SUSE-IU-2025:1403-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:1403-1 Interim 1 1 2026-02-20T13:59:32Z current 2025-05-22T01:00:00Z 2025-05-22T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:1403-1 / google/sle-micro-6-1-byos-v20250522-arm64 This image update for google/sle-micro-6-1-byos-v20250522-arm64 contains the following changes: Package NetworkManager was updated: Package aardvark-dns was updated: - Update to version 1.12.2: * Release v1.12.2 * Update release notes for 1.12.2 * coredns: work on tcp requests concurrently * tcp: add timeout to connection * cirrus: update branch names * Release v1.12.1 * Updated release notes for 1.12.1 * Change av cargo categories * Bump to 1.13.0-dev * Release 1.12.0 * Release notes for 1.12 * config: ignore enoent errors while reading configs * run cargo update * update upsteam resolvers on each refresh * fix(deps): update rust crate syslog to v7 * fix(deps): update rust crate tokio to 1.39.2 * add tcp support for forwarding (bsc#1234660) * add tcp listening support * test: add new test to check for startup error * return bind error to caller on first start * add our own error type and use it over anyhow * server: use anyhow to wrap parse_configs error * server: split out main loop into new function * main: remove aardvark-dns error prefix * coredns: remove unnecessary try_join! call * coredns: drop pointless name var * serve: read nameservers once * replace signal-hook with tokio::signal * serve: fix broken error logging * server: improve parent &lt;-&gt; child error handling * add some basic perf check script * fix(deps): update rust crate tokio to 1.39.0 * coredns: create reply_ip() function * coredns: match dns type explicitly * server: use only one tokio runtime * coredns: improve indentation for process_message() * coredns: move upstream resolvers detection later * coredns: do not clone sender * read AARDVARK_NO_PROXY once * coredns: move main code out of select! * coredns: fix &quot;name&quot; naming * coredns: remove unused forward_addr/port * coredns: fix handling of dns search domain * coredns: rework PTR lookup flow * fix(deps): update rust crate tokio to 1.38.1 * [skip-ci] TMT: Reorg upstream tests for downstream reusability * [skip-ci] Packit: use `packages: [aardvark-dns-fedora]` for podman-next builds * Be sure to have at least Epoch 2 to preserve upgrade path in c10s. * fix(deps): update rust crate log to 0.4.22 * [CI:BUILD] rpm: Update Rust macro usage * fix(deps): update rust crate tokio to 1.38.0 * Bump to 1.12.0-dev - Remove redundant source: cargo_config - Update to version 1.11.0: * Release v1.11.0 * v1.11.0 release notes * run cargo update * chore(deps): update dependency containers/automation_images to v20240529 * Internal networks cannot make external DNS requests * fix(deps): update rust crate anyhow to 1.0.86 * fix(deps): update rust crate nix to 0.29.0 * [skip-ci] RPM: use default __cargo macro across all envs * chore(deps): update dependency containers/automation_images to v20240513 * fix(deps): update rust crate anyhow to 1.0.83 * [skip-ci] Packit: separate `packages` key for rhel jobs * fix(deps): update rust crate libc to 0.2.154 * [skip-ci] Packit: enable rhel10, c10s tests and c10s downstream sync * [skip-ci] Packit: Remove EL8 jobs * fix(deps): update rust crate syslog to ^6.1.1 * fix reverse ipv6 lookup test flake * fix(deps): update hickory-dns monorepo to 0.24.1 * chore(deps): update rust crate chrono to 0.4.38 * Don't tear down all server threads on SIGHUP (bsc#1224167) * fix(deps): update rust crate anyhow to 1.0.82 * fix(deps): update rust crate tokio to 1.37.0 * Update to nix-0.28.0 * update chrono package * chore(deps): update dependency containers/automation_images to v20240320 * fix(deps): update rust crate anyhow to 1.0.81 * tests: check queried domain name in reverse lookup tests * fix: set name for answers in reverse lookups * chore: fix typo in runner script * chore: fix log message when doing reverse lookup * fix(deps): update rust crate log to 0.4.21 * fix(deps): update rust crate anyhow to 1.0.80 * chore(deps): update rust crate chrono to 0.4.34 * fix(deps): update rust crate async-broadcast to 0.7.0 * fix(deps): update rust crate tokio to 1.36.0 * [CI:DOCS] Packit: disable bodhi tasks * chore(deps): update rust crate chrono to 0.4.33 * Bump to 1.11.0-dev Package ca-certificates-mozilla was updated: - reenable the distrusted certs again. the distrust is only for certs issued after the distrust date, not for all certs of a CA. remove: remove-distrusted.patch - explit remove distruted certs, as the distrust does not get exported correctly and the SSL certs are still trusted. (bsc#1240343) - Entrust.net Premium 2048 Secure Server CA - Entrust Root Certification Authority - AffirmTrust Commercial - AffirmTrust Networking - AffirmTrust Premium - AffirmTrust Premium ECC - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC1 - GlobalSign Root E46 - GLOBALTRUST 2020 - remove-distrusted.patch: apply to certdata.txt - Fix awk to compare (missing a =) and give the following output: [#] NSS_BUILTINS_LIBRARY_VERSION &quot;2.74&quot; - pass file argument to awk (bsc#1240009) - update to 2.74 state of Mozilla SSL root CAs: Removed: * SwissSign Silver CA - G2 Added: * D-TRUST BR Root CA 2 2023 * D-TRUST EV Root CA 2 2023 - remove extensive signature printing in comments of the cert bundle - Define two macros to break a build cycle with p11-kit. - Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798) Removed: - SecureSign RootCA11 - Security Communication RootCA3 Added: - TWCA CYBER Root CA - TWCA Global Root CA G2 - SecureSign Root CA12 - SecureSign Root CA14 - SecureSign Root CA15 Package cloud-regionsrv-client was updated: - Update to 10.3.11 (bsc#1234050) + Send registration code for the extensions, not only base product - Update to 10.3.8 (bsc#1233333) + Fix the package requirements for cloud-regionsrv-client + Follow changes to suseconnect error reporting from stdout to stderr - Update to 10.3.7 (bsc#1232770) + Fix the product triplet for LTSS, it is always SLES-LTSS, not $BASEPRODUCT-LTSS - Update to 10.3.6 (jsc#PCT-471, bsc#1230615) + Fix sudo setup ~ permissions cloudguestregistryauth ~ directory ownership /etc/sudoers.d + spec file ~ Remove traces of registry related entries on SLE 12 + Forward port ~ fix-for-sles12-disable-registry.patch ~ fix-for-sles12-no-trans_update.patch + Deregister non free extensions at registercloudguest --clean + Fix registry cleanup at registercloudguest --clean, don't remove files + Prevent duplicate search entries in registry setup - Update EC2 plugin to 1.0.5 + Switch to using the region endpoint from IMDS to determine the region instead of deriving the data from the availability zone - Update to 10.3.5 + Update spec file to build in all code streams, SLE 12, SLE 15, ALP, and SLFO and have proper dependencies - Update to 10.3.4 + Modify the message when network access over a specific IP version does not work. This is an informational message and should not look like an error + Inform the user that LTSS registration takes a little longer + Add fix-for-sles12-no-trans_update.patch + SLE 12 family has no products with transactional-update we do not need to look for this condition - From 10.3.3 (bsc#1229472) + Handle changes in process structure to properly identify the running zypper parent process and only check for 1 PID - From 10.3.2 + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream - From 10.3.1 (jsc#PCT-400) + Add support for LTSS registration + Add fix-for-sles12-disable-registry.patch ~ No container support in SLE 12 - Add rgnsrv-clnt-fix-docker-setup.patch (bsc#1229137) + The entry for the update infrastructure registry mirror was written incorrectly causing docker daemon startup to fail. - Update to version 10.3.0 (bsc#1227308, bsc#1222985) + Add support for sidecar registry Podman and rootless Docker support to set up the necessary configuration for the container engines to run as defined + Add running command as root through sudoers file Package cockpit was updated: - suse_docs.patch: update documentation to point at new links (bsc#1226050)- remove_rh_links.patch: remove additional hardcoded RH refs (bsc#1221336) - hide-pcp.patch: correct patch to properly disable pcp on micro (bsc#1226049) - suse-microos-branding.patch: use suse ID as branding instead of sle-micro (bsc#1227441) Package cockpit-podman was updated: - correct-container-search.patch: Fixes issues searching containers bsc#1232687 - Fix systemd units folder for leap and sle (Similar issue like boo#1226541) Package container-selinux was updated: - Update to version 2.236.0: * Allow super privileged containers to use RealtimeKit for scheduling * Add container_ro_file_t to the podman artifact store - Update to version 2.235.0: * Bump to v2.235.0 * OWNERS: add wrabcak and zpytela * OWNERS: initial commit * container_log{reader,writer}_t: allow watch file * RPM: Update gating config * Enable aarch64 testing * TMT: simplify podman tests * feat: support /var/lib/crio - OBS service file: use the tagged commit for archive versioning and don't just archive the latest changes from the main branch using the latest tag - Update to version 2.234.2: * TMT: enable epel idomatically * Packit: switch back to fedora-all * RPM: Bump Epoch to 4 * rpm: ship manpage * Add proper labeling for RamaLama * Packit: remove rhel / epel jobs * packit: remove unused file - Add BuildRequires selinux-policy-%{selinuxtype} to enable building for SLFO. Might be removed in the future again when 1231252 is fixed. - Update to version 2.233.0: * container_engine_t: small change to allow non root exec in a container * RPM: explicitly list ghosted paths and skip mode verification * container-selinux install on non selinux-policy-targeted systems (#332) * set container_log_t type for /var/log/kube-apiserver * Allow kubelet_t to create a sock file kubelet_var_lib_t * dontaudit spc_t to mmap_zero * Packit: update targets (#330) * container_engine_t: another round of small improvements (#327) * Allow container_device_plugin_t to use the network (#325) * RPM: cleanup changelog (#324) * TMT: Simplify tests - Update to version 2.232.1: * Bump to v2.232.1 * TMT: fix srpm download syntax on rawhide * Bump to 2.232.0 * Packit: remove `update_release` key from downstream jobs (#313) * Update container-selinux.8 man page * Add ownership of /usr/share/udica (#312) * Packit/TMT: upstream maintenance of downstream gating tests * extend container_engine_t again * Allow spc_t to use localectl * Allow spc_t to use timedatectl * introduce container_use_xserver_devices boolean to allow GPU access - Update to version 2.231.0: * Allow container domains to communicate with spc_t unix_stream_sockets * Move to %posttrans to ensure selinux-policy got updated before the commands run (bsc#1221720) - Manual update to version 2.230.0+git4.a8e389d to include this commit that is needed for the main selinux-policy update to work: * Rename all /var/run file context entries to /run - Update to version 2.230.0: * Move to tar_scm based packaging: added _service and _servicedata * Allow containers to unmount file systems * Add buildah as a container_runtime_exec_t label * Additional rules for container_user_t * improve container_engine_t - Update to version 2.228: * Allow container domains to watch fifo_files * container_engine_t: improve for podman in kubernetes case * Allow spc_t to transition to install_t domain * Default to allowing containers to use dri devices * Allow access to BPF Filesystems * Fix kubernetes transition rule * Label kubensenter as well as kubenswrapper * Allow container domains to execute container_runtime_tmpfs_t files * Allow container domains to ptrace themselves * Allow container domains to use container_runtime_tmpfs_t as an entrypoint * Add boolean to allow containers to use dri devices * Give containers access to pod resources endpoint * Label kubenswrapper kubelet_exec_t - Update to version 2.222: * Allow containers to read/write inherited dri devices - Update to version 2.221: * Allow containers to shutdown sockets inherited from container runtimes * Allow spc_t to use execmod libraries on container file systems * Add boolean to allow containers to read all cert files * More MLS Policy allow rules * Allow container runtimes using pasta bind icmp_socket to port_t * Fix spc_t transitions from container_runtime_domain - Update to version 2.215.0: * Add some MLS rules to policy * Allow container runtime to dyntransition to spc_t * Tighten controls on confined users * Add labels for /var/lib/shared * Cleanup entrypoint definitions * Allow container_device_plugin_t access to debugfs * Allow containers which use devices to map them Package curl was updated: - Update to 8.12.1: * Bugfixes: - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR' - asyn-thread: fix HTTPS RR crash - asyn-thread: fix the returned bitmask from Curl_resolver_getsock - asyn-thread: survive a c-ares channel set to NULL - cmake: always reference OpenSSL and ZLIB via imported targets - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config' - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config' - content_encoding: #error on too old zlib - imap: TLS upgrade fix - ldap: drop support for legacy Novell LDAP SDK - libssh2: comparison is always true because rc &lt;= -1 - libssh2: raise lowest supported version to 1.2.8 - libssh: drop support for libssh older than 0.9.0 - openssl-quic: ignore ciphers for h3 - pop3: TLS upgrade fix - runtests: fix the disabling of the memory tracking - runtests: quote commands to support paths with spaces - scache: add magic checks - smb: silence '-Warray-bounds' with gcc 13+ - smtp: TLS upgrade fix - tool_cfgable: sort struct fields by size, use bitfields for booleans - tool_getparam: add &quot;TLS required&quot; flag for each such option - vtls: fix multissl-init - wakeup_write: make sure the eventfd write sends eight bytes - Update to 8.12.0: * Security fixes: - [bsc#1234068, CVE-2024-11053] curl could leak the password used for the first host to the followed-to host under certain circumstances. - [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry - [bsc#1236589, CVE-2025-0665] eventfd double close * Changes: - curl: add byte range support to --variable reading from file - curl: make --etag-save acknowledge --create-dirs - getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var - getinfo: provide info which auth was used for HTTP and proxy - hyper: drop support - openssl: add support to use keys and certificates from PKCS#11 provider - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA - vtls: feature ssls-export for SSL session im-/export * Bugfixes: - altsvc: avoid integer overflow in expire calculation - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL - asyn-ares: fix memory leak - asyn-ares: initial HTTPS resolve support - asyn-thread: use c-ares to resolve HTTPS RR - async-thread: avoid closing eventfd twice - cd2nroff: do not insist on quoted &lt;&gt; within backticks - cd2nroff: support &quot;none&quot; as a TLS backend - conncache: count shutdowns against host and max limits - content_encoding: drop support for zlib before 1.2.0.4 - content_encoding: namespace GZIP flag constants - content_encoding: put the decomp buffers into the writer structs - content_encoding: support use of custom libzstd memory functions - cookie: cap expire times to 400 days - cookie: parse only the exact expire date - curl: return error if etag options are used with multiple URLs - curl_multi_fdset: include the shutdown connections in the set - curl_sha512_256: rename symbols to the curl namespace - curl_url_set.md: adjust the added-in to 7.62.0 - doh: send HTTPS RR requests for all HTTP(S) transfers - easy: allow connect-only handle reuse with easy_perform - easy: make curl_easy_perform() return error if connection still there - easy_lock: use Sleep(1) for thread yield on old Windows - ECH: update APIs to those agreed with OpenSSL maintainers - GnuTLS: fix 'time_appconnect' for early data - HTTP/2: strip TE request header - http2: fix data_pending check - http2: fix value stored to 'result' is never read - http: ignore invalid Retry-After times - http_aws_sigv4: Fix invalid compare function handling zero-length pairs - https-connect: start next immediately on failure - lib: redirect handling by protocol handler - multi: fix curl_multi_waitfds reporting of fd_count - netrc: 'default' with no credentials is not a match - netrc: fix password-only entries - netrc: restore _netrc fallback logic - ngtcp2: fix memory leak on connect failure - openssl: define `HAVE_KEYLOG_CALLBACK` before use - openssl: fix ECH logic - osslq: use SSL_poll to determine writeability of QUIC streams - sectransp: free certificate on error - select: avoid a NULL deref in cwfds_add_sock - src: omit hugehelp and ca-embed from libcurltool - ssl session cache: change cache dimensions - system.h: add 64-bit curl_off_t definitions for NonStop - telnet: handle single-byte input option - TLS: check connection for SSL use, not handler - tool_formparse.c: make curlx_uztoso a static in here - tool_formparse: accept digits in --form type= strings - tool_getparam: ECH param parsing refix - tool_getparam: fail --hostpubsha256 if libssh2 is not used - tool_getparam: fix &quot;Ignored Return Value&quot; - tool_getparam: fix memory leak on error in parse_ech - tool_getparam: fix the ECH parser - tool_operate: make --etag-compare always accept a non-existing file - transfer: fix CURLOPT_CURLU override logic - urlapi: fix redirect to a new fragment or query (only) - vquic: make vquic_send_packets not return without setting psent - vtls: fix default SSL backend as a fallback - vtls: only remember the expiry timestamp in session cache - websocket: fix message send corruption - x509asn1: add parse recursion limit * Rebase pathes: - libcurl-ocloexec.patch - dont-mess-with-rpmoptflags.patch - Update to 8.11.1: * Security fixes: - netrc and redirect credential leak [bsc#1234068, CVE-2024-11053] * Bugfixes: - build: fix ECH to always enable HTTPS RR - cookie: treat cookie name case sensitively - curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected - curl: use realtime in trace timestamps - digest: produce a shorter cnonce in Digest headers - docs: document default 'User-Agent' - docs: suggest --ssl-reqd instead of --ftp-ssl - duphandle: also init netrc - hostip: don't use the resolver for FQDN localhost - http_negotiate: allow for a one byte larger channel binding buffer - krb5: fix socket/sockindex confusion, MSVC compiler warnings - libssh: use libssh sftp_aio to upload file - libssh: when using IPv6 numerical address, add brackets - mime: fix reader stall on small read lengths - mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions - mprintf: fix the integer overflow checks - multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when... - netrc: address several netrc parser flaws - netrc: support large file, longer lines, longer tokens - nghttp2: use custom memory functions - OpenSSL: improvde error message on expired certificate - openssl: remove three &quot;Useless Assignments&quot; - openssl: stop using SSL_CTX_ function prefix for our functions - pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS - rtsp: check EOS in the RTSP receive and return an error code - schannel: remove TLS 1.3 ciphersuite-list support - setopt: fix CURLOPT_HTTP_CONTENT_DECODING - setopt: fix missing options for builds without HTTP &amp; MQTT - socket: handle binding to &quot;host!&lt;ip&gt;&quot; - socketpair: fix enabling 'USE_EVENTFD' - strtok: use namespaced 'strtok_r' macro instead of redefining it * Remove 0001-duphandle-also-init-netrc.patch upstream - Add patch to fix libcurl when netrc parsing is enabled. curl_easy_duphandle did not init netrc which broke applications such as for example git. gh#curl/curl#15496 * 0001-duphandle-also-init-netrc.patch - Update to 8.11.0: * Security fixes: [bsc#1232528, CVE-2024-9681] - curl: HSTS subdomain overwrites parent cache entry * Changes: - curl: --create-dirs works for --dump-header as well - gtls: Add P12 format support - ipfs: add options to disable - TLS: TLSv1.3 earlydata support for curl - WebSockets: make support official (non-experimental) * Bugfixes: - build: clarify CA embed is for curl tool, mark default, improve summary - build: show if CA bundle to embed was found - build: tidy up and improve versioned-symbols options - cmake/FindNGTCP2: use library path as hint for finding crypto module - cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled - cmake: rename LDAP dependency config variables to match Find modules - cmake: replace 'check_include_file_concat()' for LDAP and GSS detection - cmake: use OpenSSL for LDAP detection only if available - curl: add build options for safe/no CA bundle search (Windows) - curl: detect ECH support dynamically, not at build time - curl_addrinfo: support operating systems with only getaddrinfo(3) - ftp: fix 0-length last write on upload from stdin - gnutls: use session cache for QUIC - hsts: improve subdomain handling - hsts: support &quot;implied LWS&quot; properly around max-age - http2: auto reset stream on server eos - json.md: cli-option '--json' is an alias of '--data-binary' - lib: move curl_path.