-tests): Allow for folded and wrapped lines in syntax test files * 9.1.0533: Vim9: need more tests for nested objects equality CI: Pre-v* 9.0.0110 versions generate bogus documentation tag entries runtime(doc): Remove wrong help tag CTRL-SHIFT-CR * 9.1.0532: filetype: Cedar files not recognized runtime(doc): document further keys that scroll page up/down * 9.1.0531: resource leak in mch_get_random() runtime(tutor): Fix wrong spanish translation runtime(netrw): fix remaining case of register clobber * 9.1.0530: xxd: MSVC warning about non-ASCII character * 9.1.0529: silent! causes following try/catch to not work runtime(rust): use shiftwidth() in indent script * 9.1.0528: spell completion message still wrong in translations * 9.1.0527: inconsistent parameter in Makefiles for Vim executable * 9.1.0526: Unwanted cursor movement with pagescroll at start of buffer runtime(doc): mention $XDG_CONFIG_HOME instead of $HOME/.config * 9.1.0525: Right release selects immediately when pum is truncated. * 9.1.0524: the recursive parameter in the *_equal functions can be removed runtime(termdebug): Add Deprecation warnings * 9.1.0523: Vim9: cannot downcast an object * 9.1.0522: Vim9: string(object) hangs for recursive references * 9.1.0521: if_py: _PyObject_CallFunction_SizeT is dropped in Python 3.13 * 9.1.0520: Vim9: incorrect type checking for modifying lists runtime(manpager): avoid readonly prompt * 9.1.0519: MS-Windows: libvterm compilation can be optimized * 9.1.0518: initialize the random buffer can be improved * 9.1.0517: MS-Windows: too long lines in Make_mvc.mak runtime(terraform): Add filetype plugin for terraform runtime(dockerfile): enable spellchecking of comments in syntax script runtime(doc): rename variable for pandoc markdown support runtime(doc): In builtin overview use {buf} as param for appendbufline/setbufline runtime(doc): clarify, that register 1-* 9 will always be shifted runtime(netrw): save and restore register 0-* 9, a and unnamed runtime(termdebug): Refactored StartDebug_term and EndDebug functions runtime(java): Compose &quot;g:java_highlight_signature&quot; and &quot;g:java_highlight_functions&quot; * 9.1.0516: need more tests for nested dicts and list comparision * 9.1.0515: Vim9: segfault in object_equal() * 9.1.0514: Vim9: issue with comparing objects recursively runtime(termdebug): Change some variables to Enums runtime(vim): Update base-syntax, fix function tail comments * 9.1.0513: Vim9: segfault with object comparison - Update to 9.1.0512: * Mode message for spell completion doesn't match allowed keys * CursorMovedC triggered wrongly with setcmdpos() * update runtime files * CI: test_gettext fails on MacOS14 + MSVC Win * not possible to translate Vim script messages * termdebug plugin can be further improved * add gomod filetype plugin * hard to detect cursor movement in the command line * Optionally highlight parameterised types * filetype: .envrc &amp; .prettierignore not recognized * filetype: Faust files are not recognized * inner-tag textobject confused about &quot;&gt;&quot; in attributes * cannot use fuzzy keyword completion * Remove the group exclusion list from @javaTop * wrong return type for execute() function * MS-Windows: too much legacy code * too complicated mapping restore in termdebug * simplify mapping * cannot switch buffer in a popup * MS-Windows: doesn't handle symlinks properly * getcmdcompltype() interferes with cmdline completion * termdebug can be further improved * update htmldjango detection * Improve Turkish documentation * include a simple csv filetype and syntax plugin * include the the simple nohlsearch package * matched text is highlighted case-sensitively * Matched text isn't highlighted in cmdline pum * Fix typos in several documents * clarify when text properties are cleared * improve the vim-shebang example * revert unintended formatting changes for termdebug * Add a config variable for commonly used compiler options * Wrong matched text highlighted in pum with 'rightleft' * bump length of character references in syntax script * properly check mapping variables using null_dict * fix KdlIndent and kdlComment in indent script * Test for patch 9.1.0489 doesn't fail without the fix * Fold multi-line comments with the syntax kind of &amp;fdm * using wrong type for PlaceSign() * filetype: Vim-script files not detected by shebang line * revert unintended change to zip#Write() * add another tag for vim-shebang feature * Cmdline pum doesn't work properly with 'rightleft' * minor style problems with patch 9.1.0487 * default completion may break with fuzzy * Wrong padding for pum &quot;kind&quot; with 'rightleft' * Update base-syntax, match shebang lines * MS-Windows: handle files with spaces properly * Restore HTML syntax file tests * completed item not update on fuzzy completion * filetype: Snakemake files are not recognized * make TermDebugSendCommand() a global function again * close all buffers in the same way * Matched text shouldn't be highlighted in &quot;kind&quot; and &quot;menu&quot; * fix wrong helptag for :defer * Update base-syntax, match :sleep arg * include Georgian keymap * Sorting of completeopt+=fuzzy is not stable * correctly test for windows in NetrwGlob() * glob() on windows fails with [] in directory name * rewrite mkdir() doc and simplify {flags} meaning * glob() not sufficiently tested * update return type for job_info() * termdebug plugin needs more love * correct return types for job_start() and job_status() * Update base-syntax, match :catch and :throw args * Include element values in non-marker annotations * Vim9: term_getjob() throws an exception on error * fuzzy string matching executed when not needed * fuzzy_match_str_with_pos() does unnecessary list operations * restore description of &quot;$&quot; in col() and virtcol() * deduplicate getpos(), line(), col(), virtcol() * Update g:vimsyn_comment_strings dump file tests * Use string interpolation instead of string concat * potential deref of NULL pointer in fuzzy_match_str_with_pos * block_editing errors out when using &lt;enter&gt; * Update base-syntax, configurable comment string highlighting * fix typos in syntax.txt * Cannot see matched text in popup menu * Update base-syntax, match multiline continued comments * clarify documentation for &quot;v&quot; position at line() * cmod_split modifier is always reset in term_start() * remove line-continuation characters * use shiftwidth() instead of &amp;tabstop in indent script * Remove orphaned screen dump files * include syntax, indent and ftplugin files * CI: Test_ColonEight() fails on github runners * add missing Enabled field in syntax script * basic svelte ftplugin file * term_start() does not clear vertical modifier * fix mousemodel restoration by comparing against null_string * Added definitions of Vim scripts and plugins * Exclude lambda expressions from _when_ _switch-case_ label clauses * Fix saved_mousemodel check * Inconsistencies between functions for option flags * Crash when using autocmd_get() after removing event inside autocmd * Fix small style issues * add return type info for Vim function descriptions * Update Italian Vim manpage * disable the q mapping * Change 'cms' for C++ to '// %s' * fix type mismatch error * Fix wrong email address * convert termdebug plugin to Vim9 script - Update to 9.1.0470: * tests Test_ColonEight_MultiByte() fails sporadically * Cannot have buffer-local value for 'completeopt' * GvimExt does not consult HKEY_CURRENT_USER * typos in some comments * runtime(vim): Update base-syntax, allow whitespace before :substitute pattern * Missing comments for fuzzy completion * runtime(man): update Vim manpage * runtime(comment): clarify the usage of 'commentstring' option value * runtime(doc): clarify how fuzzy 'completeopt' should work * runtime(netrw): prevent accidental data loss * missing filecopy() function * no whitespace padding in commentstring option in ftplugins * no fuzzy-matching support for insert-completion * eval5() and eval7 are too complex * too many strlen() calls in drawline.c * filetype lintstagedrc files are not recognized * Vim9 import autoload does not work with symlink * Coverity complains about division by zero * tests test_gui fails on Wayland * Left shift is incorrect with vartabstop and shiftwidth=0 * runtime(doc): clarify 'shortmess' flag &quot;S&quot; * MS-Windows compiler warning for size_t to int conversion * runtime(doc): include some vim9 script examples in the help * minor issues in test_filetype with rasi test * filetype rasi files are not recognized * runtime(java): Improve the matching of lambda expressions * Configure checks for libelf unnecessarily * No test for escaping '&lt;' with shellescape() * check.vim complains about overlong comment lines * translation(it): Update Italian translation * evalc. code too complex * MS-Windows Compiler warnings - Update to 9.1.0448: * compiler warning in eval.c * remove remaining css code * Add ft_hare.txt to Reference Manual TOC * re-generate vim syntax from generator * fix syntax vim bug * completion may be wrong when deleting all chars * getregionpos() inconsistent for partly-selected multibyte char * fix highlighting nested and escaped quotes in string props * remove the indent plugin since it has too many issues * update Debian runtime files * Coverity warning after 9.1.0440 * Not enough tests for getregion() with multibyte chars * Can't use blockwise selection with width for getregion() * update outdated syntax files * fix floating_modifier highlight * hare runtime files outdated * getregionpos() can't properly indicate positions beyond eol * function get_lval() is too long * Cannot filter the history * Wrong Ex command executed when :g uses '?' as delimiter * support floating_modifier none; revert broken highlighting * Motif requires non-const char pointer for XPM data * Crash when using '?' as separator for :s * filetype: cygport files are not recognized * make errors trying to access autoload/zig * Wrong yanking with exclusive selection and ve=all * add missing help tags file * Ancient XPM preprocessor hack may cause build errors * include basic rescript ftplugin file * eval.c is too long * getregionpos() doesn't handle one char selection * check for gdb file/dir before using as buffer name * refactor zig ftplugin, remove auto format * Coverity complains about eval.c refactor * Tag guessing leaves wrong search history with very short names * some issues with termdebug mapping test * update matchit plugin to v1.20 * too many strlen() calls in search.c * set commentstring option * update vb indent plugin as vim9script * filetype: purescript files are not recognized * filetype: slint files are not recognized * basic nim ftplugin file for comments * Add Arduino ftplugin and indent files * include basic typst ftplugin file * include basic prisma ftplugin file * include basic v ftplugin for comment support * getregionpos() wrong with blockwise mode and multibyte * function echo_string_core() is too long * hyprlang files are not recognized * add basic dart ftplugin file * basic ftplugin file for graphql * mention comment plugin at :h 'commentstring' * set commentstring for sql files in ftplugin * :browse oldfiles prompts even with single entry * eval.c not sufficiently tested * clarify why E195 is returned * clarify temporary file clean up * fix :NoMatchParen not working * Cannot move to previous/next rare word * add basic ftplugin file for sshdconfig * if_py: find_module has been removed in Python 3.12.0a7 * some screen dump tests can be improved * Some functions are not tested * clarify instal instructions for comment package * Unable to leave long line with 'smoothscroll' and 'scrolloff' * fix typo in vim9script help file * Remove trailing spaces * clarify {special} argument for shellescape() - update to 9.1.0413 * smoothscroll may cause infinite loop * add missing entries for the keys CTRL-W g&lt;Tab&gt; and &lt;C-Tab&gt; * update vi_diff.txt: add default value for 'flash' * typo in regexp_bt.c in DEBUG code * allow indented commands * Fix wrong define regex in ftplugin * Filter out non-Latin-1 characters for syntax tests * prefer scp over pscp * fix typo in usr_52.txt * too long functions in eval.c * warning about uninitialized variable * too many strlen() calls in the regexp engine * E16 fix, async keyword support for define * Stuck with long line and half-page scrolling * Divide by zero with getmousepos() and 'smoothscroll' * update and remove some invalid links * update translation of xxd manpage * Recursively delete directories by default with netrw delete command * Strive to remain compatible for at least Vim 7.0 * tests: xxd buffer overflow fails on 32-bit * Stop handpicking syntax groups for @javaTop * [security] xxd: buffer-overflow with specific flags * Vim9: not able to import file from start dir * filetype: mdd files detected as zsh filetype * filetype: zsh module files are not recognized * Remove hardcoded private.ppk logic from netrw * Vim9: confusing error message for unknown type * block_editing errors out when using del * add new items to scripts section in syntax plugin * Vim9: imported vars are not properly type checked * Wrong display with 'smoothscroll' when changing quickfix list * filetype: jj files are not recognized * getregionpos() may leak memory on error * The CODEOWNERS File is not useful * Remove and cleanup Win9x legacy from netrw * add MsgArea to 'highlight' option description * Cannot get a list of positions describing a region * Fix digit separator in syntax script for octals and floats * Update link to Wikipedia Vi page * clear $MANPAGER in ftplugin before shelling out * Fix typos in help documents * 'viewdir' not respecting $XDG_CONFIG_HOME * tests: Vim9 debug tests may be flaky * correct getscriptinfo() example * Vim9: could improve testing * test_sound fails on macos-12 * update Serbian menu * update Slovak menu * update Slovenian menu * update Portuguese menu * update Dutch menu * update Korean menu * update Icelandic menu * update Czech menu * update Afrikaans menu * update German menu * filetype: inko files are not recognized * filetype: templ files are not recognized * cursor() and getregion() don't handle v:maxcol well * Vim9: null value tests not sufficient * update Catalan menu * filetype: stylus files not recognized * update spanish menu localization * regenerate helptags * Vim9: crash with null_class and null_object * Add tags about lazyloading of menu * tests: vt420 terminfo entry may not be found * filetype: .out files recognized as tex files * filetype: Kbuild files are not recognized * cbuffer and similar commands don't accept a range * Improve the recognition of the &quot;indent&quot; method declarations * Fix a typo in usr_30.txt * remove undefined var s:save_cpoptions and add include setting * missing setlocal in indent plugin * Calculating line height for unnecessary amount of lines * improve syntax file performance * There are a few typos * Vim9: no comments allowed after class vars * CI: remove trailing white space in documentation * Formatting text wrong when 'breakindent' is set * Add oracular (24.10) as Ubuntu release name * Vim9: Trailing commands after class/enum keywords ignored * tests: 1-second delay after Test_BufEnter_botline() * update helptags for jq syntax * include syntax, ftplugin and compiler plugin * fix typo synconcealend -&gt; synconcealed * include a simple comment toggling plugin * wrong botline in BufEnter * clarify syntax vs matching mechanism * fix undefined variable in indent plugin * ops.c code uses too many strlen() calls * Calling CLEAR_FIELD() on the same struct twice * Vim9: compile_def_function() still too long * Update Serbian messages * clarify the effect of setting the shell to powershell * Improve the recognition of the &quot;style&quot; method declarations * Vim9: problem when importing autoloaded scripts * compile_def_function is too long * filetype: ondir files are not recognized * Crash when typing many keys with D- modifier * tests: test_vim9_builtin is a bit slow * update documentation * change the download URL of &quot;libsodium&quot; * tests: test_winfixbuf is a bit slow * Add filetype, syntax and indent plugin for Astro * expanding rc config files does not work well * Vim9: vim9type.c is too complicated * Vim9: does not handle autoloaded variables well * minor spell fix in starting.txt * wrong drawing in GUI with setcellwidth() * Add include and suffixesadd * Page scrolling should place cursor at window boundaries * align command line table * minor fixes to starting.txt * fix comment definition in filetype plugin * filetype: flake.lock files are not recognized * runtime(uci): No support for uci file types * Support &quot;g:ftplugin_java_source_path&quot; with archived files * tests: Test_autoload_import_relative_compiled fails on Windows * Finding cmd modifiers and cmdline-specials is inefficient * No test that completing a partial mapping clears 'showcmd' * tests: test_vim9_dissamble may fail * Vim9: need static type for typealias * X11 does not ignore smooth scroll event * A few typos in test_xdg when testing gvimrc * Patch v9.1.0338 fixed sourcing a script with import * Problem: gvimrc not sourced from XDG_CONFIG_HOME * Cursor wrong after using setcellwidth() in terminal * 'showcmd' wrong for partial mapping with multibyte * tests: test_taglist fails when 'helplang' contains non-english * Problem: a few memory leaks are found * Problem: Error with matchaddpos() and empty list * tests: xdg test uses screen dumps * Vim9: import through symlinks not correctly handled * Missing entry for XDG vimrc file in :version * tests: typo in test_xdg * runtime(i3config/swayconfig): update syntax scripts * document pandoc compiler and enable configuring arguments * String interpolation fails for List type * No test for highlight behavior with 'ambiwidth' * tests: test_xdg fails on the appimage repo * tests: some assert_equal() calls have wrong order of args * make install does not install all files * runtime(doc): fix typos in starting.txt Package wget was updated: - Drop support for shorthand URLs * Breaking change to fix CVE-2024-10524. [+ drop-support-for-shorthand-URLs.patch, bsc#1233773] - Update 0001-possibly-truncate-pathname-components.patch * Take the patch from savannah repository where the checking of the file length doesn't include path length. * [bsc#1204720, bsc#1231661] Package wicked was updated: - Update to version 0.6.77 - compat-suse: use iftype in sysctl handling (bsc#1230911, gh#openSUSE/wicked#1043) - Always generate the ipv4/ipv6 &lt;enabled&gt;true|false&lt;/enabled&gt; node - Inherit all, default and interface sysctl settings also for loopback, except for use_tempaddr and accept_dad. - Consider only interface specific accept_redirects sysctl settings. - Adopt ifsysctl(5) manual page with wicked specific behavior. - route: fix family and destination processing (bsc#1231060) - man: improve wicked-config(5) file description (gh#openSUSE/wicked#1039) - dhcp4: add ignore-rfc3927-1-6 wicked-config(5) option (jsc#PED-10855, gh#openSUSE/wicked#1038) - team: set arp link watcher interval default to 1s (gh#openSUSE/wicked#1037) - systemd: use `BindsTo=dbus.service` in favor of `Requisite=` (bsc#1229745) - compat-suse: fix use of deprecated `INTERFACETYPE=dummy` (boo#1229555) - arp: don't set target broadcast hardware address (gh#openSUSE/wicked#1036) - dbus: don't memcpy empty/NULL array value (gh#openSUSE/wicked#1035) - ethtool: fix leak and free pause data in ethtool_free (gh#openSUSE/wicked#1030) - Removed patches included in the source archive: [- 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch] - compat-suse: fix dummy interfaces configuration with INTERFACETYPE=dummy (boo#1229555, gh#openSUSE/wicked#1031) [+ 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch] Package xen was updated: - bsc#1232622 - VUL-0: CVE-2024-45818: xen: Deadlock in x86 HVM standard VGA handling (XSA-463) xsa463-01.patch xsa463-02.patch xsa463-03.patch xsa463-04.patch xsa463-05.patch xsa463-06.patch xsa463-07.patch xsa463-08.patch xsa463-09.patch xsa463-10.patch - bsc#1232624 - VUL-0: CVE-2024-45819: xen: libxl leaks data to PVH guests via ACPI tables (XSA-464) xsa464.patch - Drop the following patches stdvga-cache.patch - bsc#1232542 - remove usage of net-tools-deprecated from supportconfig plugin - bsc#1230366 - VUL-0: CVE-2024-45817: xen: x86: Deadlock in vlapic_error() (XSA-462) xsa462.patch - bsc#1228201 - [Baremetal][sles15sp4][guest migration] xl migration fail , guest not shutdown. This also fixes, bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch History Injection (XSA-456) 661d00b8-VMX-prevent-fallthrough-in-vmx_set_reg.patch - bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86 IOMMU identity mapping (XSA-460) 66bb7316-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch - bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through with shared resources (XSA-461) 66bb6fa5-x86-pass-through-document-as-security-unsupported.patch - Drop xsa458.patch in favor of upstream version (bsc#1227355) 669662ea-x86-IRQ-avoid-double-unlock-in-map_domain_pirq.patch - bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86 guest IRQ handling (XSA-458) xsa458.patch - bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch History Injection (XSA-456) 662a6a4c-x86-spec-reporting-of-BHB-clearing.patch 662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch Package zypper was updated: - Don't try to download missing raw metadata if cache is not writable (bsc#1225451) - man: Update 'search' command description. Hint to &quot;se -v&quot; showing the matches within the packages metadata. Explain that search strings starting with a &quot;/&quot; will implicitly look into the filelist as well. Otherfise an explicit &quot;-f&quot; is needed. - version 1.14.78 - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - BuildRequires: libzypp-devel &gt;= 17.35.10. - Fix wrong numbers used in CommitSummary skipped/failed messages. - version 1.14.77 - Show rpm install size before installing (bsc#1224771) If filesystem snapshots are taken before the installation (e.g. by snapper) no disk space is freed by removing old packages. In this case the install size of all packages is a hint how much additional disk space is needed by the new packages static content. - version 1.14.76 - Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly (bsc#1227205) - version 1.14.75 - Let_readline_abort_on_Ctrl-C (bsc#1226493) - packages: add '--system' to show @System packages (bsc#222971) - version 1.14.74 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sle-hpc-15-sp4-byos-v20250109-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 aaa_base-84.87+git20180409.04c9dae-150300.10.23.1 aaa_base-extras-84.87+git20180409.04c9dae-150300.10.23.1 bash-4.4-150400.27.3.2 bash-sh-4.4-150400.27.3.2 bind-utils-9.16.50-150400.5.43.1 binutils-2.43-150100.7.52.1 ca-certificates-mozilla-2.68-150200.33.1 cloud-regionsrv-client-10.3.7-150300.13.14.1 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.14.1 containerd-1.7.21-150000.117.1 crypto-policies-20210917.c9d86d1-150400.3.8.1 cups-config-2.2.7-150000.3.65.1 curl-8.0.1-150400.5.59.1 deltarpm-3.6.5-150000.5.6.3 dmidecode-3.6-150400.16.11.2 docker-26.1.5_ce-150000.212.1 dracut-055+suse.359.geb85610b-150400.3.37.2 e2fsprogs-1.46.4-150400.3.9.2 glib2-tools-2.70.5-150400.3.17.1 glibc-2.31-150300.89.2 glibc-32bit-2.31-150300.89.1 glibc-devel-2.31-150300.89.2 glibc-i18ndata-2.31-150300.89.2 glibc-locale-2.31-150300.89.2 glibc-locale-base-2.31-150300.89.2 google-guest-agent-20241011.01-150000.1.51.1 google-guest-configs-20241121.00-150400.13.14.1 google-osconfig-agent-20240926.03-150000.1.38.1 grub2-2.06-150400.11.49.1 grub2-i386-pc-2.06-150400.11.49.1 grub2-x86_64-efi-2.06-150400.11.49.1 kernel-default-5.14.21-150400.24.144.1 libatomic1-14.2.0+git10526-150000.1.6.1 libavahi-client3-0.8-150400.7.20.1 libavahi-common3-0.8-150400.7.20.1 libblkid1-2.37.2-150400.8.35.2 libcom_err2-1.46.4-150400.3.9.2 libctf-nobfd0-2.43-150100.7.52.1 libctf0-2.43-150100.7.52.1 libcups2-2.2.7-150000.3.65.1 libcurl4-8.0.1-150400.5.59.1 libexpat1-2.4.4-150400.3.25.1 libext2fs2-1.46.4-150400.3.9.2 libfdisk1-2.37.2-150400.8.35.2 libgcc_s1-14.2.0+git10526-150000.1.6.1 libgfortran5-14.2.0+git10526-150000.1.6.1 libgio-2_0-0-2.70.5-150400.3.17.1 libglib-2_0-0-2.70.5-150400.3.17.1 libgmodule-2_0-0-2.70.5-150400.3.17.1 libgobject-2_0-0-2.70.5-150400.3.17.1 libgomp1-14.2.0+git10526-150000.1.6.1 libitm1-14.2.0+git10526-150000.1.6.1 liblsan0-14.2.0+git10526-150000.1.6.1 libmount1-2.37.2-150400.8.35.2 libncurses6-6.1-150000.5.27.1 libopenssl1_1-1.1.1l-150400.7.75.1 libpcap1-1.10.1-150400.3.6.2 libpython3_6m1_0-3.6.15-150300.10.78.1 libquadmath0-14.2.0+git10526-150000.1.6.1 libreadline7-7.0-150400.27.3.2 libruby2_5-2_5-2.5.9-150000.4.32.1 libsmartcols1-2.37.2-150400.8.35.2 libsodium23-1.0.18-150000.4.8.1 libsolv-tools-0.7.31-150400.3.32.2 libsolv-tools-base-0.7.31-150400.3.32.2 libstdc++6-14.2.0+git10526-150000.1.6.1 libsuseconnect-1.13.0-150400.3.42.1 libsystemd0-249.17-150400.8.46.1 libubsan1-14.2.0+git10526-150000.1.6.1 libudev1-249.17-150400.8.46.1 libuuid-devel-2.37.2-150400.8.35.2 libuuid1-2.37.2-150400.8.35.2 libyaml-0-2-0.1.7-150000.3.2.1 libyui-ncurses-pkg16-4.3.7-150400.3.12.1 libyui-ncurses16-4.3.7-150400.3.12.1 libyui16-4.3.7-150400.3.12.1 libzypp-17.35.16-150400.3.105.1 login_defs-4.8.1-150400.10.24.1 logrotate-3.18.1-150400.3.10.1 mailx-12.5-150000.3.5.1 mozilla-nss-certs-3.101.2-150400.3.51.1 ncurses-utils-6.1-150000.5.27.1 nscd-2.31-150300.89.2 openssl-1_1-1.1.1l-150400.7.75.1 pam-1.3.0-150000.6.71.2 pam-config-1.1-150200.3.9.1 python3-3.6.15-150300.10.78.1 python3-Jinja2-2.10.1-150000.3.18.1 python3-PyYAML-5.4.1-150300.3.3.1 python3-base-3.6.15-150300.10.78.1 python3-bind-9.16.50-150400.5.43.1 python3-curses-3.6.15-150300.10.78.1 python3-salt-3006.0-150400.8.69.2 python3-setuptools-44.1.1-150400.9.9.1 python3-solv-0.7.31-150400.3.32.2 python3-zypp-plugin-0.6.4-150400.13.4.1 regionServiceClientConfigGCE-4.2.0-150000.4.15.1 rsyslog-8.2306.0-150400.5.33.1 ruby-solv-0.7.31-150400.3.32.2 ruby2.5-2.5.9-150000.4.32.1 ruby2.5-rubygem-nokogiri-1.8.5-150400.14.6.1 ruby2.5-stdlib-2.5.9-150000.4.32.1 runc-1.1.14-150000.70.1 salt-3006.0-150400.8.69.2 salt-minion-3006.0-150400.8.69.2 shadow-4.8.1-150400.10.24.1 shim-15.8-150300.4.23.1 strace-5.14-150400.3.3.2 supportutils-3.2.8-150300.7.35.33.1 suse-build-key-12.0-150000.8.55.1 suseconnect-ng-1.13.0-150400.3.42.1 suseconnect-ruby-bindings-1.13.0-150400.3.42.1 systemd-249.17-150400.8.46.1 systemd-sysvinit-249.17-150400.8.46.1 terminfo-6.1-150000.5.27.1 terminfo-base-6.1-150000.5.27.1 udev-249.17-150400.8.46.1 unzip-6.00-150000.4.14.1 util-linux-2.37.2-150400.8.35.2 util-linux-systemd-2.37.2-150400.8.35.2 vim-9.1.0836-150000.5.66.1 vim-data-common-9.1.0836-150000.5.66.1 wget-1.20.3-150000.3.26.1 wicked-0.6.77-150400.3.36.1 wicked-service-0.6.77-150400.3.36.1 xen-libs-4.16.6_06-150400.4.65.1 yast2-pkg-bindings-4.4.7-150400.3.16.1 zypper-1.14.78-150400.3.67.3 aaa_base-84.87+git20180409.04c9dae-150300.10.23.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 aaa_base-extras-84.87+git20180409.04c9dae-150300.10.23.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 bash-4.4-150400.27.3.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 bash-sh-4.4-150400.27.3.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 bind-utils-9.16.50-150400.5.43.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 binutils-2.43-150100.7.52.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 ca-certificates-mozilla-2.68-150200.33.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 cloud-regionsrv-client-10.3.7-150300.13.14.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.14.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 containerd-1.7.21-150000.117.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 crypto-policies-20210917.c9d86d1-150400.3.8.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 cups-config-2.2.7-150000.3.65.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 curl-8.0.1-150400.5.59.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 deltarpm-3.6.5-150000.5.6.3 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 dmidecode-3.6-150400.16.11.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 docker-26.1.5_ce-150000.212.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 dracut-055+suse.359.geb85610b-150400.3.37.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 e2fsprogs-1.46.4-150400.3.9.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 glib2-tools-2.70.5-150400.3.17.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 glibc-2.31-150300.89.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 glibc-32bit-2.31-150300.89.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 glibc-devel-2.31-150300.89.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 glibc-i18ndata-2.31-150300.89.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 glibc-locale-2.31-150300.89.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 glibc-locale-base-2.31-150300.89.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 google-guest-agent-20241011.01-150000.1.51.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 google-guest-configs-20241121.00-150400.13.14.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 google-osconfig-agent-20240926.03-150000.1.38.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 grub2-2.06-150400.11.49.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 grub2-i386-pc-2.06-150400.11.49.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 grub2-x86_64-efi-2.06-150400.11.49.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 kernel-default-5.14.21-150400.24.144.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libatomic1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libavahi-client3-0.8-150400.7.20.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libavahi-common3-0.8-150400.7.20.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libblkid1-2.37.2-150400.8.35.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libcom_err2-1.46.4-150400.3.9.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libctf-nobfd0-2.43-150100.7.52.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libctf0-2.43-150100.7.52.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libcups2-2.2.7-150000.3.65.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libcurl4-8.0.1-150400.5.59.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libexpat1-2.4.4-150400.3.25.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libext2fs2-1.46.4-150400.3.9.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libfdisk1-2.37.2-150400.8.35.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libgcc_s1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libgfortran5-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libgio-2_0-0-2.70.5-150400.3.17.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libglib-2_0-0-2.70.5-150400.3.17.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libgmodule-2_0-0-2.70.5-150400.3.17.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libgobject-2_0-0-2.70.5-150400.3.17.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libgomp1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libitm1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 liblsan0-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libmount1-2.37.2-150400.8.35.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libncurses6-6.1-150000.5.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libopenssl1_1-1.1.1l-150400.7.75.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libpcap1-1.10.1-150400.3.6.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libpython3_6m1_0-3.6.15-150300.10.78.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libquadmath0-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libreadline7-7.0-150400.27.3.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libruby2_5-2_5-2.5.9-150000.4.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libsmartcols1-2.37.2-150400.8.35.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libsodium23-1.0.18-150000.4.8.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libsolv-tools-0.7.31-150400.3.32.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libsolv-tools-base-0.7.31-150400.3.32.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libstdc++6-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libsuseconnect-1.13.0-150400.3.42.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libsystemd0-249.17-150400.8.46.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libubsan1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libudev1-249.17-150400.8.46.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libuuid-devel-2.37.2-150400.8.35.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libuuid1-2.37.2-150400.8.35.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libyaml-0-2-0.1.7-150000.3.2.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libyui-ncurses-pkg16-4.3.7-150400.3.12.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libyui-ncurses16-4.3.7-150400.3.12.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libyui16-4.3.7-150400.3.12.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 libzypp-17.35.16-150400.3.105.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 login_defs-4.8.1-150400.10.24.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 logrotate-3.18.1-150400.3.10.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 mailx-12.5-150000.3.5.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 mozilla-nss-certs-3.101.2-150400.3.51.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 ncurses-utils-6.1-150000.5.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 nscd-2.31-150300.89.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 openssl-1_1-1.1.1l-150400.7.75.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 pam-1.3.0-150000.6.71.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 pam-config-1.1-150200.3.9.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-3.6.15-150300.10.78.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-Jinja2-2.10.1-150000.3.18.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-PyYAML-5.4.1-150300.3.3.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-base-3.6.15-150300.10.78.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-bind-9.16.50-150400.5.43.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-curses-3.6.15-150300.10.78.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-salt-3006.0-150400.8.69.