[ch] into vssh/ - lib: remove function pointer typecasts for hmac/sha256/md5 - libssh.c: handle EGAINS during proto-connect correctly - libssh2: use the filename buffer when getting the homedir - multi.c: warn/assert on stall only without timer - negotiate: conditional check around GSS &amp; SSL specific code - netrc: cache the netrc file in memory - ngtcp2: do not loop on recv - ngtcp2: set max window size to 10x of initial (128KB) - openssl quic: populate x509 store before handshake - openssl: extend the OpenSSL error messages - openssl: improve retries on shutdown - quic: use send/recvmmsg when available - schannel: fix TLS cert verification by IP SAN - schannel: ignore error on recv beyond close notify - select: use poll() if existing, avoid poll() with no sockets - sendf: add condition to max-filesize check - server/mqttd: fix two memory leaks - setopt: return error for bad input to CURLOPT_RTSP_REQUEST - setopt_cptr: make overflow check only done when needed - tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED - tool: support --show-headers AND --remote-header-name - tool_operate: make --skip-existing work for --parallel - url: connection reuse on h3 connections - url: use same credentials on redirect - urlapi: normalize the IPv6 address - version: say quictls in MSH3 builds - vquic: fix compiler warning with gcc + MUSL - vquic: recv_mmsg, use fewer, but larger buffers - vtls: convert Curl_pin_peer_pubkey to use dynbuf - vtls: convert pubkey_pem_to_der to use dynbuf * Rebase curl-secure-getenv.patch - Update to 8.10.1: * Bugfixes: - autotools: fix `--with-ca-embed` build rule - cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync - cmake: fix MSH3 to appear on the feature list - connect: store connection info when really done - FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a - http2: when uploading data from stdin, fix eos forwarding - http: make max-filesize check not count ignored bodies - lib: fix AF_INET6 use outside of USE_IPV6 - multi: check that the multi handle is valid in curl_multi_assign - QUIC: on connect, keep on trying on draining server - request: correctly reset the eos_sent flag - setopt: remove superfluous use of ternary expressions - singleuse: drop `Curl_memrchr()` for no-HTTP builds - tool_cb_wrt: use &quot;curl_response&quot; if no file name in URL - transfer: fix sendrecv() without interim poll - vtls: fix `Curl_ssl_conn_config_match` doc param - Update to version 8.10.0: * Security fixes: - [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS * Changes: - curl: make --rate accept &quot;number of units&quot; - curl: make --show-headers the same as --include - curl: support --dump-header % to direct to stderr - curl: support embedding a CA bundle and --dump-ca-embed - curl: support repeated use of the verbose option; -vv etc - curl: use libuv for parallel transfers with --test-event - vtls: stop offering alpn http/1.1 for http2-prior-knowledge * Bugfixes: - curl: allow 500MB data URL encode strings - curl: warn on unsupported SSL options - Curl_rand_bytes to control env override - curl_sha512_256: fix symbol collisions with nettle library - dist: fix reproducible build from release tarball - http2: fix GOAWAY message sent to server - http2: improve rate limiting of downloads - INSTALL.md: MultiSSL and QUIC are mutually exclusive - lib: add eos flag to send methods - lib: make SSPI global symbols use Curl_ prefix - lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name - lib: remove the final strncpy() calls - lib: remove use of RANDOM_FILE - Makefile.mk: fixup enabling libidn2 - max-filesize.md: mention zero disables the limit - mime: avoid inifite loop in client reader - ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks - openssl quic: fix memory leak - openssl: certinfo errors now fail correctly - openssl: fix the data race when sharing an SSL session between threads - openssl: improve shutdown handling - POP3: fix multi-line responses - pop3: use the protocol handler -&gt;write_resp - progress: ratelimit/progress tweaks - rand: only provide weak random when needed - sectransp: fix setting tls version - setopt: make CURLOPT_TFTP_BLKSIZE accept bad values - sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL - sigpipe: init the struct so that first apply ignores - smb: convert superflous assign into assert - smtp: add tracing feature - spnego_gssapi: implement TLS channel bindings for openssl - src: delete `curlx_m*printf()` aliases - ssh: deduplicate SSH backend includes (and fix libssh cmake unity build) - tool_operhlp: fix &quot;potentially uninitialized local variable 'pc' used&quot; - tool_paramhlp: bump maximum post data size in memory to 16GB - transfer: skip EOS read when download done - url: fix connection reuse for HTTP/2 upgrades - urlapi: verify URL *decoded* hostname when set - urldata: introduce `data-&gt;mid`, a unique identifier inside a multi - vtls: add SSLSUPP_CIPHER_LIST - vtls: fix static function name collisions between TLS backends - vtls: init ssl peer only once - websocket: introduce blocking sends - ws: flags to opcodes should ignore CURLWS_CONT flag - x509asn1: raise size limit for x509 certification information * Remove curl-sigpipe.patch upstream * Rebase curl-secure-getenv.patch Package python-kiwi was updated: - Bump version: 10.2.11 → 10.2.12 - Fix profile env variable name regression In the effort of adapting to the latest snapper in Issue #2697 we overlooked the after effect of a different variable name in the profile environment with regards to $kiwi_btrfs_root_is_snapshot and $kiwi_btrfs_root_is_snapper_snapshot. Image builds that references the former variable name would be broken by the change. This commit makes sure no regression is introduced by providing both variants. This Fixes bsc#1237772 - Fix grub mkimage call for the ppc platform The list of modules used to create a grub platform image for ppc was the same list as used for the x86 bios platform. This commit fixes this and also cleans up the inconsistency and misleading names used for creating platform specific output. This Fixes #2738 - Bump version: 10.2.10 → 10.2.11 - Update box plugin documentation Add chapter about new container build feature. The box plugin can now also run the build in containers - The ubuntu 20.04 github runner is closing down Make sure to move to another runner for workloads which still uses ubuntu 20.04 - Bump version: 10.2.9 → 10.2.10 - Poetry build sdist timestamps set to epoch 0 Newer versions of poetry set the timestamp for all source files to epoch 0. Such sources are not accepted by e.g Debian FTP servers and in general I don't like when tools changes their behavior just like that. This commit forces an older version of poetry for the purpose of creating the sdist tarball which then gets published on pypi. The argumentation for reproducible builds by forcing source files to a certain timestamp doesn't fly for me. I'm open for any better solution though. This Fixes #2730 - Bump version: 10.2.8 → 10.2.9 - Classify missing chkstat as debug message chkstat is a distribution specific tool. If it is present we use it, if not we don't but it's not worth a warning. This Fixes #2711 - Allow to run setfiles multi threaded Use option -T0 for newer setfiles version. This Fixes #2719 - Add rd.kiwi.dialog.timeout option Allow to configure the timeout value for dialogs displayed by the kiwi dracut code. By default the timeout is set to 60 seconds. With the special value &quot;off&quot; the dialog will never timeout. This Fixes #2718 - Make sure copy actions does not drop context Use shutil.copy2 to copy files preserving their attributes in the grub BootLoader space. This Fixes #2709 - Improve unit test for archive target_dir Add a test case with absolute path in the target_dir to make sure we never unpack the archive to the host system. The actual issue was resolved together with the implementation in #1953 and commit 78238a993c966d1229cd2fc1f5923673a90de14d This Fixes #2701 - Fixed profiled overlay imports When building an image for profile: SOME and providing an overlay directory named SOME/... kiwi will sync the contents of this overlay directory to the root tree. However it took the toplevel name SOME/ into account which is unwanted because only the sub data structure should be synced into the new root tree. This Fixes #2690 - Bump version: 10.2.7 → 10.2.8 - Use multipath child instead of parent device On multipath systems we need to find underlying child device instead of using parent device. This prevents listing all parent devices for a multipath device - Increase size for agama integration test build Agama needs more space to build now - Fixed agama integration test rubygem-byebug and rubygem-agama-yast seems to no longer exist - Update TW integration tests Package nscd was dropped from TW - Fix documentation regarding URI styles In reference to commit 760a65558f9e2e91d3eaa3a2f9503ff596984b48 the support for iso:// URI types was dropped some time ago. However, the documentation was not properly updated. This commit fixes it - Fix return value of grub helper methods The grub helper methods to find grub tools returns a None value if the tool cannot be found. This None value could be used later in a Command call where it will be used in a join() command to log the resulting commandline. This join() call then fails and raises an unhandled error causing a stack trace in the application. This commit fixes it - Added disk validation for duplicate installs Installing the same image to different storage disks on the same machine creates device conflicts with unexpected side effects. This commit adds a validation based on the PTUUID of the disk image to check if another device on the system has the same ID and if yes, does not allow to install the image again including a message which device takes the same identifier. This references bsc#1228741 - Fixed documentation for signing key attribute The source locator name for local files was incorrect - Bump version: 10.2.6 → 10.2.7 - Update documentation Added a new troubleshooting chapter as subsection to the Build Host Constraints named Package Manager Behavior. It serves the purpose to describe options for the customer to change the default package manager behavior which we from the kiwi side do not influence intentionally. This is a followup change to bsc#1235448 - Drop still present tox artifacts There were still some left over tox files and the documentation contribution chapter was also wrong at several places - Add support for reading optional pkgmgr env file If there is a file .kiwi.package_manager.env in the root of the image tree it will be read and put into the caller environment for the selected package and repository manager. There are features in e.g zypper which can only be used via env variables. This Fixes bsc#1235448 - Auto convert unit test XML data to schema v8.3 - Rename btrfs_root_is_snapshot Rename btrfs_root_is_snapshot to btrfs_root_is_snapper_snapshot. This happens in preparation for the changes suggested in #2697 where we want to get rid of snapper specific btrfs code which will be available in snapper natively soon. To make sure a btrfs layout specific to snapper(and SUSE), the implicitly used attribute named btrfs_root_is_snapshot now becomes explicit and its new name will indicate that snapper sits behind it. Along with the rename a XSLT stylesheet to automatically convert the old name into the new name for schema v8.3 will be performed. - Bump version: 10.2.5 → 10.2.6 - Fixed donate button target - Added LUKS reencryption support Added rd.kiwi.oem.luks.reencrypt boot option consumed by the kiwi-repart dracut module. For OEM LUKS2 encrypted disk images. If set, reencrypts the disk prior an eventual resize and therefore creates a new key pool and master key. The reencryption is advisable if the image binary is not protected. With access to the image binary it's possible to extract the luks header which then allows to decrypt the data unless it was reencrypted. The reencryption process only runs if the checksum of the luks header still matches the one from the original disk image. Be aware that the reencryption will ask for the passphrase if the image has been built with an initial luks passphrase. - Fixed arm/tumbleweed/test-image-rpi No ruby required for this integration test build - Plain zipl loader needs boot partition If the rootfs is something zipl cannot read, we need an extra boot partition using a supported filesystem - Fixed IBM-Cloud-Standard profile The test-image-MicroOS integration test builds an IBM-Cloud-Standard profile as encrypted variant with a random key that is not protected by an encrypted boot image. This doesn't make sense. Thus the encryption setup for the IBM cloud standard build got removed. Use the IBM-Cloud-Secure-Execution profile to test encrypted secure linux builds - Fixed test-image-qcow-openstack rsh package was dropped from TW - Fix genprotimg for s390 builds A recent change on genprotimg now forbids to use --cert in combination with --no-verify, even though this was allowed before. - Fix documentation for repo, package gpg settings In contrast to the documentation, kiwi sets default values for any gpg setting if not explicitly specified differently. We want to avoid to inherit a behavior from how the distribution packages the package manager. This commit fixes the documentation to be in line with the implementation - Drop insecure and unsupported md5 digest Decommission the Checksum.md5() method and move all places in code to sha256(). The md5 digest is considered insecure and has also been removed from hashlib as a supported digest. This Fixes #2696 - Fix config functions action The action failed on the setup of the runtime because the upgrade of pip failed. - Bump version: 10.2.4 → 10.2.5 - Changed systemfiles provider Instead of providing a static list of filenames, provide a list of package names. It is expected that the pilot of flake-pilot resolves this list against the local package database to build up the filelist for provisioning - Bump version: 10.2.3 → 10.2.4 - Update system files setup for containers The attribute provide_system_files creates a meta file in the root tree named 'systemfiles'. The contents of this file were produced by just a dump of the package database so far. For a more generic use of this data some adaptions were needed. First we allow to skip packages matching a pattern from being part of the system files. Next we do not put ghost and doc files into account. And last we handle library files in a different file named 'systemfiles.libs' where we do not add symlink targets if the target path is also part of the package. The consumer of this information is flake-pilot which syncs that library system files from the host via --copy-links. This allows a more generic use with regards to versioned libraries e.g. libc - Drop /dev/pts from bind mount locations This has created havoc in the Fedora build environments by fully unmounting /dev/pts and breaking the builders for subsquent tasks. This is a partial revert of commit daf1323c5ded7e4e7783205f5e30457b40eb322f. - Don't take ghost files into account When creating the system files information do not take ghost files and artifact files into account - Bump version: 10.2.2 → 10.2.3 - Update STYLEROOT to SUSE 2022 - Fix broken links in the documentation - Fix legacy_bios_mode detection The code in this method does not work correctly if the firmware is set to 'bios'. In bios only mode the method returned a false value which is incorrect as it should return a true value in this case. Without this patch ISO images will fail to boot because no loader gets configured. - Added /dev/pts to bind mount locations During runtime several kernel filesystems are bind mounted into the image root system such that programs expecting it can work. /dev/pts was not needed so far but seems to be a good addition to the list to make tools like sudo to work properly when called e.g. from a config.sh script. This Fixes #2686 - xorriso: respect efiparttable and gpt_hybrid_mbr This should make the xorriso-based ISO build path respect the 'efiparttable' and 'gpt_hybrid_mbr' settings when building a UEFI-compatible image, making it write a GPT disk label by default instead of an MBR (msdos) one. If it's building an image that is not UEFI-compatible it will always write an MBR label, regardless of this setting. If 'gpt_hybrid_mbr' is set, xorriso will write an Ubuntu-style MBR/GPT hybrid partition table, where the MBR partition table includes a partition with type 00 and the bootable flag, as well as the partition with type ee required by the UEFI spec. This mildly violates the UEFI spec but may make the image bootable on native BIOS or CSM firmwares which refuse to boot from a disk with no partition marked 'bootable' in the MBR. If 'gpt_hybrid_mbr' is not set, xorriso will write a strictly UEFI-spec compliant label, with just the 'protective MBR' required by the UEFI spec (no bootable partition) and the correct GPT partition table. Note this is somewhat different from what gpt_hybrid_mbr does for disk images. Also, we now pass -compliance no_emul_toc when building ISOs, as recommended by upstream in https://lists.gnu.org/archive/html/bug-xorriso/2024-11/msg00012.html This tool is generally always going to be building ISOs intended for write-once use, not multi-session use (and which are rarely, these days, written to physical discs at all anyway). Signed-off-by: Adam Williamson &lt;awilliam@redhat.com&gt; - Added provide/require system files for containers Added the attributes provide_system_files and require_system_files to control the provider and requester of system files in container image builds. systemfiles is a metadata file which contains all files from the package database at call time. It is used in flake-pilot to provision the systemfiles data from the host into the container instance. One possible use case for this data is a flake registration which uses a base container that is derived from a runtime container but all data from the runtime should be provisioned from the host. Using this feature tightly couples the flake to the host OS distribution and version. - Bump version: 10.2.1 → 10.2.2 - Fix scope issue Increase livetime of the the compressor instances to the livetime of RootImportOCI. They create temporary files which are referenced later and need to live longer than the block they got created in - Bump version: 10.2.0 → 10.2.1 - Fixed use of fscreateoptions for iso type The information for fscreateoptions was not passed along to the tooling if a custom filesystem attribute was specified. This Fixes #2681 - Allow to derive from multiple containers Add support for multi inheritance to the derived_from attribute In the order of a comma seperated list of docker source URI's a base tree is created. This was possible only with one container so far and Fixes #2680 as well as jira#OBS-354 - Bump version: 10.1.18 → 10.2.0 - Add selinux test build to TW Also update derived docker integration test to latest Leap - kiwi/schema: Fix allowed value type for ISO publisher and application ID According to the spec, this should be constrained to 128 characters but also allow quite a few other special characters (as well as spaces). We didn't allow spaces in application ID, but allowed too much for Publisher. Now we set up both correctly. - Fix setup of kiwi environment variables Some kiwi env vars are initialized with an empty value and not overwritten if another value is provided. For the selected variables an empty value setting is not allowed because the schema also enforces the value to be set at least once. In addition a helpful option named --print-kiwi-env was added to the 'image info' command which allows to print the environment variables and their values. - Add random key support for LUKS encryption Allow to pass luks=&quot;random&quot;. In random mode use the generated keyfile as the only key to decrypt. This is only secure if the generated initrd also gets protected e.g. through encryption like it is done with the secure linux execution on zSystems - Added development group in pyproject setup generateDS and other tools are needed and were forgotten to be added when we deleted the tox dependency - Added containers integration with OBS When building in the Open Build Service (OBS) there is no way to create outgoing connections from the build workers. To allow the &lt;containers&gt; section to fetch containers from the SUSE registry we need to apply an OCI URI translation into a local path. The actual OCI container image is expected to be provided by the obs backend on the worker. Along with this commit also an integration test named test-image-disk-containers is provided. This Fixes jira#OBS-351 - Fix rendering of SUSE docs The SUSE documentation is produced through a conversion of the ReST source into docbook. The name kiwi is reserved in the index and needs to be referenced as kiwi-ng when used as command. - Remove tox dependency tox was used as sort of a make target to run unit tests and more in a python virtualenv. However, since we switched everything to poetry it's no longer needed to let tox create the python virtual environments. This commit moves the tox targets into the Makefile and adapts the github workflow files accordingly. In addition the scripts container based tests were re-activated and fixed such that they succeed again. - Fix make build target Move the actions done by the tox target into the build target and call them there in a clean and easy to spot sequence. There is no need to call tox to prepare for the package submission, instead the checks and poetry runs to prepare for the package target should be called directly as part of the build target. In the future we might get rid of tox completely. - Bump version: 10.1.17 → 10.1.18 - Fixed zipl caller environment zipl gets confused with an active sysfs mount inside the root tree at call time of zipl. This commit umounts the /sys bind mount in the image tree prior calling zipl - Fix s390 test-image-disk build Add missing kernel links used by suse tools - Bump version: 10.1.16 → 10.1.17 - Fix coloring of build_status.sh flags Depending on the place of the status flag the color setup might fail. This commit fixes it - Add pytest-container as optional dependency The pyproject.toml listed pytest-container as dependency but it is used only to run the container based integration tests for the shell helper methods. For building the package this dependency should not be pulled in - Fix networking in erofs integration test The network setup was systemd-networkd based but the provided network config was not for systemd - Bump version: 10.1.15 → 10.1.16 - Fix erofs requires in spec erofs-utils for SUSE only exists in Tumbleweed. The former conditon would also add the requirement for ALP and SLFO which is wrong. This commit fixes it - Add vagrantconfig rule for vagrant format If the format=&quot;vagrant&quot; attribute is set, a vagrantconfig section becomes mandatory. This commit enforces this rule on the schema. This Fixes #2666 - Bump version: 10.1.14 → 10.1.15 - Fixed sphinx_rtd_theme setup Delete obsolete display_version attribute - Evaluate eficsm everywhere Fixed _supports_bios_modules() to take an eventually provided eficsm setup into account. The grub config still searches for i386 grub modules even if eficsm=&quot;false&quot; is set. - Fixed debian bootstrap script calls Run scripts as commands with their native shebang and not through bash. Not all debian package scripts uses bash, some of them uses sh which can be a link to dash or other interpreters. This Fixes #2660 - Update TW integration tests The package x86info was dropped from TW - Turn DiskFormat into an ordinary class - it does not need to be an abstract base class - use f-strings where applicable instead of format() - change return type of _custom_args_for_format from list to tuple - Add new containers section Allow to specify references to OCI containers in the image description like in the following example: &lt;containers source=&quot;registry.suse.com&quot; backend=&quot;podman&quot;&gt; &lt;container name=&quot;some&quot; tag=&quot;some&quot; path=&quot;/some/path&quot;/&gt; &lt;/containers&gt; During the kiwi process the containers are fetched into a temporary location and a systemd service is configured to one time load the containers into the local registry at first boot of the system. This Fixes #2663 - Bump version: 10.1.13 → 10.1.14 - Revert &quot;Install usrmerge for Debian integration test&quot; This reverts commit 95ac861741f14c4f35611c16328384c18e53dcfb. Solution needs to be provided in code - Install usrmerge for Debian integration test - Support older apt versions for bootstrap This Fixes #2660 - Run package scripts in apt bootstrap phase The bootstrap procedure based on apt only runs a manual collection of package scripts. This commit refactors the code that unpacks the bootstrap packages to a python implementation and adds a method to run the bootstrap scripts from all packages resolved by apt. - Bump version: 10.1.12 → 10.1.13 - Fix bundle extension for vagrant type When bundling result files that uses a vagrant type, kiwi creates them with the extension .vagrant.virtualbox.box or .vagrant.libvirt.box. The bundler code renames them using only the .box suffix which is too short as it is missing the subformat information. This commit fixes it and keeps this information in the result bundle file name. This Fixes #2656 - Use simple quotas (squota) for volumes - Add quota attribute to volume section Allow to set quota per volume for the btrfs filesystem This Fixes #2651 - Fix globbing with exclude with regex This fixes a collection of bugs when producing erofs images. On one hand, this ensures that an exclude of `/sys` doesn't accidentally match `/lib/libsystemd.so`, only `/sys/whatever`. On the other hand, this ensures that `/dev/*` does match `/dev/vda` and not just `/dev///////////`. This fixes libsystemd.so getting dropped in Kiwi-built FEX images. Signed-off-by: Alyssa Rosenzweig &lt;alyssa@rosenzweig.io&gt; - Honour custom exclude for filesystem builds All other call sites honour the custom exclude file, it's just this one that needs to be fixed. This unblocks use of Kiwi for generating FEX rootfs. Closes: #2652 Signed-off-by: Alyssa Rosenzweig &lt;alyssa@rosenzweig.io&gt; - test: storage: update clone_device tests with new block size Signed-off-by: Isaac True &lt;isaac@is.having.coffee&gt; - storage: clone_device: increase dd block size Increasing the block size used for dd reduces the time needed to clone a device. Signed-off-by: Isaac True &lt;isaac@is.having.coffee&gt; - Bump version: 10.1.11 → 10.1.12 - Add missing erofscompression validation In the filesystem builder I forgot to evaluate the erofscompression attribute. This Fixes #2647 - Include PI and comments in XSL stylesheets So far comments and processing instructions (PI) were ignored when applying the XSL stylesheets. This commit updates all stylesheets to take them into account - Bump version: 10.1.10 → 10.1.11 - doc: Add login information test build test images Package dracut was updated: - Update to version 059+suse.631.ga638ed12: * fix(dmsquash-live): do not check ISO md5 if image filesystem (bsc#1240919) * fix(nfs): set correct ownership of rpc.statd state directories (bsc#1217885) * perf(nfs): remove references to old rpcbind state dir * fix(nfs): libnfsidmap plugins not added in some distributions * fix(dracut.spec): move znet to the main package (bsc#1239632) - Update to version 059+suse.623.gf9a73df5: * fix(iscsi): make sure services are shut down when switching root (bsc#1237695) * fix(iscsi): don't require network setup for qedi * fix(network-legacy): do not require pgrep when using wicked (bsc#1236982) - Update to version 059+suse.617.gb2c1d974: Fixes for booting from iSCSI offload with bnx2i (bsc#1228086): * fix(iscsi): attempt iSCSI login before all interfaces are up * fix(iscsi): don't require network setup for bnx2i Other: * fix(dracut): rework timeout for devices added via --mount and --add-device (bsc#1231792) - Update to version 059+suse.610.g850d981a: * fix(dm): remove 59-persistent-storage-dm.rules (bsc#1232063) Package findutils was updated: - do not crash when file system loop was encountered [bsc#1231472]- added patches fix https://git.savannah.gnu.org/cgit/findutils.git/commit/?id=e5d6eb919b9 + findutils-avoid-crash-system-loop.patch - modified patches % findutils-xautofs.patch (p1) Package gettext-runtime was updated: - Fix crash while handling po files with malformed header and process them properly (0003-Fix-malformed-header-processing.patch, boo#1227316). Package glib2 was updated: - Add glib2-CVE-2024-52533.patch: fix a single byte buffer overflow (boo#1233282 CVE-2024-52533 glgo#GNOME/glib#3461). Package glibc was updated: - assert-message-allocation.patch: Fix underallocation of abort_msg_s struct (CVE-2025-0395, bsc#1236282, BZ #32582)) Package google-guest-agent was updated: - Add patch to fix unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239197, CVE-2025-22868) * CVE-2025-22868.patch - Update to version 20250116.00: (bsc#1236403) * networkd(vlan): remove the interface in addition to config (#468) * Implement support for vlan dynamic removal, update dhclient to remove only if configured (#465) * Update logging library (#479) * Remove Pat from owners file. (#478) - Update to version 20241209.01: (bsc#1235664) * readme: add notes about plugin manager (#476) * Update metadata script runner to honor cloud logging config flag (#475) * Fixing fallback from systemd-networkd to dhclient (#471) * network: fix nmcli check pattern (#472) * Update readme with guest agent manager (#469) * Add missing packaging spec (#466) * Bring back side-by-side packaging (#464) * Avoid changing permissions of directory if parent is / (#463) * network: force NetworkManager to connect to primary nic (#461) * Revert plugin manager packaging (#460) * Add GOPATH to PATH in debian build (#459) * Add plugin manager to debian build (#457) * rpm packaging: fix plugin manager assumptions (#458) * packaging: add plugin manager to rhel packaging (#454) - Update to version 20241018.01 (bsc#1231775, bsc#1231776) * Add support for including agent manager in guest-agent package (#456) * plugin manager: Introduce the systemd service file (#455) * documentation: Update metadata script runner details (#453) - from version 20241013.00 * Update OWNERS (#452) - from version 20241011.01 * SUSE no overwrite bug fix, Ubuntu 18.04 exception (#451) - from version 20241011.00 * Skip MDS setup by default for this release (#450) - from version 20241010.01 * Revert &quot;network/netplan: Adjust link-local accordingly (#443)&quot; (#448) * Set enable regardless of previous check failed or not (#447) - from version 20241009.03 * Avoid unnecessary reloads, check before overwriting configs (#446) - from version 20241009.02 * network/netplan: Do generate instead of apply (#445) - from version 20241009.01 * Skip SetupInterfaces if configs are already applied (#444) * network/netplan: Adjust link-local accordingly (#443) * Repeated logging could be mistaken for a recurring issue, log mds mtls endpoint error only once (#439) * Retry MDS PUT operation, reload netplan/networkctl only if configs are changed (#438) * Log interface state after setting up network (#437) * network: Debian 12 rollback only if default netplan is ok (#436) - from version 20240930.01 * Change mtls mds defaults, update log message to assure error is harmless (#434) - from version 20240930.00 * network: Restore Debian 12 netplan configuration. (#433) * network: Remove primary NIC left over configs. (#432) * Update VLAN interfaces format to match with MDS (#431) * Fix panics in agent when setting up VLAN with netplan (#430) * Add VLAN NIC support for NetworkManager (#429) * Fix debian12 netplan config issue, use ptr receiver (#428) * Update README to reflect new network manager changes (#427) * Introduce a configuration toggle for enabling/disabling cloud logging (#413) * Adapt and update config key to be consistent with MDS (#426) * Allow users to enable/disable the mds mtls via metadata key (#423) * Make primary nic management config consistent across all network managers (#422) * Document disabling account manager on AD (#421) * Update README with MDS MTLS docs (#418) * Avoid writing configuration files when they already exist on wicked and (#410) * Update golang.org/x/net dependencies to catch up on CVEs (#412) * Get rid of deperecated dependencies in snapshot service generate code (#411) * Fix where agent panics on nil event (#409) * Configure primary nic if only set in cfg file (#408) * Update NIC management strategy (#402) * Only release dhclient leases for an interface if the respective dhclient is still running (#407) * Disable OS Login without pruning off any extra suffix. (#400) * Skip root cert rotation if installed once (#405) * Add ipv6 support to guest agent (#404) * Update Accounts documentation (#403) * Update google-startup-scripts.service to enable logging (#399) * Network subsystem remove os rules (#396) * oslogin: Don't remove sshca watcher when oslogin is disabled (#398) * Update dependencies to catch up on CVE fixes (#397) * Network manager netplan implementation (#386) * Update dependencies to catch up on CVE fixes (#391) * Log current available routes on error (#388) * Fix command monitor bugs (#389) * windows account: Ignore &quot;user already belogs to group&quot; error (#387) * Add more error logging in snapshot handling requests, use common retry util (#384) * All non-200 status code from MDS should raise error (#383) * Change metadata key to enable-oslogin-certificates (#382) * Update dhclient pid/lease file directory to abide apparmor rules (#381) * Add COS homedir-gid patch to upstream. (#365) * Add require-oslogin-certificates logic to disable keys (#368) * systemd-networkd: Support Debian 12's version (#372) * Minor update typo in comment (#380) * NetworkManager: Only set secondary interfaces as up (#378) * address manager: Make sure we check for oldMetadata (#375) * network: Early setup network (#374) * NetworkManager: Fix ipv6 and ipv4 mode attribute (#373) * Network Manager: Make sure we clean up ifcfg files (#371) * metadata script runner: Fix script download (#370) * oslogin: Avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: Remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) * Create systemd-networkd unit tests. (#354) * Update network manager unit tests (#351) * Implement retry util (#350) * Refactor utils package to not dump everything unrelated into one file (#352) * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * Ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) * Remove quintonamore from OWNERS (#345) * Delete integration tests (#343) - Update to version 20240816.00 * Add configuration toggle to enable/disable use of OS native certificate stores (#419) * Fix dependencies in stable branch #412 (#415) * Update dep: golang.org/x/crypto to v0.17.0 * Update dep: google.golang.org/protobuf to 1.33.0 * Update dep: golang.org/x/net to 0.17.0 * Update dep: google.golang.org/grpc to v1.57.1 - from version 20240813.00 * Update README with MDS MTLS docs (#418) - from version 20240808.01 * Avoid writing configuration files when they already exist on wicked and NetworkManager (#410) - from version 20240808.00 * Update golang.org/x/net dependencies to catch up on CVEs (#412) - from version 20240805.00 * Get rid of deperecated dependencies in snapshot service generate code (#411) - Drop dont_overwrite_ifcfg.patch, fixed upstream - Update to version 20240802.00 * Fix where agent panics on nil event (#409) - from version 20240801.00 * Configure primary nic if only set in cfg file (#408) * Update NIC management strategy (#402) * Only release dhclient leases for an interface if the respective dhclient is still running (#407) * Disable OS Login without pruning off any extra suffix. (#400) * Skip root cert rotation if installed once (#405) * Add ipv6 support to guest agent (#404) * Update Accounts documentation (#403) * Update google-startup-scripts.service to enable logging (#399) * Network subsystem remove os rules (#396) * oslogin: don't remove sshca watcher when oslogin is disabled (#398) * Update dependencies to catch up on CVE fixes (#397) * Network manager netplan implementation (#386) * Update dependencies to catch up on CVE fixes (#391) * Log current available routes on error (#388) * Fix command monitor bugs (#389) * Windows account: ignore &quot;user already belogs to group&quot; error (#387) * Add more error logging in snapshot handling requests, use common retry util (#384) * All non-200 status code from MDS should raise error (#383) * Change metadata key to enable-oslogin-certificates (#382) * Update dhclient pid/lease file directory to abide apparmor rules (#381) * Add COS homedir-gid patch to upstream. (#365) * Add require-oslogin-certificates logic to disable keys (#368) * systemd-networkd: support debian 12's version (#372) * Minor update typo in comment (#380) * NetworkManager: only set secondary interfaces as up (#378) * address manager: make sure we check for oldMetadata (#375) * network: early setup network (#374) * NetworkManager: fix ipv6 and ipv4 mode attribute (#373) * Network Manager: make sure we clean up ifcfg files (#371) * metadata script runner: fix script download (#370) * oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) * Create systemd-networkd unit tests. (#354) * Update network manager unit tests (#351) * Implement retry util (#350) * Refactor utils package to not dump everything unrelated into one file (#352) * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * Ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) * Remove quintonamore from OWNERS (#345) * Delete integration tests (#343) - from version 20240716.00 * Update dep: golang.org/x/crypto to v0.17.0 * Update dep: google.golang.org/protobuf to 1.33.0 * Update dep: golang.org/x/net to 0.17.0 * Update dep: google.golang.org/grpc to v1.57.1 - Update to version 20240701.00 * Update google-startup-scripts.service to enable logging (#399) - Update to version 20240611.01 * Network subsystem remove os rules (#396) * oslogin: don't remove sshca watcher when oslogin is disabled (#398) * update dependencies to catch up on CVE fixes (#397) * Network manager netplan implementation (#386) * update dependencies to catch up on CVE fixes (#391) * Log current available routes on error (#388) * Fix command monitor bugs (#389) * windows account: ignore &quot;user already belogs to group&quot; error (#387) * Add more error logging in snapshot handling requests, use common retry util (#384) * All non-200 status code from MDS should raise error (#383) * change metadata key to enable-oslogin-certificates (#382) * Update dhclient pid/lease file directory to abide apparmor rules (#381) * Add COS homedir-gid patch to upstream. (#365) * Add require-oslogin-certificates logic to disable keys (#368) * systemd-networkd: support debian 12's version (#372) * Minor update typo in comment (#380) * NetworkManager: only set secondary interfaces as up (#378) * address manager: make sure we check for oldMetadata (#375) * network: early setup network (#374) * NetworkManager: fix ipv6 and ipv4 mode attribute (#373) * Network Manager: make sure we clean up ifcfg files (#371) * metadata script runner: fix script download (#370) * oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) * Create systemd-networkd unit tests. (#354) * Update network manager unit tests (#351) * Implement retry util (#350) * Refactor utils package to not dump everything unrelated into one file (#352) * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) * Remove quintonamore from OWNERS (#345) * Delete integration tests (#343) - from version 20240528.00 * update dep: golang.org/x/crypto to v0.17.0 * update dep: google.golang.org/protobuf to 1.33.0 * update dep: golang.org/x/net to 0.17.0 * update dep: google.golang.org/grpc to v1.57.1 - Update to version 20240314.00 (bsc#1221900, bsc#1221901) * NetworkManager: only set secondary interfaces as up (#378) * address manager: make sure we check for oldMetadata (#375) * network: early setup network (#374) * NetworkManager: fix ipv6 and ipv4 mode attribute (#373) * Network Manager: make sure we clean up ifcfg files (#371) * metadata script runner: fix script download (#370) * oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) - Refresh patches for new version * dont_overwrite_ifcfg.patch - No need for double %setup. - Use %patch -P N instead of deprecated %patchN. - Update to version 20240213.00 * Create systemd-networkd unit tests (#354) - from version 20240209.00 * Update network manager unit tests (#351) - from version 20240207.02 * Implement retry util (#350) - from version 20240207.01 * Refactor utils package to not dump everything unrelated into one file (#352) - from version 20240207.00 * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * Ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) - from version 20240122.00 * Remove quintonamore from OWNERS (#345) - from version 20240111.00 * Delete integration tests (#343) - from version 20240109.00 * Update licenses with dependencies of go-winio (#339) * Add github.com/Microsoft/go-winio to third party licensing (#337) - Add explicit versioned dependency on google-guest-oslogin (bsc#1219642) - Refresh patches for new version * dont_overwrite_ifcfg.patch Package google-guest-configs was updated: - Add ggc-no-dup-metasrv-entry.patch + Follow up to (bsc#1234289, bsc#1234293). Avoid duplicate entries for the metadata server in /etc/hosts - Update to version 20241205.00 (bsc#1234254, bsc#1234255) * Update google_set_multiqueue to configure vCPU ranges based on VM platform (#90) - from version 20241204.00 * Restore google_set_multiqueue changes for A3Ultra (#93) * Depend on networkd-dispatcher in Ubuntu (#94) - Include components to set hostname and /etc/hosts entries (bsc#1234289, bsc#1234293) * Add sysconfig and sysconfig-network to BuildRequires * Install google_set_hostname into %{_bindir} * Install google_up.sh into %{_sysconfdir}/sysconfig/network/scripts/ * Add code to add and remove POST_UP_SCRIPT=&quot;compat:suse:google_up.sh&quot; to /etc/sysconfig/network/ifcfg-eth0 in %post and %postun sections - Update to version 20241121.00 (bsc#1233625, bsc#1233626) * Temporarily revert google_set_multiqueue changes for release (#92) - from version 20241115.00 * Remove IDPF devices from renaming rules (#91) - from version 20241112.00 * Revert &quot;Revert 3 commits:&quot; (#89) - from version 20241108.00 * Revert 3 commits: (#87) - from version 20241107.00 * gce-nic-naming: Exit 1 so that udev ignores the rule on error (#86) - from version 20241106.00 * Remove Apt IPv4 only config for Debian and Ubuntu (#85) - from version 20241031.00 * Add GCE intent based NIC naming tools (#84) - from version 20241025.00 * Update google_set_multiqueue to skip set_irq if NIC is not a gvnic device (#83) - Add new binary gce-nic-naming to %{_bindir} in %files section - Update to version 20241021.00 (bsc#1231775, bsc#1231776) * Add GCE-specific config for systemd-resolved (#82) - from version 20241015.00 * Update google_set_multiqueue to enable on A3Ultra family (#79) - from version 20241013.00 * Update OWNERS (#81) - from version 20241010.00 * Depend on jq in enterprise linux (#80) - from version 20241008.00 * Always use IP from primary NIC in the networkd-dispatcher routable hook (#78) - Update to version 20240925.00 * Call google_set_hostname on openSUSE and when the agent is configured to manage hostname and FQDN, let it (#75) - from version 20240924.00 * Include systemd-networkd hook in Ubuntu packaging (#77) - from version 20240905.00 * Update packaging as of Ubuntu devel packaging (#65) - from version 20240830.00 * Fix the name for A3 Edge VMs (#76) - Update to version 20240725.00 * Fix: hostnamectl command (#74) - Update to version 20240607.00 * Update is_a3_platform to include A3-edge shape (#73) - Update to version 20240514.00 * Add systemd-networkd hostname hook (#71) - from version 20240501.00 * Add hostname hook for NetworkManager without dhclient compat script (#70) - Update to version 20240307.00 (bsc#1221146, bsc#1221900, bsc#1221901) * Support dot in NVMe device ids (#68) - from version 20240304.00 * google_set_hostname: Extract rsyslog service name with a regexp for valid systemd unit names (#67) - from version 20240228.00 * Remove quintonamore from OWNERS (#64) - from version 20240119.00 * Setup smp affinity for IRQs and XPS on A3+ VMs (#63) Package google-osconfig-agent was updated: - Add patch to fix unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239197, CVE-2025-22868) * CVE-2025-22868.patch - Add patch to fix vulnerability when creating log files * CVE-2024-45339.patch (bsc#1236560, CVE-2024-45339) - Update to version 20250115.01 (bsc#1236406, bsc#1236407) * Bump cloud.google.com/go/osconfig from 1.14.2 to 1.14.3 (#772) - from version 20250115.00 * Bump cloud.google.com/go/auth from 0.10.2 to 0.14.0 (#767) * Bump go.opentelemetry.io/otel from 1.32.0 to 1.33.0 (#771) * Bump google.golang.org/protobuf from 1.35.1 to 1.36.2 (#763) - from version 20250114.00 * Bump golang.org/x/time from 0.8.0 to 0.9.0 (#770) - from version 20250113.01 * Bump cloud.google.com/go/auth/oauth2adapt from 0.2.5 to 0.2.7 (#766) - from version 20250113.00 * Bump golang.org/x/net from 0.31.0 to 0.34.0 (#769) - from version 20250110.00 * Bump golang.org/x/crypto from 0.29.0 to 0.31.0 in the go_modules group (#760) * Bump cloud.google.com/go/longrunning from 0.6.2 to 0.6.3 (#744) - from version 20241218.00 * Scanners fixes (#720) * Bump cloud.google.com/go/storage from 1.46.0 to 1.47.0 (#736) * Bump go.opentelemetry.io/contrib/detectors/gcp from 1.29.0 to 1.32.0 (#730) * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#738) * Bump golang.org/x/net from 0.30.0 to 0.31.0 (#731) - from version 20241118.01 * Bump github.com/googleapis/gax-go/v2 from 2.13.0 to 2.14.0 (#737) - from version 20241118.00 * move example to appropriate directory (#740) - from version 20241115.00 * Replace sles-15-sp3-sap old deprecated image in e2e tests (#739) * Bump golang.org/x/time from 0.7.0 to 0.8.0 (#734) - from version 20241114.03 * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp (#735) - from version 20241114.02 * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#729) - from version 20241114.01 * Remove SLES-15-SP2-SAP from e2e tests and add the new SLES-15-SP6 (#733) * Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#728) * Bump go.opentelemetry.io/otel/sdk/metric from 1.30.0 to 1.32.0 (#727) - from version 20241114.00 * Add example to run exec script from the gcs bucket (#732) * Bump cel.dev/expr from 0.16.1 to 0.18.0 (#723) - from version 20241112.00 * Bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 (#722) * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric (#721) * Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#725) * Bump github.com/golang/glog from 1.2.2 to 1.2.3 (#715) * Bump google.golang.org/api from 