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-setuptools-44.1.1-150400.9.9.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-solv-0.7.31-150400.3.32.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 python3-zypp-plugin-0.6.4-150400.13.4.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 regionServiceClientConfigGCE-4.2.0-150000.4.15.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 rsyslog-8.2306.0-150400.5.33.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 ruby-solv-0.7.31-150400.3.32.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 ruby2.5-2.5.9-150000.4.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 ruby2.5-rubygem-nokogiri-1.8.5-150400.14.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 ruby2.5-stdlib-2.5.9-150000.4.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 runc-1.1.14-150000.70.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 salt-3006.0-150400.8.69.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 salt-minion-3006.0-150400.8.69.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 shadow-4.8.1-150400.10.24.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 shim-15.8-150300.4.23.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 strace-5.14-150400.3.3.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 supportutils-3.2.8-150300.7.35.33.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 suse-build-key-12.0-150000.8.55.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 suseconnect-ng-1.13.0-150400.3.42.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 suseconnect-ruby-bindings-1.13.0-150400.3.42.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 systemd-249.17-150400.8.46.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 systemd-sysvinit-249.17-150400.8.46.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 terminfo-6.1-150000.5.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 terminfo-base-6.1-150000.5.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 udev-249.17-150400.8.46.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 unzip-6.00-150000.4.14.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 util-linux-2.37.2-150400.8.35.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 util-linux-systemd-2.37.2-150400.8.35.2 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 vim-9.1.0836-150000.5.66.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 vim-data-common-9.1.0836-150000.5.66.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 wget-1.20.3-150000.3.26.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 wicked-0.6.77-150400.3.36.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 wicked-service-0.6.77-150400.3.36.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 xen-libs-4.16.6_06-150400.4.65.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 yast2-pkg-bindings-4.4.7-150400.3.16.1 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 zypper-1.14.78-150400.3.67.3 as a component of Public Cloud Image google/sle-hpc-15-sp4-byos-v20250109-x86-64 An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. This flaw allows a local attacker with a special privilege to crash the system or leak internal information. CVE-2021-4204 moderate In the Linux kernel, the following vulnerability has been resolved: spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op() In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(), which could lead to a NULL pointer dereference on failure of kzalloc(). Fix this bug by adding a check of tmpbuf. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings, and our static analyzer no longer warns about this code. CVE-2021-4441 moderate In the Linux kernel, the following vulnerability has been resolved: phy: mdio: fix memory leak Syzbot reported memory leak in MDIO bus interface, the problem was in wrong state logic. MDIOBUS_ALLOCATED indicates 2 states: 1. Bus is only allocated 2. Bus allocated and __mdiobus_register() fails, but device_register() was called In case of device_register() has been called we should call put_device() to correctly free the memory allocated for this device, but mdiobus_free() calls just kfree(dev) in case of MDIOBUS_ALLOCATED state To avoid this behaviour we need to set bus->state to MDIOBUS_UNREGISTERED _before_ calling device_register(), because put_device() should be called even in case of device_register() failure. CVE-2021-47416 low In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Add missing drm_crtc_commit_put Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before a commit") introduced a global state for the HVS, with each FIFO storing the current CRTC commit so that we can properly synchronize commits. However, the refcounting was off and we thus ended up leaking the drm_crtc_commit structure every commit. Add a drm_crtc_commit_put to prevent the leakage. CVE-2021-47534 moderate In the Linux kernel, the following vulnerability has been resolved: sch_cake: do not call cake_destroy() from cake_init() qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that. syzbot was able to trigger use after free: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline] WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Modules linked in: CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline] RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 Call Trace: <TASK> tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810 tcf_block_put_ext net/sched/cls_api.c:1381 [inline] tcf_block_put_ext net/sched/cls_api.c:1376 [inline] tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f1bb06badb9 Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f. RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688 R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 </TASK> CVE-2021-47598 important In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: Fix a deadlock in the error handler The following deadlock has been observed on a test setup: - All tags allocated - The SCSI error handler calls ufshcd_eh_host_reset_handler() - ufshcd_eh_host_reset_handler() queues work that calls ufshcd_err_handler() - ufshcd_err_handler() locks up as follows: Workqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt Call trace: __switch_to+0x298/0x5d8 __schedule+0x6cc/0xa94 schedule+0x12c/0x298 blk_mq_get_tag+0x210/0x480 __blk_mq_alloc_request+0x1c8/0x284 blk_get_request+0x74/0x134 ufshcd_exec_dev_cmd+0x68/0x640 ufshcd_verify_dev_init+0x68/0x35c ufshcd_probe_hba+0x12c/0x1cb8 ufshcd_host_reset_and_restore+0x88/0x254 ufshcd_reset_and_restore+0xd0/0x354 ufshcd_err_handler+0x408/0xc58 process_one_work+0x24c/0x66c worker_thread+0x3e8/0xa4c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 Fix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved request. CVE-2021-47622 moderate In the Linux kernel, the following vulnerability has been resolved: net/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change The refcount leak issues take place in an error handling path. When the 3rd argument buf doesn't match with "offline", "online" or "remove", the function simply returns -EINVAL and forgets to decrease the reference count of a rpc_xprt object and a rpc_xprt_switch object increased by rpc_sysfs_xprt_kobj_get_xprt() and rpc_sysfs_xprt_kobj_get_xprt_switch(), causing reference count leaks of both unused objects. Fix this issue by jumping to the error handling path labelled with out_put when buf matches none of "offline", "online" or "remove". CVE-2021-47624 low A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel's BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system. CVE-2022-0500 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A memory leak flaw was found in the Linux kernel's DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space. CVE-2022-0854 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N An out-of-bounds (OOB) memory write flaw was found in the Linux kernel's watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system. CVE-2022-0995 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel CVE-2022-20368 moderate DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-2964. Reason: This candidate is a reservation duplicate of CVE-2022-2964. Notes: All CVE users should reference CVE-2022-2964 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2022-28748 moderate A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability. CVE-2022-3435 moderate A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side. CVE-2022-4382 important An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets. CVE-2022-45934 moderate In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/pt: Fix crash with stop filters in single-range mode Add a check for !buf->single before calling pt_buffer_region_size in a place where a missing check can cause a kernel crash. Fixes a bug introduced by commit 670638477aed ("perf/x86/intel/pt: Opportunistically use single range output mode"), which added a support for PT single-range output mode. Since that commit if a PT stop filter range is hit while tracing, the kernel will crash because of a null pointer dereference in pt_handle_status due to calling pt_buffer_region_size without a ToPA configured. The commit which introduced single-range mode guarded almost all uses of the ToPA buffer variables with checks of the buf->single variable, but missed the case where tracing was stopped by the PT hardware, which happens when execution hits a configured stop filter. Tested that hitting a stop filter while PT recording successfully records a trace with this patch but crashes without this patch. CVE-2022-48713 moderate In the Linux kernel, the following vulnerability has been resolved: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create If there are failures then we must not leave the non-NULL pointers with the error value, otherwise `rpcrdma_ep_destroy` gets confused and tries free them, resulting in an Oops. CVE-2022-48773 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: ptdma: Fix the error handling path in pt_core_init() In order to free resources correctly in the error handling path of pt_core_init(), 2 goto's have to be switched. Otherwise, some resources will leak and we will try to release things that have not been allocated yet. Also move a dev_err() to a place where it is more meaningful. CVE-2022-48774 moderate In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add(): If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix memory leak by calling kobject_put(). CVE-2022-48775 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: qcom: Fix missing free for pparts in cleanup Mtdpart doesn't free pparts when a cleanup function is declared. Add missing free for pparts in cleanup function for smem to fix the leak. CVE-2022-48776 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: qcom: Fix kernel panic on skipped partition In the event of a skipped partition (case when the entry name is empty) the kernel panics in the cleanup function as the name entry is NULL. Rework the parser logic by first checking the real partition number and then allocate the space and set the data for the valid partitions. The logic was also fundamentally wrong as with a skipped partition, the parts number returned was incorrect by not decreasing it for the skipped partitions. CVE-2022-48777 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: gpmi: don't leak PM reference in error path If gpmi_nfc_apply_timings() fails, the PM runtime usage counter must be dropped. CVE-2022-48778 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: Avoid overwriting the copies of clcsock callback functions The callback functions of clcsock will be saved and replaced during the fallback. But if the fallback happens more than once, then the copies of these callback functions will be overwritten incorrectly, resulting in a loop call issue: clcsk->sk_error_report |- smc_fback_error_report() <------------------------------| |- smc_fback_forward_wakeup() | (loop) |- clcsock_callback() (incorrectly overwritten) | |- smc->clcsk_error_report() ------------------| So this patch fixes the issue by saving these function pointers only once in the fallback and avoiding overwriting. CVE-2022-48780 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: lantiq_gswip: fix use after free in gswip_remove() of_node_put(priv->ds->slave_mii_bus->dev.of_node) should be done before mdiobus_free(priv->ds->slave_mii_bus). CVE-2022-48783 moderate In the Linux kernel, the following vulnerability has been resolved: cfg80211: fix race in netlink owner interface destruction My previous fix here to fix the deadlock left a race where the exact same deadlock (see the original commit referenced below) can still happen if cfg80211_destroy_ifaces() already runs while nl80211_netlink_notify() is still marking some interfaces as nl_owner_dead. The race happens because we have two loops here - first we dev_close() all the netdevs, and then we destroy them. If we also have two netdevs (first one need only be a wdev though) then we can find one during the first iteration, close it, and go to the second iteration -- but then find two, and try to destroy also the one we didn't close yet. Fix this by only iterating once. CVE-2022-48784 moderate In the Linux kernel, the following vulnerability has been resolved: vsock: remove vsock from connected table when connect is interrupted by a signal vsock_connect() expects that the socket could already be in the TCP_ESTABLISHED state when the connecting task wakes up with a signal pending. If this happens the socket will be in the connected table, and it is not removed when the socket state is reset. In this situation it's common for the process to retry connect(), and if the connection is successful the socket will be added to the connected table a second time, corrupting the list. Prevent this by calling vsock_remove_connected() if a signal is received while waiting for a connection. This is harmless if the socket is not in the connected table, and if it is in the table then removing it will prevent list corruption from a double add. Note for backporting: this patch requires d5afa82c977e ("vsock: correct removal of socket from the list"), which is in all current stable trees except 4.9.y. CVE-2022-48786 moderate In the Linux kernel, the following vulnerability has been resolved: iwlwifi: fix use-after-free If no firmware was present at all (or, presumably, all of the firmware files failed to parse), we end up unbinding by calling device_release_driver(), which calls remove(), which then in iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However the new code I added will still erroneously access it after it was freed. Set 'failure=false' in this case to avoid the access, all data was already freed anyway. CVE-2022-48787 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: fix possible use-after-free in transport error_recovery work While nvme_rdma_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state. CVE-2022-48788 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix possible use-after-free in transport error_recovery work While nvme_tcp_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state. CVE-2022-48789 moderate In the Linux kernel, the following vulnerability has been resolved: nvme: fix a possible use-after-free in controller reset during load Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl readiness for AER submission. This may lead to a use-after-free condition that was observed with nvme-tcp. The race condition may happen in the following scenario: 1. driver executes its reset_ctrl_work 2. -> nvme_stop_ctrl - flushes ctrl async_event_work 3. ctrl sends AEN which is received by the host, which in turn schedules AEN handling 4. teardown admin queue (which releases the queue socket) 5. AEN processed, submits another AER, calling the driver to submit 6. driver attempts to send the cmd ==> use-after-free In order to fix that, add ctrl state check to validate the ctrl is actually able to accept the AER submission. This addresses the above race in controller resets because the driver during teardown should: 1. change ctrl state to RESETTING 2. flush async_event_work (as well as other async work elements) So after 1,2, any other AER command will find the ctrl state to be RESETTING and bail out without submitting the AER. CVE-2022-48790 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared. CVE-2022-48791 important In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion(). In this case, the following are the two steps in handling those I/O completions: - Call complete() to inform the upper layer handler of completion of the I/O. - Release driver resources associated with the sas_task in pm8001_ccb_task_free() call. When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call. Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering. CVE-2022-48792 important In the Linux kernel, the following vulnerability has been resolved: KVM: x86: nSVM: fix potential NULL derefernce on nested migration Turns out that due to review feedback and/or rebases I accidentally moved the call to nested_svm_load_cr3 to be too early, before the NPT is enabled, which is very wrong to do. KVM can't even access guest memory at that point as nested NPT is needed for that, and of course it won't initialize the walk_mmu, which is main issue the patch was addressing. Fix this for real. CVE-2022-48793 moderate In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: at86rf230: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. In the Tx case we then leak the skb structure. Free the skb structure upon error before returning when appropriate. As the 'is_tx = 0' cannot be moved in the complete handler because of a possible race between the delay in switching to STATE_RX_AACK_ON and a new interrupt, we introduce an intermediate 'was_tx' boolean just for this purpose. There is no Fixes tag applying here, many changes have been made on this area and the issue kind of always existed. CVE-2022-48794 moderate In the Linux kernel, the following vulnerability has been resolved: iommu: Fix potential use-after-free during probe Kasan has reported the following use after free on dev->iommu. when a device probe fails and it is in process of freeing dev->iommu in dev_iommu_free function, a deferred_probe_work_func runs in parallel and tries to access dev->iommu->fwspec in of_iommu_configure path thus causing use after free. BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4 Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153 Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace+0x0/0x33c show_stack+0x18/0x24 dump_stack_lvl+0x16c/0x1e0 print_address_description+0x84/0x39c __kasan_report+0x184/0x308 kasan_report+0x50/0x78 __asan_load8+0xc0/0xc4 of_iommu_configure+0xb4/0x4a4 of_dma_configure_id+0x2fc/0x4d4 platform_dma_configure+0x40/0x5c really_probe+0x1b4/0xb74 driver_probe_device+0x11c/0x228 __device_attach_driver+0x14c/0x304 bus_for_each_drv+0x124/0x1b0 __device_attach+0x25c/0x334 device_initial_probe+0x24/0x34 bus_probe_device+0x78/0x134 deferred_probe_work_func+0x130/0x1a8 process_one_work+0x4c8/0x970 worker_thread+0x5c8/0xaec kthread+0x1f8/0x220 ret_from_fork+0x10/0x18 Allocated by task 1: ____kasan_kmalloc+0xd4/0x114 __kasan_kmalloc+0x10/0x1c kmem_cache_alloc_trace+0xe4/0x3d4 __iommu_probe_device+0x90/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Freed by task 1: kasan_set_track+0x4c/0x84 kasan_set_free_info+0x28/0x4c ____kasan_slab_free+0x120/0x15c __kasan_slab_free+0x18/0x28 slab_free_freelist_hook+0x204/0x2fc kfree+0xfc/0x3a4 __iommu_probe_device+0x284/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Fix this by setting dev->iommu to NULL first and then freeing dev_iommu structure in dev_iommu_free function. CVE-2022-48796 moderate In the Linux kernel, the following vulnerability has been resolved: mm: don't try to NUMA-migrate COW pages that have other uses Oded Gabbay reports that enabling NUMA balancing causes corruption with his Gaudi accelerator test load: "All the details are in the bug, but the bottom line is that somehow, this patch causes corruption when the numa balancing feature is enabled AND we don't use process affinity AND we use GUP to pin pages so our accelerator can DMA to/from system memory. Either disabling numa balancing, using process affinity to bind to specific numa-node or reverting this patch causes the bug to disappear" and Oded bisected the issue to commit 09854ba94c6a ("mm: do_wp_page() simplification"). Now, the NUMA balancing shouldn't actually be changing the writability of a page, and as such shouldn't matter for COW. But it appears it does. Suspicious. However, regardless of that, the condition for enabling NUMA faults in change_pte_range() is nonsensical. It uses "page_mapcount(page)" to decide if a COW page should be NUMA-protected or not, and that makes absolutely no sense. The number of mappings a page has is irrelevant: not only does GUP get a reference to a page as in Oded's case, but the other mappings migth be paged out and the only reference to them would be in the page count. Since we should never try to NUMA-balance a page that we can't move anyway due to other references, just fix the code to use 'page_count()'. Oded confirms that that fixes his issue. Now, this does imply that something in NUMA balancing ends up changing page protections (other than the obvious one of making the page inaccessible to get the NUMA faulting information). Otherwise the COW simplification wouldn't matter - since doing the GUP on the page would make sure it's writable. The cause of that permission change would be good to figure out too, since it clearly results in spurious COW events - but fixing the nonsensical test that just happened to work before is obviously the CorrectThing(tm) to do regardless. CVE-2022-48797 moderate In the Linux kernel, the following vulnerability has been resolved: s390/cio: verify the driver availability for path_event call If no driver is attached to a device or the driver does not provide the path_event function, an FCES path-event on this device could end up in a kernel-panic. Verify the driver availability before the path_event function call. CVE-2022-48798 moderate In the Linux kernel, the following vulnerability has been resolved: perf: Fix list corruption in perf_cgroup_switch() There's list corruption on cgrp_cpuctx_list. This happens on the following path: perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list) cpu_ctx_sched_in ctx_sched_in ctx_pinned_sched_in merge_sched_in perf_cgroup_event_disable: remove the event from the list Use list_for_each_entry_safe() to allow removing an entry during iteration. CVE-2022-48799 moderate In the Linux kernel, the following vulnerability has been resolved: mm: vmscan: remove deadlock due to throttling failing to make progress A soft lockup bug in kcompactd was reported in a private bugzilla with the following visible in dmesg; watchdog: BUG: soft lockup - CPU#33 stuck for 26s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 52s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 78s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 104s! [kcompactd0:479] The machine had 256G of RAM with no swap and an earlier failed allocation indicated that node 0 where kcompactd was run was potentially unreclaimable; Node 0 active_anon:29355112kB inactive_anon:2913528kB active_file:0kB inactive_file:0kB unevictable:64kB isolated(anon):0kB isolated(file):0kB mapped:8kB dirty:0kB writeback:0kB shmem:26780kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 23480320kB writeback_tmp:0kB kernel_stack:2272kB pagetables:24500kB all_unreclaimable? yes Vlastimil Babka investigated a crash dump and found that a task migrating pages was trying to drain PCP lists; PID: 52922 TASK: ffff969f820e5000 CPU: 19 COMMAND: "kworker/u128:3" Call Trace: __schedule schedule schedule_timeout wait_for_completion __flush_work __drain_all_pages __alloc_pages_slowpath.constprop.114 __alloc_pages alloc_migration_target migrate_pages migrate_to_node do_migrate_pages cpuset_migrate_mm_workfn process_one_work worker_thread kthread ret_from_fork This failure is specific to CONFIG_PREEMPT=n builds. The root of the problem is that kcompact0 is not rescheduling on a CPU while a task that has isolated a large number of the pages from the LRU is waiting on kcompact0 to reschedule so the pages can be released. While shrink_inactive_list() only loops once around too_many_isolated, reclaim can continue without rescheduling if sc->skipped_deactivate == 1 which could happen if there was no file LRU and the inactive anon list was not low. CVE-2022-48800 low In the Linux kernel, the following vulnerability has been resolved: iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL If we fail to copy the just created file descriptor to userland, we try to clean up by putting back 'fd' and freeing 'ib'. The code uses put_unused_fd() for the former which is wrong, as the file descriptor was already published by fd_install() which gets called internally by anon_inode_getfd(). This makes the error handling code leaving a half cleaned up file descriptor table around and a partially destructed 'file' object, allowing userland to play use-after-free tricks on us, by abusing the still usable fd and making the code operate on a dangling 'file->private_data' pointer. Instead of leaving the kernel in a partially corrupted state, don't attempt to explicitly clean up and leave this to the process exit path that'll release any still valid fds, including the one created by the previous call to anon_inode_getfd(). Simply return -EFAULT to indicate the error. CVE-2022-48801 important In the Linux kernel, the following vulnerability has been resolved: phy: ti: Fix missing sentinel for clk_div_table _get_table_maxdiv() tries to access "clk_div_table" array out of bound defined in phy-j721e-wiz.c. Add a sentinel entry to prevent the following global-out-of-bounds error reported by enabling KASAN. [ 9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148 [ 9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38 [ 9.565926] [ 9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360 [ 9.576242] Hardware name: Texas Instruments J721e EVM (DT) [ 9.581832] Workqueue: events_unbound deferred_probe_work_func [ 9.587708] Call trace: [ 9.590174] dump_backtrace+0x20c/0x218 [ 9.594038] show_stack+0x18/0x68 [ 9.597375] dump_stack_lvl+0x9c/0xd8 [ 9.601062] print_address_description.constprop.0+0x78/0x334 [ 9.606830] kasan_report+0x1f0/0x260 [ 9.610517] __asan_load4+0x9c/0xd8 [ 9.614030] _get_maxdiv+0xc0/0x148 [ 9.617540] divider_determine_rate+0x88/0x488 [ 9.622005] divider_round_rate_parent+0xc8/0x124 [ 9.626729] wiz_clk_div_round_rate+0x54/0x68 [ 9.631113] clk_core_determine_round_nolock+0x124/0x158 [ 9.636448] clk_core_round_rate_nolock+0x68/0x138 [ 9.641260] clk_core_set_rate_nolock+0x268/0x3a8 [ 9.645987] clk_set_rate+0x50/0xa8 [ 9.649499] cdns_sierra_phy_init+0x88/0x248 [ 9.653794] phy_init+0x98/0x108 [ 9.657046] cdns_pcie_enable_phy+0xa0/0x170 [ 9.661340] cdns_pcie_init_phy+0x250/0x2b0 [ 9.665546] j721e_pcie_probe+0x4b8/0x798 [ 9.669579] platform_probe+0x8c/0x108 [ 9.673350] really_probe+0x114/0x630 [ 9.677037] __driver_probe_device+0x18c/0x220 [ 9.681505] driver_probe_device+0xac/0x150 [ 9.685712] __device_attach_driver+0xec/0x170 [ 9.690178] bus_for_each_drv+0xf0/0x158 [ 9.694124] __device_attach+0x184/0x210 [ 9.698070] device_initial_probe+0x14/0x20 [ 9.702277] bus_probe_device+0xec/0x100 [ 9.706223] deferred_probe_work_func+0x124/0x180 [ 9.710951] process_one_work+0x4b0/0xbc0 [ 9.714983] worker_thread+0x74/0x5d0 [ 9.718668] kthread+0x214/0x230 [ 9.721919] ret_from_fork+0x10/0x20 [ 9.725520] [ 9.727032] The buggy address belongs to the variable: [ 9.732183] clk_div_table+0x24/0x440 CVE-2022-48803 moderate In the Linux kernel, the following vulnerability has been resolved: vt_ioctl: fix array_index_nospec in vt_setactivate array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console should be decreased first and then sanitized with array_index_nospec. Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam. CVE-2022-48804 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup ax88179_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack. - A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data. I have tested that this can be used by a malicious USB device to send a bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response that contains random kernel heap data. It's probably also possible to get OOB writes from this on a little-endian system somehow - maybe by triggering skb_cow() via IP options processing -, but I haven't tested that. CVE-2022-48805 moderate In the Linux kernel, the following vulnerability has been resolved: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") revealed that ee1004_eeprom_read() did not properly limit how many bytes to read at once. In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the length to read as an u8. If count == 256 after taking into account the offset and page boundary, the cast to u8 overflows. And this is common when user space tries to read the entire EEPROM at once. To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows. CVE-2022-48806 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler Currently, the same handler is called for both a NETDEV_BONDING_INFO LAG unlink notification as for a NETDEV_UNREGISTER call. This is causing a problem though, since the netdev_notifier_info passed has a different structure depending on which event is passed. The problem manifests as a call trace from a BUG: KASAN stack-out-of-bounds error. Fix this by creating a handler specific to NETDEV_UNREGISTER that only is passed valid elements in the netdev_notifier_info struct for the NETDEV_UNREGISTER event. Also included is the removal of an unbalanced dev_put on the peer_netdev and related braces. CVE-2022-48807 important In the Linux kernel, the following vulnerability has been resolved: ibmvnic: don't release napi in __ibmvnic_open() If __ibmvnic_open() encounters an error such as when setting link state, it calls release_resources() which frees the napi structures needlessly. Instead, have __ibmvnic_open() only clean up the work it did so far (i.e. disable napi and irqs) and leave the rest to the callers. If caller of __ibmvnic_open() is ibmvnic_open(), it should release the resources immediately. If the caller is do_reset() or do_hard_reset(), they will release the resources on the next reset. This fixes following crash that occurred when running the drmgr command several times to add/remove a vnic interface: [102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq [102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq [102056] ibmvnic 30000003 env3: Replenished 8 pools Kernel attempted to read user page (10) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000010 Faulting instruction address: 0xc000000000a3c840 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries ... CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1 Workqueue: events_long __ibmvnic_reset [ibmvnic] NIP: c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820 REGS: c0000000548e37e0 TRAP: 0300 Not tainted (5.16.0-rc5-autotest-g6441998e2e37) MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28248484 XER: 00000004 CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0 GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000 ... NIP [c000000000a3c840] napi_enable+0x20/0xc0 LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic] Call Trace: [c0000000548e3a80] [0000000000000006] 0x6 (unreliable) [c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic] [c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic] [c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570 [c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660 [c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0 [c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010 38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020 ---[ end trace 5f8033b08fd27706 ]--- CVE-2022-48811 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: lantiq_gswip: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The GSWIP switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the GSWIP switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The gswip driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus. CVE-2022-48812 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: felix: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Felix VSC9959 switch is a PCI device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the felix switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The felix driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc_size() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus. CVE-2022-48813 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: seville: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Seville VSC9959 switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the seville switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The seville driver has a code structure that could accommodate both the mdiobus_unregister and mdiobus_free calls, but it has an external dependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls devm_mdiobus_alloc_size() on its behalf. So rather than restructuring that, and exporting yet one more symbol mscc_miim_teardown(), let's work with devres and replace of_mdiobus_register with the devres variant. When we use all-devres, we can ensure that devres doesn't free a still-registered bus (it either runs both callbacks, or none). CVE-2022-48814 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: bcm_sf2: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Starfighter 2 is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the bcm_sf2 switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The bcm_sf2 driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus. CVE-2022-48815 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: lock against ->sock changing during sysfs read ->sock can be set to NULL asynchronously unless ->recv_mutex is held. So it is important to hold that mutex. Otherwise a sysfs read can trigger an oops. Commit 17f09d3f619a ("SUNRPC: Check if the xprt is connected before handling sysfs reads") appears to attempt to fix this problem, but it only narrows the race window. CVE-2022-48816 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: ar9331: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The ar9331 is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the ar9331 switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The ar9331 driver doesn't have a complex code structure for mdiobus removal, so just replace of_mdiobus_register with the devres variant in order to be all-devres and ensure that we don't free a still-registered bus. CVE-2022-48817 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The mv88e6xxx is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the Marvell switch driver on shutdown. systemd-shutdown[1]: Powering off. mv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down fsl-mc dpbp.9: Removing from iommu group 7 fsl-mc dpbp.8: Removing from iommu group 7 ------------[ cut here ]------------ kernel BUG at drivers/net/phy/mdio_bus.c:677! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15 pc : mdiobus_free+0x44/0x50 lr : devm_mdiobus_free+0x10/0x20 Call trace: mdiobus_free+0x44/0x50 devm_mdiobus_free+0x10/0x20 devres_release_all+0xa0/0x100 __device_release_driver+0x190/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x4c/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x94/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_device_remove+0x24/0x40 __fsl_mc_device_remove+0xc/0x20 device_for_each_child+0x58/0xa0 dprc_remove+0x90/0xb0 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_bus_remove+0x80/0x100 fsl_mc_bus_shutdown+0xc/0x1c platform_shutdown+0x20/0x30 device_shutdown+0x154/0x330 kernel_power_off+0x34/0x6c __do_sys_reboot+0x15c/0x250 __arm64_sys_reboot+0x20/0x30 invoke_syscall.constprop.0+0x4c/0xe0 do_el0_svc+0x4c/0x150 el0_svc+0x24/0xb0 el0t_64_sync_handler+0xa8/0xb0 el0t_64_sync+0x178/0x17c So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The Marvell driver already has a good structure for mdiobus removal, so just plug in mdiobus_free and get rid of devres. CVE-2022-48818 moderate In the Linux kernel, the following vulnerability has been resolved: phy: stm32: fix a refcount leak in stm32_usbphyc_pll_enable() This error path needs to decrement "usbphyc->n_pll_cons.counter" before returning. CVE-2022-48820 moderate In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: avoid double fput() on failed usercopy If the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact, dma_buf_fd() called fd_install() before, i.e. "consumed" one reference, leaving us with none. Calling dma_buf_put() will therefore put a reference we no longer own, leading to a valid file descritor table entry for an already released 'file' object which is a straight use-after-free. Simply avoid calling dma_buf_put() and rely on the process exit code to do the necessary cleanup, if needed, i.e. if the file descriptor is still valid. CVE-2022-48821 important In the Linux kernel, the following vulnerability has been resolved: usb: f_fs: Fix use-after-free for epfile Consider a case where ffs_func_eps_disable is called from ffs_func_disable as part of composition switch and at the same time ffs_epfile_release get called from userspace. ffs_epfile_release will free up the read buffer and call ffs_data_closed which in turn destroys ffs->epfiles and mark it as NULL. While this was happening the driver has already initialized the local epfile in ffs_func_eps_disable which is now freed and waiting to acquire the spinlock. Once spinlock is acquired the driver proceeds with the stale value of epfile and tries to free the already freed read buffer causing use-after-free. Following is the illustration of the race: CPU1 CPU2 ffs_func_eps_disable epfiles (local copy) ffs_epfile_release ffs_data_closed if (last file closed) ffs_data_reset ffs_data_clear ffs_epfiles_destroy spin_lock dereference epfiles Fix this races by taking epfiles local copy & assigning it under spinlock and if epfiles(local) is null then update it in ffs->epfiles then finally destroy it. Extending the scope further from the race, protecting the ep related structures, and concurrent accesses. CVE-2022-48822 important In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix refcount issue when LOGO is received during TMF Hung task call trace was seen during LOGO processing. [ 974.309060] [0000:00:00.0]:[qedf_eh_device_reset:868]: 1:0:2:0: LUN RESET Issued... [ 974.309065] [0000:00:00.0]:[qedf_initiate_tmf:2422]: tm_flags 0x10 sc_cmd 00000000c16b930f op = 0x2a target_id = 0x2 lun=0 [ 974.309178] [0000:00:00.0]:[qedf_initiate_tmf:2431]: portid=016900 tm_flags =LUN RESET [ 974.309222] [0000:00:00.0]:[qedf_initiate_tmf:2438]: orig io_req = 00000000ec78df8f xid = 0x180 ref_cnt = 1. [ 974.309625] host1: rport 016900: Received LOGO request while in state Ready [ 974.309627] host1: rport 016900: Delete port [ 974.309642] host1: rport 016900: work event 3 [ 974.309644] host1: rport 016900: lld callback ev 3 [ 974.313243] [0000:61:00.2]:[qedf_execute_tmf:2383]:1: fcport is uploading, not executing flush. [ 974.313295] [0000:61:00.2]:[qedf_execute_tmf:2400]:1: task mgmt command success... [ 984.031088] INFO: task jbd2/dm-15-8:7645 blocked for more than 120 seconds. [ 984.031136] Not tainted 4.18.0-305.el8.x86_64 #1 [ 984.031166] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 984.031209] jbd2/dm-15-8 D 0 7645 2 0x80004080 [ 984.031212] Call Trace: [ 984.031222] __schedule+0x2c4/0x700 [ 984.031230] ? unfreeze_partials.isra.83+0x16e/0x1a0 [ 984.031233] ? bit_wait_timeout+0x90/0x90 [ 984.031235] schedule+0x38/0xa0 [ 984.031238] io_schedule+0x12/0x40 [ 984.031240] bit_wait_io+0xd/0x50 [ 984.031243] __wait_on_bit+0x6c/0x80 [ 984.031248] ? free_buffer_head+0x21/0x50 [ 984.031251] out_of_line_wait_on_bit+0x91/0xb0 [ 984.031257] ? init_wait_var_entry+0x50/0x50 [ 984.031268] jbd2_journal_commit_transaction+0x112e/0x19f0 [jbd2] [ 984.031280] kjournald2+0xbd/0x270 [jbd2] [ 984.031284] ? finish_wait+0x80/0x80 [ 984.031291] ? commit_timeout+0x10/0x10 [jbd2] [ 984.031294] kthread+0x116/0x130 [ 984.031300] ? kthread_flush_work_fn+0x10/0x10 [ 984.031305] ret_from_fork+0x1f/0x40 There was a ref count issue when LOGO is received during TMF. This leads to one of the I/Os hanging with the driver. Fix the ref count. CVE-2022-48823 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: myrs: Fix crash in error case In myrs_detect(), cs->disable_intr is NULL when privdata->hw_init() fails with non-zero. In this case, myrs_cleanup(cs) will call a NULL ptr and crash the kernel. [ 1.105606] myrs 0000:00:03.0: Unknown Initialization Error 5A [ 1.105872] myrs 0000:00:03.0: Failed to initialize Controller [ 1.106082] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1.110774] Call Trace: [ 1.110950] myrs_cleanup+0xe4/0x150 [myrs] [ 1.111135] myrs_probe.cold+0x91/0x56a [myrs] [ 1.111302] ? DAC960_GEM_intr_handler+0x1f0/0x1f0 [myrs] [ 1.111500] local_pci_probe+0x48/0x90 CVE-2022-48824 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Add stag_work to all the vports Call trace seen when creating NPIV ports, only 32 out of 64 show online. stag work was not initialized for vport, hence initialize the stag work. WARNING: CPU: 8 PID: 645 at kernel/workqueue.c:1635 __queue_delayed_work+0x68/0x80 CPU: 8 PID: 645 Comm: kworker/8:1 Kdump: loaded Tainted: G IOE --------- -- 4.18.0-348.el8.x86_64 #1 Hardware name: Dell Inc. PowerEdge MX740c/0177V9, BIOS 2.12.2 07/09/2021 Workqueue: events fc_lport_timeout [libfc] RIP: 0010:__queue_delayed_work+0x68/0x80 Code: 89 b2 88 00 00 00 44 89 82 90 00 00 00 48 01 c8 48 89 42 50 41 81 f8 00 20 00 00 75 1d e9 60 24 07 00 44 89 c7 e9 98 f6 ff ff <0f> 0b eb c5 0f 0b eb a1 0f 0b eb a7 0f 0b eb ac 44 89 c6 e9 40 23 RSP: 0018:ffffae514bc3be40 EFLAGS: 00010006 RAX: ffff8d25d6143750 RBX: 0000000000000202 RCX: 0000000000000002 RDX: ffff8d2e31383748 RSI: ffff8d25c000d600 RDI: ffff8d2e31383788 RBP: ffff8d2e31380de0 R08: 0000000000002000 R09: ffff8d2e31383750 R10: ffffffffc0c957e0 R11: ffff8d2624800000 R12: ffff8d2e31380a58 R13: ffff8d2d915eb000 R14: ffff8d25c499b5c0 R15: ffff8d2e31380e18 FS: 0000000000000000(0000) GS:ffff8d2d1fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055fd0484b8b8 CR3: 00000008ffc10006 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: queue_delayed_work_on+0x36/0x40 qedf_elsct_send+0x57/0x60 [qedf] fc_lport_enter_flogi+0x90/0xc0 [libfc] fc_lport_timeout+0xb7/0x140 [libfc] process_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x35/0x40 ---[ end trace 008f00f722f2c2ff ]-- Initialize stag work for all the vports. CVE-2022-48825 low In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix deadlock on DSI device attach error DSI device attach to DSI host will be done with host device's lock held. Un-registering host in "device attach" error path (ex: probe retry) will result in deadlock with below call trace and non operational DSI display. Startup Call trace: [ 35.043036] rt_mutex_slowlock.constprop.21+0x184/0x1b8 [ 35.043048] mutex_lock_nested+0x7c/0xc8 [ 35.043060] device_del+0x4c/0x3e8 [ 35.043075] device_unregister+0x20/0x40 [ 35.043082] mipi_dsi_remove_device_fn+0x18/0x28 [ 35.043093] device_for_each_child+0x68/0xb0 [ 35.043105] mipi_dsi_host_unregister+0x40/0x90 [ 35.043115] vc4_dsi_host_attach+0xf0/0x120 [vc4] [ 35.043199] mipi_dsi_attach+0x30/0x48 [ 35.043209] tc358762_probe+0x128/0x164 [tc358762] [ 35.043225] mipi_dsi_drv_probe+0x28/0x38 [ 35.043234] really_probe+0xc0/0x318 [ 35.043244] __driver_probe_device+0x80/0xe8 [ 35.043254] driver_probe_device+0xb8/0x118 [ 35.043263] __device_attach_driver+0x98/0xe8 [ 35.043273] bus_for_each_drv+0x84/0xd8 [ 35.043281] __device_attach+0xf0/0x150 [ 35.043290] device_initial_probe+0x1c/0x28 [ 35.043300] bus_probe_device+0xa4/0xb0 [ 35.043308] deferred_probe_work_func+0xa0/0xe0 [ 35.043318] process_one_work+0x254/0x700 [ 35.043330] worker_thread+0x4c/0x448 [ 35.043339] kthread+0x19c/0x1a8 [ 35.043348] ret_from_fork+0x10/0x20 Shutdown Call trace: [ 365.565417] Call trace: [ 365.565423] __switch_to+0x148/0x200 [ 365.565452] __schedule+0x340/0x9c8 [ 365.565467] schedule+0x48/0x110 [ 365.565479] schedule_timeout+0x3b0/0x448 [ 365.565496] wait_for_completion+0xac/0x138 [ 365.565509] __flush_work+0x218/0x4e0 [ 365.565523] flush_work+0x1c/0x28 [ 365.565536] wait_for_device_probe+0x68/0x158 [ 365.565550] device_shutdown+0x24/0x348 [ 365.565561] kernel_restart_prepare+0x40/0x50 [ 365.565578] kernel_restart+0x20/0x70 [ 365.565591] __do_sys_reboot+0x10c/0x220 [ 365.565605] __arm64_sys_reboot+0x2c/0x38 [ 365.565619] invoke_syscall+0x4c/0x110 [ 365.565634] el0_svc_common.constprop.3+0xfc/0x120 [ 365.565648] do_el0_svc+0x2c/0x90 [ 365.565661] el0_svc+0x4c/0xf0 [ 365.565671] el0t_64_sync_handler+0x90/0xb8 [ 365.565682] el0t_64_sync+0x180/0x184 CVE-2022-48826 moderate In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix the behavior of READ near OFFSET_MAX Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to > the RPC read layers") on the client, a read of 0xfff is aligned up > to server rsize of 0x1000. > > As a result, in a test where the server has a file of size > 0x7fffffffffffffff, and the client tries to read from the offset > 0x7ffffffffffff000, the read causes loff_t overflow in the server > and it returns an NFS code of EINVAL to the client. The client as > a result indefinitely retries the request. The Linux NFS client does not handle NFS?ERR_INVAL, even though all NFS specifications permit servers to return that status code for a READ. Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed and return a short result. Set the EOF flag in the result to prevent the client from retrying the READ request. This behavior appears to be consistent with Solaris NFS servers. Note that NFSv3 and NFSv4 use u64 offset values on the wire. These must be converted to loff_t internally before use -- an implicit type cast is not adequate for this purpose. Otherwise VFS checks against sb->s_maxbytes do not work properly. CVE-2022-48827 moderate In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix ia_size underflow iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr(). CVE-2022-48828 moderate In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes iattr::ia_size is a loff_t, so these NFSv3 procedures must be careful to deal with incoming client size values that are larger than s64_max without corrupting the value. Silently capping the value results in storing a different value than the client passed in which is unexpected behavior, so remove the min_t() check in decode_sattr3(). Note that RFC 1813 permits only the WRITE procedure to return NFS3ERR_FBIG. We believe that NFSv3 reference implementations also return NFS3ERR_FBIG when ia_size is too large. CVE-2022-48829 moderate In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix potential CAN frame reception race in isotp_rcv() When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage. Ziyang Xuan writes: The following syz problem is one of the scenarios. so->rx.len is changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals 0 before alloc_skb() and equals 4096 after alloc_skb(). That will trigger skb_over_panic() in skb_put(). ======================================================= CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 Call Trace: <TASK> skb_over_panic net/core/skbuff.c:118 [inline] skb_put.cold+0x24/0x24 net/core/skbuff.c:1990 isotp_rcv_cf net/can/isotp.c:570 [inline] isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 deliver net/can/af_can.c:574 [inline] can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 can_receive+0x31d/0x580 net/can/af_can.c:665 can_rcv+0x120/0x1c0 net/can/af_can.c:696 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579 Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spin_lock in isotp_rcv(). This fixes the issue reported by syzkaller but does not affect real world operation. CVE-2022-48830 moderate In the Linux kernel, the following vulnerability has been resolved: ima: fix reference leak in asymmetric_verify() Don't leak a reference to the key if its algorithm is unknown. CVE-2022-48831 moderate In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Call Trace: <TASK> usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline] The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for all of its transfers, whether they are in or out. It's easy to fix. CVE-2022-48834 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Page fault in reply q processing A page fault was encountered in mpt3sas on a LUN reset error path: [ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0) [ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2) [ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2) [ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00 [ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0) [ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0) [ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002) [ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d [ 149.885617] #PF: supervisor read access in kernel mode [ 149.894346] #PF: error_code(0x0000) - not-present page [ 149.903123] PGD 0 P4D 0 [ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1 [ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021 [ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas] [ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee [ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246 [ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071 [ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8 [ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff [ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000 [ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80 [ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000 [ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0 [ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 150.108323] PKRU: 55555554 [ 150.114690] Call Trace: [ 150.120497] ? printk+0x48/0x4a [ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas] [ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas] [ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas] [ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod] [ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod] [ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] [ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60 [ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] [ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod] [ 150.203206] ? __schedule+0x1e9/0x610 [ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod] [ 150.217924] kthread+0x12e/0x150 [ 150.224041] ? kthread_worker_fn+0x130/0x130 [ 150.231206] ret_from_fork+0x1f/0x30 This is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q pointer outside of the list_for_each_entry() loop. At the end of the full list traversal the pointer is invalid. Move the _base_process_reply_queue() call inside of the loop. CVE-2022-48835 moderate In the Linux kernel, the following vulnerability has been resolved: Input: aiptek - properly check endpoint type Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint. Fix it by replacing old desc.bNumEndpoints check with usb_find_common_endpoints() helper for finding endpoints Fail log: usb 5-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: usb_hub_wq hub_event ... Call Trace: <TASK> aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 input_open_device+0x1bb/0x320 drivers/input/input.c:629 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 CVE-2022-48836 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: prevent integer overflow in rndis_set_response() If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. CVE-2022-48837 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320 Read of size 8 at addr ffff88802b934098 by task udevd/3689 CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 dev_uevent+0x712/0x780 drivers/base/core.c:2320 uevent_show+0x1b8/0x380 drivers/base/core.c:2391 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 Although the bug manifested in the driver core, the real cause was a race with the gadget core. dev_uevent() does: if (dev->driver) add_uevent_var(env, "DRIVER=%s", dev->driver->name); and between the test and the dereference of dev->driver, the gadget core sets dev->driver to NULL. The race wouldn't occur if the gadget core registered its devices on a real bus, using the standard synchronization techniques of the driver core. However, it's not necessary to make such a large change in order to fix this bug; all we need to do is make sure that udc->dev.driver is always NULL. In fact, there is no reason for udc->dev.driver ever to be set to anything, let alone to the value it currently gets: the address of the gadget's driver. After all, a gadget driver only knows how to manage a gadget, not how to manage a UDC. This patch simply removes the statements in the gadget core that touch udc->dev.driver. CVE-2022-48838 moderate In the Linux kernel, the following vulnerability has been resolved: iavf: Fix hang during reboot/shutdown Recent commit 974578017fc1 ("iavf: Add waiting so the port is initialized in remove") adds a wait-loop at the beginning of iavf_remove() to ensure that port initialization is finished prior unregistering net device. This causes a regression in reboot/shutdown scenario because in this case callback iavf_shutdown() is called and this callback detaches the device, makes it down if it is running and sets its state to __IAVF_REMOVE. Later shutdown callback of associated PF driver (e.g. ice_shutdown) is called. That callback calls among other things sriov_disable() that calls indirectly iavf_remove() (see stack trace below). As the adapter state is already __IAVF_REMOVE then the mentioned loop is end-less and shutdown process hangs. The patch fixes this by checking adapter's state at the beginning of iavf_remove() and skips the rest of the function if the adapter is already in remove state (shutdown is in progress). Reproducer: 1. Create VF on PF driven by ice or i40e driver 2. Ensure that the VF is bound to iavf driver 3. Reboot [52625.981294] sysrq: SysRq : Show Blocked State [52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2 [52625.996732] Call Trace: [52625.999187] __schedule+0x2d1/0x830 [52626.007400] schedule+0x35/0xa0 [52626.010545] schedule_hrtimeout_range_clock+0x83/0x100 [52626.020046] usleep_range+0x5b/0x80 [52626.023540] iavf_remove+0x63/0x5b0 [iavf] [52626.027645] pci_device_remove+0x3b/0xc0 [52626.031572] device_release_driver_internal+0x103/0x1f0 [52626.036805] pci_stop_bus_device+0x72/0xa0 [52626.040904] pci_stop_and_remove_bus_device+0xe/0x20 [52626.045870] pci_iov_remove_virtfn+0xba/0x120 [52626.050232] sriov_disable+0x2f/0xe0 [52626.053813] ice_free_vfs+0x7c/0x340 [ice] [52626.057946] ice_remove+0x220/0x240 [ice] [52626.061967] ice_shutdown+0x16/0x50 [ice] [52626.065987] pci_device_shutdown+0x34/0x60 [52626.070086] device_shutdown+0x165/0x1c5 [52626.074011] kernel_restart+0xe/0x30 [52626.077593] __do_sys_reboot+0x1d2/0x210 [52626.093815] do_syscall_64+0x5b/0x1a0 [52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca CVE-2022-48840 moderate In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL pointer dereference in ice_update_vsi_tx_ring_stats() It is possible to do NULL pointer dereference in routine that updates Tx ring stats. Currently only stats and bytes are updated when ring pointer is valid, but later on ring is accessed to propagate gathered Tx stats onto VSI stats. Change the existing logic to move to next ring when ring is NULL. CVE-2022-48841 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Fix race condition during interface enslave Commit 5dbbbd01cbba83 ("ice: Avoid RTNL lock when re-creating auxiliary device") changes a process of re-creation of aux device so ice_plug_aux_dev() is called from ice_service_task() context. This unfortunately opens a race window that can result in dead-lock when interface has left LAG and immediately enters LAG again. Reproducer: ``` #!/bin/sh ip link add lag0 type bond mode 1 miimon 100 ip link set lag0 for n in {1..10}; do echo Cycle: $n ip link set ens7f0 master lag0 sleep 1 ip link set ens7f0 nomaster done ``` This results in: [20976.208697] Workqueue: ice ice_service_task [ice] [20976.213422] Call Trace: [20976.215871] __schedule+0x2d1/0x830 [20976.219364] schedule+0x35/0xa0 [20976.222510] schedule_preempt_disabled+0xa/0x10 [20976.227043] __mutex_lock.isra.7+0x310/0x420 [20976.235071] enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core] [20976.251215] ib_enum_roce_netdev+0xa4/0xe0 [ib_core] [20976.256192] ib_cache_setup_one+0x33/0xa0 [ib_core] [20976.261079] ib_register_device+0x40d/0x580 [ib_core] [20976.266139] irdma_ib_register_device+0x129/0x250 [irdma] [20976.281409] irdma_probe+0x2c1/0x360 [irdma] [20976.285691] auxiliary_bus_probe+0x45/0x70 [20976.289790] really_probe+0x1f2/0x480 [20976.298509] driver_probe_device+0x49/0xc0 [20976.302609] bus_for_each_drv+0x79/0xc0 [20976.306448] __device_attach+0xdc/0x160 [20976.310286] bus_probe_device+0x9d/0xb0 [20976.314128] device_add+0x43c/0x890 [20976.321287] __auxiliary_device_add+0x43/0x60 [20976.325644] ice_plug_aux_dev+0xb2/0x100 [ice] [20976.330109] ice_service_task+0xd0c/0xed0 [ice] [20976.342591] process_one_work+0x1a7/0x360 [20976.350536] worker_thread+0x30/0x390 [20976.358128] kthread+0x10a/0x120 [20976.365547] ret_from_fork+0x1f/0x40 ... [20976.438030] task:ip state:D stack: 0 pid:213658 ppid:213627 flags:0x00004084 [20976.446469] Call Trace: [20976.448921] __schedule+0x2d1/0x830 [20976.452414] schedule+0x35/0xa0 [20976.455559] schedule_preempt_disabled+0xa/0x10 [20976.460090] __mutex_lock.isra.7+0x310/0x420 [20976.464364] device_del+0x36/0x3c0 [20976.467772] ice_unplug_aux_dev+0x1a/0x40 [ice] [20976.472313] ice_lag_event_handler+0x2a2/0x520 [ice] [20976.477288] notifier_call_chain+0x47/0x70 [20976.481386] __netdev_upper_dev_link+0x18b/0x280 [20976.489845] bond_enslave+0xe05/0x1790 [bonding] [20976.494475] do_setlink+0x336/0xf50 [20976.502517] __rtnl_newlink+0x529/0x8b0 [20976.543441] rtnl_newlink+0x43/0x60 [20976.546934] rtnetlink_rcv_msg+0x2b1/0x360 [20976.559238] netlink_rcv_skb+0x4c/0x120 [20976.563079] netlink_unicast+0x196/0x230 [20976.567005] netlink_sendmsg+0x204/0x3d0 [20976.570930] sock_sendmsg+0x4c/0x50 [20976.574423] ____sys_sendmsg+0x1eb/0x250 [20976.586807] ___sys_sendmsg+0x7c/0xc0 [20976.606353] __sys_sendmsg+0x57/0xa0 [20976.609930] do_syscall_64+0x5b/0x1a0 [20976.613598] entry_SYSCALL_64_after_hwframe+0x65/0xca 1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev() is called from ice_service_task() context, aux device is created and associated device->lock is taken. 2. Command 'ip link ... set master...' calls ice's notifier under RTNL lock and that notifier calls ice_unplug_aux_dev(). That function tries to take aux device->lock but this is already taken by ice_plug_aux_dev() in step 1 3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already taken in step 2 4. Dead-lock The patch fixes this issue by following changes: - Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev() call in ice_service_task() - The bit is checked in ice_clear_rdma_cap() and only if it is not set then ice_unplug_aux_dev() is called. If it is set (in other words plugging of aux device was requested and ice_plug_aux_dev() is potentially running) then the function only clears the ---truncated--- CVE-2022-48842 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vrr: Set VRR capable prop only if it is attached to connector VRR capable property is not attached by default to the connector It is attached only if VRR is supported. So if the driver tries to call drm core set prop function without it being attached that causes NULL dereference. CVE-2022-48843 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: bypass tiling flag check in virtual display case (v2) vkms leverages common amdgpu framebuffer creation, and also as it does not support FB modifier, there is no need to check tiling flags when initing framebuffer when virtual display is enabled. This can fix below calltrace: amdgpu 0000:00:08.0: GFX9+ requires FB check based on format modifier WARNING: CPU: 0 PID: 1023 at drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:1150 amdgpu_display_framebuffer_init+0x8e7/0xb40 [amdgpu] v2: check adev->enable_virtual_display instead as vkms can be enabled in bare metal as well. CVE-2022-48849 moderate In the Linux kernel, the following vulnerability has been resolved: staging: gdm724x: fix use after free in gdm_lte_rx() The netif_rx_ni() function frees the skb so we can't dereference it to save the skb->len. CVE-2022-48851 moderate In the Linux kernel, the following vulnerability has been resolved: gianfar: ethtool: Fix refcount leak in gfar_get_ts_info The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount. CVE-2022-48856 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: port100: fix use-after-free in port100_send_complete Syzbot reported UAF in port100_send_complete(). The root case is in missing usb_kill_urb() calls on error handling path of ->probe function. port100_send_complete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free Fail log: BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 ... Allocated by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 alloc_dr drivers/base/devres.c:116 [inline] devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 devm_kzalloc include/linux/device.h:209 [inline] port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 Freed by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] __cache_free mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 release_nodes+0x112/0x1a0 drivers/base/devres.c:501 devres_release_all+0x114/0x190 drivers/base/devres.c:530 really_probe+0x626/0xcc0 drivers/base/dd.c:670 CVE-2022-48857 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix a race on command flush flow Fix a refcount use after free warning due to a race on command entry. Such race occurs when one of the commands releases its last refcount and frees its index and entry while another process running command flush flow takes refcount to this command entry. The process which handles commands flush may see this command as needed to be flushed if the other process released its refcount but didn't release the index yet. Fix it by adding the needed spin lock. It fixes the following warning trace: refcount_t: addition on 0; use-after-free. WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 ... RIP: 0010:refcount_warn_saturate+0x80/0xe0 ... Call Trace: <TASK> mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] enter_error_state+0x44/0x80 [mlx5_core] mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] process_one_work+0x1be/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x141/0x160 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 </TASK> CVE-2022-48858 moderate In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr This node pointer is returned by of_find_compatible_node() with refcount incremented. Calling of_node_put() to aovid the refcount leak. CVE-2022-48859 moderate In the Linux kernel, the following vulnerability has been resolved: ethernet: Fix error handling in xemaclite_of_probe This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. As the remove function do. CVE-2022-48860 moderate In the Linux kernel, the following vulnerability has been resolved: vdpa: fix use-after-free on vp_vdpa_remove When vp_vdpa driver is unbind, vp_vdpa is freed in vdpa_unregister_device and then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove, triggering use-after-free. Call Trace of unbinding driver free vp_vdpa : do_syscall_64 vfs_write kernfs_fop_write_iter device_release_driver_internal pci_device_remove vp_vdpa_remove vdpa_unregister_device kobject_release device_release kfree Call Trace of dereference vp_vdpa->mdev.pci_dev: vp_modern_remove pci_release_selected_regions pci_release_region pci_resource_len pci_resource_end (dev)->resource[(bar)].end CVE-2022-48861 moderate In the Linux kernel, the following vulnerability has been resolved: vhost: fix hung thread due to erroneous iotlb entries In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when start is 0 and last is ULONG_MAX. One instance where it can happen is when userspace sends an IOTLB message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0, last = ULONG_MAX ends up in the iotlb. Next time a packet is sent, iotlb_access_ok() loops indefinitely due to that erroneous entry. Call Trace: <TASK> iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Reported by syzbot at: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 To fix this, do two things: 1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map a range with size 0. 2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] by splitting it into two entries. CVE-2022-48862 moderate In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE. CVE-2022-48863 moderate In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts Syzbot reported an slab-out-of-bounds Read in thrustmaster_probe() bug. The root case is in missing validation check of actual number of endpoints. Code should not blindly access usb_host_interface::endpoint array, since it may contain less endpoints than code expects. Fix it by adding missing validaion check and print an error if number of endpoints do not match expected number CVE-2022-48866 important In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Let probe fail when workqueue cannot be enabled The workqueue is enabled when the appropriate driver is loaded and disabled when the driver is removed. When the driver is removed it assumes that the workqueue was enabled successfully and proceeds to free allocations made during workqueue enabling. Failure during workqueue enabling does not prevent the driver from being loaded. This is because the error path within drv_enable_wq() returns success unless a second failure is encountered during the error path. By returning success it is possible to load the driver even if the workqueue cannot be enabled and allocations that do not exist are attempted to be freed during driver remove. Some examples of problematic flows: (a) idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq(): In above flow, if idxd_wq_request_irq() fails then idxd_wq_unmap_portal() is called on error exit path, but drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The driver is thus loaded successfully. idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal() Above flow on driver unload triggers the WARN in devm_iounmap() because the device resource has already been removed during error path of drv_enable_wq(). (b) idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq(): In above flow, if idxd_wq_request_irq() fails then idxd_wq_init_percpu_ref() is never called to initialize the percpu counter, yet the driver loads successfully because drv_enable_wq() returns 0. idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill(): Above flow on driver unload triggers a BUG when attempting to drop the initial ref of the uninitialized percpu ref: BUG: kernel NULL pointer dereference, address: 0000000000000010 Fix the drv_enable_wq() error path by returning the original error that indicates failure of workqueue enabling. This ensures that the probe fails when an error is encountered and the driver remove paths are only attempted when the workqueue was enabled successfully. CVE-2022-48868 moderate In the Linux kernel, the following vulnerability has been resolved: tty: fix possible null-ptr-defer in spk_ttyio_release Run the following tests on the qemu platform: syzkaller:~# modprobe speakup_audptr input: Speakup as /devices/virtual/input/input4 initialized device: /dev/synth, node (MAJOR 10, MINOR 125) speakup 3.1.6: initialized synth name on entry is: (null) synth probe spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned failed (errno -16), then remove the module, we will get a null-ptr-defer problem, as follow: syzkaller:~# modprobe -r speakup_audptr releasing synth audptr BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1 RIP: 0010:mutex_lock+0x14/0x30 Call Trace: <TASK> spk_ttyio_release+0x19/0x70 [speakup] synth_release.part.6+0xac/0xc0 [speakup] synth_remove+0x56/0x60 [speakup] __x64_sys_delete_module+0x156/0x250 ? fpregs_assert_state_consistent+0x1d/0x50 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> Modules linked in: speakup_audptr(-) speakup Dumping ftrace buffer: in_synth->dev was not initialized during modprobe, so we add check for in_synth->dev to fix this bug. CVE-2022-48870 moderate In the Linux kernel, the following vulnerability has been resolved: tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on default RX FIFO depth, e.g. 16. Later during serial startup the qcom_geni_serial_port_setup() updates the RX FIFO depth (port->rx_fifo_depth) to match real device capabilities, e.g. to 32. The RX UART handle code will read "port->rx_fifo_depth" number of words into "port->rx_fifo" buffer, thus exceeding the bounds. This can be observed in certain configurations with Qualcomm Bluetooth HCI UART device and KASAN: Bluetooth: hci0: QCA Product ID :0x00000010 Bluetooth: hci0: QCA SOC Version :0x400a0200 Bluetooth: hci0: QCA ROM Version :0x00000200 Bluetooth: hci0: QCA Patch Version:0x00000d2b Bluetooth: hci0: QCA controller version 0x02000200 Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2 Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2) Bluetooth: hci0: QCA Failed to download patch (-2) ================================================================== BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c Write of size 4 at addr ffff279347d578c0 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 show_stack+0x18/0x40 dump_stack_lvl+0x8c/0xb8 print_report+0x188/0x488 kasan_report+0xb4/0x100 __asan_store4+0x80/0xa4 handle_rx_uart+0xa8/0x18c qcom_geni_serial_handle_rx+0x84/0x9c qcom_geni_serial_isr+0x24c/0x760 __handle_irq_event_percpu+0x108/0x500 handle_irq_event+0x6c/0x110 handle_fasteoi_irq+0x138/0x2cc generic_handle_domain_irq+0x48/0x64 If the RX FIFO depth changes after probe, be sure to resize the buffer. CVE-2022-48871 moderate In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix use-after-free race condition for maps It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted. Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted. Fixes this warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate ... Call trace: refcount_warn_saturate [fastrpc_map_get inlined] [fastrpc_map_lookup inlined] fastrpc_map_create fastrpc_internal_invoke fastrpc_device_ioctl __arm64_sys_ioctl invoke_syscall CVE-2022-48872 moderate In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Don't remove map on creater_process and device_release Do not remove the map from the list on error path in fastrpc_init_create_process, instead call fastrpc_map_put, to avoid use-after-free. Do not remove it on fastrpc_device_release either, call fastrpc_map_put instead. The fastrpc_free_map is the only proper place to remove the map. This is called only after the reference count is 0. CVE-2022-48873 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: sdata can be NULL during AMPDU start ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a deauthentication is ongoing. Here a trace triggering the race with the hostapd test multi_ap_fronthaul_on_ap: (gdb) list *drv_ampdu_action+0x46 0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396). 391 int ret = -EOPNOTSUPP; 392 393 might_sleep(); 394 395 sdata = get_bss_sdata(sdata); 396 if (!check_sdata_in_driver(sdata)) 397 return -EIO; 398 399 trace_drv_ampdu_action(local, sdata, params); 400 wlan0: moving STA 02:00:00:00:03:00 to state 3 wlan0: associated wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING) wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0 wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port) wlan0: moving STA 02:00:00:00:03:00 to state 2 wlan0: moving STA 02:00:00:00:03:00 to state 1 wlan0: Removed STA 02:00:00:00:03:00 wlan0: Destroyed STA 02:00:00:00:03:00 BUG: unable to handle page fault for address: fffffffffffffb48 PGD 11814067 P4D 11814067 PUD 11816067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 Workqueue: phy3 ieee80211_ba_session_work [mac80211] RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211] Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85 RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287 RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240 RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40 RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0 R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8 FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0 Call Trace: <TASK> ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211] ieee80211_ba_session_work+0xff/0x2e0 [mac80211] process_one_work+0x29f/0x620 worker_thread+0x4d/0x3d0 ? process_one_work+0x620/0x620 kthread+0xfb/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> CVE-2022-48875 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_qca: Fix driver shutdown on closed serdev The driver shutdown callback (which sends EDL_SOC_RESET to the device over serdev) should not be invoked when HCI device is not open (e.g. if hci_dev_open_sync() failed), because the serdev and its TTY are not open either. Also skip this step if device is powered off (qca_power_shutdown()). The shutdown callback causes use-after-free during system reboot with Qualcomm Atheros Bluetooth: Unable to handle kernel paging request at virtual address 0072662f67726fd7 ... CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W 6.1.0-rt5-00325-g8a5f56bcfcca #8 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: tty_driver_flush_buffer+0x4/0x30 serdev_device_write_flush+0x24/0x34 qca_serdev_shutdown+0x80/0x130 [hci_uart] device_shutdown+0x15c/0x260 kernel_restart+0x48/0xac KASAN report: BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50 Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1 CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dump_backtrace.part.0+0xdc/0xf0 show_stack+0x18/0x30 dump_stack_lvl+0x68/0x84 print_report+0x188/0x488 kasan_report+0xa4/0xf0 __asan_load8+0x80/0xac tty_driver_flush_buffer+0x1c/0x50 ttyport_write_flush+0x34/0x44 serdev_device_write_flush+0x48/0x60 qca_serdev_shutdown+0x124/0x274 device_shutdown+0x1e8/0x350 kernel_restart+0x48/0xb0 __do_sys_reboot+0x244/0x2d0 __arm64_sys_reboot+0x54/0x70 invoke_syscall+0x60/0x190 el0_svc_common.constprop.0+0x7c/0x160 do_el0_svc+0x44/0xf0 el0_svc+0x2c/0x6c el0t_64_sync_handler+0xbc/0x140 el0t_64_sync+0x190/0x194 CVE-2022-48878 moderate In the Linux kernel, the following vulnerability has been resolved: efi: fix NULL-deref in init error path In cases where runtime services are not supported or have been disabled, the runtime services workqueue will never have been allocated. Do not try to destroy the workqueue unconditionally in the unlikely event that EFI initialisation fails to avoid dereferencing a NULL pointer. CVE-2022-48879 moderate In the Linux kernel, the following vulnerability has been resolved: platform/surface: aggregator: Add missing call to ssam_request_sync_free() Although rare, ssam_request_sync_init() can fail. In that case, the request should be freed via ssam_request_sync_free(). Currently it is leaked instead. Fix this. CVE-2022-48880 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(), which in a confidential VM allocates swiotlb bounce buffers. If the I/O submission fails in storvsc_do_io(), the I/O is typically retried by higher level code, but the bounce buffer memory is never freed. The mostly like cause of I/O submission failure is a full VMBus channel ring buffer, which is not uncommon under high I/O loads. Eventually enough bounce buffer memory leaks that the confidential VM can't do any I/O. The same problem can arise in a non-confidential VM with kernel boot parameter swiotlb=force. Fix this by doing scsi_dma_unmap() in the case of an I/O submission error, which frees the bounce buffer memory. CVE-2022-48890 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: da9211: Use irq handler when ready If the system does not come from reset (like when it is kexec()), the regulator might have an IRQ waiting for us. If we enable the IRQ handler before its structures are ready, we crash. This patch fixes: [ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078 [ 1.316096] Call trace: [ 1.316101] blocking_notifier_call_chain+0x20/0xa8 [ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests [ 1.327823] regulator_notifier_call_chain+0x1c/0x2c [ 1.327825] da9211_irq_handler+0x68/0xf8 [ 1.327829] irq_thread+0x11c/0x234 [ 1.327833] kthread+0x13c/0x154 CVE-2022-48891 moderate In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix pci device refcount leak As the comment of pci_get_domain_bus_and_slot() says, it returns a PCI device with refcount incremented, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). In ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(), pci_dev_put() is called to avoid leak. CVE-2022-48896 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer There are 3 possible interrupt sources are handled by DP controller, HPDstatus, Controller state changes and Aux read/write transaction. At every irq, DP controller have to check isr status of every interrupt sources and service the interrupt if its isr status bits shows interrupts are pending. There is potential race condition may happen at current aux isr handler implementation since it is always complete dp_aux_cmd_fifo_tx() even irq is not for aux read or write transaction. This may cause aux read transaction return premature if host aux data read is in the middle of waiting for sink to complete transferring data to host while irq happen. This will cause host's receiving buffer contains unexpected data. This patch fixes this problem by checking aux isr and return immediately at aux isr handler if there are no any isr status bits set. Current there is a bug report regrading eDP edid corruption happen during system booting up. After lengthy debugging to found that VIDEO_READY interrupt was continuously firing during system booting up which cause dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data from aux hardware buffer which is not yet contains complete data transfer from sink. This cause edid corruption. Follows are the signature at kernel logs when problem happen, EDID has corrupt header panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID Changes in v2: -- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr() -- add more commit text Changes in v3: -- add Stephen suggested -- dp_aux_isr() return IRQ_XXX back to caller -- dp_ctrl_isr() return IRQ_XXX back to caller Changes in v4: -- split into two patches Changes in v5: -- delete empty line between tags Changes in v6: -- remove extra "that" and fixed line more than 75 char at commit text Patchwork: https://patchwork.freedesktop.org/patch/516121/ CVE-2022-48898 moderate In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Fix GEM handle creation UAF Userspace can guess the handle value and try to race GEM object creation with handle close, resulting in a use-after-free if we dereference the object after dropping the handle's reference. For that reason, dropping the handle's reference must be done *after* we are done dereferencing the object. CVE-2022-48899 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix relocation crash due to premature return from btrfs_commit_transaction() We are seeing crashes similar to the following trace: [38.969182] WARNING: CPU: 20 PID: 2105 at fs/btrfs/relocation.c:4070 btrfs_relocate_block_group+0x2dc/0x340 [btrfs] [38.973556] CPU: 20 PID: 2105 Comm: btrfs Not tainted 5.17.0-rc4 #54 [38.974580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs] [38.980336] RSP: 0000:ffffb0dd42e03c20 EFLAGS: 00010206 [38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14 [38.982560] RDX: 0000000000000000 RSI: 4cfd109a0bcb5d7f RDI: ffff96cfc3ce0360 [38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000 [38.984678] R10: ffff96cec0000001 R11: ffffe84c80000000 R12: ffff96cfc4ede800 [38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360 [38.987146] FS: 00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) knlGS:0000000000000000 [38.988662] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0 [38.990279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [38.991219] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [38.992528] Call Trace: [38.992854] <TASK> [38.993148] btrfs_relocate_chunk+0x27/0xe0 [btrfs] [38.993941] btrfs_balance+0x78e/0xea0 [btrfs] [38.994801] ? vsnprintf+0x33c/0x520 [38.995368] ? __kmalloc_track_caller+0x351/0x440 [38.996198] btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs] [38.997084] btrfs_ioctl+0x11b0/0x2da0 [btrfs] [38.997867] ? mod_objcg_state+0xee/0x340 [38.998552] ? seq_release+0x24/0x30 [38.999184] ? proc_nr_files+0x30/0x30 [38.999654] ? call_rcu+0xc8/0x2f0 [39.000228] ? __x64_sys_ioctl+0x84/0xc0 [39.000872] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs] [39.001973] __x64_sys_ioctl+0x84/0xc0 [39.002566] do_syscall_64+0x3a/0x80 [39.003011] entry_SYSCALL_64_after_hwframe+0x44/0xae [39.003735] RIP: 0033:0x7f11c166959b [39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b [39.009833] RDX: 00007fff2543ea40 RSI: 00000000c4009420 RDI: 0000000000000003 [39.011270] RBP: 0000000000000003 R08: 0000000000000013 R09: 00007f11c16f94e0 [39.012581] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff25440df3 [39.014046] R13: 0000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001 [39.015040] </TASK> [39.015418] ---[ end trace 0000000000000000 ]--- [43.131559] ------------[ cut here ]------------ [43.132234] kernel BUG at fs/btrfs/extent-tree.c:2717! [43.133031] invalid opcode: 0000 [#1] PREEMPT SMP PTI [43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: G W 5.17.0-rc4 #54 [43.134863] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs] [43.139913] RSP: 0000:ffffb0dd4216bc70 EFLAGS: 00010246 [43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001 [43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 RDI: 00000000ffffffff [43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50 [43.143669] R10: ffff96cfc46e8a00 R11: fffffffffffec000 R12: 0000000041d00000 [43.144657] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000 [43.145686] FS: 00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) knlGS:0000000000000000 [43.146808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43.147584] CR2: 00007f7fe81bf5b0 CR3: 00000001093ee004 CR4: 0000000000370ee0 [43.148589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [43.149581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000 ---truncated--- CVE-2022-48903 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix I/O page table memory leak The current logic updates the I/O page table mode for the domain before calling the logic to free memory used for the page table. This results in IOMMU page table memory leak, and can be observed when launching VM w/ pass-through devices. Fix by freeing the memory used for page table before updating the mode. CVE-2022-48904 moderate In the Linux kernel, the following vulnerability has been resolved: ibmvnic: free reset-work-item when flushing Fix a tiny memory leak when flushing the reset work queue. CVE-2022-48905 moderate In the Linux kernel, the following vulnerability has been resolved: auxdisplay: lcd2s: Fix memory leak in ->remove() Once allocated the struct lcd2s_data is never freed. Fix the memory leak by switching to devm_kzalloc(). CVE-2022-48907 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: fix connection leak There's a potential leak issue under following execution sequence : smc_release smc_connect_work if (sk->sk_state == SMC_INIT) send_clc_confirim tcp_abort(); ... sk.sk_state = SMC_ACTIVE smc_close_active switch(sk->sk_state) { ... case SMC_ACTIVE: smc_close_final() // then wait peer closed Unfortunately, tcp_abort() may discard CLC CONFIRM messages that are still in the tcp send buffer, in which case our connection token cannot be delivered to the server side, which means that we cannot get a passive close message at all. Therefore, it is impossible for the to be disconnected at all. This patch tries a very simple way to avoid this issue, once the state has changed to SMC_ACTIVE after tcp_abort(), we can actively abort the smc connection, considering that the state is SMC_INIT before tcp_abort(), abandoning the complete disconnection process should not cause too much problem. In fact, this problem may exist as long as the CLC CONFIRM message is not received by the server. Whether a timer should be added after smc_close_final() needs to be discussed in the future. But even so, this patch provides a faster release for connection in above case, it should also be valuable. CVE-2022-48909 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: fix possible use-after-free Eric Dumazet says: The sock_hold() side seems suspect, because there is no guarantee that sk_refcnt is not already 0. On failure, we cannot queue the packet and need to indicate an error. The packet will be dropped by the caller. v2: split skb prefetch hunk into separate change CVE-2022-48911 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: fix use-after-free in __nf_register_net_hook() We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already. BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline] BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline] BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438 Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430 CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline] hooks_validate net/netfilter/core.c:171 [inline] __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218 synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038 check_target net/ipv6/netfilter/ip6_tables.c:530 [inline] find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline] do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024 rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084 __sys_setsockopt+0x2db/0x610 net/socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [inline] __se_sys_setsockopt net/socket.c:2188 [inline] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f65a1ace7d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9 RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003 RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130 R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000 </TASK> The buggy address belongs to the page: page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 __alloc_pages_node include/linux/gfp.h:572 [inline] alloc_pages_node include/linux/gfp.h:595 [inline] kmalloc_large_node+0x62/0x130 mm/slub.c:4438 __kmalloc_node+0x35a/0x4a0 mm/slub. ---truncated--- CVE-2022-48912 moderate In the Linux kernel, the following vulnerability has been resolved: blktrace: fix use after free for struct blk_trace When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg': ================================================================== BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100 Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188 CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xab/0x381 ? blk_dropped_read+0x89/0x100 ? blk_dropped_read+0x89/0x100 kasan_report.cold+0x83/0xdf ? blk_dropped_read+0x89/0x100 kasan_check_range+0x140/0x1b0 blk_dropped_read+0x89/0x100 ? blk_create_buf_file_callback+0x20/0x20 ? kmem_cache_free+0xa1/0x500 ? do_sys_openat2+0x258/0x460 full_proxy_read+0x8f/0xc0 vfs_read+0xc6/0x260 ksys_read+0xb9/0x150 ? vfs_write+0x3d0/0x3d0 ? fpregs_assert_state_consistent+0x55/0x60 ? exit_to_user_mode_prepare+0x39/0x1e0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fbc080d92fd Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1 RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045 RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0 R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8 </TASK> Allocated by task 1050: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 do_blk_trace_setup+0xcb/0x410 __blk_trace_setup+0xac/0x130 blk_trace_ioctl+0xe9/0x1c0 blkdev_ioctl+0xf1/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 1050: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x103/0x180 kfree+0x9a/0x4c0 __blk_trace_remove+0x53/0x70 blk_trace_ioctl+0x199/0x1c0 blkdev_common_ioctl+0x5e9/0xb30 blkdev_ioctl+0x1a5/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88816912f380 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 88 bytes inside of 96-byte region [ffff88816912f380, ffff88816912f3e0) The buggy address belongs to the page: page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ================================================================== CVE-2022-48913 moderate In the Linux kernel, the following vulnerability has been resolved: xen/netfront: destroy queues before real_num_tx_queues is zeroed xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ("net-sysfs: update the queue counts in the unregistration path"), unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two facts together means, that xennet_destroy_queues() called from xennet_remove() cannot do its job, because it's called after unregister_netdev(). This results in kfree-ing queues that are still linked in napi, which ultimately crashes: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 52 Comm: xenwatch Tainted: G W 5.16.10-1.32.fc32.qubes.x86_64+ #226 RIP: 0010:free_netdev+0xa3/0x1a0 Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00 RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050 R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680 FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0 Call Trace: <TASK> xennet_remove+0x13d/0x300 [xen_netfront] xenbus_dev_remove+0x6d/0xf0 __device_release_driver+0x17a/0x240 device_release_driver+0x24/0x30 bus_remove_device+0xd8/0x140 device_del+0x18b/0x410 ? _raw_spin_unlock+0x16/0x30 ? klist_iter_exit+0x14/0x20 ? xenbus_dev_request_and_reply+0x80/0x80 device_unregister+0x13/0x60 xenbus_dev_changed+0x18e/0x1f0 xenwatch_thread+0xc0/0x1a0 ? do_wait_intr_irq+0xa0/0xa0 kthread+0x16b/0x190 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x22/0x30 </TASK> Fix this by calling xennet_destroy_queues() from xennet_uninit(), when real_num_tx_queues is still available. This ensures that queues are destroyed when real_num_tx_queues is set to 0, regardless of how unregister_netdev() was called. Originally reported at https://github.com/QubesOS/qubes-issues/issues/7257 CVE-2022-48914 moderate In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix TZ_GET_TRIP NULL pointer dereference Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if the thermal zone does not define one. CVE-2022-48915 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix double list_add when enabling VMD in scalable mode When enabling VMD and IOMMU scalable mode, the following kernel panic call trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids CPU) during booting: pci 0000:59:00.5: Adding to iommu group 42 ... vmd 0000:59:00.5: PCI host bridge to bus 10000:80 pci 10000:80:01.0: [8086:352a] type 01 class 0x060400 pci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit] pci 10000:80:01.0: enabling Extended Tags pci 10000:80:01.0: PME# supported from D0 D3hot D3cold pci 10000:80:01.0: DMAR: Setup RID2PASID failed pci 10000:80:01.0: Failed to add to iommu group 42: -16 pci 10000:80:03.0: [8086:352b] type 01 class 0x060400 pci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit] pci 10000:80:03.0: enabling Extended Tags pci 10000:80:03.0: PME# supported from D0 D3hot D3cold ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:29! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3+ #7 Hardware name: Lenovo ThinkSystem SR650V3/SB27A86647, BIOS ESE101Y-1.00 01/13/2022 Workqueue: events work_for_cpu_fn RIP: 0010:__list_add_valid.cold+0x26/0x3f Code: 9a 4a ab ff 4c 89 c1 48 c7 c7 40 0c d9 9e e8 b9 b1 fe ff 0f 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 f0 0c d9 9e e8 a2 b1 fe ff <0f> 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 98 0c d9 9e e8 8b b1 fe RSP: 0000:ff5ad434865b3a40 EFLAGS: 00010246 RAX: 0000000000000058 RBX: ff4d61160b74b880 RCX: ff4d61255e1fffa8 RDX: 0000000000000000 RSI: 00000000fffeffff RDI: ffffffff9fd34f20 RBP: ff4d611d8e245c00 R08: 0000000000000000 R09: ff5ad434865b3888 R10: ff5ad434865b3880 R11: ff4d61257fdc6fe8 R12: ff4d61160b74b8a0 R13: ff4d61160b74b8a0 R14: ff4d611d8e245c10 R15: ff4d611d8001ba70 FS: 0000000000000000(0000) GS:ff4d611d5ea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ff4d611fa1401000 CR3: 0000000aa0210001 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> intel_pasid_alloc_table+0x9c/0x1d0 dmar_insert_one_dev_info+0x423/0x540 ? device_to_iommu+0x12d/0x2f0 intel_iommu_attach_device+0x116/0x290 __iommu_attach_device+0x1a/0x90 iommu_group_add_device+0x190/0x2c0 __iommu_probe_device+0x13e/0x250 iommu_probe_device+0x24/0x150 iommu_bus_notifier+0x69/0x90 blocking_notifier_call_chain+0x5a/0x80 device_add+0x3db/0x7b0 ? arch_memremap_can_ram_remap+0x19/0x50 ? memremap+0x75/0x140 pci_device_add+0x193/0x1d0 pci_scan_single_device+0xb9/0xf0 pci_scan_slot+0x4c/0x110 pci_scan_child_bus_extend+0x3a/0x290 vmd_enable_domain.constprop.0+0x63e/0x820 vmd_probe+0x163/0x190 local_pci_probe+0x42/0x80 work_for_cpu_fn+0x13/0x20 process_one_work+0x1e2/0x3b0 worker_thread+0x1c4/0x3a0 ? rescuer_thread+0x370/0x370 kthread+0xc7/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- ... Kernel panic - not syncing: Fatal exception Kernel Offset: 0x1ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- The following 'lspci' output shows devices '10000:80:*' are subdevices of the VMD device 0000:59:00.5: $ lspci ... 0000:59:00.5 RAID bus controller: Intel Corporation Volume Management Device NVMe RAID Controller (rev 20) ... 10000:80:01.0 PCI bridge: Intel Corporation Device 352a (rev 03) 10000:80:03.0 PCI bridge: Intel Corporation Device 352b (rev 03) 10000:80:05.0 PCI bridge: Intel Corporation Device 352c (rev 03) 10000:80:07.0 PCI bridge: Intel Corporation Device 352d (rev 03) 10000:81:00.0 Non-Volatile memory controller: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller] 10000:82:00 ---truncated--- CVE-2022-48916 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2022-48917 moderate In the Linux kernel, the following vulnerability has been resolved: iwlwifi: mvm: check debugfs_dir ptr before use When "debugfs=off" is used on the kernel command line, iwiwifi's mvm module uses an invalid/unchecked debugfs_dir pointer and causes a BUG: BUG: kernel NULL pointer dereference, address: 000000000000004f #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 503 Comm: modprobe Tainted: G W 5.17.0-rc5 #7 Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021 RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm] Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73 RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246 RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328 RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620 R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000 R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320 FS: 00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm] iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm] iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm] _iwl_op_mode_start+0x6f/0xd0 [iwlwifi] iwl_opmode_register+0x6a/0xe0 [iwlwifi] ? 0xffffffffa0231000 iwl_mvm_init+0x35/0x1000 [iwlmvm] ? 0xffffffffa0231000 do_one_initcall+0x5a/0x1b0 ? kmem_cache_alloc+0x1e5/0x2f0 ? do_init_module+0x1e/0x220 do_init_module+0x48/0x220 load_module+0x2602/0x2bc0 ? __kernel_read+0x145/0x2e0 ? kernel_read_file+0x229/0x290 __do_sys_finit_module+0xc5/0x130 ? __do_sys_finit_module+0xc5/0x130 __x64_sys_finit_module+0x13/0x20 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f64dda564dd Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001 RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002 R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2 R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018 </TASK> Modules linked in: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev CR2: 000000000000004f ---[ end trace 0000000000000000 ]--- Check the debugfs_dir pointer for an error before using it. [change to make both conditional] CVE-2022-48918 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: fix double free race when mount fails in cifs_get_root() When cifs_get_root() fails during cifs_smb3_do_mount() we call deactivate_locked_super() which eventually will call delayed_free() which will free the context. In this situation we should not proceed to enter the out: section in cifs_smb3_do_mount() and free the same resources a second time. [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0 [Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 [Thu Feb 10 12:59:06 2022] Call Trace: [Thu Feb 10 12:59:06 2022] <IRQ> [Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78 [Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150 [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117 [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0 [Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0 [Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0 [Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20 [Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140 [Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10 [Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b [Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150 [Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30 [Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0 ... [Thu Feb 10 12:59:07 2022] Freed by task 58179: [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50 [Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30 [Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40 [Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170 [Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20 [Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0 [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520 [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140 [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae [Thu Feb 10 12:59:07 2022] Last potentially related work creation: [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50 [Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0 [Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10 [Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0 [Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0 [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140 [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2022-48919 moderate In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix fault in reweight_entity Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group") There is a race between sched_post_fork() and setpriority(PRIO_PGRP) within a thread group that causes a null-ptr-deref in reweight_entity() in CFS. The scenario is that the main process spawns number of new threads, which then call setpriority(PRIO_PGRP, 0, -20), wait, and exit. For each of the new threads the copy_process() gets invoked, which adds the new task_struct and calls sched_post_fork() for it. In the above scenario there is a possibility that setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread in the group that is just being created by copy_process(), and for which the sched_post_fork() has not been executed yet. This will trigger a null pointer dereference in reweight_entity(), as it will try to access the run queue pointer, which hasn't been set. Before the mentioned change the cfs_rq pointer for the task has been set in sched_fork(), which is called much earlier in copy_process(), before the new task is added to the thread_group. Now it is done in the sched_post_fork(), which is called after that. To fix the issue the remove the update_load param from the update_load param() function and call reweight_task() only if the task flag doesn't have the TASK_NEW flag set. CVE-2022-48921 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: prevent copying too big compressed lzo segment Compressed length can be corrupted to be a lot larger than memory we have allocated for buffer. This will cause memcpy in copy_compressed_segment to write outside of allocated memory. This mostly results in stuck read syscall but sometimes when using btrfs send can get #GP kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P OE 5.17.0-rc2-1 #12 kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs] kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs Code starting with the faulting instruction =========================================== 0:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction 3: 48 8d 79 08 lea 0x8(%rcx),%rdi 7: 48 83 e7 f8 and $0xfffffffffffffff8,%rdi b: 48 89 01 mov %rax,(%rcx) e: 44 89 f0 mov %r14d,%eax 11: 48 8b 54 06 f8 mov -0x8(%rsi,%rax,1),%rdx kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212 kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8 kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000 kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000 kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000 kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0 kernel: Call Trace: kernel: <TASK> kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312) kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455) kernel: ? process_one_work (kernel/workqueue.c:2397) kernel: kthread (kernel/kthread.c:377) kernel: ? kthread_complete_and_exit (kernel/kthread.c:332) kernel: ret_from_fork (arch/x86/entry/entry_64.S:301) kernel: </TASK> CVE-2022-48923 moderate In the Linux kernel, the following vulnerability has been resolved: thermal: int340x: fix memory leak in int3400_notify() It is easy to hit the below memory leaks in my TigerLake platform: unreferenced object 0xffff927c8b91dbc0 (size 32): comm "kworker/0:2", pid 112, jiffies 4294893323 (age 83.604s) hex dump (first 32 bytes): 4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65 NAME=INT3400 The 72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 rmal.kkkkkkkkkk. backtrace: [<ffffffff9c502c3e>] __kmalloc_track_caller+0x2fe/0x4a0 [<ffffffff9c7b7c15>] kvasprintf+0x65/0xd0 [<ffffffff9c7b7d6e>] kasprintf+0x4e/0x70 [<ffffffffc04cb662>] int3400_notify+0x82/0x120 [int3400_thermal] [<ffffffff9c8b7358>] acpi_ev_notify_dispatch+0x54/0x71 [<ffffffff9c88f1a7>] acpi_os_execute_deferred+0x17/0x30 [<ffffffff9c2c2c0a>] process_one_work+0x21a/0x3f0 [<ffffffff9c2c2e2a>] worker_thread+0x4a/0x3b0 [<ffffffff9c2cb4dd>] kthread+0xfd/0x130 [<ffffffff9c201c1f>] ret_from_fork+0x1f/0x30 Fix it by calling kfree() accordingly. CVE-2022-48924 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Do not change route.addr.src_addr outside state checks If the state is not idle then resolve_prepare_src() should immediately fail and no change to global state should happen. However, it unconditionally overwrites the src_addr trying to build a temporary any address. For instance if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation(): if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev) Which would