0.203.0 to 0.205.0 (#716) - from version 20241107.01 * Bump github.com/envoyproxy/go-control-plane from 0.13.0 to 0.13.1 (#717) * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping (#718) * Bump cloud.google.com/go/auth from 0.10.0 to 0.10.1 (#719) - from version 20241107.00 * Bump cloud.google.com/go/logging from 1.11.0 to 1.12.0 (#709) * Bump cloud.google.com/go/iam from 1.2.1 to 1.2.2 (#710) * Bump cloud.google.com/go/storage from 1.43.0 to 1.46.0 (#713) * Bump cloud.google.com/go/osconfig from 1.14.1 to 1.14.2 (#708) * Bump cloud.google.com/go/auth/oauth2adapt from 0.2.4 to 0.2.5 (#712) - from version 20241106.00 * Update OWNERS (#714) - from version 20241029.01 * remove toolchain override (#706) * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#701) - from version 20241029.00 * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#702) - from version 20241028.00 * Bump cloud.google.com/go/longrunning from 0.6.0 to 0.6.2 (#705) - from version 20241017.00 * Add a new CloudBuild trigger config-file for auto updating the presubmit test container image on every new commit (#704) - from version 20241004.00 * Add new packagebuild presubmit that will use cloud-build (#694) - from version 20240927.00 * Third batch of dependencies upgrade (#690) - Bump the golang compiler version to 1.22.4 (bsc#1225974, CVE-2024-24790) - Update to version 20240926.03 (bsc#1231775, bsc#1231776) * Revert &quot;Bump go.opentelemetry.io/otel from 1.24.0 to 1.30.0 (#679)&quot; (#684) - from version 20240926.02 * Bump go.opentelemetry.io/otel from 1.24.0 to 1.30.0 (#679) * another batch of depencies upgrade (#683) - from version 20240926.01 * aggregate dependabot changes to go.mod (#677) * Revert back Source package info delivery to control-plane (#673) - from version 20240926.00 * Update OWNERS (#676) - from version 20240924.02 * Upgrade grpc and it's dependencies to latest version (#672) - from version 20240924.01 * Implement keepalive config (#671) - from version 20240924.00 * Set new version of gRPC for test (#669) - from version 20240920.00 * Revert &quot;bump version of the gRPC&quot; (#667) - from version 20240919.00 * bump version of the gRPC (#666) - from version 20240917.00 * Merge pull request #665 from GoogleCloudPlatform/revert-664-update_grpc_dependency * Revert &quot;Update grpc library and other dependencies. (#664)&quot; - from version 20240916.00 * Update grpc library and other dependencies. (#664) - from version 20240913.00 * Move packagebuild presubmit to osconfig (#662) - from version 20240912.00 * Revert &quot;update osconfig api to v1.13.0 &amp; indirect dependency update&quot; (#659) - from version 20240822.00 * Revert &quot;Source package info delivery to control-plane (#639)&quot; (#656) - from version 20240821.00 * Fix golang version format to fix builds. (#655) - from version 20240814.01 * Use gcsfuse pkg in guest-policies e2e in pkg update tests instead of old pkgs (#653) * Replace osconfig-agent-test pkg by gcsfuse in ospolicies tests and inventory-report tests (#652) - from version 20240806.00 * Disable Repository Resource test for SLES-12 (#650) - Update to version 20240801.00 * Fix Debian-12 failing test by using gcsfuse pkg * Fix fetching gpg key unit tests (#649) - from version 20240729.00 * Fix for old state file on Windows (#648) - from version 20240723.00 * Add debugging logs for repository resource config (#646) - from version 20240718.00 * Fix SLES-12 SP5 RPM package-resource e2e test (#645) - from version 20240715.01 * Fix OSPolicies e2e tests for SLES-15 SP5 by removing zypper update from VMs startup script (#644) - from version 20240715.00 * Fix GuestPolicies e2e tests for SLES-15 SP5 by removing zypper update from VMs startup script (#643) - from version 20240709.01 * Source package info delivery to control-plane (#639) - from version 20240709.00 * Enable gpgcheck flag for RPM e2e tests (#638) - from version 20240708.00 * Update osconfig api to v1.13.0 * Indirect dependency update (#637) - from version 20240705.01 * Updating Windows &amp; Linux Chrome packages to fix failing e2e tests (#636) - from version 20240705.00 * Merge pull request #635 from Gulio/patch-1 * Update OWNERS - from version 20240702.02 * Remove RHEL-7 and CentOS-7 images from e2e tests (#634) - Update to version 20240702.01 * Use Debian-11 img in googet pkg build workflow (#632) - from version 20240702.00 * Pipeline testing 00 (#631) - from version 20240701.00 * update readme file (#628) - from version 20240625.01 * Updating yum install to support multi architecture based packages * Revert &quot;Adding Architecture to the packages being installed/updated in yum repo&quot; - from version 20240625.00 * Update old SLES images urls (#627) - from version 20240620.00 * Merge pull request #626 from GoogleCloudPlatform/yum-multiarch-fix * Adding Architecture to the packages being installed/updated in yum repo - from version 20240618.01 * Extract source_name(source_rpm) for rpm packages (#624) - from version 20240618.00 * update README.md file (#625) - from version 20240615.00 * Fix(dpkg) return onlt installed items as inventory (#623) * Extract source name and version for dpkg packages. (#622) - Update to version 20240607.00 * Update e2e tests to use VMM team's GCP project for pkgs testing version (#621) - from version 20240606.00 * Disable SUSE tests to run with testing agent repo (#619) - from version 20240604.00 * Fix the logic of pick region for Artifact Registry function (#618) - from version 20240603.00 * Disable centos-stream-8 tests as it reached EOL in May 31 (#617) - from version 20240529.00 * Merge pull request #610 from savijatv/patch-3 * Update cis-level1-once-a-day-policy.yaml - from version 20240528.00 * Merge pull request #616 from MahmoudOuka/allow-windows-e2e-tests-to-\ install-testing-version-of-agent-from-private-artifact-registry-repos * Allow Windows e2e tests to pull osconfig-agent pkg from testing (private) repos from Artifact registry - from version 20240527.01 * Merge pull request #615 from MahmoudOuka/fix-SUSE-e2e-tests * fix SUSE e2e tests - from version 20240527.00 * Merge pull request #614 from MahmoudOuka/allow-apt-and-yum-\ e2e-tests-to-pull-osconfig-agent-pkg-from-testing-repos * fix golint comments * Allow Apt &amp; Yum e2e tests to pull osconfig-agent pkg from testing repos - from version 20240524.03 * Merge pull request #611 from savijatv/patch-ospolicy-samples * Update to the CIS OS policy samples - from version 20240524.00 * Merge pull request #612 from MahmoudOuka/update-apt-e2e-tests-\ to-pull-osconfig-agent-pkg-from-new-ar-repos * fix golint comment * Update Apt e2e tests to pull osconfig-agent pkg from new AR repos instead of rapture - from version 20240523.02 * bump golang.org/x/crypto version (#613) - from version 20240523.00 * update go-cmp dependency (#604) - from version 20240522.00 * rollback masive dependency update (#603) * Bump google.golang.org/api from 0.180.0 to 0.181.0 (#596) - Update to version 20240517.00 * Bump cloud.google.com/go/auth from 0.4.1 to 0.4.2 (#597) - from version 20240516.01 * Bump cloud.google.com/go/logging from 1.9.0 to 1.10.0 (#595) * Bump cloud.google.com/go/storage from 1.40.0 to 1.41.0 (#594) - from version 20240516.00 * Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#593) - Update to version 20240513.02 * E2e tests: allow passing spesific EL version number to InstallOSConfigEL func (#592) - from version 20240513.01 * Bump google.golang.org/api from 0.179.0 to 0.180.0 (#591) - from version 20240513.00 * E2e tests: Fix EL version detection logic in E2E tests (#590) * Bump google.golang.org/api from 0.178.0 to 0.179.0 (#589) - from version 20240510.02 * Bump cloud.google.com/go/auth from 0.4.0 to 0.4.1 (#588) - from version 20240510.01 * E2e tests: use family url format instead of specific version URL for head test images (#587) - from version 20240510.00 * Fix for lock location (#586) - from version 20240509.03 * Bump cloud.google.com/go from 0.112.2 to 0.113.0 (#584) - from version 20240509.02 * Remove dependabot not needed label (#576) - from version 20240509.01 * Write inventory to attributes only if enabled (#486) - from version 20240509.00 * E2e tests: install gnupg2 and run apt update in VMs startup-scripts (#583) * Add a temporary e2e test image for Ubuntu to test the latest osconfig-agent stable version (#582) * Bump google.golang.org/api from 0.177.0 to 0.178.0 (#578) * Bump github.com/googleapis/gax-go/v2 from 2.12.3 to 2.12.4 (#579) * Bump cloud.google.com/go/iam from 1.1.7 to 1.1.8 (#577) * Bump cloud.google.com/go/auth from 0.3.0 to 0.4.0 (#580) * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#581) * Bump golang.org/x/net from 0.24.0 to 0.25.0 (#575) * Bump cloud.google.com/go/osconfig from 1.12.6 to 1.12.7 (#573) * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#574) * Bump cloud.google.com/go/longrunning from 0.5.6 to 0.5.7 (#571) - from version 20240508.08 * Bump github.com/golang/glog from 1.2.0 to 1.2.1 (#572) - from version 20240508.07 * Bump golang.org/x/text from 0.14.0 to 0.15.0 (#565) - from version 20240508.06 * Bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 (#566) * Bump golang.org/x/sys from 0.19.0 to 0.20.0 (#564) - from version 20240508.05 * Bump go.opentelemetry.io/otel/trace from 1.24.0 to 1.26.0 (#563) - from version 20240508.04 * Bump google.golang.org/protobuf from 1.34.0 to 1.34.1 (#567) * Using the default reviewer set for PR approvals (#570) - from version 20240508.03 * Adding advanced CodeQL settings to scan on PRs (#569) - from version 20240508.02 * Update Debian-12 package build workflow to use debian-cloud project (#568) - from version 20240508.01 * Dependabot dependency updates (#562) - from version 20240508.00 * Revert &quot;Initial configuration of the dependabot for the direct and indirect d…&quot; (#561) * Initial configuration of the dependabot for the direct and indirect dependency scanning (#560) - from version 20240507.00 * Fix Debian-12 package build workflow typo (#559) - from version 20240506.00 * Use signed-by keyring approach for apt repos in Debian 12+ and Ubuntu 24+ (#558) - from version 20240501.03 * Logrus dependency update (#557) - from version 20240501.02 * Updating dependencies and respective checksums (#556) - from version 20240501.01 * Update go.mod (#554) - from version 20240501.00 * Bump golang.org/x/net from 0.17.0 to 0.23.0 (#542) - from version 20240430.01 * Remove SBOM generation logic from package build workflows (#553) - from version 20240425.00 * Fix e2e tests for exec-output size limit (#552) - from version 20240424.00 * Disabled some images which are either past EoL or broken (#549) - from version 20240423.01 * Copy packagebuild folder from guest-test-infra repo to osconfig repo (#545) * OS Config windows state file location changed (#544) - from version 20240423.00 * Removed debian-10 from e2e tests (#548) - from version 20240422.00 * Merge pull request #541 from GoogleCloudPlatform/michaljankowiak-patch-1 * Update OWNERS - from version 20240409.00 * Bump output size limit to 500KB (#538) - Update to version 20240320.00 (bsc#1221900, bsc#1221901) * Enable OSConfig agent to read GPG keys files with multiple entities (#537) - from version 20240314.00 * Update OWNERS file to replace mahmoudn GitHub username by personal email GitHub username (#534) - from version 20240313.01 * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 in /e2e_tests (#535) - from version 20240313.00 * Adds a console and gcloud example policies (#533) - from version 20240228.00 * GuestPolicies e2e: Remove ed package if exist for zypper startup_script in recipe-steps tests (#532) - from version 20240126.00 * Fix Enterprise Linux Recipe-Steps tests to install info dependency package in the startup-script (#530) - from version 20240125.01 * Fix SUSE pkg-update and pkg-no-update e2e tests (#529) - from version 20240125.00 * Fix zypper patch info parser to consider conflicts-pkgs float versions (#528) - from version 20240123.01 * Fix SUSE package update e2e tests to use another existing package (#527) - from version 20240123.00 * Update cis-exclude-check-once-a-day.yaml (#526) Package kernel-source:kernel-default was updated: - Update patches.suse/Bluetooth-Add-check-for-mgmt_alloc_skb-in-mgmt_devic.patch (git-fixes CVE-2025-21936 bsc#1240716). - Update patches.suse/Bluetooth-Add-check-for-mgmt_alloc_skb-in-mgmt_remot.patch (git-fixes CVE-2025-21937 bsc#1240643). - Update patches.suse/Bluetooth-Fix-error-code-in-chan_alloc_skb_cb.patch (git-fixes CVE-2025-22007 bsc#1240829). - Update patches.suse/HID-appleir-Fix-potential-NULL-dereference-at-raw-ev.patch (git-fixes CVE-2025-21948 bsc#1240703). - Update patches.suse/HID-hid-steam-Fix-use-after-free-when-detaching-devi.patch (git-fixes CVE-2025-21923 bsc#1240691). - Update patches.suse/HID-ignore-non-functional-sensor-in-HP-5MP-Camera.patch (stable-fixes CVE-2025-21992 bsc#1240796). - Update patches.suse/HID-intel-ish-hid-Fix-use-after-free-issue-in-ishtp_.patch (git-fixes CVE-2025-21928 bsc#1240722). - Update patches.suse/KVM-arm64-Unconditionally-save-flush-host-FPSIMD-SVE-SME-state.patch (git-fixes CVE-2025-22013 bsc#1240938). - Update patches.suse/RDMA-hns-Fix-soft-lockup-during-bt-pages-loop.patch (git-fixes CVE-2025-22010 bsc#1240943). - Update patches.suse/accel-qaic-Fix-integer-overflow-in-qaic_validate_req.patch (git-fixes CVE-2025-22001 bsc#1240873). - Update patches.suse/bus-mhi-host-pci_generic-Use-pci_try_reset_function-.patch (git-fixes CVE-2025-21951 bsc#1240718). - Update patches.suse/can-ucan-fix-out-of-bound-read-in-strscpy-source.patch (git-fixes CVE-2025-22003 bsc#1240825). - Update patches.suse/cdx-Fix-possible-UAF-error-in-driver_override_show.patch (git-fixes CVE-2025-21915 bsc#1240594). - Update patches.suse/dm-flakey-Fix-memory-corruption-in-optional-corrupt_.patch (git-fixes CVE-2025-21966 bsc#1240779). - Update patches.suse/drivers-virt-acrn-hsm-Use-kzalloc-to-avoid-info-leak.patch (git-fixes CVE-2025-21950 bsc#1240719). - Update patches.suse/drm-amd-display-Assign-normalized_pix_clk-when-color.patch (stable-fixes CVE-2025-21956 bsc#1240739). - Update patches.suse/drm-amd-display-Fix-null-check-for-pipe_ctx-plane_st-374c9fa.patch (git-fixes CVE-2025-21941 bsc#1240701). - Update patches.suse/drm-amd-display-Fix-slab-use-after-free-on-hdcp_work.patch (git-fixes CVE-2025-21968 bsc#1240783). - Update patches.suse/drm-hyperv-Fix-address-space-leak-when-Hyper-V-DRM-d.patch (git-fixes CVE-2025-21978 bsc#1240806). - Update patches.suse/drm-radeon-fix-uninitialized-size-issue-in-radeon_vc.patch (git-fixes CVE-2025-21996 bsc#1240801). - Update patches.suse/drm-sched-Fix-fence-reference-count-leak.patch (git-fixes CVE-2025-21995 bsc#1240821). - Update patches.suse/gpio-aggregator-protect-driver-attr-handlers-against.patch (git-fixes CVE-2025-21943 bsc#1240647). - Update patches.suse/gpio-rcar-Use-raw_spinlock-to-protect-register-acces.patch (stable-fixes CVE-2025-21912 bsc#1240584). - Update patches.suse/msft-hv-3170-net-mana-cleanup-mana-struct-after-debugfs_remove.patch (git-fixes CVE-2025-21953 bsc#1240727). - Update patches.suse/net_sched-Prevent-creation-of-classes-with-TC_H_ROOT.patch (git-fixes CVE-2025-21971 bsc#1240799). - Update patches.suse/nvme-tcp-fix-potential-memory-corruption-in-nvme_tcp.patch (git-fixes CVE-2025-21927 bsc#1240714). - Update patches.suse/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_.patch (git-fixes CVE-2025-21935 bsc#1240700). - Update patches.suse/rapidio-fix-an-API-misues-when-rio_add_net-fails.patch (git-fixes CVE-2025-21934 bsc#1240708). - Update patches.suse/regulator-check-that-dummy-regulator-has-been-probed.patch (stable-fixes CVE-2025-22008 bsc#1240942). - Update patches.suse/regulator-dummy-force-synchronous-probing.patch (git-fixes CVE-2025-22009 bsc#1240940). - Update patches.suse/slimbus-messaging-Free-transaction-ID-in-delayed-int.patch (git-fixes CVE-2025-21914 bsc#1240595). - Update patches.suse/soc-qcom-pdr-Fix-the-potential-deadlock.patch (git-fixes CVE-2025-22014 bsc#1240937). - Update patches.suse/usb-atm-cxacru-fix-a-flaw-in-existing-endpoint-check.patch (git-fixes CVE-2025-21916 bsc#1240582). - Update patches.suse/usb-renesas_usbhs-Flush-the-notify_hotplug_work.patch (git-fixes CVE-2025-21917 bsc#1240596). - Update patches.suse/usb-typec-ucsi-Fix-NULL-pointer-access.patch (git-fixes CVE-2025-21918 bsc#1240592). - Update patches.suse/wifi-cfg80211-cancel-wiphy_work-before-freeing-wiphy.patch (git-fixes CVE-2025-21979 bsc#1240808). - Update patches.suse/wifi-cfg80211-regulatory-improve-invalid-hints-check.patch (git-fixes CVE-2025-21910 bsc#1240583). - Update patches.suse/wifi-iwlwifi-limit-printed-string-from-FW-file.patch (git-fixes CVE-2025-21905 bsc#1240575). - Update patches.suse/wifi-iwlwifi-mvm-don-t-try-to-talk-to-a-dead-firmwar.patch (git-fixes CVE-2025-21930 bsc#1240715). - Update patches.suse/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-w.patch (git-fixes CVE-2025-21909 bsc#1240590). - commit a467018 - affs: don't write overlarge OFS data block size fields (git-fixes). - commit 334bc15 - affs: generate OFS sequence numbers starting at 1 (git-fixes). - commit f93c833 - nfsd: put dl_stid if fail to queue dl_recall (git-fixes). - commit 4b6b673 - security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375). - Refresh patches.suse/net-better-track-kernel-sockets-lifetime.patch. - commit bd8699b - selinux: Implement mptcp_add_subflow hook (bsc#1240375). - commit c784a67 - drm/amd: Keep display off while going into S4 (stable-fixes). - Refresh patches.suse/drm-amd-display-Restore-correct-backlight-brightness.patch. - commit e9996bf - drm/sti: remove duplicate object names (git-fixes). - drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes). - drm/amd/pm/smu11: Prevent division by zero (git-fixes). - drm/amdgpu/dma_buf: fix page_link check (git-fixes). - drm/i915/huc: Fix fence not released on early probe errors (git-fixes). - gpio: tegra186: fix resource handling in ACPI probe path (git-fixes). - mtd: rawnand: Add status chack in r852_ready() (git-fixes). - mtd: inftlcore: Add error check for inftl_read_oob() (git-fixes). - ntb: use 64-bit arithmetic for the MSI doorbell mask (git-fixes). - ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (git-fixes). - ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP (stable-fixes). - mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes). - hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} (stable-fixes). - wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state (stable-fixes). - platform/x86/intel/vsec: Add Diamond Rapids support (stable-fixes). - platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet (stable-fixes). - wifi: brcmfmac: keep power during suspend if board requires it (stable-fixes). - wifi: iwlwifi: mvm: use the right version of the rate API (stable-fixes). - wifi: iwlwifi: fw: allocate chained SG tables for dump (stable-fixes). - HID: i2c-hid: improve i2c_hid_get_report error message (stable-fixes). - ntb: Force physically contiguous allocation of rx ring buffers (git-fixes). - ntb_perf: Fix printk format (git-fixes). - commit a733ec5 - netfilter: br_netfilter: skip conntrack input hook for promisc packets (CVE-2024-27415 bsc#1224757). - commit 01cefc0 - kabi: restore layout of struct nf_ct_hook after backport of commit 62e7151ae3eb (CVE-2024-27415 bsc#1224757). - netfilter: bridge: confirm multicast packets before passing them up the stack (CVE-2024-27415 bsc#1224757). - commit 69425e5 - netfilter: xtables: fix typo causing some targets not to load on IPv6 (CVE-2024-50038 bsc#1231910). - netfilter: xtables: avoid NFPROTO_UNSPEC where needed (CVE-2024-50038 bsc#1231910). - commit 9ec5161 - net: mctp: unshare packets when reassembling (CVE-2025-21972 bsc#1240813). - commit 5878b19 - ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() (git-fixes). - commit eeb7f74 - ntb: intel: Fix using link status DB's (git-fixes). - commit a988a90 - s390/cio: Fix CHPID &quot;configure&quot; attribute caching (git-fixes bsc#1240979). - commit a947a32 - s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes bsc#1240978). - commit 610fa90 - wifi: ath11k: fix memory leak in ath11k_xxx_remove() (git-fixes). - Refresh patches.suse/wifi-ath11k-choose-default-PM-policy-for-hibernation.patch. - Refresh patches.suse/wifi-ath11k-support-non-WoWLAN-mode-suspend-as-well.patch. - commit 5ef71a9 - Update upstream status for ath11k patches - commit 42fd2e8 - rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE We now have LD_CAN_USE_KEEP_IN_OVERLAY since commit: e7607f7d6d81 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE - commit 7b55ff2 - perf tools: annotate asm_pure_loop.S (bsc#1239906). - commit a3afe13 - perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list (bsc#1240585 CVE-2025-21895). - commit c393384 - io_uring/kbuf: reallocate buf lists on upgrade (CVE-2025-21836 bsc#1239066). - commit 1c3b3b4 - rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038). OrderWithRequires was introduced in rpm 4.9 (ie. SLE12+) to allow a package to inform the order of installation of other package without hard requiring that package. This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there. This is also needed for udev &amp; systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659) - commit 634be2c - usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes). - commit 88d79df - bpf: avoid holding freeze_mutex during mmap operation (git-fixes). - bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic (git-fixes). - selftests/bpf: Add test for narrow ctx load for pointer args (git-fixes). - bpf: Check size for BTF-based ctx access of pointer members (git-fixes). - bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() (git-fixes). - bpf: fix potential error return (git-fixes). - commit 59fa8cd - tty: serial: 8250: Add Brainboxes XC devices (stable-fixes). - tty: serial: 8250: Add some more device IDs (stable-fixes). - net: usb: qmi_wwan: add Telit Cinterion FE990B composition (stable-fixes). - net: usb: qmi_wwan: add Telit Cinterion FN990B composition (stable-fixes). - HID: hid-plantronics: Add mic mute mapping and generalize quirks (stable-fixes). - drm/dp_mst: Add a helper to queue a topology probe (stable-fixes). - drm/dp_mst: Factor out function to queue a topology probe work (stable-fixes). - commit dcc0903 - scsi: qla1280: Fix kernel oops when debug level &gt; 2 (CVE-2025-21957 bsc#1240742) - commit bd3922a - io_uring: prevent opcode speculation (CVE-2025-21863 bsc#1239475). - commit cf2b4a4 - wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (CVE-2025-21729 bsc#1237874) - commit dfb7d10 - net: let net.core.dev_weight always be non-zero (CVE-2025-21806 bsc#1238746) - commit c6ce075 - Refresh patches.suse/Bluetooth-L2CAP-Fix-corrupted-list-in-hci_chan_del.patch Drop redundant mutex