manifest as this trace from syzkaller: BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26 Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204 CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 __list_add_valid+0x93/0xa0 lib/list_debug.c:26 __list_add include/linux/list.h:67 [inline] list_add_tail include/linux/list.h:100 [inline] cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline] rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751 ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102 ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xa30 fs/read_write.c:603 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae This is indicating that an rdma_id_private was destroyed without doing cma_cancel_listens(). Instead of trying to re-use the src_addr memory to indirectly create an any address derived from the dst build one explicitly on the stack and bind to that as any other normal flow would do. rdma_bind_addr() will copy it over the src_addr once it knows the state is valid. This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change route.addr.src_addr.ss_family") CVE-2022-48925 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: add spinlock for rndis response list There's no lock for rndis response list. It could cause list corruption if there're two different list_add at the same time like below. It's better to add in rndis_add_response / rndis_free_response / rndis_get_next_response to prevent any race condition on response list. [ 361.894299] [1: irq/191-dwc3:16979] list_add corruption. next->prev should be prev (ffffff80651764d0), but was ffffff883dc36f80. (next=ffffff80651764d0). [ 361.904380] [1: irq/191-dwc3:16979] Call trace: [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90 [ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0 [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84 [ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4 [ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60 [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0 [ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec [ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c CVE-2022-48926 moderate In the Linux kernel, the following vulnerability has been resolved: iio: adc: tsc2046: fix memory corruption by preventing array overflow On one side we have indio_dev->num_channels includes all physical channels + timestamp channel. On other side we have an array allocated only for physical channels. So, fix memory corruption by ARRAY_SIZE() instead of num_channels variable. Note the first case is a cleanup rather than a fix as the software timestamp channel bit in active_scanmask is never set by the IIO core. CVE-2022-48927 moderate In the Linux kernel, the following vulnerability has been resolved: iio: adc: men_z188_adc: Fix a resource leak in an error handling path If iio_device_register() fails, a previous ioremap() is left unbalanced. Update the error handling path and add the missing iounmap() call, as already done in the remove function. CVE-2022-48928 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/ib_srp: Fix a deadlock Remove the flush_workqueue(system_long_wq) call since flushing system_long_wq is deadlock-prone and since that call is redundant with a preceding cancel_work_sync() CVE-2022-48930 moderate In the Linux kernel, the following vulnerability has been resolved: configfs: fix a race in configfs_{,un}register_subsystem() When configfs_register_subsystem() or configfs_unregister_subsystem() is executing link_group() or unlink_group(), it is possible that two processes add or delete list concurrently. Some unfortunate interleavings of them can cause kernel panic. One of cases is: A --> B --> C --> D A <-- B <-- C <-- D delete list_head *B | delete list_head *C --------------------------------|----------------------------------- configfs_unregister_subsystem | configfs_unregister_subsystem unlink_group | unlink_group unlink_obj | unlink_obj list_del_init | list_del_init __list_del_entry | __list_del_entry __list_del | __list_del // next == C | next->prev = prev | | next->prev = prev prev->next = next | | // prev == B | prev->next = next Fix this by adding mutex when calling link_group() or unlink_group(), but parent configfs_subsystem is NULL when config_item is root. So I create a mutex configfs_subsystem_mutex. CVE-2022-48931 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DR, Fix slab-out-of-bounds in mlx5_cmd_dr_create_fte When adding a rule with 32 destinations, we hit the following out-of-band access issue: BUG: KASAN: slab-out-of-bounds in mlx5_cmd_dr_create_fte+0x18ee/0x1e70 This patch fixes the issue by both increasing the allocated buffers to accommodate for the needed actions and by checking the number of actions to prevent this issue when a rule with too many actions is provided. CVE-2022-48932 moderate In the Linux kernel, the following vulnerability has been resolved: nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() ida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX) inclusive. So NFP_MAX_MAC_INDEX (0xff) is a valid id. In order for the error handling path to work correctly, the 'invalid' value for 'ida_idx' should not be in the 0..NFP_MAX_MAC_INDEX range, inclusive. So set it to -1. CVE-2022-48934 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unregister flowtable hooks on netns exit Unregister flowtable hooks before they are releases via nf_tables_flowtable_destroy() otherwise hook core reports UAF. BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666 CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106 print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652 __nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nf_flow_table_free() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block. CVE-2022-48935 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: add a schedule point in io_add_buffers() Looping ~65535 times doing kmalloc() calls can trigger soft lockups, especially with DEBUG features (like KASAN). [ 253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575] [ 253.544433] Modules linked in: vfat fat i2c_mux_pca954x i2c_mux spidev cdc_acm xhci_pci xhci_hcd sha3_generic gq(O) [ 253.544451] CPU: 64 PID: 12575 Comm: b219417889 Tainted: G S O 5.17.0-smp-DEV #801 [ 253.544457] RIP: 0010:kernel_text_address (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98) [ 253.544464] Code: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40 [ 253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246 [ 253.544471] RAX: 1ffff1105b175e00 RBX: ffffffffa13ef09a RCX: 00000000a13ef001 [ 253.544474] RDX: ffffffffa13ef09a RSI: ffff8882d8baf558 RDI: ffffffffa13ef09a [ 253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 0000000000000004 [ 253.544479] R10: ffff8882d8baf5e8 R11: ffffffffa0d59a50 R12: ffff8882eab20380 [ 253.544481] R13: ffffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0 [ 253.544483] FS: 00000000016d3380(0000) GS:ffff88af48c00000(0000) knlGS:0000000000000000 [ 253.544486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 253.544488] CR2: 00000000004af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0 [ 253.544491] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 253.544492] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 253.544494] Call Trace: [ 253.544496] <TASK> [ 253.544498] ? io_queue_sqe (fs/io_uring.c:7143) [ 253.544505] __kernel_text_address (kernel/extable.c:78) [ 253.544508] unwind_get_return_address (arch/x86/kernel/unwind_frame.c:19) [ 253.544514] arch_stack_walk (arch/x86/kernel/stacktrace.c:27) [ 253.544517] ? io_queue_sqe (fs/io_uring.c:7143) [ 253.544521] stack_trace_save (kernel/stacktrace.c:123) [ 253.544527] ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) [ 253.544531] ? ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) [ 253.544533] ? __kasan_kmalloc (mm/kasan/common.c:524) [ 253.544535] ? kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567) [ 253.544541] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) [ 253.544544] ? __io_queue_sqe (fs/io_uring.c:?) [ 253.544551] __kasan_kmalloc (mm/kasan/common.c:524) [ 253.544553] kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567) [ 253.544556] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) [ 253.544560] io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) [ 253.544564] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) [ 253.544567] ? __kasan_slab_alloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) [ 253.544569] ? kmem_cache_alloc_bulk (mm/slab.h:732 mm/slab.c:3546) [ 253.544573] ? __io_alloc_req_refill (fs/io_uring.c:2078) [ 253.544578] ? io_submit_sqes (fs/io_uring.c:7441) [ 253.544581] ? __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096) [ 253.544584] ? __x64_sys_io_uring_enter (fs/io_uring.c:10096) [ 253.544587] ? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) [ 253.544590] ? entry_SYSCALL_64_after_hwframe (??:?) [ 253.544596] __io_queue_sqe (fs/io_uring.c:?) [ 253.544600] io_queue_sqe (fs/io_uring.c:7143) [ 253.544603] io_submit_sqe (fs/io_uring.c:?) [ 253.544608] io_submit_sqes (fs/io_uring.c:?) [ 253.544612] __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uri ---truncated--- CVE-2022-48937 moderate In the Linux kernel, the following vulnerability has been resolved: CDC-NCM: avoid overflow in sanity checking A broken device may give an extreme offset like 0xFFF0 and a reasonable length for a fragment. In the sanity check as formulated now, this will create an integer overflow, defeating the sanity check. Both offset and offset + len need to be checked in such a manner that no overflow can occur. And those quantities should be unsigned. CVE-2022-48938 moderate In the Linux kernel, the following vulnerability has been resolved: ice: fix concurrent reset and removal of VFs Commit c503e63200c6 ("ice: Stop processing VF messages during teardown") introduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is intended to prevent some issues with concurrently handling messages from VFs while tearing down the VFs. This change was motivated by crashes caused while tearing down and bringing up VFs in rapid succession. It turns out that the fix actually introduces issues with the VF driver caused because the PF no longer responds to any messages sent by the VF during its .remove routine. This results in the VF potentially removing its DMA memory before the PF has shut down the device queues. Additionally, the fix doesn't actually resolve concurrency issues within the ice driver. It is possible for a VF to initiate a reset just prior to the ice driver removing VFs. This can result in the remove task concurrently operating while the VF is being reset. This results in similar memory corruption and panics purportedly fixed by that commit. Fix this concurrency at its root by protecting both the reset and removal flows using the existing VF cfg_lock. This ensures that we cannot remove the VF while any outstanding critical tasks such as a virtchnl message or a reset are occurring. This locking change also fixes the root cause originally fixed by commit c503e63200c6 ("ice: Stop processing VF messages during teardown"), so we can simply revert it. Note that I kept these two changes together because simply reverting the original commit alone would leave the driver vulnerable to worse race conditions. CVE-2022-48941 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: Handle failure to register sensor with thermal zone correctly If an attempt is made to a sensor with a thermal zone and it fails, the call to devm_thermal_zone_of_sensor_register() may return -ENODEV. This may result in crashes similar to the following. Unable to handle kernel NULL pointer dereference at virtual address 00000000000003cd ... Internal error: Oops: 96000021 [#1] PREEMPT SMP ... pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mutex_lock+0x18/0x60 lr : thermal_zone_device_update+0x40/0x2e0 sp : ffff800014c4fc60 x29: ffff800014c4fc60 x28: ffff365ee3f6e000 x27: ffffdde218426790 x26: ffff365ee3f6e000 x25: 0000000000000000 x24: ffff365ee3f6e000 x23: ffffdde218426870 x22: ffff365ee3f6e000 x21: 00000000000003cd x20: ffff365ee8bf3308 x19: ffffffffffffffed x18: 0000000000000000 x17: ffffdde21842689c x16: ffffdde1cb7a0b7c x15: 0000000000000040 x14: ffffdde21a4889a0 x13: 0000000000000228 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000001120000 x7 : 0000000000000001 x6 : 0000000000000000 x5 : 0068000878e20f07 x4 : 0000000000000000 x3 : 00000000000003cd x2 : ffff365ee3f6e000 x1 : 0000000000000000 x0 : 00000000000003cd Call trace: mutex_lock+0x18/0x60 hwmon_notify_event+0xfc/0x110 0xffffdde1cb7a0a90 0xffffdde1cb7a0b7c irq_thread_fn+0x2c/0xa0 irq_thread+0x134/0x240 kthread+0x178/0x190 ret_from_fork+0x10/0x20 Code: d503201f d503201f d2800001 aa0103e4 (c8e47c02) Jon Hunter reports that the exact call sequence is: hwmon_notify_event() --> hwmon_thermal_notify() --> thermal_zone_device_update() --> update_temperature() --> mutex_lock() The hwmon core needs to handle all errors returned from calls to devm_thermal_zone_of_sensor_register(). If the call fails with -ENODEV, report that the sensor was not attached to a thermal zone but continue to register the hwmon device. CVE-2022-48942 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: make apf token non-zero to fix bug In current async pagefault logic, when a page is ready, KVM relies on kvm_arch_can_dequeue_async_page_present() to determine whether to deliver a READY event to the Guest. This function test token value of struct kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a READY event is finished by Guest. If value is zero meaning that a READY event is done, so the KVM can deliver another. But the kvm_arch_setup_async_pf() may produce a valid token with zero value, which is confused with previous mention and may lead the loss of this READY event. This bug may cause task blocked forever in Guest: INFO: task stress:7532 blocked for more than 1254 seconds. Not tainted 5.10.0 #16 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:stress state:D stack: 0 pid: 7532 ppid: 1409 flags:0x00000080 Call Trace: __schedule+0x1e7/0x650 schedule+0x46/0xb0 kvm_async_pf_task_wait_schedule+0xad/0xe0 ? exit_to_user_mode_prepare+0x60/0x70 __kvm_handle_async_pf+0x4f/0xb0 ? asm_exc_page_fault+0x8/0x30 exc_page_fault+0x6f/0x110 ? asm_exc_page_fault+0x8/0x30 asm_exc_page_fault+0x1e/0x30 RIP: 0033:0x402d00 RSP: 002b:00007ffd31912500 EFLAGS: 00010206 RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0 RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0 RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086 R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000 R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000 CVE-2022-48943 moderate In the Linux kernel, the following vulnerability has been resolved: sched: Fix yet more sched_fork() races Where commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group") fixed a fork race vs cgroup, it opened up a race vs syscalls by not placing the task on the runqueue before it gets exposed through the pidhash. Commit 13765de8148f ("sched/fair: Fix fault in reweight_entity") is trying to fix a single instance of this, instead fix the whole class of issues, effectively reverting this commit. CVE-2022-48944 moderate In the Linux kernel, the following vulnerability has been resolved: media: vivid: fix compose size exceed boundary syzkaller found a bug: BUG: unable to handle page fault for address: ffffc9000a3b1000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0 Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:memcpy_erms+0x6/0x10 [...] Call Trace: <TASK> ? tpg_fill_plane_buffer+0x856/0x15b0 vivid_fillbuff+0x8ac/0x1110 vivid_thread_vid_cap_tick+0x361/0xc90 vivid_thread_vid_cap+0x21a/0x3a0 kthread+0x143/0x180 ret_from_fork+0x1f/0x30 </TASK> This is because we forget to check boundary after adjust compose->height int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem for this case. CVE-2022-48945 moderate In the Linux kernel, the following vulnerability has been resolved: udf: Fix preallocation discarding at indirect extent boundary When preallocation extent is the first one in the extent block, the code would corrupt extent tree header instead. Fix the problem and use udf_delete_aext() for deleting extent to avoid some code duplication. CVE-2022-48946 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Prevent buffer overflow in setup handler Setup function uvc_function_setup permits control transfer requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE), data stage handler for OUT transfer uses memcpy to copy req->actual bytes to uvc_event->data.data array of size 60. This may result in an overflow of 4 bytes. CVE-2022-48948 moderate In the Linux kernel, the following vulnerability has been resolved: igb: Initialize mailbox message for VF reset When a MAC address is not assigned to the VF, that portion of the message sent to the VF is not set. The memory, however, is allocated from the stack meaning that information may be leaked to the VM. Initialize the message buffer to 0 so that no information is passed to the VM in this case. CVE-2022-48949 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() The bounds checks in snd_soc_put_volsw_sx() are only being applied to the first channel, meaning it is possible to write out of bounds values to the second channel in stereo controls. Add appropriate checks. CVE-2022-48951 moderate In the Linux kernel, the following vulnerability has been resolved: rtc: cmos: Fix event handler registration ordering issue Because acpi_install_fixed_event_handler() enables the event automatically on success, it is incorrect to call it before the handler routine passed to it is ready to handle events. Unfortunately, the rtc-cmos driver does exactly the incorrect thing by calling cmos_wake_setup(), which passes rtc_handler() to acpi_install_fixed_event_handler(), before cmos_do_probe(), because rtc_handler() uses dev_get_drvdata() to get to the cmos object pointer and the driver data pointer is only populated in cmos_do_probe(). This leads to a NULL pointer dereference in rtc_handler() on boot if the RTC fixed event happens to be active at the init time. To address this issue, change the initialization ordering of the driver so that cmos_wake_setup() is always called after a successful cmos_do_probe() call. While at it, change cmos_pnp_probe() to call cmos_do_probe() after the initial if () statement used for computing the IRQ argument to be passed to cmos_do_probe() which is cleaner than calling it in each branch of that if () (local variable "irq" can be of type int, because it is passed to that function as an argument of type int). Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number of systems, because previously it only affected systems with ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that commit. CVE-2022-48953 moderate In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix use-after-free in hsci KASAN found that addr was dereferenced after br2dev_event_work was freed. ================================================================== BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0 Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540 CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1 Hardware name: IBM 8561 T01 703 (LPAR) Workqueue: 0.0.8000_event qeth_l2_br2dev_worker Call Trace: [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0 [<000000016942d118>] print_report+0x110/0x1f8 [<0000000167a7bd04>] kasan_report+0xfc/0x128 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0 [<00000001673edd1e>] process_one_work+0x76e/0x1128 [<00000001673ee85c>] worker_thread+0x184/0x1098 [<000000016740718a>] kthread+0x26a/0x310 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8 [<00000001694711da>] ret_from_fork+0xa/0x40 Allocated by task 108338: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 __kasan_kmalloc+0xa0/0xc0 qeth_l2_switchdev_event+0x25a/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Freed by task 540: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 kasan_save_free_info+0x4c/0x68 ____kasan_slab_free+0x14e/0x1a8 __kasan_slab_free+0x24/0x30 __kmem_cache_free+0x168/0x338 qeth_l2_br2dev_worker+0x154/0x6b0 process_one_work+0x76e/0x1128 worker_thread+0x184/0x1098 kthread+0x26a/0x310 __ret_from_fork+0x8a/0xe8 ret_from_fork+0xa/0x40 Last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 insert_work+0x56/0x2e8 __queue_work+0x4ce/0xd10 queue_work_on+0xf4/0x100 qeth_l2_switchdev_event+0x520/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Second to last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 kvfree_call_rcu+0xb2/0x760 kernfs_unlink_open_file+0x348/0x430 kernfs_fop_release+0xc2/0x320 __fput+0x1ae/0x768 task_work_run+0x1bc/0x298 exit_to_user_mode_prepare+0x1a0/0x1a8 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 The buggy address belongs to the object at 00000000fdcea400 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 64 bytes inside of 96-byte region [00000000fdcea400, 00000000fdcea460) The buggy address belongs to the physical page: page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff) raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00 raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc 00000000fdcea380: fb fb fb fb fb fb f ---truncated--- CVE-2022-48954 moderate In the Linux kernel, the following vulnerability has been resolved: net: thunderbolt: fix memory leak in tbnet_open() When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in tb_xdomain_alloc_out_hopid() is not released. Add tb_xdomain_release_out_hopid() to the error path to release ida. CVE-2022-48955 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6_fragment() Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers. It seems to not be always true, at least for UDP stack. syzbot reported: BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline] BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618 CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 ip6_dst_idev include/net/ip6_fib.h:245 [inline] ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 __ip6_finish_output net/ipv6/ip6_output.c:193 [inline] ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206 NF_HOOK_COND include/linux/netfilter.h:291 [inline] ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 dst_output include/net/dst.h:445 [inline] ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161 ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966 udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286 udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313 udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xd3/0x120 net/socket.c:734 sock_write_iter+0x295/0x3d0 net/socket.c:1108 call_write_iter include/linux/fs.h:2191 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x9ed/0xdd0 fs/read_write.c:584 ksys_write+0x1ec/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fde3588c0d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9 RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000 </TASK> Allocated by task 7618: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slab.h:737 [inline] slab_alloc_node mm/slub.c:3398 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422 dst_alloc+0x14a/0x1f0 net/core/dst.c:92 ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344 ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline] rt6_make_pcpu_route net/ipv6/route.c:1417 [inline] ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254 pol_lookup_func include/net/ip6_fib.h:582 [inline] fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121 ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625 ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638 ip6_route_output include/net/ip6_route.h:98 [inline] ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092 ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222 ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260 udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 sock_sendmsg_nosec n ---truncated--- CVE-2022-48956 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions() When dsa_devlink_region_create failed in sja1105_setup_devlink_regions(), priv->regions is not released. CVE-2022-48959 moderate In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free. CVE-2022-48960 moderate In the Linux kernel, the following vulnerability has been resolved: net: mdio: fix unbalanced fwnode reference count in mdio_device_release() There is warning report about of_node refcount leak while probing mdio device: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/soc@0/mdio@710700c0/ethernet@4 In of_mdiobus_register_device(), we increase fwnode refcount by fwnode_handle_get() before associating the of_node with mdio device, but it has never been decreased in normal path. Since that, in mdio_device_release(), it needs to call fwnode_handle_put() in addition instead of calling kfree() directly. After above, just calling mdio_device_free() in the error handle path of of_mdiobus_register_device() is enough to keep the refcount balanced. CVE-2022-48961 moderate In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free. CVE-2022-48962 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Bounds check struct nfc_target arrays While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18) This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks. CVE-2022-48967 moderate In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential memory leak in otx2_init_tc() In otx2_init_tc(), if rhashtable_init() failed, it does not free tc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap(). CVE-2022-48968 moderate In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Fix NULL sring after live migration A NAPI is setup for each network sring to poll data to kernel The sring with source host is destroyed before live migration and new sring with target host is setup after live migration. The NAPI for the old sring is not deleted until setup new sring with target host after migration. With busy_poll/busy_read enabled, the NAPI can be polled before got deleted when resume VM. BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: xennet_poll+0xae/0xd20 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI Call Trace: finish_task_switch+0x71/0x230 timerqueue_del+0x1d/0x40 hrtimer_try_to_cancel+0xb5/0x110 xennet_alloc_rx_buffers+0x2a0/0x2a0 napi_busy_loop+0xdb/0x270 sock_poll+0x87/0x90 do_sys_poll+0x26f/0x580 tracing_map_insert+0x1d4/0x2f0 event_hist_trigger+0x14a/0x260 finish_task_switch+0x71/0x230 __schedule+0x256/0x890 recalc_sigpending+0x1b/0x50 xen_sched_clock+0x15/0x20 __rb_reserve_next+0x12d/0x140 ring_buffer_lock_reserve+0x123/0x3d0 event_triggers_call+0x87/0xb0 trace_event_buffer_commit+0x1c4/0x210 xen_clocksource_get_cycles+0x15/0x20 ktime_get_ts64+0x51/0xf0 SyS_ppoll+0x160/0x1a0 SyS_ppoll+0x160/0x1a0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x41/0xa6 ... RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900 CR2: 0000000000000008 ---[ end trace f8601785b354351c ]--- xen frontend should remove the NAPIs for the old srings before live migration as the bond srings are destroyed There is a tiny window between the srings are set to NULL and the NAPIs are disabled, It is safe as the NAPI threads are still frozen at that time CVE-2022-48969 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix not cleanup led when bt_init fails bt_init() calls bt_leds_init() to register led, but if it fails later, bt_leds_cleanup() is not called to unregister it. This can cause panic if the argument "bluetooth-power" in text is freed and then another led_trigger_register() tries to access it: BUG: unable to handle page fault for address: ffffffffc06d3bc0 RIP: 0010:strcmp+0xc/0x30 Call Trace: <TASK> led_trigger_register+0x10d/0x4f0 led_trigger_register_simple+0x7d/0x100 bt_init+0x39/0xf7 [bluetooth] do_one_initcall+0xd0/0x4e0 CVE-2022-48971 moderate In the Linux kernel, the following vulnerability has been resolved: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Kernel fault injection test reports null-ptr-deref as follows: BUG: kernel NULL pointer dereference, address: 0000000000000008 RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114 Call Trace: <TASK> raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87 call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944 unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982 unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879 register_netdevice+0x9a8/0xb90 net/core/dev.c:10083 ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659 ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229 mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316 ieee802154_if_add() allocates wpan_dev as netdev's private data, but not init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage the list when device register/unregister, and may lead to null-ptr-deref. Use INIT_LIST_HEAD() on it to initialize it correctly. CVE-2022-48972 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: amd8111: Fix PCI device reference count leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL input parameter, there is no problem for the 'Device not found' branch. For the normal path, add pci_dev_put() in amd_gpio_exit(). CVE-2022-48973 moderate In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix memory leak in gpiochip_setup_dev() Here is a backtrace report about memory leak detected in gpiochip_setup_dev(): unreferenced object 0xffff88810b406400 (size 512): comm "python3", pid 1682, jiffies 4295346908 (age 24.090s) backtrace: kmalloc_trace device_add device_private_init at drivers/base/core.c:3361 (inlined by) device_add at drivers/base/core.c:3411 cdev_device_add gpiolib_cdev_register gpiochip_setup_dev gpiochip_add_data_with_key gcdev_register() & gcdev_unregister() would call device_add() & device_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to register/unregister device. However, if device_add() succeeds, some resource (like struct device_private allocated by device_private_init()) is not released by device_del(). Therefore, after device_add() succeeds by gcdev_register(), it needs to call put_device() to release resource in the error handle path. Here we move forward the register of release function, and let it release every piece of resource by put_device() instead of kfree(). While at it, fix another subtle issue, i.e. when gc->ngpio is equal to 0, we still call kcalloc() and, in case of further error, kfree() on the ZERO_PTR pointer, which is not NULL. It's not a bug per se, but rather waste of the resources and potentially wrong expectation about contents of the gdev->descs variable. CVE-2022-48975 moderate In the Linux kernel, the following vulnerability has been resolved: HID: core: fix shift-out-of-bounds in hid_report_raw_event Syzbot reported shift-out-of-bounds in hid_report_raw_event. microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0) ====================================================================== UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20 shift exponent 127 is too large for 32-bit type 'int' CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322 snto32 drivers/hid/hid-core.c:1323 [inline] hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline] hid_process_report drivers/hid/hid-core.c:1665 [inline] hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers+0x76a/0x980 kernel/time/timer.c:1790 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803 __do_softirq+0x277/0x75b kernel/softirq.c:571 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107 ====================================================================== If the size of the integer (unsigned n) is bigger than 32 in snto32(), shift exponent will be too large for 32-bit type 'int', resulting in a shift-out-of-bounds bug. Fix this by adding a check on the size of the integer (unsigned n) in snto32(). To add support for n greater than 32 bits, set n to 32, if n is greater than 32. CVE-2022-48978 moderate In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. CVE-2022-48981 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix race on per-CQ variable napi work_done After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be cleared, and another CPU can start napi thread and access per-CQ variable, cq->work_done. If the other thread (for example, from busy_poll) sets it to a value >= budget, this thread will continue to run when it should stop, and cause memory corruption and panic. To fix this issue, save the per-CQ work_done variable in a local variable before napi_complete_done(), so it won't be corrupted by a possible concurrent thread after napi_complete_done(). Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done variable race is fixed, so the driver is able to reliably support features like busy_poll. CVE-2022-48985 moderate In the Linux kernel, the following vulnerability has been resolved: media: v4l2-dv-timings.c: fix too strict blanking sanity checks Sanity checks were added to verify the v4l2_bt_timings blanking fields in order to avoid integer overflows when userspace passes weird values. But that assumed that userspace would correctly fill in the front porch, backporch and sync values, but sometimes all you know is the total blanking, which is then assigned to just one of these fields. And that can fail with these checks. So instead set a maximum for the total horizontal and vertical blanking and check that each field remains below that. That is still sufficient to avoid integer overflows, but it also allows for more flexibility in how userspace fills in these fields. CVE-2022-48987 moderate In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type. CVE-2022-48988 moderate In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths Any codepath that zaps page table entries must invoke MMU notifiers to ensure that secondary MMUs (like KVM) don't keep accessing pages which aren't mapped anymore. Secondary MMUs don't hold their own references to pages that are mirrored over, so failing to notify them can lead to page use-after-free. I'm marking this as addressing an issue introduced in commit f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of the security impact of this only came in commit 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP"), which actually omitted flushes for the removal of present PTEs, not just for the removal of empty page tables. CVE-2022-48991 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-pcm: Add NULL check in BE reparenting Add NULL check in dpcm_be_reparent API, to handle kernel NULL pointer dereference error. The issue occurred in fuzzing test. CVE-2022-48992 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. seq_copy_in_user() and seq_copy_in_kernel() did not have prototypes matching snd_seq_dump_func_t. Adjust this and remove the casts. There are not resulting binary output differences. This was found as a result of Clang's new -Wcast-function-type-strict flag, which is more sensitive than the simpler -Wcast-function-type, which only checks for type width mismatches. CVE-2022-48994 moderate In the Linux kernel, the following vulnerability has been resolved: Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send() There is a kmemleak when test the raydium_i2c_ts with bpf mock device: unreferenced object 0xffff88812d3675a0 (size 8): comm "python3", pid 349, jiffies 4294741067 (age 95.695s) hex dump (first 8 bytes): 11 0e 10 c0 01 00 04 00 ........ backtrace: [<0000000068427125>] __kmalloc+0x46/0x1b0 [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts] [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts] [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts] [<00000000a310de16>] i2c_device_probe+0x651/0x680 [<00000000f5a96bf3>] really_probe+0x17c/0x3f0 [<00000000096ba499>] __driver_probe_device+0xe3/0x170 [<00000000c5acb4d9>] driver_probe_device+0x49/0x120 [<00000000264fe082>] __device_attach_driver+0xf7/0x150 [<00000000f919423c>] bus_for_each_drv+0x114/0x180 [<00000000e067feca>] __device_attach+0x1e5/0x2d0 [<0000000054301fc2>] bus_probe_device+0x126/0x140 [<00000000aad93b22>] device_add+0x810/0x1130 [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0 [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110 [<00000000ffec4177>] of_i2c_notify+0x100/0x160 unreferenced object 0xffff88812d3675c8 (size 8): comm "python3", pid 349, jiffies 4294741070 (age 95.692s) hex dump (first 8 bytes): 22 00 36 2d 81 88 ff ff ".6-.... backtrace: [<0000000068427125>] __kmalloc+0x46/0x1b0 [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts] [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts] [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts] [<00000000a310de16>] i2c_device_probe+0x651/0x680 [<00000000f5a96bf3>] really_probe+0x17c/0x3f0 [<00000000096ba499>] __driver_probe_device+0xe3/0x170 [<00000000c5acb4d9>] driver_probe_device+0x49/0x120 [<00000000264fe082>] __device_attach_driver+0xf7/0x150 [<00000000f919423c>] bus_for_each_drv+0x114/0x180 [<00000000e067feca>] __device_attach+0x1e5/0x2d0 [<0000000054301fc2>] bus_probe_device+0x126/0x140 [<00000000aad93b22>] device_add+0x810/0x1130 [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0 [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110 [<00000000ffec4177>] of_i2c_notify+0x100/0x160 After BANK_SWITCH command from i2c BUS, no matter success or error happened, the tx_buf should be freed. CVE-2022-48995 moderate In the Linux kernel, the following vulnerability has been resolved: char: tpm: Protect tpm_pm_suspend with locks Currently tpm transactions are executed unconditionally in tpm_pm_suspend() function, which may lead to races with other tpm accessors in the system. Specifically, the hw_random tpm driver makes use of tpm_get_random(), and this function is called in a loop from a kthread, which means it's not frozen alongside userspace, and so can race with the work done during system suspend: tpm tpm0: tpm_transmit: tpm_recv: error -52 tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 Call Trace: tpm_tis_status.cold+0x19/0x20 tpm_transmit+0x13b/0x390 tpm_transmit_cmd+0x20/0x80 tpm1_pm_suspend+0xa6/0x110 tpm_pm_suspend+0x53/0x80 __pnp_bus_suspend+0x35/0xe0 __device_suspend+0x10f/0x350 Fix this by calling tpm_try_get_ops(), which itself is a wrapper around tpm_chip_start(), but takes the appropriate mutex. [Jason: reworked commit message, added metadata] CVE-2022-48997 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix PCI device refcount leak in has_external_pci() for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() before 'return true' to avoid reference count leak. CVE-2022-49000 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the error path to avoid reference count leak. CVE-2022-49002 moderate In the Linux kernel, the following vulnerability has been resolved: nvme: fix SRCU protection of nvme_ns_head list Walking the nvme_ns_head siblings list is protected by the head's srcu in nvme_ns_head_submit_bio() but not nvme_mpath_revalidate_paths(). Removing namespaces from the list also fails to synchronize the srcu. Concurrent scan work can therefore cause use-after-frees. Hold the head's srcu lock in nvme_mpath_revalidate_paths() and synchronize with the srcu, not the global RCU, in nvme_ns_remove(). Observed the following panic when making NVMe/RDMA connections with native multipath on the Rocky Linux 8.6 kernel (it seems the upstream kernel has the same race condition). Disassembly shows the faulting instruction is cmp 0x50(%rdx),%rcx; computing capacity != get_capacity(ns->disk). Address 0x50 is dereferenced because ns->disk is NULL. The NULL disk appears to be the result of concurrent scan work freeing the namespace (note the log line in the middle of the panic). [37314.206036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 [37314.206036] nvme0n3: detected capacity change from 0 to 11811160064 [37314.299753] PGD 0 P4D 0 [37314.299756] Oops: 0000 [#1] SMP PTI [37314.299759] CPU: 29 PID: 322046 Comm: kworker/u98:3 Kdump: loaded Tainted: G W X --------- - - 4.18.0-372.32.1.el8test86.x86_64 #1 [37314.299762] Hardware name: Dell Inc. PowerEdge R720/0JP31P, BIOS 2.7.0 05/23/2018 [37314.299763] Workqueue: nvme-wq nvme_scan_work [nvme_core] [37314.299783] RIP: 0010:nvme_mpath_revalidate_paths+0x26/0xb0 [nvme_core] [37314.299790] Code: 1f 44 00 00 66 66 66 66 90 55 53 48 8b 5f 50 48 8b 83 c8 c9 00 00 48 8b 13 48 8b 48 50 48 39 d3 74 20 48 8d 42 d0 48 8b 50 20 <48> 3b 4a 50 74 05 f0 80 60 70 ef 48 8b 50 30 48 8d 42 d0 48 39 d3 [37315.058803] RSP: 0018:ffffabe28f913d10 EFLAGS: 00010202 [37315.121316] RAX: ffff927a077da800 RBX: ffff92991dd70000 RCX: 0000000001600000 [37315.206704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92991b719800 [37315.292106] RBP: ffff929a6b70c000 R08: 000000010234cd4a R09: c0000000ffff7fff [37315.377501] R10: 0000000000000001 R11: ffffabe28f913a30 R12: 0000000000000000 [37315.462889] R13: ffff92992716600c R14: ffff929964e6e030 R15: ffff92991dd70000 [37315.548286] FS: 0000000000000000(0000) GS:ffff92b87fb80000(0000) knlGS:0000000000000000 [37315.645111] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [37315.713871] CR2: 0000000000000050 CR3: 0000002208810006 CR4: 00000000000606e0 [37315.799267] Call Trace: [37315.828515] nvme_update_ns_info+0x1ac/0x250 [nvme_core] [37315.892075] nvme_validate_or_alloc_ns+0x2ff/0xa00 [nvme_core] [37315.961871] ? __blk_mq_free_request+0x6b/0x90 [37316.015021] nvme_scan_work+0x151/0x240 [nvme_core] [37316.073371] process_one_work+0x1a7/0x360 [37316.121318] ? create_worker+0x1a0/0x1a0 [37316.168227] worker_thread+0x30/0x390 [37316.212024] ? create_worker+0x1a0/0x1a0 [37316.258939] kthread+0x10a/0x120 [37316.297557] ? set_kthread_struct+0x50/0x50 [37316.347590] ret_from_fork+0x35/0x40 [37316.390360] Modules linked in: nvme_rdma nvme_tcp(X) nvme_fabrics nvme_core netconsole iscsi_tcp libiscsi_tcp dm_queue_length dm_service_time nf_conntrack_netlink br_netfilter bridge stp llc overlay nft_chain_nat ipt_MASQUERADE nf_nat xt_addrtype xt_CT nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment xt_multiport nft_compat nf_tables libcrc32c nfnetlink dm_multipath tg3 rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm intel_rapl_msr iTCO_wdt iTCO_vendor_support dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel ib_uverbs rapl intel_cstate intel_uncore ib_core ipmi_si joydev mei_me pcspkr ipmi_devintf mei lpc_ich wmi ipmi_msghandler acpi_power_meter ex ---truncated--- CVE-2022-49003 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Fix bounds check for _sx controls For _sx controls the semantics of the max field is not the usual one, max is the number of steps rather than the maximum value. This means that our check in snd_soc_put_volsw_sx() needs to just check against the maximum value. CVE-2022-49005 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Free buffers when a used dynamic event is removed After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob. The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number that new event's logic on parsing the binary blob will be used. To show how this can be an issue, the following can crash the kernel: # cd /sys/kernel/tracing # for i in `seq 65536`; do echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events # done For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available on until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When an dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same. Now that means deleting one dynamic event and created another will reuse the previous events type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event which reads the do_sys_openat2 function call's first parameter as an integer. # echo 1 > kprobes/foo/enable # cat /etc/passwd > /dev/null # cat trace cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 # echo 0 > kprobes/foo/enable Now if we delete the kprobe and create a new one that reads a string: # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events And now we can the trace: # cat trace sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="��������������������������������������� ---truncated--- CVE-2022-49006 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() Syzbot reported a null-ptr-deref bug: NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 1 PID: 3603 Comm: segctord Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0 fs/nilfs2/alloc.c:608 Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7 RSP: 0018:ffffc90003dff830 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010 RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158 R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0 Call Trace: <TASK> nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline] nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193 nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236 nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940 nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline] nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline] nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088 nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337 nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568 nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018 nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline] nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline] nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045 nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline] nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> ... If DAT metadata file is corrupted on disk, there is a case where req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during a b-tree operation that cascadingly updates ancestor nodes of the b-tree, because nilfs_dat_commit_alloc() for a lower level block can initialize the blocknr on the same DAT entry between nilfs_dat_prepare_end() and nilfs_dat_commit_end(). If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free() without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and causes the NULL pointer dereference above in nilfs_palloc_commit_free_entry() function, which leads to a crash. Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free(). This also calls nilfs_error() in that case to notify that there is a fatal flaw in the filesystem metadata and prevent further operations. CVE-2022-49007 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) Check for null before removing sysfs attrs If coretemp_add_core() gets an error then pdata->core_data[indx] is already NULL and has been kfreed. Don't pass that to sysfs_remove_group() as that will crash in sysfs_remove_group(). [Shortened for readability] [91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' <cpu offline> [91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 [91855.165103] #PF: supervisor read access in kernel mode [91855.194506] #PF: error_code(0x0000) - not-present page [91855.224445] PGD 0 P4D 0 [91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI ... [91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 ... [91855.796571] Call Trace: [91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] [91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] [91855.871107] cpuhp_invoke_callback+0x105/0x4b0 [91855.893432] cpuhp_thread_fun+0x8e/0x150 ... Fix this by checking for NULL first. CVE-2022-49010 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() As comment of pci_get_domain_bus_and_slot() says, it returns a pci device with refcount increment, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). So call it after using to avoid refcount leak. CVE-2022-49011 moderate In the Linux kernel, the following vulnerability has been resolved: afs: Fix server->active leak in afs_put_server The atomic_read was accidentally replaced with atomic_inc_return, which prevents the server from getting cleaned up and causes rmmod to hang with a warning: Can't purge s=00000001 CVE-2022-49012 moderate In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix use-after-free in tun_detach() syzbot reported use-after-free in tun_detach() [1]. This causes call trace like below: ================================================================== BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x461 mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] netdev_wait_allrefs_any net/core/dev.c:10237 [inline] netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 tun_detach drivers/net/tun.c:704 [inline] tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xb3d/0x2a30 kernel/exit.c:820 do_group_exit+0xd4/0x2a0 kernel/exit.c:950 get_signal+0x21b1/0x2440 kernel/signal.c:2858 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that sock_put() from __tun_detach() drops last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net. This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses for the struct net has done. CVE-2022-49014 moderate In the Linux kernel, the following vulnerability has been resolved: net: hsr: Fix potential use-after-free The skb is delivered to netif_rx() which may free it, after calling this, dereferencing skb may trigger use-after-free. CVE-2022-49015 moderate In the Linux kernel, the following vulnerability has been resolved: net: mdiobus: fix unbalanced node reference count I got the following report while doing device(mscc-miim) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0 If the 'fwnode' is not an acpi node, the refcount is get in fwnode_mdiobus_phy_device_register(), but it has never been put when the device is freed in the normal path. So call fwnode_handle_put() in phy_device_release() to avoid leak. If it's an acpi node, it has never been get, but it's put in the error path, so call fwnode_handle_get() before phy_device_register() to keep get/put operation balanced. CVE-2022-49016 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: nixge: fix NULL dereference In function nixge_hw_dma_bd_release() dereference of NULL pointer priv->rx_bd_v is possible for the case of its allocation failure in nixge_hw_dma_bd_init(). Move for() loop with priv->rx_bd_v dereference under the check for its validity. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2022-49019 moderate In the Linux kernel, the following vulnerability has been resolved: net: phy: fix null-ptr-deref while probe() failed I got a null-ptr-deref report as following when doing fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:klist_put+0x2d/0xd0 Call Trace: <TASK> klist_remove+0xf1/0x1c0 device_release_driver_internal+0x23e/0x2d0 bus_remove_device+0x1bd/0x240 device_del+0x357/0x770 phy_device_remove+0x11/0x30 mdiobus_unregister+0xa5/0x140 release_nodes+0x6a/0xa0 devres_release_all+0xf8/0x150 device_unbind_cleanup+0x19/0xd0 //probe path: phy_device_register() device_add() phy_connect phy_attach_direct() //set device driver probe() //it's failed, driver is not bound device_bind_driver() // probe failed, it's not called //remove path: phy_device_remove() device_del() device_release_driver_internal() __device_release_driver() //dev->drv is not NULL klist_remove() <- knode_driver is not added yet, cause null-ptr-deref In phy_attach_direct(), after setting the 'dev->driver', probe() fails, device_bind_driver() is not called, so the knode_driver->n_klist is not set, then it causes null-ptr-deref in __device_release_driver() while deleting device. Fix this by setting dev->driver to NULL in the error path in phy_attach_direct(). CVE-2022-49021 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration Fix possible out-of-bound access in ieee80211_get_rate_duration routine as reported by the following UBSAN report: UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47 index 15 is out of range for type 'u16 [12]' CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017 Workqueue: mt76 mt76u_tx_status_data [mt76_usb] Call Trace: <TASK> show_stack+0x4e/0x61 dump_stack_lvl+0x4a/0x6f dump_stack+0x10/0x18 ubsan_epilogue+0x9/0x43 __ubsan_handle_out_of_bounds.cold+0x42/0x47 ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211] ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211] ieee80211_calc_rx_airtime+0xda/0x120 [mac80211] ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211] mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib] mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib] mt76u_tx_status_data+0x67/0xd0 [mt76_usb] process_one_work+0x225/0x400 worker_thread+0x50/0x3e0 ? process_one_work+0x400/0x400 kthread+0xe9/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 CVE-2022-49022 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix buffer overflow in elem comparison For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length. CVE-2022-49023 moderate In the Linux kernel, the following vulnerability has been resolved: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods In m_can_pci_remove() and error handling path of m_can_pci_probe(), m_can_class_free_dev() should be called to free resource allocated by m_can_class_allocate_dev(), otherwise there will be memleak. CVE-2022-49024 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix use-after-free when reverting termination table When having multiple dests with termination tables and second one or afterwards fails the driver reverts usage of term tables but doesn't reset the assignment in attr->dests[num_vport_dests].termtbl which case a use-after-free when releasing the rule. Fix by resetting the assignment of termtbl to null. CVE-2022-49025 moderate In the Linux kernel, the following vulnerability has been resolved: e100: Fix possible use after free in e100_xmit_prepare In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb. Remove the harmful free. CVE-2022-49026 moderate In the Linux kernel, the following vulnerability has been resolved: iavf: Fix error handling in iavf_init_module() The iavf_init_module() won't destroy workqueue when pci_register_driver() failed. Call destroy_workqueue() when pci_register_driver() failed to prevent the resource leak. Similar to the handling of u132_hcd_init in commit f276e002793c ("usb: u132-hcd: fix resource leak") CVE-2022-49027 moderate In the Linux kernel, the following vulnerability has been resolved: ixgbevf: Fix resource leak in ixgbevf_init_module() ixgbevf_init_module() won't destroy the workqueue created by create_singlethread_workqueue() when pci_register_driver() failed. Add destroy_workqueue() in fail path to prevent the resource leak. Similar to the handling of u132_hcd_init in commit f276e002793c ("usb: u132-hcd: fix resource leak") CVE-2022-49028 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails Smatch report warning as follows: drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: '&data->list' not removed from list If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will be freed, but data->list will not be removed from driver_data.bmc_data, then list traversal may cause UAF. Fix by removeing it from driver_data.bmc_data before free(). CVE-2022-49029 moderate In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4403: Fix oob read in afe4403_read_raw KASAN report out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 Read of size 4 at addr ffffffffc02ac638 by task cat/279 Call Trace: afe4403_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4403_channel_leds+0x18/0xffffffffffffe9e0 This issue can be reproduced by singe command: $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw The array size of afe4403_channel_leds is less than channels, so access with chan->address cause OOB read in afe4403_read_raw. Fix it by moving access before use it. CVE-2022-49031 moderate In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw KASAN report out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 Read of size 4 at addr ffffffffc00e4658 by task cat/278 Call Trace: afe4404_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4404_channel_leds+0x18/0xffffffffffffe9c0 This issue can be reproduce by singe command: $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw The array size of afe4404_channel_leds and afe4404_channel_offdacs are less than channels, so access with chan->address cause OOB read in afe4404_[read|write]_raw. Fix it by moving access before use them. CVE-2022-49032 moderate A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service. CVE-2023-1582 moderate A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service. CVE-2023-2166 moderate A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service. CVE-2023-28327 moderate An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c. CVE-2023-37453 moderate OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it. CVE-2023-45142 important OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. CVE-2023-47108 important A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. CVE-2023-50782 moderate In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN's are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN's as well, the compaction triggered will try on the device memory PFN's too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()//return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Free the array ms->usage and set ms->usage = NULL] pfn_section_valid() [Access ms->usage which is NULL] NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled. The commit b943f045a9af("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed. Fix this issue by the below steps: a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage. b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage. c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false. Thanks to David/Pavan for their inputs on this patch. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ On Snapdragon SoC, with the mentioned memory configuration of PFN's as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of issues daily while testing on a device farm. For this particular issue below is the log. Though the below log is not directly pointing to the pfn_section_valid(){ ms->usage;}, when we loaded this dump on T32 lauterbach tool, it is pointing. [ 540.578056] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 540.578068] Mem abort info: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits [ 540.578077] SET = 0, FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: level 1 translation fault [ 540.578085] Data abort info: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x1058 [ 540.579460] sp : ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000 [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001 [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440 [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4 [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000 ---truncated--- CVE-2023-52489 moderate In the Linux kernel, the following vulnerability has been resolved: reiserfs: Avoid touching renamed directory if parent does not change The VFS will not be locking moved directory if its parent does not change. Change reiserfs rename code to avoid touching renamed directory if its parent does not change as without locking that can corrupt the filesystem. CVE-2023-52591 important In the Linux kernel, the following vulnerability has been resolved: virtio-blk: fix implicit overflow on virtio_max_dma_size The following codes have an implicit conversion from size_t to u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); This may lead overflow, Ex (size_t)4G -> (u32)0. Once virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX instead. CVE-2023-52762 moderate In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers. CVE-2023-52766 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix htt pktlog locking The ath11k active pdevs are protected by RCU but the htt pktlog handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only. CVE-2023-52800 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian Rossow. ACK seq validation is currently following RFC 5961 5.2 guidelines: The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. It needs to be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return". The "ignored" above implies that the processing of the incoming data segment continues, which means the ACK value is treated as acceptable. This mitigation makes the ACK check more stringent since any ACK < SND.UNA wouldn't be accepted, instead only ACKs that are in the range ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through. This can be refined for new (and possibly spoofed) flows, by not accepting ACK for bytes that were never sent. This greatly improves TCP security at a little cost. I added a Fixes: tag to make sure this patch will reach stable trees, even if the 'blamed' patch was adhering to the RFC. tp->bytes_acked was added in linux-4.2 Following packetdrill test (courtesy of Yepeng Pan) shows the issue at hand: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1024) = 0 // ---------------- Handshake ------------------- // // when window scale is set to 14 the window size can be extended to // 65535 * (2^14) = 1073725440. Linux would accept an ACK packet // with ack number in (Server_ISN+1-1073725440. Server_ISN+1) // ,though this ack number acknowledges some data never // sent by the server. +0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14> +0 > S. 0:0(0) ack 1 <...> +0 < . 1:1(0) ack 1 win 65535 +0 accept(3, ..., ...) = 4 // For the established connection, we send an ACK packet, // the ack packet uses ack number 1 - 1073725300 + 2^32, // where 2^32 is used to wrap around. // Note: we used 1073725300 instead of 1073725440 to avoid possible // edge cases. // 1 - 1073725300 + 2^32 = 3221241997 // Oops, old kernels happily accept this packet. +0 < . 1:1001(1000) ack 3221241997 win 65535 // After the kernel fix the following will be replaced by a challenge ACK, // and prior malicious frame would be dropped. +0 > . 1:1(0) ack 1001 CVE-2023-52881 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket. CVE-2023-52885 important In the Linux kernel, the following vulnerability has been resolved: gsmi: fix null-deref in gsmi_get_variable We can get EFI variables without fetching the attribute, so we must allow for that in gsmi. commit 859748255b43 ("efi: pstore: Omit efivars caching EFI varstore access layer") added a new get_variable call with attr=NULL, which triggers panic in gsmi. CVE-2023-52893 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() In Google internal bug 265639009 we've received an (as yet) unreproducible crash report from an aarch64 GKI 5.10.149-android13 running device. AFAICT the source code is at: https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10 The call stack is: ncm_close() -> ncm_notify() -> ncm_do_notify() with the crash at: ncm_do_notify+0x98/0x270 Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b) Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...): // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification) 0B 0D 00 79 strh w11, [x8, #6] // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request) 6C 0A 00 B9 str w12, [x19, #8] // x10 (NULL) was read here from offset 0 of valid pointer x9 // IMHO we're reading 'cdev->gadget' and getting NULL // gadget is indeed at offset 0 of struct usb_composite_dev 2A 01 40 F9 ldr x10, [x9] // loading req->buf pointer, which is at offset 0 of struct usb_request 69 02 40 F9 ldr x9, [x19] // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed 4B 5D 40 B9 ldr w11, [x10, #0x5c] which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment: event->wLength = cpu_to_le16(8); req->length = NCM_STATUS_BYTECOUNT; /* SPEED_CHANGE data is up/down speeds in bits/sec */ data = req->buf + sizeof *event; data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget)); My analysis of registers and NULL ptr deref crash offset (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c) heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing: data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget)); which calls: ncm_bitrate(NULL) which then calls: gadget_is_superspeed(NULL) which reads ((struct usb_gadget *)NULL)->max_speed and hits a panic. AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C. (remember there's a GKI KABI reservation of 16 bytes in struct work_struct) It's not at all clear to me how this is all supposed to work... but returning 0 seems much better than panic-ing... CVE-2023-52894 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between quota rescan and disable leading to NULL pointer deref If we have one task trying to start the quota rescan worker while another one is trying to disable quotas, we can end up hitting a race that results in the quota rescan worker doing a NULL pointer dereference. The steps for this are the following: 1) Quotas are enabled; 2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan(). It calls qgroup_rescan_init() which returns 0 (success) and then joins a transaction and commits it; 3) Task B calls the quota disable ioctl and enters btrfs_quota_disable(). It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls btrfs_qgroup_wait_for_completion(), which returns immediately since the rescan worker is not yet running. Then it starts a transaction and locks fs_info->qgroup_ioctl_lock; 4) Task A queues the rescan worker, by calling btrfs_queue_work(); 5) The rescan worker starts, and calls rescan_should_stop() at the start of its while loop, which results in 0 iterations of the loop, since the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by task B at step 3); 6) Task B sets fs_info->quota_root to NULL; 7) The rescan worker tries to start a transaction and uses fs_info->quota_root as the root argument for btrfs_start_transaction(). This results in a NULL pointer dereference down the call chain of btrfs_start_transaction(). The stack trace is something like the one reported in Link tag below: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f] CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: btrfs-qgroup-rescan btrfs_work_helper RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564 Code: 48 89 fb 48 (...) RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206 RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003 FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402 btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280 process_one_work+0x877/0xdb0 kernel/workqueue.c:2289 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 kthread+0x266/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> Modules linked in: So fix this by having the rescan worker function not attempt to start a transaction if it didn't do any rescan work. CVE-2023-52896 moderate In the Linux kernel, the following vulnerability has been resolved: xhci: Fix null pointer dereference when host dies Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race and cause null pointer dereference when host suddenly dies. Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id] virt device at the same time that xhci_kill_endpoint_urbs() tries to loop through all the device's endpoints, checking if there are any cancelled urbs left to give back. hold the xhci spinlock while freeing the virt device CVE-2023-52898 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix general protection fault in nilfs_btree_insert() If nilfs2 reads a corrupted disk image and tries to reads a b-tree node block by calling __nilfs_btree_get_block() against an invalid virtual block address, it returns -ENOENT because conversion of the virtual block address to a disk block address fails. However, this return value is the same as the internal code that b-tree lookup routines return to indicate that the block being searched does not exist, so functions that operate on that b-tree may misbehave. When nilfs_btree_insert() receives this spurious 'not found' code from nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was successful and continues the insert operation using incomplete lookup path data, causing the following crash: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] ... RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline] RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline] RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238 Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02 ... Call Trace: <TASK> nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline] nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147 nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101 __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991 __block_write_begin fs/buffer.c:2041 [inline] block_write_begin+0x93/0x1e0 fs/buffer.c:2102 nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261 generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772 __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900 generic_file_write_iter+0xab/0x310 mm/filemap.c:3932 call_write_iter include/linux/fs.h:2186 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x7dc/0xc50 fs/read_write.c:584 ksys_write+0x177/0x2a0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd ... </TASK> This patch fixes the root cause of this problem by replacing the error code that __nilfs_btree_get_block() returns on block address conversion failure from -ENOENT to another internal code -EINVAL which means that the b-tree metadata is corrupted. By returning -EINVAL, it propagates without glitches, and for all relevant b-tree operations, functions in the upper bmap layer output an error message indicating corrupted b-tree metadata via nilfs_bmap_convert_error(), and code -EIO will be eventually returned as it should be. CVE-2023-52900 moderate In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Check endpoint is valid before dereferencing it When the host controller is not responding, all URBs queued to all endpoints need to be killed. This can cause a kernel panic if we dereference an invalid endpoint. Fix this by using xhci_get_virt_ep() helper to find the endpoint and checking if the endpoint is valid before dereferencing it. [233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead [233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8 [233311.853964] pc : xhci_hc_died+0x10c/0x270 [233311.853971] lr : xhci_hc_died+0x1ac/0x270 [233311.854077] Call trace: [233311.854085] xhci_hc_died+0x10c/0x270 [233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4 [233311.854105] call_timer_fn+0x50/0x2d4 [233311.854112] expire_timers+0xac/0x2e4 [233311.854118] run_timer_softirq+0x300/0xabc [233311.854127] __do_softirq+0x148/0x528 [233311.854135] irq_exit+0x194/0x1a8 [233311.854143] __handle_domain_irq+0x164/0x1d0 [233311.854149] gic_handle_irq.22273+0x10c/0x188 [233311.854156] el1_irq+0xfc/0x1a8 [233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm] [233311.854185] cpuidle_enter_state+0x1f0/0x764 [233311.854194] do_idle+0x594/0x6ac [233311.854201] cpu_startup_entry+0x7c/0x80 [233311.854209] secondary_start_kernel+0x170/0x198 CVE-2023-52901 moderate In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix resource leakage in VF driver unbind resources allocated like mcam entries to support the Ntuple feature and hash tables for the tc feature are not getting freed in driver unbind. This patch fixes the issue. CVE-2023-52905 moderate In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() Fix a use-after-free that occurs in hcd when in_urb sent from pn533_usb_send_frame() is completed earlier than out_urb. Its callback frees the skb data in pn533_send_async_complete() that is used as a transfer buffer of out_urb. Wait before sending in_urb until the callback of out_urb is called. To modify the callback of out_urb alone, separate the complete function of out_urb and ack_urb. Found by a modified version of syzkaller. BUG: KASAN: use-after-free in dummy_timer Call Trace: memcpy (mm/kasan/shadow.c:65) dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352) transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453) dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972) arch_static_branch (arch/x86/include/asm/jump_label.h:27) static_key_false (include/linux/jump_label.h:207) timer_expire_exit (include/trace/events/timer.h:127) call_timer_fn (kernel/time/timer.c:1475) expire_timers (kernel/time/timer.c:1519) __run_timers (kernel/time/timer.c:1790) run_timer_softirq (kernel/time/timer.c:1803) CVE-2023-52907 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm: another fix for the headless Adreno GPU Fix another oops reproducible when rebooting the board with the Adreno GPU working in the headless mode (e.g. iMX platforms). Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read [00000000] *pgd=74936831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] ARM CPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11 Hardware name: Freescale i.MX53 (Device Tree Support) PC is at msm_atomic_commit_tail+0x50/0x970 LR is at commit_tail+0x9c/0x188 pc : [<c06aa430>] lr : [<c067a214>] psr: 600e0013 sp : e0851d30 ip : ee4eb7eb fp : 00090acc r10: 00000058 r9 : c2193014 r8 : c4310000 r7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000 r3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 74910019 DAC: 00000051 Register r0 information: NULL pointer Register r1 information: NULL pointer Register r2 information: NULL pointer Register r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024 Register r4 information: NULL pointer Register r5 information: NULL pointer Register r6 information: non-paged memory Register r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128 Register r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048 Register r9 information: non-slab/vmalloc memory Register r10 information: non-paged memory Register r11 information: non-paged memory Register r12 information: non-paged memory Process reboot (pid: 51, stack limit = 0xc80046d9) Stack: (0xe0851d30 to 0xe0852000) 1d20: c4759380 fbd77200 000005ff 002b9c70 1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058 1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c 1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468 1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810 1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00 1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8 1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854 1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000 1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60 1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4 1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000 1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058 1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028 1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc 1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000 msm_atomic_commit_tail from commit_tail+0x9c/0x188 commit_tail from drm_atomic_helper_commit+0x160/0x188 drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0 drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0 drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140 drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240 device_shutdown from kernel_restart+0x38/0x90 kernel_restart from __do_sys_reboot+0x ---truncated--- CVE-2023-52911 moderate In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Handle memory allocation failure from nci_skb_alloc() (calling alloc_skb()) to avoid possible NULL pointer dereference. CVE-2023-52919 moderate In the Linux kernel, the following vulnerability has been resolved: can: bcm: Fix UAF in bcm_proc_show() BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before procfs entry be removed in bcm_release(), this lead to bcm_proc_show() may read the freed bcm_op. CVE-2023-52922 moderate A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. CVE-2023-6270 moderate In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns. This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for the same allocated memory block. A similar problem was reported in Apple libpcap, to which Apple assigned CVE-2023-40400. CVE-2023-7256 moderate Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host. CVE-2024-10524 moderate When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. CVE-2024-11053 moderate The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. CVE-2024-11168 low Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1737 important If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1975 important A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems. CVE-2024-2201 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires. CVE-2024-26583 important In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical. CVE-2024-26584 important In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do. CVE-2024-26585 important In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: <IRQ> dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b </TASK> Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated--- CVE-2024-26782 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released. CVE-2024-26800 important In the Linux kernel, the following vulnerability has been resolved: vfio/platform: Create persistent IRQ handlers The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference. Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex. In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate. For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index. CVE-2024-26813 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/fsl-mc: Block calling interrupt handler without trigger The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially NULL and may become NULL if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that trigger is always valid between request_irq() and free_irq(), but the loopback testing mechanisms to invoke the handler function need to test the trigger. The triggering and setting ioctl paths both make use of igate and are therefore mutually exclusive. The vfio-fsl-mc driver does not make use of irqfds, nor does it support any sort of masking operations, therefore unlike vfio-pci and vfio-platform, the flow can remain essentially unchanged. CVE-2024-26814 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: Always flush async #PF workqueue when vCPU is being destroyed Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its completion queue, e.g. when a VM and all its vCPUs is being destroyed. KVM must ensure that none of its workqueue callbacks is running when the last reference to the KVM _module_ is put. Gifting a reference to the associated VM prevents the workqueue callback from dereferencing freed vCPU/VM memory, but does not prevent the KVM module from being unloaded before the callback completes. Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will result in deadlock. async_pf_execute() can't return until kvm_put_kvm() finishes, and kvm_put_kvm() can't return until async_pf_execute() finishes: WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm] Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events async_pf_execute [kvm] RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm] Call Trace: <TASK> async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- INFO: task kworker/8:1:251 blocked for more than 120 seconds. Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000 Workqueue: events async_pf_execute [kvm] Call Trace: <TASK> __schedule+0x33f/0xa40 schedule+0x53/0xc0 schedule_timeout+0x12a/0x140 __wait_for_common+0x8d/0x1d0 __flush_work.isra.0+0x19f/0x2c0 kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm] kvm_arch_destroy_vm+0x78/0x1b0 [kvm] kvm_put_kvm+0x1c1/0x320 [kvm] async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> If kvm_clear_async_pf_completion_queue() actually flushes the workqueue, then there's no need to gift async_pf_execute() a reference because all invocations of async_pf_execute() will be forced to complete before the vCPU and its VM are destroyed/freed. And that in turn fixes the module unloading bug as __fput() won't do module_put() on the last vCPU reference until the vCPU has been freed, e.g. if closing the vCPU file also puts the last reference to the KVM module. Note that kvm_check_async_pf_completion() may also take the work item off the completion queue and so also needs to flush the work queue, as the work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting on the workqueue could theoretically delay a vCPU due to waiting for the work to complete, but that's a very, very small chance, and likely a very small delay. kvm_arch_async_page_present_queued() unconditionally makes a new request, i.e. will effectively delay entering the guest, so the remaining work is really just: trace_kvm_async_pf_completed(addr, cr2_or_gpa); __kvm_vcpu_wake_up(vcpu); mmput(mm); and mmput() can't drop the last reference to the page tables if the vCPU is still alive, i.e. the vCPU won't get stuck tearing down page tables. Add a helper to do the flushing, specifically to deal with "wakeup all" work items, as they aren't actually work items, i.e. are never placed in a workqueue. Trying to flush a bogus workqueue entry rightly makes __flush_work() complain (kudos to whoever added that sanity check). Note, commit 5f6de5cbebee ("KVM: Prevent module exit until al ---truncated--- CVE-2024-26976 moderate In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several error-handling paths. However, *pdvbdev is not set to NULL after dvbdev's deallocation, causing use-after-frees in many places, for example, in the following call chain: budget_register |-> dvb_dmxdev_init |-> dvb_register_device |-> dvb_dmxdev_release |-> dvb_unregister_device |-> dvb_remove_device |-> dvb_device_put |-> kref_put When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in dvb_register_device) could point to memory that had been freed in dvb_register_device. Thereafter, this pointer is transferred to kref_put and triggering a use-after-free. CVE-2024-27043 important An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVE-2024-31143 important Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 important When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVE-2024-31146 moderate REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs. CVE-2024-35176 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix Rx DMA datasize and skb_over_panic mana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to be multiple of 64. So a packet slightly bigger than mtu+14, say 1536, can be received and cause skb_over_panic. Sample dmesg: [ 5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev:<NULL> [ 5325.243689] ------------[ cut here ]------------ [ 5325.245748] kernel BUG at net/core/skbuff.c:192! [ 5325.247838] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 5325.258374] RIP: 0010:skb_panic+0x4f/0x60 [ 5325.302941] Call Trace: [ 5325.304389] <IRQ> [ 5325.315794] ? skb_panic+0x4f/0x60 [ 5325.317457] ? asm_exc_invalid_op+0x1f/0x30 [ 5325.319490] ? skb_panic+0x4f/0x60 [ 5325.321161] skb_put+0x4e/0x50 [ 5325.322670] mana_poll+0x6fa/0xb50 [mana] [ 5325.324578] __napi_poll+0x33/0x1e0 [ 5325.326328] net_rx_action+0x12e/0x280 As discussed internally, this alignment is not necessary. To fix this bug, remove it from the code. So oversized packets will be marked as CQE_RX_TRUNCATED by NIC, and dropped. CVE-2024-35901 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE At the time of LPAR boot up, partition firmware provides Open Firmware property ibm,dma-window for the PE. This property is provided on the PCI bus the PE is attached to. There are execptions where the partition firmware might not provide this property for the PE at the time of LPAR boot up. One of the scenario is where the firmware has frozen the PE due to some error condition. This PE is frozen for 24 hours or unless the whole system is reinitialized. Within this time frame, if the LPAR is booted, the frozen PE will be presented to the LPAR but ibm,dma-window property could be missing. Today, under these circumstances, the LPAR oopses with NULL pointer dereference, when configuring the PCI bus the PE is attached to. BUG: Kernel NULL pointer dereference on read at 0x000000c8 Faulting instruction address: 0xc0000000001024c0 Oops: Kernel access of bad area, sig: 7 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: Supported: Yes CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.4.0-150600.9-default #1 Hardware name: IBM,9043-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_023) hv:phyp pSeries NIP: c0000000001024c0 LR: c0000000001024b0 CTR: c000000000102450 REGS: c0000000037db5c0 TRAP: 0300 Not tainted (6.4.0-150600.9-default) MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28000822 XER: 00000000 CFAR: c00000000010254c DAR: 00000000000000c8 DSISR: 00080000 IRQMASK: 0 ... NIP [c0000000001024c0] pci_dma_bus_setup_pSeriesLP+0x70/0x2a0 LR [c0000000001024b0] pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 Call Trace: pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 (unreliable) pcibios_setup_bus_self+0x1c0/0x370 __of_scan_bus+0x2f8/0x330 pcibios_scan_phb+0x280/0x3d0 pcibios_init+0x88/0x12c do_one_initcall+0x60/0x320 kernel_init_freeable+0x344/0x3e4 kernel_init+0x34/0x1d0 ret_from_kernel_user_thread+0x14/0x1c CVE-2024-36926 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count from userspace to that buffer. Later, we use kstrtouint on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using kstrtouint. Fix this issue by using memdup_user_nul instead of memdup_user. CVE-2024-38559 moderate In the Linux kernel, the following vulnerability has been resolved: 9p: add missing locking around taking dentry fid list Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it: UAF thread: refcount_t: addition on 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Freed by: p9_fid_destroy (inlined) p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock then unref its fids once they are no longer accessible. CVE-2024-39463 important In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. CVE-2024-39494 important REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings. CVE-2024-39908 moderate Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-4076 important In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log. CVE-2024-40902 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release(). CVE-2024-40910 important In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed. CVE-2024-40937 important In the Linux kernel, the following vulnerability has been resolved: net: do not leave a dangling sk pointer, when socket creation fails It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded and stripped): ================================================================== BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) Read of size 8 at addr ffff888007110dd8 by task traceroute/299 CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_report (mm/kasan/report.c:603) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e bpf_trampoline_6442506592+0x47/0xaf __sock_release (net/socket.c:652) __sock_create (net/socket.c:1601) ... Allocated by task 299 on cpu 2 at 78.328492s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) sk_prot_alloc (net/core/sock.c:2075) sk_alloc (net/core/sock.c:2134) inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 299 on cpu 2 at 78.328502s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) kasan_save_free_info (mm/kasan/generic.c:582) poison_slab_object (mm/kasan/common.c:242) __kasan_slab_free (mm/kasan/common.c:256) kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families create functions, which may already attached the reference to the sk object with sock_init_data(). CVE-2024-40954 important In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list. CVE-2024-40956 important In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Disassociate vcpus from redistributor region on teardown When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu. CVE-2024-40989 important In the Linux kernel, the following vulnerability has been resolved: ptp: fix integer overflow in max_vclocks_store On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() to do the allocation to prevent this. CVE-2024-40994 important In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that "owns" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter. CVE-2024-41009 important In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space. CVE-2024-41011 important In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush(). CVE-2024-41012 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value in copy_name [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. CVE-2024-41059 important In the Linux kernel, the following vulnerability has been resolved: bluetooth/l2cap: sync sock recv cb and release The problem occurs between the system call to close the sock and hci_rx_work, where the former releases the sock and the latter accesses it without lock protection. CPU0 CPU1 ---- ---- sock_close hci_rx_work l2cap_sock_release hci_acldata_packet l2cap_sock_kill l2cap_recv_frame sk_free l2cap_conless_channel l2cap_sock_recv_cb If hci_rx_work processes the data that needs to be received before the sock is closed, then everything is normal; Otherwise, the work thread may access the released sock when receiving data. Add a chan mutex in the rx callback of the sock to achieve synchronization between the sock release and recv cb. Sock is dead, so set chan data to NULL, avoid others use invalid sock pointer. CVE-2024-41062 important In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. CVE-2024-41069 important In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780 R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006 FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x6a/0x90 ? kfree+0x2cf/0x2f0 ? exc_invalid_op+0x50/0x70 ? kfree+0x2cf/0x2f0 ? asm_exc_invalid_op+0x1a/0x20 ? ata_host_alloc+0xf5/0x120 [libata] ? ata_host_alloc+0xf5/0x120 [libata] ? kfree+0x2cf/0x2f0 ata_host_alloc+0xf5/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Ensure that we will not call kfree(host) twice, by performing the kfree() only if the devres_open_group() call failed. CVE-2024-41087 important In the Linux kernel, the following vulnerability has been resolved: tap: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 CVE-2024-41090 important Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege. CVE-2024-41110 critical REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. CVE-2024-41123 moderate REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability. CVE-2024-41946 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix DIO failure due to insufficient transaction credits The code in ocfs2_dio_end_io_write() estimates number of necessary transaction credits using ocfs2_calc_extend_credits(). This however does not take into account that the IO could be arbitrarily large and can contain arbitrary number of extents. Extent tree manipulations do often extend the current transaction but not in all of the cases. For example if we have only single block extents in the tree, ocfs2_mark_extent_written() will end up calling ocfs2_replace_extent_rec() all the time and we will never extend the current transaction and eventually exhaust all the transaction credits if the IO contains many single block extents. Once that happens a WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to this error. This was actually triggered by one of our customers on a heavily fragmented OCFS2 filesystem. To fix the issue make sure the transaction always has enough credits for one extent insert before each call of ocfs2_mark_extent_written(). Heming Zhao said: ------ PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error" PID: xxx TASK: xxxx CPU: 5 COMMAND: "SubmitThread-CA" #0 machine_kexec at ffffffff8c069932 #1 __crash_kexec at ffffffff8c1338fa #2 panic at ffffffff8c1d69b9 #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2] #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2] #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2] #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2] #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2] #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2] #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2] #10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2] #11 dio_complete at ffffffff8c2b9fa7 #12 do_blockdev_direct_IO at ffffffff8c2bc09f #13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2] #14 generic_file_direct_write at ffffffff8c1dcf14 #15 __generic_file_write_iter at ffffffff8c1dd07b #16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2] #17 aio_write at ffffffff8c2cc72e #18 kmem_cache_alloc at ffffffff8c248dde #19 do_io_submit at ffffffff8c2ccada #20 do_syscall_64 at ffffffff8c004984 #21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba CVE-2024-42077 moderate In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it. CVE-2024-42093 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel crash when invoked during real mode interrupt handling (e.g. early HMI/MCE interrupt handler) if percpu allocation comes from vmalloc area. Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI() wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when percpu allocation is from the embedded first chunk. However with CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu allocation can come from the vmalloc area. With kernel command line "percpu_alloc=page" we can force percpu allocation to come from vmalloc area and can see kernel crash in machine_check_early: [ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110 [ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0 [ 1.215719] --- interrupt: 200 [ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable) [ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0 [ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8 Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu first chunk is not embedded. CVE-2024-42126 moderate In the Linux kernel, the following vulnerability has been resolved: IB/core: Implement a limit on UMAD receive List The existing behavior of ib_umad, which maintains received MAD packets in an unbounded list, poses a risk of uncontrolled growth. As user-space applications extract packets from this list, the rate of extraction may not match the rate of incoming packets, leading to potential list overflow. To address this, we introduce a limit to the size of the list. After considering typical scenarios, such as OpenSM processing, which can handle approximately 100k packets per second, and the 1-second retry timeout for most packets, we set the list size limit to 200k. Packets received beyond this limit are dropped, assuming they are likely timed out by the time they are handled by user-space. Notably, packets queued on the receive list due to reasons like timed-out sends are preserved even when the list is full. CVE-2024-42145 important In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix scv instruction crash with kexec kexec on pseries disables AIL (reloc_on_exc), required for scv instruction support, before other CPUs have been shut down. This means they can execute scv instructions after AIL is disabled, which causes an interrupt at an unexpected entry location that crashes the kernel. Change the kexec sequence to disable AIL after other CPUs have been brought down. As a refresher, the real-mode scv interrupt vector is 0x17000, and the fixed-location head code probably couldn't easily deal with implementing such high addresses so it was just decided not to support that interrupt at all. CVE-2024-42230 moderate In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused. To fix this: - clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop() - bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting) - call cancel_delayed_work_sync() after the session is closed CVE-2024-42232 important In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv. CVE-2024-42271 important In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport] CVE-2024-42301 moderate REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability. CVE-2024-43398 important In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: Prevent UAF in proc_cpuset_show() An UAF can happen when /proc/cpuset is read as reported in [1]. This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgroup_lock In the cgroup_path_ns function. 2.$cat /proc/<pid>/cpuset repeatly. 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ $umount /sys/fs/cgroup/cpuset/ repeatly. The race that cause this bug can be shown as below: (umount) | (cat /proc/<pid>/cpuset) css_release | proc_cpuset_show css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); cgroup_destroy_root | mutex_lock(&cgroup_mutex); rebind_subsystems | cgroup_free_root | | // cgrp was freed, UAF | cgroup_path_ns_locked(cgrp,..); When the cpuset is initialized, the root node top_cpuset.css.cgrp will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated &cgroup_root.cgrp. When the umount operation is executed, top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. The problem is that when rebinding to cgrp_dfl_root, there are cases where the cgroup_root allocated by setting up the root for cgroup v1 is cached. This could lead to a Use-After-Free (UAF) if it is subsequently freed. The descendant cgroups of cgroup v1 can only be freed after the css is released. However, the css of the root will never be released, yet the cgroup_root should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed. Fix this problem by using rcu_read_lock in proc_cpuset_show(). As cgroup_root is kfree_rcu after commit d23b5c577715 ("cgroup: Make operations on the cgroup root_list RCU safe"), css->cgroup won't be freed during the critical section. To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to replace task_get_css with task_css. [1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd CVE-2024-43853 moderate In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes. CVE-2024-43854 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: fix memory leak for not ip packets Free the unused skb when not ip packets arrive. CVE-2024-43861 important In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal. CVE-2024-43882 important In the Linux kernel, the following vulnerability has been resolved: usb: vhci-hcd: Do not drop references before new references are gained At a few places the driver carries stale pointers to references that can still be used. Make sure that does not happen. This strictly speaking closes ZDI-CAN-22273, though there may be similar races in the driver. CVE-2024-43883 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: fix UAFs when destroying the queues The second tagged commit started sometimes (very rarely, but possible) throwing WARNs from net/core/page_pool.c:page_pool_disable_direct_recycling(). Turned out idpf frees interrupt vectors with embedded NAPIs *before* freeing the queues making page_pools' NAPI pointers lead to freed memory before these pools are destroyed by libeth. It's not clear whether there are other accesses to the freed vectors when destroying the queues, but anyway, we usually free queue/interrupt vectors only when the queues are destroyed and the NAPIs are guaranteed to not be referenced anywhere. Invert the allocation and freeing logic making queue/interrupt vectors be allocated first and freed last. Vectors don't require queues to be present, so this is safe. Additionally, this change allows to remove that useless queue->q_vector pointer cleanup, as vectors are still valid when freeing the queues (+ both are freed within one function, so it's not clear why nullify the pointers at all). CVE-2024-44932 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: Fix shift-out-of-bounds in dbDiscardAG When searching for the next smaller log2 block, BLKSTOL2() returned 0, causing shift exponent -1 to be negative. This patch fixes the issue by exiting the loop directly when negative shift is found. CVE-2024-44938 important In the Linux kernel, the following vulnerability has been resolved: kcm: Serialise kcm_sendmsg() for the same socket. syzkaller reported UAF in kcm_release(). [0] The scenario is 1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb. 2. Thread A resumes building skb from kcm->seq_skb but is blocked by sk_stream_wait_memory() 3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb and puts the skb to the write queue 4. Thread A faces an error and finally frees skb that is already in the write queue 5. kcm_release() does double-free the skb in the write queue When a thread is building a MSG_MORE skb, another thread must not touch it. Let's add a per-sk mutex and serialise kcm_sendmsg(). [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x178/0x518 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] __skb_queue_purge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sock_release net/socket.c:659 [inline] sock_close+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ____fput+0x20/0x30 fs/file_table.c:404 task_work_run+0x230/0x2e0 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x618/0x1f64 kernel/exit.c:871 do_group_exit+0x194/0x22c kernel/exit.c:1020 get_signal+0x1500/0x15ec kernel/signal.c:2893 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 6166: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x220/0x2c0 net/socket.c:768 splice_to_socket+0x7cc/0xd58 fs/splice.c:889 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 do_splice_direct_actor ---truncated--- CVE-2024-44946 important In the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter). CVE-2024-44947 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leaks and crashes while performing a soft reset The second tagged commit introduced a UAF, as it removed restoring q_vector->vport pointers after reinitializating the structures. This is due to that all queue allocation functions are performed here with the new temporary vport structure and those functions rewrite the backpointers to the vport. Then, this new struct is freed and the pointers start leading to nowhere. But generally speaking, the current logic is very fragile. It claims to be more reliable when the system is low on memory, but in fact, it consumes two times more memory as at the moment of running this function, there are two vports allocated with their queues and vectors. Moreover, it claims to prevent the driver from running into "bad state", but in fact, any error during the rebuild leaves the old vport in the partially allocated state. Finally, if the interface is down when the function is called, it always allocates a new queue set, but when the user decides to enable the interface later on, vport_open() allocates them once again, IOW there's a clear memory leak here. Just don't allocate a new queue set when performing a reset, that solves crashes and memory leaks. Readd the old queue number and reopen the interface on rollback - that solves limbo states when the device is left disabled and/or without HW queues enabled. CVE-2024-44964 moderate In the Linux kernel, the following vulnerability has been resolved: vfs: Don't evict inode under the inode lru traversing context The inode reclaiming process(See function prune_icache_sb) collects all reclaimable inodes and mark them with I_FREEING flag at first, at that time, other processes will be stuck if they try getting these inodes (See function find_inode_fast), then the reclaiming process destroy the inodes by function dispose_list(). Some filesystems(eg. ext4 with ea_inode feature, ubifs with xattr) may do inode lookup in the inode evicting callback function, if the inode lookup is operated under the inode lru traversing context, deadlock problems may happen. Case 1: In function ext4_evict_inode(), the ea inode lookup could happen if ea_inode feature is enabled, the lookup process will be stuck under the evicting context like this: 1. File A has inode i_reg and an ea inode i_ea 2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea 3. Then, following three processes running like this: PA PB echo 2 > /proc/sys/vm/drop_caches shrink_slab prune_dcache_sb // i_reg is added into lru, lru->i_ea->i_reg prune_icache_sb list_lru_walk_one inode_lru_isolate i_ea->i_state |= I_FREEING // set inode state inode_lru_isolate __iget(i_reg) spin_unlock(&i_reg->i_lock) spin_unlock(lru_lock) rm file A i_reg->nlink = 0 iput(i_reg) // i_reg->nlink is 0, do evict ext4_evict_inode ext4_xattr_delete_inode ext4_xattr_inode_dec_ref_all ext4_xattr_inode_iget ext4_iget(i_ea->i_ino) iget_locked find_inode_fast __wait_on_freeing_inode(i_ea) -----> AA deadlock dispose_list // cannot be executed by prune_icache_sb wake_up_bit(&i_ea->i_state) Case 2: In deleted inode writing function ubifs_jnl_write_inode(), file deleting process holds BASEHD's wbuf->io_mutex while getting the xattr inode, which could race with inode reclaiming process(The reclaiming process could try locking BASEHD's wbuf->io_mutex in inode evicting function), then an ABBA deadlock problem would happen as following: 1. File A has inode ia and a xattr(with inode ixa), regular file B has inode ib and a xattr. 2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa 3. Then, following three processes running like this: PA PB PC echo 2 > /proc/sys/vm/drop_caches shrink_slab prune_dcache_sb // ib and ia are added into lru, lru->ixa->ib->ia prune_icache_sb list_lru_walk_one inode_lru_isolate ixa->i_state |= I_FREEING // set inode state inode_lru_isolate __iget(ib) spin_unlock(&ib->i_lock) spin_unlock(lru_lock) rm file B ib->nlink = 0 rm file A iput(ia) ubifs_evict_inode(ia) ubifs_jnl_delete_inode(ia) ubifs_jnl_write_inode(ia) make_reservation(BASEHD) // Lock wbuf->io_mutex ubifs_iget(ixa->i_ino) iget_locked find_inode_fast __wait_on_freeing_inode(ixa) | iput(ib) // ib->nlink is 0, do evict | ubifs_evict_inode | ubifs_jnl_delete_inode(ib) ↓ ubifs_jnl_write_inode ABBA deadlock <------make_reservation(BASEHD) dispose_list // cannot be executed by prune_icache_sb wake_up_bit(&ixa->i_state) Fix the possible deadlock by using new inode state flag I_LRU_ISOLATING to pin the inode in memory while inode_lru_isolate( ---truncated--- CVE-2024-45003 moderate In the Linux kernel, the following vulnerability has been resolved: nvme: move stopping keep-alive into nvme_uninit_ctrl() Commit 4733b65d82bd ("nvme: start keep-alive after admin queue setup") moves starting keep-alive from nvme_start_ctrl() into nvme_init_ctrl_finish(), but don't move stopping keep-alive into nvme_uninit_ctrl(), so keep-alive work can be started and keep pending after failing to start controller, finally use-after-free is triggered if nvme host driver is unloaded. This patch fixes kernel panic when running nvme/004 in case that connection failure is triggered, by moving stopping keep-alive into nvme_uninit_ctrl(). This way is reasonable because keep-alive is now started in nvme_init_ctrl_finish(). CVE-2024-45013 moderate In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS. CVE-2024-45016 moderate In the Linux kernel, the following vulnerability has been resolved: memcg_write_event_control(): fix a user-triggerable oops we are *not* guaranteed that anything past the terminating NUL is mapped (let alone initialized with anything sane). CVE-2024-45021 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error recovery leading to data corruption on ESE devices Extent Space Efficient (ESE) or thin provisioned volumes need to be formatted on demand during usual IO processing. The dasd_ese_needs_format function checks for error codes that signal the non existence of a proper track format. The check for incorrect length is to imprecise since other error cases leading to transport of insufficient data also have this flag set. This might lead to data corruption in certain error cases for example during a storage server warmstart. Fix by removing the check for incorrect length and replacing by explicitly checking for invalid track format in transport mode. Also remove the check for file protected since this is not a valid ESE handling case. CVE-2024-45026 moderate runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested. CVE-2024-45310 low An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 moderate An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 moderate An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 moderate In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. CVE-2024-45817 moderate The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be attempted to be re-acquired, resulting in a deadlock. This deadlock was already found when the code was first introduced, but was analysed incorrectly and the fix was incomplete. Analysis in light of the new finding cannot find a way to make the existing locking discipline work. In staging, this logic has all been removed because it was discovered to be accidentally disabled since Xen 4.7. Therefore, we are fixing the locking problem by backporting the removal of most of the feature. Note that even with the feature disabled, the lock would still be acquired for any accesses to the VGA MMIO region. CVE-2024-45818 moderate PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents. CVE-2024-45819 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: st: fix probed platform device ref count on probe error path The probe function never performs any paltform device allocation, thus error path "undo_platform_dev_alloc" is entirely bogus. It drops the reference count from the platform device being probed. If error path is triggered, this will lead to unbalanced device reference counts and premature release of device resources, thus possible use-after-free when releasing remaining devm-managed resources. CVE-2024-46674 important In the Linux kernel, the following vulnerability has been resolved: dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor Remove list_del call in msgdma_chan_desc_cleanup, this should be the role of msgdma_free_descriptor. In consequence replace list_add_tail with list_move_tail in msgdma_free_descriptor. This fixes the path: msgdma_free_chan_resources -> msgdma_free_descriptors -> msgdma_free_desc_list -> msgdma_free_descriptor which does not correctly free the descriptors as first nodes were not removed from the list. CVE-2024-46716 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. CVE-2024-46774 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check link_index before accessing dc->links[] [WHY & HOW] dc->links[] has max size of MAX_LINKS and NULL is return when trying to access with out-of-bound index. This fixes 3 OVERRUN and 1 RESOURCE_LEAK issues reported by Coverity. CVE-2024-46813 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check msg_id before processing transcation [WHY & HOW] HDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid array index, and it needs checking before used. This fixes 4 OVERRUN issues reported by Coverity. CVE-2024-46814 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] [WHY & HOW] num_valid_sets needs to be checked to avoid a negative index when accessing reader_wm_sets[num_valid_sets - 1]. This fixes an OVERRUN issue reported by Coverity. CVE-2024-46815 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links [Why] Coverity report OVERRUN warning. There are only max_links elements within dc->links. link count could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31. [How] Make sure link count less than max_links. CVE-2024-46816 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 [Why] Coverity reports OVERRUN warning. Should abort amdgpu_dm initialize. [How] Return failure to amdgpu_dm_init. CVE-2024-46817 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check gpio_id before used as array index [WHY & HOW] GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore should be checked in advance. This fixes 5 OVERRUN issues reported by Coverity. CVE-2024-46818 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: meson: axg-card: fix 'use-after-free' Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()', so move 'pad' pointer initialization after this function when memory is already reallocated. Kasan bug report: ================================================================== BUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc Read of size 8 at addr ffff000000e8b260 by task modprobe/356 CPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1 Call trace: dump_backtrace+0x94/0xec show_stack+0x18/0x24 dump_stack_lvl+0x78/0x90 print_report+0xfc/0x5c0 kasan_report+0xb8/0xfc __asan_load8+0x9c/0xb8 axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card] meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils] platform_probe+0x8c/0xf4 really_probe+0x110/0x39c __driver_probe_device+0xb8/0x18c driver_probe_device+0x108/0x1d8 __driver_attach+0xd0/0x25c bus_for_each_dev+0xe0/0x154 driver_attach+0x34/0x44 bus_add_driver+0x134/0x294 driver_register+0xa8/0x1e8 __platform_driver_register+0x44/0x54 axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card] do_one_initcall+0xdc/0x25c do_init_module+0x10c/0x334 load_module+0x24c4/0x26cc init_module_from_file+0xd4/0x128 __arm64_sys_finit_module+0x1f4/0x41c invoke_syscall+0x60/0x188 el0_svc_common.constprop.0+0x78/0x13c do_el0_svc+0x30/0x40 el0_svc+0x38/0x78 el0t_64_sync_handler+0x100/0x12c el0t_64_sync+0x190/0x194 CVE-2024-46849 moderate In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path. CVE-2024-47668 moderate In the Linux kernel, the following vulnerability has been resolved: mm: avoid leaving partial pfn mappings around in error case As Jann points out, PFN mappings are special, because unlike normal memory mappings, there is no lifetime information associated with the mapping - it is just a raw mapping of PFNs with no reference counting of a 'struct page'. That's all very much intentional, but it does mean that it's easy to mess up the cleanup in case of errors. Yes, a failed mmap() will always eventually clean up any partial mappings, but without any explicit lifetime in the page table mapping itself, it's very easy to do the error handling in the wrong order. In particular, it's easy to mistakenly free the physical backing store before the page tables are actually cleaned up and (temporarily) have stale dangling PTE entries. To make this situation less error-prone, just make sure that any partial pfn mapping is torn down early, before any other error handling. CVE-2024-47674 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: check skb is non-NULL in tcp_rto_delta_us() We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic kernel that are running ceph and recently hit a null ptr dereference in tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also saw it getting hit from the RACK case as well. Here are examples of the oops messages we saw in each of those cases: Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020 Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0 Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554 Jul 26 15:05:02 rx [11061395.916786] Call Trace: Jul 26 15:05:02 rx [11061395.919488] Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9 Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380 Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50 Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0 Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20 Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450 Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140 Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90 Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0 Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40 Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220 Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240 Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0 Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240 Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130 Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280 Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10 Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30 Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_even ---truncated--- CVE-2024-47684 moderate In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix possible UAF for bfqq->bic with merge chain 1) initial state, three tasks: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | ^ | ^ | ^ | | | | | | V | V | V | bfqq1 bfqq2 bfqq3 process ref: 1 1 1 2) bfqq1 merged to bfqq2: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | | | ^ \--------------\| | | V V | bfqq1--------->bfqq2 bfqq3 process ref: 0 2 1 3) bfqq2 merged to bfqq3: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) here -> ^ | | \--------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3 process ref: 0 1 3 In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then get bfqq3 through merge chain, and finially handle IO by bfqq3. Howerver, current code will think bfqq2 is owned by BIC1, like initial state, and set bfqq2->bic to BIC1. bfq_insert_request -> by Process 1 bfqq = bfq_init_rq(rq) bfqq = bfq_get_bfqq_handle_split bfqq = bic_to_bfqq -> get bfqq2 from BIC1 bfqq->ref++ rq->elv.priv[0] = bic rq->elv.priv[1] = bfqq if (bfqq_process_refs(bfqq) == 1) bfqq->bic = bic -> record BIC1 to bfqq2 __bfq_insert_request new_bfqq = bfq_setup_cooperator -> get bfqq3 from bfqq2->new_bfqq bfqq_request_freed(bfqq) new_bfqq->ref++ rq->elv.priv[1] = new_bfqq -> handle IO by bfqq3 Fix the problem by checking bfqq is from merge chain fist. And this might fix a following problem reported by our syzkaller(unreproducible): ================================================================== BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595 CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: kblockd blk_mq_requeue_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x10d/0x610 mm/kasan/report.c:475 kasan_report+0x8e/0xc0 mm/kasan/report.c:588 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757 bfq_init_rq block/bfq-iosched.c:6876 [inline] bfq_insert_request block/bfq-iosched.c:6254 [inline] bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 kthread+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 </TASK> Allocated by task 20776: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:763 [inline] slab_alloc_node mm/slub.c:3458 [inline] kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 ioc_create_icq block/blk-ioc.c:370 [inline] ---truncated--- CVE-2024-47706 moderate In the Linux kernel, the following vulnerability has been resolved: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ether3_ledoff ether3_remove | free_netdev(dev); | put_devic | kfree(dev); | | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); | // use dev Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove. CVE-2024-47747 moderate In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set. CVE-2024-47748 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential oob read in nilfs_btree_check_delete() The function nilfs_btree_check_delete(), which checks whether degeneration to direct mapping occurs before deleting a b-tree entry, causes memory access outside the block buffer when retrieving the maximum key if the root node has no entries. This does not usually happen because b-tree mappings with 0 child nodes are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen if the b-tree root node read from a device is configured that way, so fix this potential issue by adding a check for that case. CVE-2024-47757 moderate In the Linux kernel, the following vulnerability has been resolved: ACPI: sysfs: validate return type of _STR method Only buffer objects are valid return values of _STR. If something else is returned description_show() will access invalid memory. CVE-2024-49860 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount During unmount, at close_ctree(), we have the following steps in this order: 1) Park the cleaner kthread - this doesn't destroy the kthread, it basically halts its execution (wake ups against it work but do nothing); 2) We stop the cleaner kthread - this results in freeing the respective struct task_struct; 3) We call btrfs_stop_all_workers() which waits for any jobs running in all the work queues and then free the work queues. Syzbot reported a case where a fixup worker resulted in a crash when doing a delayed iput on its inode while attempting to wake up the cleaner at btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread was already freed. This can happen during unmount because we don't wait for any fixup workers still running before we call kthread_stop() against the cleaner kthread, which stops and free all its resources. Fix this by waiting for any fixup workers at close_ctree() before we call kthread_stop() against the cleaner and run pending delayed iputs. The stack traces reported by syzbot were the following: BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065 Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: btrfs-fixup btrfs_work_helper Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154 btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842 btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 2: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187 alloc_task_struct_node kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1107 copy_process+0x5d1/0x3d50 kernel/fork.c:2206 kernel_clone+0x223/0x880 kernel/fork.c:2787 kernel_thread+0x1bc/0x240 kernel/fork.c:2849 create_kthread kernel/kthread.c:412 [inline] kthreadd+0x60d/0x810 kernel/kthread.c:765 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 61: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_h ---truncated--- CVE-2024-49867 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: efifb: Register sysfs groups through driver core The driver core can register and cleanup sysfs groups already. Make use of that functionality to simplify the error handling and cleanup. Also avoid a UAF race during unregistering where the sysctl attributes were usable after the info struct was freed. CVE-2024-49925 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix array out-of-bound access in SoC stats Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function access ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_process_rx() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 CVE-2024-49930 moderate In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. CVE-2024-49936 moderate In the Linux kernel, the following vulnerability has been resolved: net/ncsi: Disable the ncsi work before freeing the associated structure The work function can run after the ncsi device is freed, resulting in use-after-free bugs or kernel panic. CVE-2024-49945 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix timer use-after-free on failed mount Syzbot has found an ODEBUG bug in ext4_fill_super The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi). When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called. Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd. CVE-2024-49960 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 color transformation This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max CVE-2024-49969 moderate In the Linux kernel, the following vulnerability has been resolved: NFSD: Limit the number of concurrent async COPY operations Nothing appears to limit the number of concurrent async COPY operations that clients can start. In addition, AFAICT each async COPY can copy an unlimited number of 4MB chunks, so can run for a long time. Thus IMO async COPY can become a DoS vector. Add a restriction mechanism that bounds the number of concurrent background COPY operations. Start simple and try to be fair -- this patch implements a per-namespace limit. An async COPY request that occurs while this limit is exceeded gets NFS4ERR_DELAY. The requesting client can choose to send the request again after a delay or fall back to a traditional read/write style copy. If there is need to make the mechanism more sophisticated, we can visit that in future patches. CVE-2024-49974 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, otherwise amdgpu_bo_unref clear the local variable, the original pointer not set to NULL, this could cause use-after-free bug. CVE-2024-49991 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-49995 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mm/ident_map: Use gbpages only where full GB page should be mapped. When ident_pud_init() uses only GB pages to create identity maps, large ranges of addresses not actually requested can be included in the resulting table; a 4K request will map a full GB. This can include a lot of extra address space past that requested, including areas marked reserved by the BIOS. That allows processor speculation into reserved regions, that on UV systems can cause system halts. Only use GB pages when map creation requests include the full GB page of space. Fall back to using smaller 2M pages when only portions of a GB page are included in the request. No attempt is made to coalesce mapping requests. If a request requires a map entry at the 2M (pmd) level, subsequent mapping requests within the same 1G region will also be at the pmd level, even if adjacent or overlapping such requests could have been combined to map a full GB page. Existing usage starts with larger regions and then adds smaller regions, so this should not have any great consequence. CVE-2024-50017 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation. CVE-2024-50047 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-50089 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken. CVE-2024-50115 important In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_sock_timeout conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock so this checks if the conn->sk is still valid by checking if it part of sco_sk_list. CVE-2024-50125 moderate In the Linux kernel, the following vulnerability has been resolved: net: sched: fix use-after-free in taprio_change() In 'taprio_change()', 'admin' pointer may become dangling due to sched switch / removal caused by 'advance_sched()', and critical section protected by 'q->current_entry_lock' is too small to prevent from such a scenario (which causes use-after-free detected by KASAN). Fix this by prefer 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update 'admin' immediately before an attempt to schedule freeing. CVE-2024-50127 moderate In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb CVE-2024-50154 important In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() The step variable is initialized to zero. It is changed in the loop, but if it's not changed it will remain zero. Add a variable check before the division. The observed behavior was introduced by commit 826b5de90c0b ("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"), and it is difficult to show that any of the interval parameters will satisfy the snd_interval_test() condition with data from the amdtp_rate_table[] table. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-50205 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Avoid memory corruption while setting up Level-2 PBL pages for the non MR resources when num_pages > 256K. There will be a single PDE page address (contiguous pages in the case of > PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid memory access after 256K PBL entries in the PDE. CVE-2024-50208 moderate In the Linux kernel, the following vulnerability has been resolved: netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() This was found by a static analyzer. We should not forget the trailing zero after copy_from_user() if we will further do some string operations, sscanf() in this case. Adding a trailing zero will ensure that the function performs properly. CVE-2024-50259 moderate In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL. CVE-2024-50264 moderate In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_edgeport: fix use after free in debug printk The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue. CVE-2024-50267 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: avoid vport access in idpf_get_link_ksettings When the device control plane is removed or the platform running device control plane is rebooted, a reset is detected on the driver. On driver reset, it releases the resources and waits for the reset to complete. If the reset fails, it takes the error path and releases the vport lock. At this time if the monitoring tools tries to access link settings, it call traces for accessing released vport pointer. To avoid it, move link_speed_mbps to netdev_priv structure which removes the dependency on vport pointer and the vport lock in idpf_get_link_ksettings. Also use netif_carrier_ok() to check the link status and adjust the offsetof to use link_up instead of link_speed_mbps. CVE-2024-50274 moderate In the Linux kernel, the following vulnerability has been resolved: dm cache: fix out-of-bounds access to the dirty bitset when resizing dm-cache checks the dirty bits of the cache blocks to be dropped when shrinking the fast device, but an index bug in bitset iteration causes out-of-bounds access. Reproduce steps: 1. create a cache device of 1024 cache blocks (128 bytes dirty bitset) dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. shrink the fast device to 512 cache blocks, triggering out-of-bounds access to the dirty bitset (offset 0x80) dmsetup suspend cache dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192" dmsetup resume cdata dmsetup resume cache KASAN reports: BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0 Read of size 8 at addr ffffc900000f3080 by task dmsetup/131 (...snip...) The buggy address belongs to the virtual mapping at [ffffc900000f3000, ffffc900000f5000) created by: cache_ctr+0x176a/0x35f0 (...snip...) Memory state around the buggy address: ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 Fix by making the index post-incremented. CVE-2024-50279 moderate In the Linux kernel, the following vulnerability has been resolved: media: cx24116: prevent overflows on SNR calculus as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers. Prevent that. CVE-2024-50290 important In the Linux kernel, the following vulnerability has been resolved: security/keys: fix slab-out-of-bounds in key_task_permission KASAN reports an out of bounds read: BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 security/keys/permission.c:54 Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0x107/0x167 lib/dump_stack.c:123 print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 __kuid_val include/linux/uidgid.h:36 [inline] uid_eq include/linux/uidgid.h:63 [inline] key_task_permission+0x394/0x410 security/keys/permission.c:54 search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 This issue was also reported by syzbot. It can be reproduced by following these steps(more details [1]): 1. Obtain more than 32 inputs that have similar hashes, which ends with the pattern '0xxxxxxxe6'. 2. Reboot and add the keys obtained in step 1. The reproducer demonstrates how this issue happened: 1. In the search_nested_keyrings function, when it iterates through the slots in a node(below tag ascend_to_node), if the slot pointer is meta and node->back_pointer != NULL(it means a root), it will proceed to descend_to_node. However, there is an exception. If node is the root, and one of the slots points to a shortcut, it will be treated as a keyring. 2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function. However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as ASSOC_ARRAY_PTR_SUBTYPE_MASK. 3. When 32 keys with the similar hashes are added to the tree, the ROOT has keys with hashes that are not similar (e.g. slot 0) and it splits NODE A without using a shortcut. When NODE A is filled with keys that all hashes are xxe6, the keys are similar, NODE A will split with a shortcut. Finally, it forms the tree as shown below, where slot 6 points to a shortcut. NODE A +------>+---+ ROOT | | 0 | xxe6 +---+ | +---+ xxxx | 0 | shortcut : : xxe6 +---+ | +---+ xxe6 : : | | | xxe6 +---+ | +---+ | 6 |---+ : : xxe6 +---+ +---+ xxe6 : : | f | xxe6 +---+ +---+ xxe6 | f | +---+ 4. As mentioned above, If a slot(slot 6) of the root points to a shortcut, it may be mistakenly transferred to a key*, leading to a read out-of-bounds read. To fix this issue, one should jump to descend_to_node if the ptr is a shortcut, regardless of whether the node is root or not. [1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/ [jarkko: tweaked the commit message a bit to have an appropriate closes tag.] CVE-2024-50301 moderate In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report. CVE-2024-50302 moderate An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. CVE-2024-50602 moderate gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character. CVE-2024-52533 moderate A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. CVE-2024-52616 moderate In the Linux kernel, the following vulnerability has been resolved: media: s5p-jpeg: prevent buffer overflows The current logic allows word to be less than 2. If this happens, there will be buffer overflows, as reported by smatch. Add extra checks to prevent it. While here, remove an unused word = 0 assignment. CVE-2024-53061 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: prevent the risk of out of memory access The dvbdev contains a static variable used to store dvb minors. The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set, dvb_register_device() won't check for boundaries, as it will rely that a previous call to dvb_register_adapter() would already be enforcing it. On a similar way, dvb_device_open() uses the assumption that the register functions already did the needed checks. This can be fragile if some device ends using different calls. This also generate warnings on static check analysers like Coverity. So, add explicit guards to prevent potential risk of OOM issues. CVE-2024-53063 important In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() The scmi_dev->name is released prematurely in __scmi_device_destroy(), which causes slab-use-after-free when accessing scmi_dev->name in scmi_bus_notifier(). So move the release of scmi_dev->name to scmi_device_release() to avoid slab-use-after-free. | BUG: KASAN: slab-use-after-free in strncmp+0xe4/0xec | Read of size 1 at addr ffffff80a482bcc0 by task swapper/0/1 | | CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.6.38-debug #1 | Hardware name: Qualcomm Technologies, Inc. SA8775P Ride (DT) | Call trace: | dump_backtrace+0x94/0x114 | show_stack+0x18/0x24 | dump_stack_lvl+0x48/0x60 | print_report+0xf4/0x5b0 | kasan_report+0xa4/0xec | __asan_report_load1_noabort+0x20/0x2c | strncmp+0xe4/0xec | scmi_bus_notifier+0x5c/0x54c | notifier_call_chain+0xb4/0x31c | blocking_notifier_call_chain+0x68/0x9c | bus_notify+0x54/0x78 | device_del+0x1bc/0x840 | device_unregister+0x20/0xb4 | __scmi_device_destroy+0xac/0x280 | scmi_device_destroy+0x94/0xd0 | scmi_chan_setup+0x524/0x750 | scmi_probe+0x7fc/0x1508 | platform_probe+0xc4/0x19c | really_probe+0x32c/0x99c | __driver_probe_device+0x15c/0x3c4 | driver_probe_device+0x5c/0x170 | __driver_attach+0x1c8/0x440 | bus_for_each_dev+0xf4/0x178 | driver_attach+0x3c/0x58 | bus_add_driver+0x234/0x4d4 | driver_register+0xf4/0x3c0 | __platform_driver_register+0x60/0x88 | scmi_driver_init+0xb0/0x104 | do_one_initcall+0xb4/0x664 | kernel_init_freeable+0x3c8/0x894 | kernel_init+0x24/0x1e8 | ret_from_fork+0x10/0x20 | | Allocated by task 1: | kasan_save_stack+0x2c/0x54 | kasan_set_track+0x2c/0x40 | kasan_save_alloc_info+0x24/0x34 | __kasan_kmalloc+0xa0/0xb8 | __kmalloc_node_track_caller+0x6c/0x104 | kstrdup+0x48/0x84 | kstrdup_const+0x34/0x40 | __scmi_device_create.part.0+0x8c/0x408 | scmi_device_create+0x104/0x370 | scmi_chan_setup+0x2a0/0x750 | scmi_probe+0x7fc/0x1508 | platform_probe+0xc4/0x19c | really_probe+0x32c/0x99c | __driver_probe_device+0x15c/0x3c4 | driver_probe_device+0x5c/0x170 | __driver_attach+0x1c8/0x440 | bus_for_each_dev+0xf4/0x178 | driver_attach+0x3c/0x58 | bus_add_driver+0x234/0x4d4 | driver_register+0xf4/0x3c0 | __platform_driver_register+0x60/0x88 | scmi_driver_init+0xb0/0x104 | do_one_initcall+0xb4/0x664 | kernel_init_freeable+0x3c8/0x894 | kernel_init+0x24/0x1e8 | ret_from_fork+0x10/0x20 | | Freed by task 1: | kasan_save_stack+0x2c/0x54 | kasan_set_track+0x2c/0x40 | kasan_save_free_info+0x38/0x5c | __kasan_slab_free+0xe8/0x164 | __kmem_cache_free+0x11c/0x230 | kfree+0x70/0x130 | kfree_const+0x20/0x40 | __scmi_device_destroy+0x70/0x280 | scmi_device_destroy+0x94/0xd0 | scmi_chan_setup+0x524/0x750 | scmi_probe+0x7fc/0x1508 | platform_probe+0xc4/0x19c | really_probe+0x32c/0x99c | __driver_probe_device+0x15c/0x3c4 | driver_probe_device+0x5c/0x170 | __driver_attach+0x1c8/0x440 | bus_for_each_dev+0xf4/0x178 | driver_attach+0x3c/0x58 | bus_add_driver+0x234/0x4d4 | driver_register+0xf4/0x3c0 | __platform_driver_register+0x60/0x88 | scmi_driver_init+0xb0/0x104 | do_one_initcall+0xb4/0x664 | kernel_init_freeable+0x3c8/0x894 | kernel_init+0x24/0x1e8 | ret_from_fork+0x10/0x20 CVE-2024-53068 moderate Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. CVE-2024-5535 moderate Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5. CVE-2024-56326 moderate CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). CVE-2024-5642 moderate There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. CVE-2024-6232 important A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 important There is a MEDIUM severity vulnerability affecting CPython. The email module didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. CVE-2024-6923 important libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. CVE-2024-7264 moderate There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. CVE-2024-7592 moderate Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer derefence. CVE-2024-8006 moderate When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. CVE-2024-8096 moderate A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. CVE-2024-9287 moderate When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. CVE-2024-9681 moderate