lock that was forgotten - commit 8253168 - net/mlx5: Bridge, fix the crash caused by LAG state check (CVE-2025-21970 bsc#1240819). - eth: bnxt: do not update checksum in bnxt_xdp_build_skb() (CVE-2025-21960 bsc#1240815). - eth: bnxt: fix truesize for mb-xdp-pass case (CVE-2025-21961 bsc#1240816). - net/mlx5: handle errors in mlx5_chains_create_table() (CVE-2025-21975 bsc#1240812). - commit 5bfb0f9 - x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (CVE-2025-21991 bsc#1240795). - x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (CVE-2025-21913 bsc#1240591). - commit 718ae0d - NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback (CVE-2025-21908 bsc#1240600). - commit a2db92f - kABI workaround for l2cap_conn changes (CVE-2025-21969 bsc#1240784). - commit 0c8af58 - Bluetooth: L2CAP: Fix corrupted list in hci_chan_del (CVE-2025-21969 bsc#1240784). - commit 730e49a - Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd (CVE-2025-21969 bsc#1240784). - iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() (CVE-2025-21993 bsc#1240797). - commit 80da9db - drm/amdgpu/gfx11: fix num_mec (git-fixes). - drm/amd/pm: Prevent division by zero (git-fixes). - Input: pm8941-pwrkey - fix dev_dbg() output in pm8941_pwrkey_irq() (git-fixes). - Input: synaptics - hide unused smbus_pnp_ids[] array (git-fixes). - commit d5f05d8 - powercap: intel_rapl_tpmi: Fix bogus register reading (git-fixes). - commit 4482ca3 - powercap: intel_rapl_tpmi: Ignore minor version change (git-fixes). - commit 8f97ff8 - powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() (git-fixes). - commit 5af8777 - powercap: intel_rapl_tpmi: Fix System Domain probing (git-fixes). - commit cb855f9 - usbnet:fix NPE during rx_complete (git-fixes). - platform/x86: ISST: Correct command storage data length (git-fixes). - ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes). - ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns (git-fixes). - ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment (git-fixes). - ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (git-fixes). - firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success (git-fixes). - ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model (git-fixes). - ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA (git-fixes). - commit e1c84cd - vsock: Orphan socket after transport release (CVE-2025-21755 bsc#1237882) - commit 6317d55 - tpm_tis: Use responseRetry to recover from data transfer errors (bsc#1235870). - commit 6e4dc96 - tpm_tis: Move CRC check to generic send routine (bsc#1235870). - Refresh patches.suse/tpm_tis-Resend-command-to-recover-from-data-transfer.patch - commit 66fe063 - Delete patches.suse/tpm-send_data-Wait-longer-for-the-TPM-to-become-read.patch. To be replaced with upstream fix. - commit d0fcf25 - rtnetlink: Allocate vfinfo size for VF GUIDs when supported (bsc#1224013). - commit 34e3f46 - kernel-binary: Support livepatch_rt with merged RT branch - commit 470cd1a - arm64: Don't call NULL in do_compat_alignment_fixup() (git-fixes) - commit 249080a - arm64: mm: Correct the update of max_pfn (git-fixes) - commit b6d4b51 - tpm: tis: Double the timeout B to 4s (bsc#1235870). - commit 2ecc734 - tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870). - commit cc21438 - ice: fix memory leak in aRFS after reset (CVE-2025-21981 bsc#1240612). - ppp: Fix KMSAN uninit-value warning with bpf (CVE-2025-21922 bsc#1240639). - net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error (CVE-2025-21924 bsc#1240720). - net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC (CVE-2025-21894 bsc#1240581). - net: enetc: Replace ifdef with IS_ENABLED (CVE-2025-21894 bsc#1240581). - commit e9dce38 - wifi: iwlwifi: mvm: clean up ROC on failure (CVE-2025-21906 bsc#1240587). - commit 887f91d - lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (git-fixes). - acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (git-fixes). - commit ea68f49 - smb: client: fix open_cached_dir retries with 'hard' mount option (bsc#1240616). - commit 504723c - exfat: fix the infinite loop in exfat_find_last_cluster() (git-fixes). - commit 8b30c73 - rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64. - commit 8fbe8b1 - net: fix data-races around sk-&gt;sk_forward_alloc (CVE-2024-53124 bsc#1234074). - commit ea48905 - sctp: fix possible UAF in sctp_v6_available() (CVE-2024-53139 bsc#1234157). - commit 779dfcf - usb: xhci: correct debug message page size calculation (git-fixes). - ucsi_ccg: Don't show failed to get FW build information error (git-fixes). - serial: 8250_dma: terminate correct DMA in tx_dma_flush() (git-fixes). - tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers (git-fixes). - staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes). - counter: microchip-tcb-capture: Fix undefined counter channel state on probe (git-fixes). - counter: stm32-lptimer-cnt: fix error handling when enabling (git-fixes). - ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers (git-fixes). - objtool: Fix segfault in ignore_unreachable_insn() (git-fixes). - objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() (git-fixes). - objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() (git-fixes). - counter: fix privdata alignment (git-fixes). - commit 8ea2563 - Move upstreamed ACPI patch into sorted section - commit 871d0d6 - tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register (git-fixes). - PCI: histb: Fix an error handling path in histb_pcie_probe() (git-fixes). - PCI: Fix BAR resizing when VF BARs are assigned (git-fixes). - PCI: Fix reference leak in pci_register_host_bridge() (git-fixes). - commit 808a9df - net: better track kernel sockets lifetime (CVE-2025-21884 bsc#1240171). - net: Add net_passive_inc() and net_passive_dec() (CVE-2025-21884 bsc#1240171). - commit 741fa11 - Update patches.suse/RDMA-core-Don-t-expose-hw_counters-outside-of-init-n.patch (git-fixes bsc#1239925). - Update patches.suse/kABI-fix-for-RDMA-core-Don-t-expose-hw_counters-outs.patch (git-fixes bsc#1239925). Add bug reference. - commit 8eef29b - Revert &quot;Merge remote-tracking branch 'origin/users/sjaeckel/SLE15-SP6/for-next' into SLE15-SP6&quot; This reverts commit bb7a7b2a95aa93ef5db11cca2317b7fe59e19e38, reversing changes made to ac2aed10902386a981d430e6af9b7946722682ea. - commit 9b78ca6 - arm64: Utilize for_each_cpu_wrap for reference lookup (bsc#1238052) - commit ff26688 - Refresh patches.suse/net-usb-usbnet-restore-usb-d-name-exception-for-loca.patch. Moved into place as merged upstream - commit 098c735 - arch_topology: init capacity_freq_ref to 0 (bsc#1238052) - commit c70af66 - cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry (bsc#1238052) Keep the feature disabled by default on x86_64 - commit 0ffcad3 - cpufreq: Allow arch_freq_get_on_cpu to return an error (bsc#1238052) - commit 7e63d78 - arm64: Update AMU-based freq scale factor on entering idle (bsc#1238052) - commit eb90de6 - arm64: Provide an AMU-based version of arch_freq_get_on_cpu (bsc#1238052) - commit 1d57e2b - arm64: amu: Delay allocating cpumask for AMU FIE support (bsc#1238052) - commit 3eb3994 - topology: Set capacity_freq_ref in all cases (bsc#1238052) - commit d357c02 - arch_topology: Make register_cpu_capacity_sysctl() tolerant to late (bsc#1238052) - commit c2cc745 - arm64/amu: Use capacity_ref_freq() to set AMU ratio (bsc#1238052) - commit 679001e - cpufreq/cppc: Set the frequency used for computing the capacity (bsc#1238052) - commit bad5fb8 - sched/topology: Add a new arch_scale_freq_ref() method (bsc#1238052) - commit be4a850 - selftests: mptcp: close fd_in before returning in main_loop (git-fixes). - selftests: mptcp: fix incorrect fd checks in main_loop (git-fixes). - rndis_host: Flag RNDIS modems as WWAN devices (git-fixes). - thermal/drivers/rockchip: Add missing rk3328 mapping entry (git-fixes). - i3c: Add NULL pointer check in i3c_master_queue_ibi() (git-fixes). - i3c: master: svc: Use readsb helper for reading MDB (git-fixes). - i3c: master: svc: Fix missing the IBI rules (git-fixes). - soundwire: slave: fix an OF node reference leak in soundwire slave device (git-fixes). - bus: mhi: host: Fix race between unprepare and queue_buf (git-fixes). - iio: adc: ad7124: Fix comparison of channel configs (git-fixes). - iio: adc: ad4130: Fix comparison of channel setups (git-fixes). - iio: accel: msa311: Fix failure to release runtime pm if direct mode claim fails (git-fixes). - iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio (git-fixes). - driver core: Remove needless return in void API device_remove_group() (git-fixes). - selftests/mm/cow: fix the incorrect error handling (git-fixes). - commit 0fbd190 - uprobes: Reject the shared zeropage in uprobe_write_opcode() (CVE-2025-21881 bsc#1240185) - commit 8483377 - scsi: ufs: core: bsg: Fix crash when arpmb command fails (CVE-2025-21873 bsc#1240184) - commit 8b26b99 - xhci: Fix null pointer dereference during S4 resume when resetting ep0 (bsc#1235550). - commit 647e59a - RAS: Avoid build errors when CONFIG_DEBUG_FS=n (jsc#PED-7619). Replace our patch with the upstream version. - Delete patches.suse/RAS-AMD-FMPM-Fix-build-when-debugfs-is-not-enabled.patch. - commit 9580b87 - kABI fix for RDMA/core: Don't expose hw_counters outside (git-fixes) - commit 6079f81 - RDMA/core: Don't expose hw_counters outside of init net namespace (git-fixes) - commit f134527 - xhci: fix possible null pointer deref during xhci urb enqueue (bsc#1235550). - commit e4d47e4 - xhci: Reconfigure endpoint 0 max packet size only during endpoint reset (bsc#1235550). - commit fe44e60 - rpm/release-projects: Update the ALP projects again (bsc#1231293). - commit a2f9145 - nvme: move passthrough logging attribute to head (git-fixes). - nvme: introduce nvme_disk_is_ns_head helper (git-fixes). - commit e2a4340 - bpf: Add tracepoints with null-able arguments (bsc#1235501 CVE-2024-56702). - commit 60ddcfa - net: Add rx_skb of kfree_skb to raw_tp_null_args (bsc#1235501 CVE-2024-56702). - commit 2f246d2 - bpf: Augment raw_tp arguments with PTR_MAYBE_NULL (bsc#1235501 CVE-2024-56702). - commit bd84127 - CIFS: New mount option for cifs.upcall namespace resolution (CVE-2025-2312 bsc#1239684). - commit b749482 - ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (CVE-2025-21887 bsc#1240176) - commit d9e7d31 - mptcp: always handle address removal under msk socket lock (CVE-2025-21875 bsc#1240168) - commit ae417d1 - perf/core: Add RCU read lock protection to perf_iterate_ctx() (CVE-2025-21889 bsc#1240167) - commit 6d49490 - nvkm: correctly calculate the available space of the GSP cmdq buffer (CVE-2024-58018 bsc#1238990) - commit 3fbbd2b - team: prevent adding a device which is already a team device lower (CVE-2024-58071 bsc#1238970) - commit 0e6515d - mm/page_alloc: fix memory accept before watermarks gets initialized (bsc#1239600). - commit 10a4fc6 - netfilter: allow exp not to be removed in nf_ct_find_expectation (CVE-2023-52927 bsc#1239644). - commit 67af0a4 - nvme-tcp: Fix a C2HTermReq error message (git-fixes). - commit c4c365f - nvme: move error logging from nvme_end_req() to __nvme_end_req() (git-fixes). - commit c939fa2 - nvme-fc: rely on state transitions to handle connectivity loss (git-fixes bsc#1222649). - commit 0e1fcfd - nvme: allow passthru cmd error logging (git-fixes). Refresh: - patches.suse/nvme-fix-multipath-batched-completion-accounting.patch - patches.suse/nvme-use-srcu-for-iterating-namespace-list.patch - patches.suse/nvme-split-off-tls-sysfs-attributes-into-a-separate-group.patch - commit ca344c0 - arm64: cputype: Add MIDR_CORTEX_A76AE (git-fixes) - commit aad868b - nvmet-fc: Remove unused functions (git-fixes). - nvme-pci: remove stale comment (git-fixes). - nvme-tcp: fix signedness bug in nvme_tcp_init_connection() (git-fixes). - nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch (git-fixes). - nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() (git-fixes). - nvmet: remove old function prototype (git-fixes). - nvme-ioctl: fix leaked requests on mapping error (git-fixes). - nvme: only allow entering LIVE from CONNECTING state (git-fixes bsc#1222649). - nvmet-rdma: recheck queue state is LIVE in state lock in recv done (git-fixes). - nvme-tcp: add basic support for the C2HTermReq PDU (git-fixes). - nvme-pci: quirk Acer FA100 for non-uniqueue identifiers (git-fixes). - nvme-fc: do not ignore connectivity loss during connecting (git-fixes bsc#1222649). Refresh: - patches.suse/nvme-fc-use-ctrl-state-getter.patch - nvme-fc: go straight to connecting state when initializing (git-fixes bsc#1222649). - commit 22d62a2 - arm64: dts: rockchip: Fix PWM pinctrl names (git-fixes) - commit bea89fa - arm64: dts: rockchip: Remove bluetooth node from rock-3a (git-fixes) - commit 3224bb8 - arm64: tegra: Remove the Orin NX/Nano suspend key (git-fixes) - commit bcfde59 - arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() (git-fixes) - commit 4d30cdc - arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe (git-fixes) - commit 49aa8a8 - arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre (git-fixes) - commit eb80776 - arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list (git-fixes) - commit b4f3b31 - idpf: fix checksums set in idpf_rx_rsc() (CVE-2025-21890 bsc#1240173). - ice: Fix deinitializing VF in error path (CVE-2025-21883 bsc#1240189). - ipvlan: ensure network headers are in skb linear part (CVE-2025-21891 bsc#1240186). - commit ac7a561 - Update patches.suse/RDMA-bnxt_re-Fix-the-page-details-for-the-srq-create.patch (git-fixes CVE-2025-21885 bsc#1240169). - Update patches.suse/RDMA-mlx5-Fix-a-WARN-during-dereg_mr-for-DM-type.patch (git-fixes CVE-2025-21888 bsc#1240177). - Update patches.suse/RDMA-mlx5-Fix-implicit-ODP-hang-on-parent-deregistra.patch (git-fixes CVE-2025-21886 bsc#1240188). - Update patches.suse/RDMA-mlx5-Fix-the-recovery-flow-of-the-UMR-QP.patch (git-fixes CVE-2025-21892 bsc#1240175). - Update patches.suse/i2c-npcm-disable-interrupt-enable-bit-before-devm_re.patch (git-fixes CVE-2025-21878 bsc#1240192). - Update patches.suse/ibmvnic-Don-t-reference-skb-after-sending-to-VIOS.patch (CVE-2025-21858 bsc#1239468 CVE-2025-21855 bsc#1239484). - Update patches.suse/iommu-vt-d-Fix-suspicious-RCU-usage.patch (git-fixes CVE-2025-21876 bsc#1240179). - Update patches.suse/ndisc-use-RCU-protection-in-ndisc_alloc_skb.patch (bsc#1239994 CVE-2025-21764 bsc#1237885). - Update patches.suse/powerpc-code-patching-Disable-KASAN-report-during-pa.patch (bsc#1215199 CVE-2025-21869 bsc#1240182). - Update patches.suse/usbnet-gl620a-fix-endpoint-checking-in-genelink_bind.patch (git-fixes CVE-2025-21877 bsc#1240172). - commit 9c6e710 - Update patches.suse/block-fix-integer-overflow-in-BLKSECDISCARD.patch (git-fixes CVE-2024-49994 bsc#1225770 bsc#1237757). - Update patches.suse/crypto-qat-qat_420xx-fix-off-by-one-in-uof_get_name.patch (jsc#PED-12416 CVE-2024-53163 bsc#1234828). - Update patches.suse/crypto-qat-validate-slices-count-returned-by-FW.patch (jsc#PED-12416 CVE-2024-38606 bsc#1226871). - Update patches.suse/dm-raid-Fix-WARN_ON_ONCE-check-for-sync_thread-in-ra.patch (git-fixes CVE-2024-43820 bsc#1229311). - Update patches.suse/fbdev-pxafb-Fix-possible-use-after-free-in-pxafb_tas.patch (stable-fixes CVE-2024-49924 bsc#1232364). - Update patches.suse/media-cx24116-prevent-overflows-on-SNR-calculus.patch (git-fixes CVE-2024-50290 bsc#1233479 bsc#1225742). - Update patches.suse/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch (git-fixes CVE-2024-53063 bsc#1233557 bsc#1225742). - commit e0b966a - IB/mad: Check available slots before posting receive WRs (git-fixes) - commit 34587d0 - RDMA/mlx5: Fix calculation of total invalidated pages (git-fixes) - commit 2fa0f31 - RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow (git-fixes) - commit b249c41 - RDMA/mlx5: Fix cache entry update on dereg error (git-fixes) - commit 0fe5ca5 - RDMA/mlx5: Fix MR cache initialization error flow (git-fixes) - commit e5c2137 - RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() (git-fixes) - commit 3634652 - power: supply: max77693: Fix wrong conversion of charge input threshold value (git-fixes). - pinctrl: qcom: Clear latched interrupt status when changing IRQ type (git-fixes). - pinctrl: tegra: Set SFIO mode to Mux Register (git-fixes). - pinctrl: intel: Fix wrong bypass assignment in intel_pinctrl_probe_pwm() (git-fixes). - pinctrl: renesas: rza2: Fix missing of_node_put() call (git-fixes). - pinctrl: renesas: rzv2m: Fix missing of_node_put() call (git-fixes). - backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() (git-fixes). - leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs (git-fixes). - leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs (git-fixes). - Revert &quot;leds-pca955x: Remove the unused function pca95xx_num_led_regs()&quot; (stable-fixes). - crypto: nx - Fix uninitialised hv_nxc on error (git-fixes). - crypto: qat - remove access to parity register for QAT GEN4 (git-fixes). - crypto: qat - set parity error mask for qat_420xx (git-fixes). - crypto: ccp - Fix uAPI definitions of PSP errors (git-fixes). - crypto: iaa - Test the correct request flag (git-fixes). - crypto: hisilicon/sec2 - fix for sec spec check (git-fixes). - crypto: hisilicon/sec2 - fix for aead authsize alignment (git-fixes). - crypto: hisilicon/sec2 - fix for aead auth key length (git-fixes). - crypto: ccp - Fix check for the primary ASP device (git-fixes). - lib: 842: Improve error handling in sw842_compress() (git-fixes). - commit 8ad02d4 - mfd: ene-kb3930: Fix a potential NULL pointer dereference (git-fixes). - mfd: sm501: Switch to BIT() to mitigate integer overflows (git-fixes). - mfd: syscon: Fix race in device_node_get_regmap() (git-fixes). - mfd: syscon: Use scoped variables with memory allocators to simplify error paths (stable-fixes). - mfd: syscon: Add of_syscon_register_regmap() API (stable-fixes). - mfd: syscon: Remove extern from function prototypes (stable-fixes). - commit 87db269 - ocfs2: mark dquot as inactive if failed to start trans while releasing dquot (git-fixes). - commit 54dc104 - ocfs2: fix deadlock in ocfs2_get_system_file_inode (git-fixes). - commit 73be6ce - ocfs2: update seq_file index in ocfs2_dlm_seq_next (git-fixes). - commit ef7689a - ocfs2: check dir i_size in ocfs2_find_entry (git-fixes). - commit cc4c3a7 - ocfs2: handle a symlink read error correctly (git-fixes). - commit 79c2998 - dlm: prevent NPD when writing a positive value to event_done (git-fixes). - commit 8f717c8 - jfs: add index corruption check to DT_GETPAGE() (git-fixes). - commit bb32126 - jfs: fix slab-out-of-bounds read in ea_get() (git-fixes). - commit 45fdfe2 - jfs: add check read-only before truncation in jfs_truncate_nolock() (git-fixes). - commit 88c1bf9 - jfs: add check read-only before txBeginAnon() call (git-fixes). - commit 7ae1e64 - jfs: reject on-disk inodes of an unsupported type (git-fixes). - commit fd3fbef - Move upstreamed nfsd and sunrpc patches into sorted section - commit 8ca9bbb - Move upstreamed PCI and initramfs patches into sorted section - commit 66970bb - Move upstreamed powerpc and SCSI patches into sorted section - commit 21807c4 - PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe (git-fixes). - PCI: dwc: ep: Return -ENOMEM for allocation failures (git-fixes). - PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload (git-fixes). - PCI: brcmstb: Fix potential premature regulator disabling (git-fixes). - PCI: brcmstb: Fix error path after a call to regulator_bulk_get() (git-fixes). - PCI: brcmstb: Use internal register to change link capability (git-fixes). - PCI: brcmstb: Set generation limit before PCIe link up (git-fixes). - PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() (git-fixes). - PCI: Avoid reset when disabled via sysfs (git-fixes). - PCI: pciehp: Don't enable HPIE when resuming in poll mode (git-fixes). - PCI/portdrv: Only disable pciehp interrupts early when needed (git-fixes). - PCI: Remove stray put_device() in pci_register_host_bridge() (git-fixes). - PCI: Fix reference leak in pci_alloc_child_bus() (git-fixes). - PCI/ASPM: Fix link state exit during switch upstream function removal (git-fixes). - PCI/ACS: Fix 'pci=config_acs=' parameter (git-fixes). - drm/amd/display: avoid NPD when ASIC does not support DMUB (git-fixes). - drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() (git-fixes). - drm/mediatek: dp: drm_err =&gt; dev_err in HPD path to avoid NULL ptr (git-fixes). - drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member (git-fixes). - drm/mediatek: mtk_hdmi: Unregister audio platform device on failure (git-fixes). - drm/msm/a6xx: Fix a6xx indexed-regs in devcoreduump (git-fixes). - drm/msm/a6xx: Fix stale rpmh votes from GPU (git-fixes). - drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host (git-fixes). - drm/msm/dsi: Use existing per-interface slice count in DSC timing (git-fixes). - drm/msm/dpu: don't use active in atomic_check() (git-fixes). - drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters() (git-fixes). - drm/amdkfd: Fix Circular Locking Dependency in 'svm_range_cpu_invalidate_pagetables' (git-fixes). - drm/bridge: Fix spelling mistake &quot;gettin&quot; -&gt; &quot;getting&quot; (git-fixes). - drm/repaper: fix integer overflows in repeat functions (git-fixes). - drm/panel: ilitek-ili9882t: fix GPIO name in error message (git-fixes). - drm/i915/dsi: Use TRANS_DDI_FUNC_CTL's own port width macro (git-fixes). - drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV (git-fixes). - drm/amdgpu/umsch: declare umsch firmware (git-fixes). - drm/radeon/ci_dpm: Remove needless NULL checks of dpm tables (git-fixes). - drm/vkms: Fix use after free and double free on init error (git-fixes). - drm: xlnx: zynqmp: Fix max dma segment size (git-fixes). - drm/bridge: it6505: fix HDCP V match check is not performed correctly (git-fixes). - drm/dp_mst: Fix drm RAD print (git-fixes). - drm/ssd130x: ensure ssd132x pitch is correct (git-fixes). - drm/ssd130x: fix ssd132x encoding (git-fixes). - drm/ssd130x: Set SPI .id_table to prevent an SPI core warning (git-fixes). - drm/bridge: ti-sn65dsi86: Fix multiple instances (git-fixes). - fbdev: sm501fb: Add some geometry checks (git-fixes). - mdacon: rework dependency list (git-fixes). - dummycon: fix default rows/cols (git-fixes). - fbdev: au1100fb: Move a variable assignment behind a null pointer check (git-fixes). - tpm, tpm_tis: Fix timeout handling when waiting for TPM status (git-fixes). - tpm: do not start chip while suspended (git-fixes). - regulator: check that dummy regulator has been probed before using it (stable-fixes). - drm/amd/display: Use HW lock mgr for PSR1 when only one eDP (git-fixes). - drm/amdgpu: Fix JPEG video caps max size for navi1x and raven (stable-fixes). - drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size (stable-fixes). - soc: imx8m: Unregister cpufreq and soc dev in cleanup path (git-fixes). - soc: imx8m: Use devm_* to simplify probe failure handling (stable-fixes). - soc: imx8m: Remove global soc_uid (stable-fixes). - fbdev: pxafb: Fix possible use after free in pxafb_task() (stable-fixes). - commit 0b221d1 - mptcp: pm: only set fullmesh for subflow endp (CVE-2025-21706 bsc#1238528) - commit 1499b76 - net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels (git-fixes). - net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue (git-fixes). - ioam6: improve checks on user data (git-fixes). - net: ipv6: ioam6: new feature tunsrc (git-fixes). - net: ipv6: ioam6: code alignment (git-fixes). - ipv6: ioam: block BH from ioam6_output() (git-fixes). - commit 2678976 - af_unix: Remove put_pid()/put_cred() in copy_peercred() (bsc#1240334). - commit 3c2ac6a - splice: do not checksum AF_UNIX sockets (bsc#1240333). - commit 73d1c92 - Reapply &quot;wifi: ath11k: restore country code during resume&quot; (bsc#1207948). - wifi: ath11k: choose default PM policy for hibernation (bsc#1207948). - wifi: ath11k: support non-WoWLAN mode suspend as well (bsc#1207948). - wifi: ath11k: refactor ath11k_core_suspend/_resume() (bsc#1207948). - wifi: ath11k: introduce ath11k_core_continue_suspend_resume() (bsc#1207948). - wifi: ath11k: determine PM policy based on machine model (bsc#1207948). - commit 776bdcc - tee: optee: Fix supplicant wait loop (CVE-2025-21871 bsc#1240183). - ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers (CVE-2025-21870 bsc#1240191). - commit d4df66d - kunit: qemu_configs: sparc: use Zilog console (git-fixes). - bus: qcom-ssc-block-bus: Fix the error handling path of qcom_ssc_block_bus_probe() (git-fixes). - bus: qcom-ssc-block-bus: Remove some duplicated iounmap() calls (git-fixes). - memory: mtk-smi: Add ostd setting for mt8192 (git-fixes). - soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() (git-fixes). - soc: mediatek: mt8365-mmsys: Fix routing table masks and values (git-fixes). - soc: mediatek: mt8167-mmsys: Fix missing regval in all entries (git-fixes). - firmware: arm_scmi: use ioread64() instead of ioread64_hi_lo() (git-fixes). - firmware: arm_ffa: Explicitly cast return value from FFA_VERSION before comparison (git-fixes). - Bluetooth: HCI: Add definition of hci_rp_remote_name_req_cancel (git-fixes). - wifi: mt76: mt7925: remove unused acpi function for clc (git-fixes). - wifi: mt76: Add check for devm_kstrdup() (git-fixes). - wifi: mt76: mt7925: fix country count limitation for CLC (git-fixes). - wifi: mt76: mt7925: ensure wow pattern command align fw format (git-fixes). - wifi: mt76: mt7915: fix possible integer overflows in mt7915_muru_stats_show() (git-fixes). - wifi: rtw89: pci: correct ISR RDU bit for 8922AE (git-fixes). - wifi: rtw89: fw: correct debug message format in rtw89_build_txpwr_trk_tbl_from_elm() (git-fixes). - wifi: mwifiex: Fix premature release of RF calibration data (git-fixes). - wifi: cfg80211: init wiphy_work before allocating rfkill fails (git-fixes). - wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path (git-fixes). - wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path (git-fixes). - wifi: ath11k: add srng-&gt;lock for ath11k_hal_srng_* in monitor mode (git-fixes). - wifi: ath11k: fix RCU stall while reaping monitor destination ring (git-fixes). - wifi: ath11k: fix wrong overriding for VHT Beamformee STS Capability (git-fixes). - wifi: ath9k: do not submit zero bytes to the entropy pool (git-fixes). - wifi: ath12k: encode max Tx power in scan channel list command (git-fixes). - broadcom: fix supported flag check in periodic output function (git-fixes). - wifi: mac80211: fix integer overflow in hwmp_route_info_get() (git-fixes). - commit 62d1ca7 - drop_monitor: fix incorrect initialization order (CVE-2025-21862 bsc#1239474). - rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current-&gt;nsproxy (CVE-2025-21635 bsc#1236111). - net/smc: protect link down work from execute after lgr freed (CVE-2024-56718 bsc#1235589). - netfilter: IDLETIMER: Fix for possible ABBA deadlock (CVE-2024-54683 bsc#1235729). - net/smc: fix LGR and link use-after-free issue (CVE-2024-56640 bsc#1235436). - ipv6: Fix soft lockups in fib6_select_path under high next hop churn (CVE-2024-56703 bsc#1235455). - commit 32a040d - kABI fix for net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX (git-fixes). - commit 3656735 - net: avoid race between device unregistration and ethnl ops (CVE-2025-21701 bsc#1237164). - commit adae27d - net: usb: usbnet: restore usb%d name exception for local mac addresses (bsc#1234480). - commit 0605bcc - x86/entry: Add __init to ia32_emulation_override_cmdline() (git-fixes). - commit 98c0019 - ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0 (stable-fixes). - Refresh patches.suse/ALSA-hda-realtek-Add-support-for-various-ASUS-Laptop.patch. - commit a9e9dbb - ALSA: hda/realtek: Add support for various HP Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS B5405 and B5605 Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS B3405 and B3605 Laptops using CS35L41 HDA (stable-fixes). - commit 249008f - ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names (stable-fixes). - ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx (stable-fixes). - commit 401355a - coredump: Fixes core_pipe_limit sysctl proc_handler (git-fixes). - ata: libata: Fix NCQ Non-Data log not supported print (git-fixes). - mtd: nand: Fix a kdoc comment (git-fixes). - mtd: rawnand: brcmnand: fix PM resume warning (git-fixes). - mtd: Add check for devm_kcalloc() (git-fixes). - mtd: Replace kcalloc() with devm_kcalloc() (git-fixes). - HID: Enable playstation driver independently of sony driver (git-fixes). - HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER (git-fixes). - platform/x86: dell-ddv: Fix temperature calculation (git-fixes). - ALSA: hda/realtek: Fix built-in mic assignment on ASUS VivoBook X515UA (git-fixes). - ASoC: cs35l41: check the return value from spi_setup() (git-fixes). - ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible (git-fixes). - ALSA: usb-audio: separate DJM-A9 cap lvl options (git-fixes). - ALSA: hda/realtek: Always honor no_shutup_pins (git-fixes). - ALSA: pcm: Drop superfluous NULL check in snd_pcm_format_set_silence() (git-fixes). - commit 52d0d3b - netfilter: nf_set_pipapo: fix initial map fill (CVE-2024-57947 bsc#1236333). - commit 970aeca - include: net: add static inline dst_dev_overhead() to dst.h (git-fixes). - commit 38a62b9 - Refresh patches.suse/tpm-send_data-Wait-longer-for-the-TPM-to-become-read.patch. Also extend the remaining tpm_tis_send_data timeout (bsc#1235870). - commit 4b3d91d - x86/microcode/intel: Add a minimum required revision for late loading (git-fixes). - commit 5da2185 - x86/microcode: Prepare for minimal revision check (git-fixes). - commit c420631 - x86/microcode: Handle &quot;offline&quot; CPUs correctly (git-fixes). - commit 392e00e - x86/apic: Provide apic_force_nmi_on_cpu() (git-fixes). - commit b3900fd - cpufreq/amd-pstate: Fix max_perf updation with schedutil (bsc#1239707). - commit fefd3ab - kABI fix for ipv6: remove hard coded limitation on ipv6_pinfo (git-fixes). - commit 2b5c9da - x86/microcode: Protect against instrumentation (git-fixes). - commit c6912a2 - x86/microcode: Rendezvous and load in NMI (git-fixes). - commit 62c98c3 - x86/microcode: Replace the all-in-one rendevous handler (git-fixes). - commit 918f8ee - x86/microcode: Provide new control functions (git-fixes). - commit 8430c04 - x86/microcode: Add per CPU control field (git-fixes). - commit 866b0a5 - x86/microcode: Add per CPU result state (git-fixes). - commit 579033e - net/smc: check smcd_v2_ext_offset when receiving proposal msg (CVE-2024-47408 bsc#1235711). - commit 2f01046 - x86/microcode: Clarify the late load logic (git-fixes). - commit 6230ee4 - x86/microcode: Handle &quot;nosmt&quot; correctly (git-fixes). - Refresh patches.suse/x86-microcode-Sanitize-__wait_for_cpus.patch. - commit dc94359 - x86/microcode: Clean up mc_cpu_down_prep() (git-fixes). - commit bdacddf - x86/microcode: Get rid of the schedule work indirection (git-fixes). - commit 6a00f9e - x86/microcode: Mop up early loading leftovers (git-fixes). - commit 9018df4 - kABI fix for &quot;netfilter: nft_inner: incorrect percpu area handling under softirq&quot; (CVE-2024-56638 bsc#1235524). - commit 3acf757 - ipv6: introduce dst_rt6_info() helper (git-fixes). - Refresh patches.suse/ipv6-prevent-UAF-in-ip6_send_skb.patch. - Refresh patches.suse/net-fix-__dst_negative_advice-race.patch. - commit a265247 - ipv6: sr: add missing seg6_local_exit (git-fixes). - Refresh patches.suse/ipv6-sr-fix-incorrect-unregister-order.patch. - commit ef06a22 - ipv6: annotate data-races around cnf.disable_ipv6 (git-fixes). - Refresh patches.suse/ipv6-prevent-NULL-dereference-in-ip6_output.patch. - commit 97af13b - x86/microcode/amd: Use cached microcode for AP load (git-fixes). - commit 916bc1a - x86/microcode/amd: Cache builtin/initrd microcode early (git-fixes). - commit 6cd5382 - x86/microcode/amd: Cache builtin microcode too (git-fixes). - commit d0a37ed - x86/microcode/amd: Use correct per CPU ucode_cpu_info (git-fixes). - commit 834a488 - x86/microcode: Remove pointless apply() invocation (git-fixes). - commit a5ea134 - ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create() (git-fixes). - ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw() (git-fixes). - net: ipv6: fix missing dst ref drop in ila lwtunnel (git-fixes). - net: ipv6: fix dst ref loop in ila lwtunnel (git-fixes). - net: ipv6: fix dst ref loop on input in rpl lwt (git-fixes). - net: ipv6: fix dst ref loop on input in seg6 lwt (git-fixes). - net: ipv6: rpl_iptunnel: mitigate 2-realloc issue (git-fixes). - net: ipv6: seg6_iptunnel: mitigate 2-realloc issue (git-fixes). - ipv6: release nexthop on device removal (CVE-2024-56751 bsc#1234936). - net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL (git-fixes). - net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input (git-fixes). - ipv6: fix ndisc_is_useropt() handling for PIO (git-fixes). - ipv6: take care of scope when choosing the src addr (git-fixes). - net: use unrcu_pointer() helper (git-fixes). - ipv6: sr: block BH in seg6_output_core() and seg6_input_core() (git-fixes). - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() (git-fixes). - net: ipv6: fix wrong start position when receive hop-by-hop fragment (git-fixes). - ipv6: fib: hide unused 'pn' variable (git-fixes). - ipv6: fib6_rules: flush route cache when rule is changed (git-fixes). - commit ae4c044 - ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid (git-fixes). - ipv6: Ensure natural alignment of const ipv6 loopback and router addresses (git-fixes). - commit 3e6f7bb - net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX (git-fixes). - ipv6: fix potential NULL deref in fib6_add() (git-fixes). - ipv6: avoid atomic fragment on GSO packets (git-fixes). - ipv6: remove hard coded limitation on ipv6_pinfo (git-fixes). - commit aab80f1 - x86/microcode/intel: Rework intel_find_matching_signature() (git-fixes). - commit a8e1ba8 - x86/microcode/intel: Reuse intel_cpu_collect_info() git-fixes). - commit 12d10b3 - x86/microcode/intel: Rework intel_cpu_collect_info() (git-fixes). - commit 44d31ee - x86/microcode/intel: Unify microcode apply() functions (git-fixes). - Refresh patches.suse/x86-microcode-intel-Remove-unnecessary-cache-writeback-and.patch. - commit fd684d8 - x86/microcode/intel: Switch to kvmalloc() (git-fixes). - commit deae801 - x86/microcode/intel: Save the microcode only after a successful late-load (git-fixes). - commit c89162d - x86/microcode/intel: Simplify early loading (git-fixes). - commit 571e4fe - x86/microcode/intel: Cleanup code further (git-fixes). - commit 53a643e - x86/microcode/32: Move early loading after paging enable (git-fixes). - commit f3beb78 - x86/boot/32: Temporarily map initrd for microcode loading (git-fixes). - commit f25c748 - x86/microcode: Provide CONFIG_MICROCODE_INITRD32 (git-fixes). - commit 040895c - x86/boot/32: Restructure mk_early_pgtbl_32() (git-fixes). - commit bf7e36d - x86/boot/32: De-uglify the 2/3 level paging difference in mk_early_pgtbl_32() (git-fixes). - commit cb4b02a - x86/boot: Use __pa_nodebug() in mk_early_pgtbl_32() (git-fixes). - commit 1ec4661 - x86/boot/32: Disable stackprotector and tracing for mk_early_pgtbl_32() (git-fixes). - commit 1bef486 - x86/microcode/intel: Simplify and rename generic_load_microcode() (git-fixes). - commit 7d2da5d - x86/microcode/intel: Simplify scan_microcode() (git-fixes). - commit 4164fad - x86/microcode/intel: Rip out mixed stepping support for Intel CPUs (git-fixes). - commit 842e778 - x86/microcode/intel: Remove pointless mutex (git-fixes). - commit d92edaf - x86/microcode/intel: Remove debug code (git-fixes). - commit f06da57 - x86/microcode: Move core specific defines to local header (git-fixes). - Delete patches.suse/x86-cpu-Fix-amd_check_microcode-declaration.patch. - commit 68e5a18 - x86/hyperv: Fix output argument to hypercall that changes page visibility (git-fixes). - x86/hyperv/vtl: Stop kernel from probing VTL0 low memory (git-fixes). - commit d929456 - x86/microcode/intel: Rename get_datasize() since its used externally (git-fixes). - commit cd4315f - x86/microcode: Make reload_early_microcode() static (git-fixes). - commit adc4f73 - x86/microcode: Include vendor headers into microcode.h (git-fixes). - Refresh patches.suse/platform-x86-intel-ifs-Gen2-scan-image-loading.patch. - commit 9b8d381 - x86/microcode/intel: Move microcode functions out of cpu/intel.c (git-fixes). - Refresh patches.suse/x86-cpu-intel-Detect-TME-keyid-bits-before-setting-MTRR-ma.patch. - commit 4e2f346 - x86/microcode: Hide the config knob (git-fixes). - commit d6f3245 - x86/mm: Remove unused microcode.h include (git-fixes). - commit 88b351c - x86/microcode: Remove microcode_mutex (git-fixes). - commit 9723346 - Revert &quot;wifi: ath11k: support hibernation&quot; (bsc#1207948). - commit 36caa36 - Revert &quot;wifi: ath11k: restore country code during resume&quot; (bsc#1207948). - commit 18bdb23 - x86/microcode: Sanitize __wait_for_cpus() (git-fixes). - commit 4a52b36 - x86/platform/olpc: Remove unused variable 'len' in olpc_dt_compatible_match() (git-fixes). - commit a5f84ff - x86/entry: Add __init to ia32_emulation_override_cmdline() (git-fixes). - commit e6ba4df - x86/coco: Replace 'static const cc_mask' with the newly introduced cc_get_mask() function (git-fixes). - commit c13c7b0 - x86/usercopy: Fix kernel-doc func param name in clean_cache_range()'s description (git-fixes). - commit 8e4bd72 - x86/fpu: Fix guest FPU state buffer allocation size (git-fixes). - commit 0180053 - media: vim2m: print device name after registering device (git-fixes). - media: platform: stm32: Add check for clk_enable() (git-fixes). - media: siano: Fix error handling in smsdvb_module_init() (git-fixes). - media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() (git-fixes). - media: venus: hfi: add a check to handle OOB in sfr region (git-fixes). - media: venus: hfi: add check to handle incorrect queue size (git-fixes). - media: venus: hfi_parser: refactor hfi packet parsing logic (git-fixes). - media: venus: hfi_parser: add check to avoid out of bound access (git-fixes). - media: visl: Fix ERANGE error when setting enum controls (git-fixes). - media: platform: allgro-dvt: unregister v4l2_device on the error path (git-fixes). - media: verisilicon: HEVC: Initialize start_bit field (git-fixes). - media: i2c: adv748x: Fix test pattern selection mask (git-fixes). - media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO (git-fixes). - media: i2c: ov7251: Set enable GPIO low in probe (git-fixes). - media: i2c: ccs: Set the device's runtime PM status correctly in remove (git-fixes). - media: streamzap: prevent processing IR data on URB failure (git-fixes). - media: streamzap: fix race between device disconnection and urb callback (git-fixes). - auxdisplay: panel: Fix an API misuse in panel.c (git-fixes). - mmc: omap: Fix memory leak in mmc_omap_new_slot (git-fixes). - memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (git-fixes). - mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD (git-fixes). - spi: cadence-qspi: Fix probe on AM62A LP SK (git-fixes). - thermal: int340x: Add NULL check for adev (git-fixes). - PM: sleep: Fix handling devices with direct_complete set on errors (git-fixes). - PM: sleep: Adjust check before setting power.must_resume (git-fixes). - selftests/x86/syscall: Fix coccinelle WARNING recommending the use of ARRAY_SIZE() (git-fixes). - commit d741ce2 - smb: client: Add check for next_buffer in receive_encrypted_standard() (CVE-2025-21844 bsc#1239512) - commit 5413aee - smb: client: destroy cfid_put_wq on module exit (git-fixes). - commit c180144 - ipv6: mcast: extend RCU protection in igmp6_send() (CVE-2025-21759 bsc#1238738). - commit 400a352 - ndisc: extend RCU protection in ndisc_send_skb() (CVE-2025-21760 bsc#1238763). - commit 156bf64 - vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791 bsc#1238512). - commit f01aefb - openvswitch: use RCU protection in ovs_vport_cmd_fill_info() (CVE-2025-21761 bsc#1238775). - commit 742de46 - arp: use RCU protection in arp_xmit() (CVE-2025-21762 bsc#1238780). - commit 816de2a - neighbour: use RCU protection in __neigh_notify() (CVE-2025-21763 bsc#1237897). - commit f8fc7e4 - ndisc: use RCU protection in ndisc_alloc_skb() (bsc#1239994). - commit d3f8de7 - ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() (bsc#1239994). - commit 60e0c13 - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers (git-fixes). - commit 8abe0aa - x86/cpu: Allow reducing x86_phys_bits during early_identify_cpu() (git-fixes). - commit 095440f - intel_idle: Add ibrs_off module parameter to force-disable IBRS (git-fixes). - commit c35924e - intel_idle: Use __update_spec_ctrl() in intel_idle_ibrs() (git-fixes). - Refresh patches.suse/x86-Fix-CPUIDLE_FLAG_IRQ_ENABLE-leaking-timer-reprogram.patch. - commit d3998f0 - x86/idle: Disable IBRS when CPU is offline to improve single-threaded performance (git-fixes). - commit 317b615 - x86/speculation: Add __update_spec_ctrl() helper (git-fixes). - commit 3276cd3 - lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*() (git-fixes). - kbuild: hdrcheck: fix cross build with clang (git-fixes). - commit 77968cd - ipv6: Use RCU in ip6_input() (bsc#1239994). - commit 29ec493 - ipv6: icmp: convert to dev_net_rcu() (bsc#1239994). - commit 4c35517 - flow_dissector: use RCU protection to fetch dev_net() (bsc#1239994). - commit a0e50a6 - ipv6: use RCU protection in ip6_default_advmss() (CVE-2025-21765 bsc#1237906). - commit c531d1f - ipv4: use RCU protection in rt_is_expired() (bsc#1239994). - commit 48756fc - ipv4: use RCU protection in ipv4_default_advmss() (bsc#1239994). - commit 81b29a5 - ipv4: use RCU protection in inet_select_addr() (bsc#1239994). - commit 5eecff1 - ipv4: use RCU protection in ip_dst_mtu_maybe_forward() (bsc#1239994). - commit 6188164 - ipv4: use RCU protection in __ip_rt_update_pmtu() (CVE-2025-21766 bsc#1238754). - commit 03eaa8b - ipv4: add RCU protection to ip4_dst_hoplimit() (bsc#1239994). - commit 95bdee3 - net: add dev_net_rcu() helper (bsc#1239994). - commit 63dac1b - net: mana: Support holes in device list reply msg (git-fixes). - net: mana: cleanup mana struct after debugfs_remove() (git-fixes). - Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() (git-fixes). - clockevents/drivers/i8253: Fix stop sequence for timer 0 (git-fixes). - commit a640830 - rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986) sle_version was obsoleted for SLE16. It has to be combined with suse_version check. - commit cbd5de3 - kABI workaround for intel-ish-hid (git-fixes). - commit c1e0e59 - HID: intel-ish-hid: Send clock sync message immediately after reset (stable-fixes). - commit bb56845 - kABI workaround for soc_mixer_control changes (git-fixes). - commit 41b23df - i2c: amd-mp2: drop free_irq() of devm_request_irq() allocated irq (git-fixes). - USB: serial: ftdi_sio: add support for Altera USB Blaster 3 (stable-fixes). - USB: serial: option: fix Telit Cinterion FE990A name (stable-fixes). - USB: serial: option: add Telit Cinterion FE990B compositions (stable-fixes). - USB: serial: option: match on interface class for Telit FN990B (stable-fixes). - Input: i8042 - swap old quirk combination with new quirk for more devices (stable-fixes). - Input: i8042 - swap old quirk combination with new quirk for several devices (stable-fixes). - Input: i8042 - add required quirks for missing old boardnames (stable-fixes). - Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ (stable-fixes). - Input: xpad - rename QH controller to Legion Go S (stable-fixes). - Input: xpad - add support for TECNO Pocket Go (stable-fixes). - Input: xpad - add support for ZOTAC Gaming Zone (stable-fixes). - Input: xpad - add multiple supported devices (stable-fixes). - Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers (stable-fixes). - ASoC: ops: Consistently treat platform_max as control value (git-fixes). - drm/i915/cdclk: Do cdclk post plane programming later (stable-fixes). - drm/atomic: Filter out redundant DPMS calls (stable-fixes). - drm/amd/display: Assign normalized_pix_clk when color depth = 14 (stable-fixes). - drm/amd/display: Restore correct backlight brightness after a GPU reset (stable-fixes). - drm/amd/display: Disable unneeded hpd interrupts during dm_init (stable-fixes). - drm/hyperv: Fix address space leak when Hyper-V DRM device is removed (git-fixes). - HID: apple: disable Fn key handling on the Omoton KB066 (git-fixes). - drm/nouveau: Do not override forced connector status (stable-fixes). - drm/vkms: Round fixp2int conversion in lerp_u16 (stable-fixes). - ASoC: tas2764: Set the SDOUT polarity correctly (stable-fixes). - ASoC: tas2764: Fix power control mask (stable-fixes). - ASoC: tas2770: Fix volume scale (stable-fixes). - net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors (stable-fixes). - ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE (stable-fixes). - ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module (stable-fixes). - ASoC: arizona/madera: use fsleep() in up/down DAPM event delays (stable-fixes). - usb: phy: generic: Use proper helper for property detection (stable-fixes). - platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles (stable-fixes). - platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e (stable-fixes). - HID: apple: fix up the F6 key on the Omoton KB066 keyboard (stable-fixes). - HID: hid-apple: Apple Magic Keyboard a3203 USB-C support (stable-fixes). - HID: topre: Fix n-key rollover on Realforce R3S TKL boards (stable-fixes). - HID: ignore non-functional sensor in HP 5MP Camera (stable-fixes). - HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell (stable-fixes). - ACPI: resource: IRQ override for Eluktronics MECH-17 (stable-fixes). - vboxsf: fix building with GCC 15 (stable-fixes). - platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() (stable-fixes). - commit 3767537 - regulator: dummy: force synchronous probing (git-fixes). - regulator: core: Fix deadlock in create_regulator() (git-fixes). - commit 74ce27f - libperf cpumap: Grow array of read CPUs in smaller increments (bsc#1234698 jsc#PED-12309). - libperf cpumap: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309). - perf pmu: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309). - libperf cpumap: Be tolerant of newline at the end of a cpumask (bsc#1234698 jsc#PED-12309). - libperf cpumap: Hide/reduce scope of MAX_NR_CPUS (bsc#1234698 jsc#PED-12309). - perf cpumap: Reduce transitive dependencies on libperf MAX_NR_CPUS (bsc#1234698 jsc#PED-12309). - perf: Increase MAX_NR_CPUS to 4096 (bsc#1234698 jsc#PED-12309). - libperf cpumap: Ensure empty cpumap is NULL from alloc (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__empty() to perf_cpu_map__has_any_cpu_or_is_empty() (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__default_new() to perf_cpu_map__new_online_cpus() and prefer sysfs (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__dummy_new() to perf_cpu_map__new_any_cpu() (bsc#1234698 jsc#PED-12309). - commit b89838c - Refresh patches.suse/udp-Deal-with-race-between-UDP-socket-address-change-and-r.patch. - commit 4648743 - tools: move alignment-related macros to new &lt;linux/align.h&gt; (git-fixes). Fix tools/ build breakage introduced by suse commit 3d6cb93162fd &quot;bitmap: introduce generic optimized bitmap_size() (git-fixes)&quot; - commit a17c3c2 - memblock tests: fix warning: &quot;__ALIGN_KERNEL&quot; redefined (git-fixes). Fix tools/ build breakage introduced by suse commit 3d6cb93162fd &quot;bitmap: introduce generic optimized bitmap_size() (git-fixes)&quot; - commit 2860902 - kABI: ufshcd: add ufshcd_dealloc_host back (CVE-2025-21739 bsc#1238506). - commit 722da19 - KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (CVE-2024-58083 bsc#1239036). - commit bbd863b - nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() (CVE-2025-21848 bsc#1239479). - commit bd498df - ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid (bsc#1237530). - commit f46ae1f - udp: Deal with race between UDP socket address change and rehash (CVE-2024-57974 bsc#1238532). - commit d248d8d - drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() (git-fixes). - gpu: host1x: Do not assume that a NULL domain means no DMA IOMMU (git-fixes). - accel/qaic: Fix integer overflow in qaic_validate_req() (git-fixes). - accel/qaic: Fix possible data corruption in BOs &gt; 2G (git-fixes). - drm/v3d: Don't run jobs that have errors flagged in its fence (git-fixes). - drm/sched: Fix fence reference count leak (git-fixes). - batman-adv: Ignore own maximum aggregation size during RX (git-fixes). - Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters (git-fixes). - Bluetooth: Fix error code in chan_alloc_skb_cb() (git-fixes). - can: flexcan: disable transceiver during system PM (git-fixes). - can: flexcan: only change CAN state when link up in system PM (git-fixes). - can: rcar_canfd: Fix page entries in the AFL list (git-fixes). - can: ucan: fix out of bound read in strscpy() source (git-fixes). - mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops (git-fixes). - mmc: atmel-mci: Add missing clk_disable_unprepare() (git-fixes). - commit fa047d8 - RDMA/hns: Fix wrong value of max_sge_rd (git-fixes) - commit be0fccb - RDMA/hns: Fix missing xa_destroy() (git-fixes) - commit 7560f3b - RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() (git-fixes) - commit fae22e5 - RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() (git-fixes) - commit 4a61cfc - RDMA/hns: Fix soft lockup during bt pages loop (git-fixes) - commit d7a5712 - RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path (git-fixes) - commit 1c0ffc5 - RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() (git-fixes) - commit fb56cee - RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx (git-fixes) - commit d9ad94d - RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests (git-fixes) - commit 3a68d14 - scsi: ufs: core: Fix use-after free in init error and remove paths (CVE-2025-21739 bsc#1238506). - commit f971898 - btrfs: use a separate end_io handler for extent_buffer writing (bsc#1239045). - btrfs: don't use btrfs_bio_ctrl for extent buffer writing (bsc#1239045). - btrfs: remove the mirror_num argument to btrfs_submit_compressed_read (bsc#1239045). - btrfs: subpage: fix error handling in end_bio_subpage_eb_writepage (bsc#1239045). - commit 5ca42b7 - ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() (git-fixes). - commit a7b4ac3 - ata: sata_sil: Rename sil_blacklist to sil_quirks (git-fixes). - commit c17a6ef - ata: pata_serverworks: Do not use the term blacklist (git-fixes). - commit cdc9008 - ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf (git-fixes). - commit cf84546 - ata: libata-scsi: Remove redundant sense_buffer memsets (git-fixes). - commit 3ff83f7 - ata: ahci: Add mask_port_map module parameter (git-fixes). - commit f3d1fc7 - ata: pata_parport: fit3: implement IDE command set registers (git-fixes). - commit b753758 - arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck on Haikou (git-fixes) - commit e6786aa - ata: pata_parport: add custom version of wait_after_reset (git-fixes). - commit 92ba445 - arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board (git-fixes) - commit d1b0425 - arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi (git-fixes) - commit b541e7c - arm64: dts: rockchip: Remove undocumented sdmmc property from (git-fixes) - commit 4d05cf3 - arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou (git-fixes) - commit cfcc878 - arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to (git-fixes) - commit e1ac37c - arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply (git-fixes) - commit 86fe977 - arm64: mm: Populate vmemmap at the page level if not section aligned (git-fixes) - commit 9a15b23 - arm64: dts: rockchip: add rs485 support on uart5 of (git-fixes) - commit 674715a - mm: zswap: move allocations during CPU init outside the lock (git-fixes). - commit 4a03990 - netem: Update sch-&gt;q.qlen before qdisc_tree_reduce_backlog() (git-fixes CVE-2025-21703 bsc#1237313). - commit ca9c9ec - iommu/vt-d: Fix suspicious RCU usage (git-fixes). - commit 57c0aea - net_sched: sch_sfq: handle bigger packets (git-fixes). - Refresh patches.suse/net_sched-sch_sfq-don-t-allow-1-packet-limit.patch. - commit e8a43b7 - net/sched: act_api: rely on rcu in tcf_idr_check_alloc (git-fixes). - Refresh patches.suse/net-sched-act_api-fix-possible-infinite-loop-in-tcf_.patch. - commit b0f7ecb - net_sched: Prevent creation of classes with TC_H_ROOT (git-fixes). - net/sched: cls_api: fix error handling causing NULL dereference (git-fixes CVE-2025-21857 bsc#1239478). - net/sched: netem: account for backlog updates from child qdisc (git-fixes CVE-2024-56770 bsc#1235637). - net/sched: tbf: correct backlog statistic for GSO packets (git-fixes). - net/sched: cbs: Fix integer overflow in cbs_set_port_rate() (git-fixes). - net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers (git-fixes). - net/sched: taprio: make q-&gt;picos_per_byte available to fill_sched_entry() (git-fixes). - net/sched: adjust device watchdog timer to detect stopped queue at right time (git-fixes). - net_sched: sch_sfq: annotate data-races around q-&gt;perturb_period (git-fixes). - net/sched: flower: Add lock protection when remove filter handle (git-fixes). - net/sched: cls_u32: replace int refcounts with proper refcounts (git-fixes). - commit a5cca5e - powerpc/pseries/eeh: move pseries_eeh_err_inject() outside CONFIG_DEBUG_FS block (bsc#1239573). - powerpc/pseries/eeh: Fix pseries_eeh_err_inject (bsc#1239573). - powerpc: Stop using no_llseek (bsc#1239573). - commit 5b9a0f5 - wifi: rtl8xxxu: Perform update_beacon_work when beaconing is enabled (git-fixes). - commit 39d5ea8 - kABI fix for netlink: terminate outstanding dump on socket close (git-fixes). - commit b2fd571 - usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c (bsc#1232389 CVE-2024-50056). - commit e07e4ef - netlink: terminate outstanding dump on socket close (CVE-2024-53140 bsc#1234222). - net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT (CVE-2024-53057 bsc#1233551). - commit b824575 - usb: gadget: uvc: fix try format returns on uncompressed formats (bsc#1232389 CVE-2024-50056). - commit d2b161f - mm: zswap: properly synchronize freeing resources during CPU hotunplug (bsc#1237029 CVE-2025-21693). - commit 215e0dc - series.conf: temporarily disable patches.suse/md-md-bitmap-fix-writing-non-bitmap-pages-ab99.patch (bsc#1238212) - commit bc1d649 - initramfs: fix hardlink hash leak without TRAILER (bsc#1232848). - initramfs: allocate heap buffers together (bsc#1232848). - init: add initramfs_internal.h (bsc#1232848). - commit f42c132 - net: stmmac: fix TSO DMA API usage causing oops (CVE-2024-56719 bsc#1235591) - commit 66963e5 - Documentation: qat: fix auto_reset attribute details (git-fixes). - Documentation: qat: fix auto_reset section (git-fixes). - commit f832e33 - supported.conf: add now-included qat_420xx (external, intel) - commit 85940df - net: constify sk_dst_get() and __sk_dst_get() argument (git-fixes). - commit a24981b - crypto: qat - Fix missing destroy_workqueue in adf_init_aer() (jsc#PED-12416). - crypto: qat - Fix typo &quot;accelaration&quot; (jsc#PED-12416). - crypto: qat - Constify struct pm_status_row (jsc#PED-12416). - crypto: qat - remove unused adf_devmgr_get_first (jsc#PED-12416). - crypto: qat/qat_420xx - fix off by one in uof_get_name() (jsc#PED-12416). - crypto: iaa - Remove potential infinite loop in check_completion() (jsc#PED-12416). - crypto: qat - Remove trailing space after \n newline (jsc#PED-12416). - crypto: qat - fix &quot;Full Going True&quot; macro definition (jsc#PED-12416). - crypto: qat - Use static_assert() to check struct sizes (jsc#PED-12416). - crypto: qat - allow disabling SR-IOV VFs (jsc#PED-12416). - crypto: qat - ensure correct order in VF restarting handler (jsc#PED-12416). - crypto: qat - fix recovery flow for VFs (jsc#PED-12416). - crypto: qat - preserve ADF_GENERAL_SEC (jsc#PED-12416). - crypto: qat - initialize user_input.lock for rate_limiting (jsc#PED-12416). - crypto: qat - make adf_ctl_class constant (jsc#PED-12416). - crypto: qat - Fix typo (jsc#PED-12416). - crypto: qat - fix linking errors when PCI_IOV is disabled (jsc#PED-12416). - crypto: iaa - Use kmemdup() instead of kzalloc() and memcpy() (jsc#PED-12416). - crypto: qat - validate slices count returned by FW (jsc#PED-12416). - crypto: qat - improve error message in adf_get_arbiter_mapping() (jsc#PED-12416). - crypto: qat - implement dh fallback for primes &gt; 4K (jsc#PED-12416). - crypto: iaa - Use cpumask_weight() when rebalancing (jsc#PED-12416). - crypto: qat - Fix spelling mistake &quot;Invalide&quot; -&gt; &quot;Invalid&quot; (jsc#PED-12416). - crypto: qat - Avoid -Wflex-array-member-not-at-end warnings (jsc#PED-12416). - crypto: iaa - Change iaa statistics to atomic64_t (jsc#PED-12416). - crypto: iaa - Add global_stats file and remove individual stat files (jsc#PED-12416). - crypto: iaa - Remove comp/decomp delay statistics (jsc#PED-12416). - crypto: iaa - fix decomp_bytes_in stats (jsc#PED-12416). - crypto: qat - implement interface for live migration (jsc#PED-12416). - crypto: qat - add interface for live migration (jsc#PED-12416). - crypto: qat - add bank save and restore flows (jsc#PED-12416). - crypto: qat - expand CSR operations for QAT GEN4 devices (jsc#PED-12416). - crypto: qat - rename get_sla_arr_of_type() (jsc#PED-12416). - crypto: qat - relocate CSR access code (jsc#PED-12416). - crypto: qat - move PFVF compat checker to a function (jsc#PED-12416). - crypto: qat - relocate and rename 4xxx PF2VM definitions (jsc#PED-12416). - crypto: qat - adf_get_etr_base() helper (jsc#PED-12416). - crypto: iaa - fix the missing CRYPTO_ALG_ASYNC in cra_flags (jsc#PED-12416). - crypto: iaa - Fix comp/decomp delay statistics (jsc#PED-12416). - crypto: qat - make ring to service map common for QAT GEN4 (jsc#PED-12416). - crypto: qat - fix ring to service map for dcc in 420xx (jsc#PED-12416). - crypto: qat - fix comment structure (jsc#PED-12416). - crypto: qat - remove unnecessary description from comment (jsc#PED-12416). - crypto: qat - uninitialized variable in adf_hb_error_inject_write() (jsc#PED-12416). - crypto: qat - improve aer error reset handling (jsc#PED-12416). - crypto: qat - limit heartbeat notifications (jsc#PED-12416). - crypto: qat - add auto reset on error (jsc#PED-12416). - crypto: qat - add fatal error notification (jsc#PED-12416). - crypto: qat - re-enable sriov after pf reset (jsc#PED-12416). - crypto: qat - update PFVF protocol for recovery (jsc#PED-12416). - crypto: qat - disable arbitration before reset (jsc#PED-12416). - crypto: qat - add fatal error notify method (jsc#PED-12416). - crypto: qat - add heartbeat error simulator (jsc#PED-12416). - crypto: qat - use kcalloc_node() instead of kzalloc_node() (jsc#PED-12416). - crypto: iaa - Remove unnecessary debugfs_create_dir() error check in iaa_crypto_debugfs_init() (jsc#PED-12416). - crypto: iaa - Remove header table code (jsc#PED-12416). - crypto: qat - avoid memcpy() overflow warning (jsc#PED-12416). - crypto: qat - fix arbiter mapping generation algorithm for QAT 402xx (jsc#PED-12416). - crypto: qat - generate dynamically arbiter mappings (jsc#PED-12416). - crypto: qat - add support for ring pair level telemetry (jsc#PED-12416). - commit 5d1d9ed - crypto: qat - add support for device telemetry (jsc#PED-12416). - Refresh patches.suse/crypto-qat-disable-IOV-in-adf_dev_stop.patch. - Refresh patches.suse/crypto-qat-remove-check-after-debugfs_create_dir.patch. - commit 3d131da - crypto: qat - add admin msgs for telemetry (jsc#PED-12416). - crypto: qat - include pci.h for GET_DEV() (jsc#PED-12416). - crypto: iaa - remove unneeded semicolon (jsc#PED-12416). - crypto: iaa - Remove unneeded newline in update_max_adecomp_delay_ns() (jsc#PED-12416). - crypto: iaa - Change desc-&gt;priv to 0 (jsc#PED-12416). - crypto: qat - add support for 420xx devices (jsc#PED-12416). - crypto: qat - move fw config related structures (jsc#PED-12416). - crypto: qat - relocate portions of qat_4xxx code (jsc#PED-12416). - crypto: qat - change signature of uof_get_num_objs() (jsc#PED-12416). - seq_file: add helper macro to define attribute for rw file (jsc#PED-12416). - commit 8fbb076 - Update config files for PED-12416: QAT_420XX=m on x86, disable error injection. - commit bbce3cc - mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx (bsc#1237029 CVE-2025-21693). - commit 0b762e3 - usb: gadget: uvc: Fix use-after-free for inflight usb_requests (bsc#1232389 CVE-2024-50056). - commit 2525765 - usb: gadget: uvc: move video disable logic to its own function (bsc#1232389 CVE-2024-50056). - commit 2ceecdc - usb: gadget: uvc: Allocate uvc_requests one at a time (bsc#1232389 CVE-2024-50056). - commit 4e4b74d - usb: gadget: uvc: prevent use of disabled endpoint (bsc#1232389 CVE-2024-50056). - commit fe7e829 - usb: gadget: uvc: clean up comments and styling in video_pump (bsc#1232389 CVE-2024-50056). - commit c00889e - Bluetooth: Improve setsockopt() handling of malformed user input (git-fixes). - commit b7abeef - btrfs: drop the backref cache during relocation if we commit (bsc#1239605). - btrfs: check delayed refs when we're checking if a ref exists (bsc#1239605). - commit cfc9247 - xhci: dbc: Fix STALL transfer event handling (git-fixes). - commit cae0f76 - Update patches.suse/net-sched-use-RCU-read-side-critical-section-in-taprio_dump.patch (CVE-2024-50126 bsc#1232895). - commit 4fbfb83 - xhci: dbc: Replace custom return value with proper Linux error code (git-fixes). - commit 8f2f3fe - xhci: dbc: Check for errors first in xhci_dbc_stop() (git-fixes). - commit 393eaad - xhci: dbc: Use ATTRIBUTE_GROUPS() (git-fixes). - commit c847619 - xhci: dbc: Use sysfs_emit() to instead of scnprintf() (git-fixes). - commit fdc638e - xhci: dbc: Convert to use sysfs_streq() (git-fixes). - commit de56eef - xhci: dbc: Drop duplicate checks for dma_free_coherent() (git-fixes). - commit b4ff421 - Update patches.suse/xhci-Combine-two-if-statements-for-Etron-xHCI-host.patch (git-fixes). - Update patches.suse/xhci-Don-t-issue-Reset-Device-command-to-Etron-xHCI-.patch (git-fixes). Fix false references introduced by reusing patches for SP7 needed for a feature - commit f1a52b1 - ila: serialize calls to nf_register_net_hooks() (CVE-2024-57900 bsc#1235973). - commit a940895 - efi/libstub: Bump up EFI_MMAP_NR_SLACK_SLOTS to 32 (bsc#1239349). - commit 4c2eac0 - kABI fix for tcp: replace tcp_time_stamp_raw() (git-fixes). - kABI fix for tcp: fix cookie_init_timestamp() overflows (git-fixes). - commit e3c259b - ubi: Add a check for ubi_num (git-fixes). - ubi: fastmap: wl: Schedule fm_work if wear-leveling pool is empty (git-fixes). - ubi: wl: Put source PEB into correct list if trying locking LEB failed (git-fixes). - ubi: block: fix null-pointer-dereference in ubiblock_create() (git-fixes). - ubi: eba: properly rollback inside self_check_eba (git-fixes). - ubi: correct the calculation of fastmap size (stable-fixes). - ubi: block: Fix use-after-free in ubiblock_cleanup (git-fixes). - ubi: fastmap: may_reserve_for_fm: Don't reserve PEB if fm_anchor exists (git-fixes). - ubi: fastmap: Fix missed ec updating after erasing old fastmap data block (git-fixes). - commit 123f0f1 - soc: qcom: pdr: Fix the potential deadlock (git-fixes). - firmware: imx-scu: fix OF node leak in .probe() (git-fixes). - commit cbadc13 - tcp: introduce tcp_clock_ms() (git-fixes). - commit ef89ad4 - include/linux/mmzone.h: clean up watermark accessors (bsc#1239600). - commit 9cc8558 - mm: create promo_wmark_pages and clean up open-coded sites (bsc#1239600). - commit 9684a94 - tcp: process the 3rd ACK with sk_socket for TFO/MPTCP (git-fixes). - tcp: reduce accepted window in NEW_SYN_RECV state (git-fixes). - tcp: replace tcp_time_stamp_raw() (git-fixes). - commit 3bc54d8 - mm: accept to promo watermark (bsc#1239600). - commit 1ee3b42 - mm: fix endless reclaim on machines with unaccepted memory (bsc#1239600). - commit 2f9ff68 - dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature (git-fixes). - commit a688092 - kABI fix for tcp: drop secpath at the same time as we currently drop (CVE-2025-21864 bsc#1239482). - commit 79a237f - usb: xhci: Enable the TRB overfetch quirk on VIA VL805 (git-fixes). - commit f5ad85e - xhci: pci: Use standard pattern for device IDs (git-fixes). - Refresh patches.suse/xhci-pci-Fix-indentation-in-the-PCI-device-ID-defini.patch. - commit 6e83d36 - xhci: Don't perform Soft Retry for Etron xHCI host (git-fixes). - commit 9beb310 - xhci: Don't issue Reset Device command to Etron xHCI host (jsc#PED-10701). - commit 5ad7a28 - xhci: Combine two if statements for Etron xHCI host (jsc#PED-10701). - commit 68c16e1 - xhci: Cleanup Candence controller PCI device and vendor ID usage (git-fixes). - commit df43775 - usb: xHCI: add XHCI_RESET_ON_RESUME quirk for Phytium xHCI host (git-fixes). - commit 1479d30 - usb: xhci: remove 'retval' from xhci_pci_resume() (git-fixes). - commit 6f73c8c - xhci: Apply XHCI_RESET_TO_DEFAULT quirk to TGL (git-fixes). - commit 32a2ce7 - xhci: pci: Use PCI_VENDOR_ID_RENESAS (git-fixes). - commit 02e0809 - xhci: pci: Group out Thunderbolt xHCI IDs (git-fixes). - commit 3ebb63d - xhci: pci: Use full names in PCI IDs for Intel platforms (git-fixes). - commit 38d020d - ila: call nf_unregister_net_hooks() sooner (CVE-2024-46782 bsc#1230769). - commit e9d9715 - Input: iqs7222 - preserve system status register (git-fixes). - commit 1f2a9a2 - Input: iqs7222 - add support for IQS7222D v1.1 and v1.2 (git-fixes). - commit 9ee6aed - Input: iqs7222 - add support for Azoteq IQS7222D (git-fixes). - commit 6fedbfd - Update patches.suse/ASoC-SOF-stream-ipc-Check-for-cstream-nullity-in-sof.patch (git-fixes CVE-2025-21847 bsc#1239471). - Update patches.suse/HID-multitouch-Add-NULL-check-in-mt_input_configured.patch (git-fixes CVE-2024-58020 bsc#1239346). - Update patches.suse/USB-gadget-f_midi-f_midi_complete-to-call-queue_work.patch (git-fixes CVE-2025-21859 bsc#1239467). - Update patches.suse/acct-perform-last-write-from-workqueue.patch (git-fixes CVE-2025-21846 bsc#1239508). - Update patches.suse/block-don-t-revert-iter-for-EIOCBQUEUED.patch (git-fixes CVE-2025-21832 bsc#1239105). - Update patches.suse/fbdev-omap-use-threaded-IRQ-for-LCD-DMA.patch (stable-fixes CVE-2025-21821 bsc#1239174). - Update patches.suse/nfsd-clear-acl_access-acl_default-after-releasing-them.patch (git-fixes CVE-2025-21796 bsc#1238716). - Update patches.suse/nvmet-Fix-crash-when-a-namespace-is-disabled.patch (git-fixes CVE-2025-21850 bsc#1239477). - Update patches.suse/orangefs-fix-a-oob-in-orangefs_debug_write.patch (git-fixes CVE-2025-21782 bsc#1239117). - Update patches.suse/partitions-mac-fix-handling-of-bogus-partition-table.patch (git-fixes CVE-2025-21772 bsc#1238911). - Update patches.suse/powerpc-code-patching-Fix-KASAN-hit-by-not-flagging-.patch (bsc#1215199 CVE-2025-21866 bsc#1239473). - commit d74c347 - nvkm/gsp: correctly advance the read pointer of GSP message queue (bsc#1238997 CVE-2024-58019) - commit 73aa11f - i2c: sis630: Fix an error handling path in sis630_probe() (git-fixes). - i2c: ali15x3: Fix an error handling path in ali15x3_probe() (git-fixes). - i2c: ali1535: Fix an error handling path in ali1535_probe() (git-fixes). - i2c: omap: fix IRQ storms (git-fixes). - commit a2963cf - Input: ads7846 - fix gpiod allocation (git-fixes). - commit 829ae40 - ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model (stable-fixes). - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx (stable-fixes). - commit 10b7907 - ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() (git-fixes). - ASoC: rt722-sdca: add missing readable registers (git-fixes). - drm/dp_mst: Fix locking when skipping CSN before topology probing (git-fixes). - drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() (git-fixes). - drm/amd/display: Fix slab-use-after-free on hdcp_work (git-fixes). - commit 866bbeb - Refresh patches.suse/mptcp-fix-rcv-buffer-auto-tuning.patch. - Refresh patches.suse/mptcp-move-__mptcp_error_report-in-protocol.c.patch. - Refresh patches.suse/tcp-define-initial-scaling-factor-value-as-a-macro.patch. - Refresh patches.suse/tcp-increase-the-default-TCP-scaling-ratio.patch. After discussing with @jwiesner: re-introduce b8dc6d6ce (&quot;mptcp: fix rcv buffer auto-tuning&quot;) - commit 2c38df3 - mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() (CVE-2025-21861 bsc#1239483). - commit 2aaf230 - mm: migrate_device: use more folio in migrate_device_finalize() (CVE-2025-21861 bsc#1239483 dependency). - commit 6c15dfd - geneve: Suppress list corruption splat in geneve_destroy_tunnels() (CVE-2025-21858 bsc#1239468). - gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl() (CVE-2025-21865 bsc#1239481). - ibmvnic: Don't reference skb after sending to VIOS (CVE-2025-21858 bsc#1239468). - geneve: Fix use-after-free in geneve_find_dev() (CVE-2025-21858 bsc#1239468). - commit 37714b5 - drm/amdgpu: Check extended configuration space register when system uses large bar (stable-fixes). - Refresh patches.suse/drm-amdgpu-disable-BAR-resize-on-Dell-G5-SE.patch. - commit 3119f0d - wifi: cfg80211: cancel wiphy_work before freeing wiphy (git-fixes). - wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms (git-fixes). - Bluetooth: hci_event: Fix enabling passive scanning (git-fixes). - usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader (stable-fixes). - intel_th: pci: Add Panther Lake-P/U support (stable-fixes). - intel_th: pci: Add Panther Lake-H support (stable-fixes). - intel_th: pci: Add Arrow Lake support (stable-fixes). - mei: me: add panther lake P DID (stable-fixes). - gpio: rcar: Use raw_spinlock to protect register access (stable-fixes). - platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e (stable-fixes). - drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M (stable-fixes). - drm/i915/ddi: Fix HDMI port width programming in DDI_BUF_CTL (git-fixes). - xhci: pci: Fix indentation in the PCI device ID definitions (stable-fixes). - drm/i915/xe2lpd: Move D2D enable/disable (stable-fixes). - commit afdffc3 - Delete patches.suse/APEI-GHES-Have-GHES-honor-the-panic-setting.patch (bsc#1239615) The panic-on-reboot behavior change is too surprsing as an update, better to be reverted during SP - commit 38b0ca3 - nfs: ignore SB_RDONLY when remounting nfs (bsc#1238565). - commit dbe8ca2 - nfs: clear SB_RDONLY before getting superblock (bsc#1238565). - commit 41b72ba - dm-crypt: track tag_offset in convert_context (git-fixes). - commit e418c3f - dm-crypt: don't update io-&gt;sector after kcryptd_crypt_write_io_submit() (git-fixes). - commit 4e42a0d - dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY (git-fixes). - commit d656a3c - dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) (git-fixes). mwilck: some hand editing because d95e2c34a3ca (&quot;dm verity: Fix IO priority lost when reading FEC and hash&quot;) is missing - commit 952c7af - dm array: fix cursor index when skipping across block boundaries (git-fixes). - commit 9559a70 - dm array: fix unreleased btree blocks on closing a faulty array cursor (git-fixes). - commit 3401ff8 - dm thin: Add missing destroy_work_on_stack() (git-fixes). - commit b8c64af - dm: Fix typo in error message (git-fixes). - commit 085bad2 - dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow (git-fixes). - commit 9289690 - Revert &quot;dm: requeue IO if mapping table not yet available&quot; (git-fixes). - commit 5102f1f - dm-integrity: fix a race condition when accessing recalc_sector (git-fixes). - commit f9223d3 - dm persistent data: fix memory allocation failure (git-fixes). - commit 6ad0a55 - dm resume: don't return EINVAL when signalled (git-fixes). - commit b83910f - dm suspend: return -ERESTARTSYS instead of -EINTR (git-fixes). - commit d18f8de - dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume (git-fixes). - commit 6d3fcd8 - dm init: Handle minors larger than 255 (git-fixes). - commit 73dcd27 - bitmap: introduce generic optimized bitmap_size() (git-fixes). - commit 3d6cb93 - dm-delay: fix max_delay calculations (git-fixes). - commit 9bd5588 - dm-delay: fix hung task introduced by kthread mode (git-fixes). - commit c232aae - dm-delay: fix workqueue delay_timer race (git-fixes). - commit d3bc4cb - dm integrity: fix out-of-range warning (git-fixes). - commit 94146a8 - dm-integrity: align the outgoing bio in integrity_recheck (git-fixes). - commit 8ef7f34 - tcp: Defer ts_recent changes until req is owned (git-fixes). - tcp: adjust rcvq_space after updating scaling ratio (git-fixes). - tcp: Annotate data-race around sk-&gt;sk_mark in tcp_v4_send_reset (git-fixes). - tcp: check space before adding MPTCP SYN options (git-fixes). - commit 3e8333c - tcp: fix TFO SYN_RECV to not zero retrans_stamp with retransmits out (git-fixes). - tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe (git-fixes). - tcp: fix to allow timestamp undo if no retransmits were sent (git-fixes). - commit 057626d - tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process (git-fixes). - commit b709352 - tcp: fix forever orphan socket caused by tcp_abort (git-fixes). - commit ee5bb6a - tcp: Update window clamping condition (git-fixes). - commit 21c2df7 - tcp: Adjust clamping window for applications specifying SO_RCVBUF (git-fixes). - commit 45a6b13 - tcp: Don't drop SYN+ACK for simultaneous connect() (git-fixes). - commit d347622 - tcp: fix races in tcp_v_err() (git-fixes). - commit 7d8961a - tcp: fix races in tcp_abort() (git-fixes). - commit 57c21f2 - tcp: fix race in tcp_write_err() (git-fixes). - commit f7c5a0b - tcp: add tcp_done_with_error() helper (git-fixes). - commit 67b079b - tcp: fix incorrect undo caused by DSACK of TLP retransmit (git-fixes). - commit 7fc3dc6 - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() (git-fixes). - commit 481ef49 - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO (git-fixes). - commit e0d6e17 - tcp: clear tp-&gt;retrans_stamp in tcp_rcv_fastopen_synack() (git-fixes). - commit 2f9ac53 - tcp: fix race in tcp_v6_syn_recv_sock() (git-fixes). - commit debc800 - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB (git-fixes). - commit e578c32 - tcp: remove 64 KByte limit for initial tp-&gt;rcv_wnd value (git-fixes). - commit a0f87a0 - tcp: avoid premature drops in tcp_add_backlog() (git-fixes). - commit 9d8f16e - tcp: increase the default TCP scaling ratio (git-fixes). - commit 37d2a56 - tcp: annotate data-races around tp-&gt;window_clamp (git-fixes). - Refresh patches.suse/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_spac.patch. - commit baccd3e - tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses (git-fixes). - commit 10a8fd3 - tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() (git-fixes). - commit 2c65748 - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function (git-fixes). - commit 1b71f1e - tcp: Add memory barrier to tcp_push() (git-fixes). - commit 9e18439 - tcp: fix mid stream window clamp (git-fixes). - commit 1da9c62 - tcp: define initial scaling factor value as a macro (git-fixes). - Refresh patches.suse/tcp-get-rid-of-sysctl_tcp_adv_win_scale.patch. - Refresh patches.suse/tcp-reorganize-tcp_sock-fast-path-variables.patch. - commit 5d65891 - tcp: fix cookie_init_timestamp() overflows (git-fixes). - commit 35f4bde - tcp: derive delack_max from rto_min (git-fixes). - commit 681cef6 - tcp: check mptcp-level constraints for backlog coalescing (git-fixes). - commit f47afe8 - s390/traps: Fix test_monitor_call() inline assembly (git-fixes bsc#1239595). - commit e1c229c - s390/stackleak: Use exrl instead of ex in __stackleak_poison() (git-fixes bsc#1239594). - commit bf5ac4c - s390/ism: add release function for struct device (git-fixes CVE-2025-21856 bsc#1239486). - commit ae9aecd - tcp: drop secpath at the same time as we currently drop dst (CVE-2025-21864 bsc#1239482). - commit 068f76d - tcp: properly terminate timers for kernel sockets (CVE-2024-35910 bsc#1224489). - commit cd84ccc - net: sched: use RCU read-side critical section in taprio_dump() (CVE-2024-50140 bsc#1233060). - commit 481b06f - spi: microchip-core: Use helper function devm_clk_get_enabled() (git-fixes). - commit ba5bb35 - spi: microchip-core: Clean up redundant dev_err_probe() (git-fixes). - Refresh patches.suse/spi-microchip-core-switch-to-use-modern-name.patch. - commit e92f46c - net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg (CVE-2024-49571 bsc#1235733). - commit d49e720 - kABI: bpf: Prevent tailcall infinite loop caused by freplace kABI workaround (bsc#1235712 CVE-2024-47794). - commit b659789 - bpf: Prevent tailcall infinite loop caused by freplace (bsc#1235712 CVE-2024-47794). - commit 594a2b0 - netdev: prevent accessing NAPI instances from another namespace (CVE-2025-21659 bsc#1236206). - commit 4814e4a - ice: Remove and readd netdev during devlink reload (bsc#1230497 bsc#1239518). - Refresh patches.suse/ice-add-ice_adapter-for-shared-data-across-PFs-on-th.patch. - commit fac3f79 - HID: hid-steam: Fix use-after-free when detaching device (git-fixes). - HID: appleir: Fix potential NULL dereference at raw event handle (git-fixes). - HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() (git-fixes). - HID: google: fix unused variable warning under !CONFIG_ACPI (git-fixes). - HID: i2c-hid: Skip SET_POWER SLEEP for Cirque touchpad on system suspend (stable-fixes). - commit 66671e7 - pinctrl: bcm281xx: Fix incorrect regmap max_registers value (git-fixes). - commit e9a08e4 - net: mana: Allow variable size indirection table (bsc#1239016). - Refresh patches.suse/net-mana-Enable-debugfs-files-for-MANA-device.patch. - commit 987aac3 - net: mana: Fix irq_contexts memory leak in mana_gd_setup_irqs (bsc#1239015). - net: mana: Fix memory leak in mana_gd_setup_irqs (bsc#1239015). - net: mana: Avoid open coded arithmetic (bsc#1239016). - RDMA/mana_ib: Prefer struct_size over open coded arithmetic (bsc#1239016). - net: mana: Add flex array to struct mana_cfg_rx_steer_req_v2 (bsc#1239016). - net: mana: Assigning IRQ affinity on HT cores (bsc#1239015). - net: mana: add a function to spread IRQs per CPUs (bsc#1239015). - cpumask: define cleanup function for cpumasks (bsc#1239015). - cpumask: add cpumask_weight_andnot() (bsc#1239015). - commit 99e576d - af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash (bsc#1239435). - af_unix: Annotate data-race of sk-&gt;sk_state in unix_stream_read_skb() (bsc#1239435). - commit 53fc06a - padata: fix sysfs store callback check (git-fixes). - commit 9e53996 - netpoll: Fix race condition in netpoll_owner_active (CVE-2024-41005 bsc#1227858). - commit edbf839 - sched/membarrier: Fix redundant load of membarrier_state (bsc#1232743). - commit 4b4693f - tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind (git-fixes). - commit acac4ee - selftests/bpf: Add test case for the freeing of bpf_timer (bsc#1238971 CVE-2025-21825). - bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT (bsc#1238971 CVE-2025-21825). - commit d0cb4f3 - kABI fix for l2tp: prevent possible tunnel refcount underflow (CVE-2024-49940 bsc#1232812). - commit d6225ab - powerpc/pseries/iommu: memory notifier incorrectly adds TCEs for pmemory (bsc#1239167 ltc#211055). - commit 1543fff - l2tp: fix lockdep splat (git-fixes). - commit 1b614a9 - l2tp: fix ICMP error handling for UDP-encap sockets (git-fixes). - commit 9f93194 - net l2tp: drop flow hash on forward (git-fixes). - commit c98f745 - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function (git-fixes). - commit 33af351 - net_sched: sch_sfq: don't allow 1 packet limit (CVE-2024-57996 bsc#1239076). - commit 8f719fe - ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params (CVE-2024-58012 bsc#1239104). - commit 3d2e163 - usb: gadget: Check bmAttributes only if configuration is valid (git-fixes). - usb: gadget: Fix setting self-powered state on suspend (git-fixes). - commit 1151d65 - usb: typec: ucsi: Fix NULL pointer access (git-fixes). - usb: hub: lack of clearing xHC resources (git-fixes). - usb: renesas_usbhs: Flush the notify_hotplug_work (git-fixes). - usb: renesas_usbhs: Use devm_usb_get_phy() (git-fixes). - usb: renesas_usbhs: Call clk_put() (git-fixes). - usb: dwc3: gadget: Prevent irq storm when TH re-executes (git-fixes). - usb: typec: ucsi: increase timeout for PPM reset operations (git-fixes). - usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality (git-fixes). - usb: gadget: Set self-powered based on MaxPower and bmAttributes (git-fixes). - usb: gadget: u_ether: Set is_suspend flag if remote wakeup fails (git-fixes). - usb: atm: cxacru: fix a flaw in existing endpoint checks (git-fixes). - drivers: core: fix device leak in __fw_devlink_relax_cycles() (git-fixes). - Revert &quot;drivers/card_reader/rtsx_usb: Restore interrupt based detection&quot; (git-fixes). - bus: simple-pm-bus: fix forced runtime PM use (git-fixes). - char: misc: deallocate static minor in error path (git-fixes). - eeprom: digsy_mtc: Make GPIO lookup table match the device (git-fixes). - drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl (git-fixes). - slimbus: messaging: Free transaction ID in delayed interrupt scenario (git-fixes). - cdx: Fix possible UAF error in driver_override_show() (git-fixes). - bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock (git-fixes). - iio: filter: admv8818: Force initialization of SDO (git-fixes). - iio: dac: ad3552r: clear reset status flag (git-fixes). - iio: adc: at91-sama5d2_adc: fix sama7g5 realbits value (git-fixes). - commit 481095d - Update patches.suse/HID-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch (git-fixes CVE-2025-21794 bsc#1238502). - Update patches.suse/NFC-nci-Add-bounds-checking-in-nci_hci_create_pipe.patch (git-fixes CVE-2025-21735 bsc#1238497). - Update patches.suse/PCI-Avoid-putting-some-root-ports-into-D3-on-TUXEDO-.patch (git-fixes CVE-2025-21831 bsc#1239039). - Update patches.suse/PCI-rcar-ep-Fix-incorrect-variable-used-when-calling.patch (git-fixes CVE-2025-21804 bsc#1238736). - Update patches.suse/RDMA-mlx5-Fix-a-race-for-an-ODP-MR-which-leads-to-CQ.patch (git-fixes CVE-2025-21732 bsc#1237877). - Update patches.suse/RDMA-mlx5-Fix-implicit-ODP-use-after-free.patch (git-fixes CVE-2025-21714 bsc#1237890). - Update patches.suse/RDMA-rxe-Fix-the-warning-__rxe_cleanup-0x12c-0x170-r.patch (git-fixes CVE-2025-21829 bsc#1239030). - Update patches.suse/Revert-drm-amd-display-Use-HW-lock-mgr-for-PSR1.patch (stable-fixes CVE-2025-21819 bsc#1238994). - Update patches.suse/USB-hub-Ignore-non-compliant-devices-with-too-many-c.patch (stable-fixes CVE-2025-21776 bsc#1238909). - Update patches.suse/arm64-cacheinfo-Avoid-out-of-bounds-write-to-cacheinfo-array.patch (git-fixes CVE-2025-21785 bsc#1238747). - Update patches.suse/ata-libata-sff-Ensure-that-we-cannot-write-outside-t.patch (stable-fixes CVE-2025-21738 bsc#1238917). - Update patches.suse/batman-adv-Drop-unmanaged-ELP-metric-worker.patch (git-fixes CVE-2025-21823 bsc#1238475). - Update patches.suse/batman-adv-fix-panic-during-interface-removal.patch (git-fixes CVE-2025-21781 bsc#1238735). - Update patches.suse/blk-cgroup-Fix-class-block_class-s-subsystem-refcount-leakage.patch (bsc#1237558 CVE-2025-21745 bsc#1238785). - Update patches.suse/block-bfq-fix-waker_bfqq-UAF-after-bfq_split_bfqq.patch (git-fixes CVE-2025-21631 bsc#1236099). - Update patches.suse/can-ctucanfd-handle-skb-allocation-failure.patch (git-fixes CVE-2025-21775 bsc#1238501). - Update patches.suse/can-etas_es58x-fix-potential-NULL-pointer-dereferenc.patch (git-fixes CVE-2025-21773 bsc#1238762). - Update patches.suse/driver-core-class-Fix-wild-pointer-dereferences-in-A.patch (git-fixes CVE-2025-21810 bsc#1238757). - Update patches.suse/drm-amdgpu-avoid-buffer-overflow-attach-in-smu_sys_s.patch (stable-fixes CVE-2025-21780 bsc#1239115). - Update patches.suse/drm-amdgpu-bail-out-when-failed-to-load-fw-in-psp_in.patch (git-fixes CVE-2025-21784 bsc#1238510). - Update patches.suse/landlock-Handle-weird-files.patch (git-fixes CVE-2025-21830 bsc#1239033). - Update patches.suse/misc-fastrpc-Fix-copy-buffer-page-size.patch (git-fixes CVE-2025-21734 bsc#1238734). - Update patches.suse/mm-compaction-fix-UBSAN-shift-out-of-bounds-warning.patch (git fixes (mm/compaction) CVE-2025-21815 bsc#1238474). - Update patches.suse/msft-hv-3160-KVM-x86-Reject-Hyper-V-s-SEND_IPI-hypercalls-if-loca.patch (git-fixes CVE-2025-21779 bsc#1238768). - Update patches.suse/nbd-don-t-allow-reconnect-after-disconnect.patch (git-fixes CVE-2025-21731 bsc#1237881). - Update patches.suse/net-rose-fix-timer-races-against-user-threads.patch (git-fixes CVE-2025-21718 bsc#1239073). - Update patches.suse/net-rose-lock-the-socket-in-rose_bind.patch (git-fixes CVE-2025-21749 bsc#1238904). - Update patches.suse/net-rose-prevent-integer-overflows-in-rose_setsockop.patch (git-fixes CVE-2025-21711 bsc#1239114). - Update patches.suse/net-usb-rtl8150-enable-basic-endpoint-checking.patch (git-fixes CVE-2025-21708 bsc#1239087). - Update patches.suse/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch (git-fixes CVE-2025-21736 bsc#1238715). - Update patches.suse/padata-avoid-UAF-for-reorder_work.patch (git-fixes CVE-2025-21726 bsc#1238865). - Update patches.suse/padata-fix-UAF-in-padata_reorder.patch (git-fixes CVE-2025-21727 bsc#1237876). - Update patches.suse/scsi-mpi3mr-Fix-possible-crash-when-setting-up-bsg-f.patch (git-fixes CVE-2025-21723 bsc#1238864). - Update patches.suse/spi-sn-f-ospi-Fix-division-by-zero.patch (git-fixes CVE-2025-21793 bsc#1238500). - Update patches.suse/tty-xilinx_uartps-split-sysrq-handling.patch (git-fixes CVE-2025-21820 bsc#1238479). - Update patches.suse/usb-cdc-acm-Check-control-transfer-buffer-size-befor.patch (git-fixes CVE-2025-21704 bsc#1237571). - Update patches.suse/usb-gadget-core-flush-gadget-workqueue-after-device-.patch (git-fixes CVE-2025-21838 bsc#1239065). - Update patches.suse/usb-gadget-f_midi-fix-MIDI-Streaming-descriptor-leng.patch (git-fixes CVE-2025-21835 bsc#1239068). - Update patches.suse/usbnet-ipheth-fix-DPE-OoB-read.patch (git-fixes CVE-2025-21741 bsc#1238767). - Update patches.suse/usbnet-ipheth-fix-possible-overflow-in-DPE-length-ch.patch (git-fixes CVE-2025-21743 bsc#1238781). - Update patches.suse/usbnet-ipheth-use-static-NDP16-location-in-URB.patch (git-fixes CVE-2025-21742 bsc#1238771). - Update patches.suse/vsock-Keep-the-binding-until-socket-destruction.patch (git-fixes CVE-2025-21756 bsc#1238876). - Update patches.suse/wifi-brcmfmac-Check-the-return-value-of-of_property_.patch (stable-fixes CVE-2025-21750 bsc#1238905). - Update patches.suse/wifi-brcmfmac-fix-NULL-pointer-dereference-in-brcmf_.patch (stable-fixes CVE-2025-21744 bsc#1238903). - Update patches.suse/wifi-mac80211-don-t-flush-non-uploaded-STAs.patch (git-fixes CVE-2025-21828 bsc#1238958). - Update patches.suse/zram-fix-potential-UAF-of-zram-table.patch (git-fixes CVE-2025-21671 bsc#1236692). - commit 0d7f015 - Update patches.suse/Bluetooth-L2CAP-handle-NULL-sock-pointer-in-l2cap_so.patch (git-fixes CVE-2024-58009 bsc#1238760). - Update patches.suse/Bluetooth-MGMT-Fix-slab-use-after-free-Read-in-mgmt_.patch (stable-fixes CVE-2024-58013 bsc#1239095). - Update patches.suse/HID-core-Fix-assumption-that-Resolution-Multipliers-.patch (git-fixes CVE-2024-57986 bsc#1237907). - Update patches.suse/HID-hid-thrustmaster-Fix-warning-in-thrustmaster_pro.patch (git-fixes CVE-2024-57993 bsc#1237894). - Update patches.suse/PCI-dwc-ep-Prevent-changing-BAR-size-flags-in-pci_ep.patch (git-fixes CVE-2024-58006 bsc#1238772). - Update patches.suse/block-Fix-page-refcounts-for-unaligned-buffers-in-__bio_release_pages.patch (git-fixes CVE-2024-35826 bsc#1224610). - Update patches.suse/block-avoid-to-reuse-hctx-not-removed-from-cpuhp-callback-list.patch (git-fixes CVE-2024-41149 bsc#1235698). - Update patches.suse/block-fix-integer-overflow-in-BLKSECDISCARD.patch (git-fixes CVE-2024-49994 bsc#1225770). - Update patches.suse/cifs-fix-potential-null-pointer-use-in-destroy_workqueue-in-init_ci.patch (bsc#1231432 CVE-2024-42307 bsc#1229361). - Update patches.suse/clk-qcom-dispcc-sm6350-Add-missing-parent_map-for-a-.patch (git-fixes CVE-2024-58080 bsc#1239027). - Update patches.suse/clk-qcom-gcc-sm6350-Add-missing-parent_map-for-two-c.patch (git-fixes CVE-2024-58076 bsc#1239037). - Update patches.suse/drm-amdgpu-Fix-potential-NULL-pointer-dereference-in.patch (git-fixes CVE-2024-58052 bsc#1238986). - Update patches.suse/drm-msm-gem-prevent-integer-overflow-in-msm_ioctl_ge.patch (git-fixes CVE-2024-52559 bsc#1238507). - Update patches.suse/drm-v3d-Stop-active-perfmon-if-it-is-being-destroyed.patch (git-fixes CVE-2024-58086 bsc#1239038). - Update patches.suse/idpf-convert-workqueues-to-unbound.patch (git-fixes CVE-2024-58057 bsc#1238969). - Update patches.suse/ipmi-ipmb-Add-check-devm_kasprintf-returned-value.patch (git-fixes CVE-2024-58051 bsc#1238963). - Update patches.suse/media-imx-jpeg-Fix-potential-error-pointer-dereferen.patch (git-fixes CVE-2024-57978 bsc#1238523). - Update patches.suse/media-uvcvideo-Fix-crash-during-unbind-if-gpio-unit-.patch (git-fixes CVE-2024-58079 bsc#1239029). - Update patches.suse/media-uvcvideo-Fix-double-free-in-error-path.patch (git-fixes CVE-2024-57980 bsc#1237911). - Update patches.suse/media-uvcvideo-Remove-dangling-pointers.patch (git-fixes CVE-2024-58002 bsc#1238503). - Update patches.suse/media-vidtv-Fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch (stable-fixes CVE-2024-57834 bsc#1238993). - Update patches.suse/memory-tegra20-emc-fix-an-OF-node-reference-bug-in-t.patch (git-fixes CVE-2024-58034 bsc#1238773). - Update patches.suse/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-mis.patch (git-fixes CVE-2024-58078 bsc#1239034). - Update patches.suse/net-fix-removing-a-namespace-with-conflicting-altnam.patch (bsc#1233749 CVE-2024-26634 bsc#1221651). - Update patches.suse/null_blk-fix-validation-of-block-size.patch (git-fixes CVE-2024-41077 bsc#1228653). - Update patches.suse/platform-x86-int3472-Check-for-adev-NULL.patch (stable-fixes CVE-2024-58011 bsc#1239080). - Update patches.suse/powerpc-pseries-iommu-IOMMU-incorrectly-marks-MMIO-r.patch (bsc#1218470 ltc#204531 CVE-2024-57999 bsc#1238526). - Update patches.suse/printk-Fix-signed-integer-overflow-when-defining-LOG_BUF_LEN_MAX.patch (bsc#1237950 CVE-2024-58017 bsc#1239112). - Update patches.suse/rdma-cxgb4-Prevent-potential-integer-overflow-on-32b.patch (git-fixes CVE-2024-57973 bsc#1238531). - Update patches.suse/remoteproc-core-Fix-ida_free-call-while-not-allocate.patch (git-fixes CVE-2024-58056 bsc#1238981). - Update patches.suse/rtc-pcf85063-fix-potential-OOB-write-in-PCF85063-NVM.patch (git-fixes CVE-2024-58069 bsc#1238978). - Update patches.suse/scsi-hisi_sas-Fix-a-deadlock-issue-related-to-automa-3c4f53b2.patch (git-fixes CVE-2024-26873 bsc#1223047). - Update patches.suse/scsi-megaraid_sas-Fix-for-a-potential-deadlock.patch (git-fixes CVE-2024-57807 bsc#1235761). - Update patches.suse/smb-client-fix-double-put-of-cfile-in-smb2_rename_path-.patch (git-fixes CVE-2024-46736 bsc#1230728). - Update patches.suse/smb-client-fix-double-put-of-cfile-in-smb2_set_path_size-.patch (git-fixes CVE-2024-46796 bsc#1230832). - Update patches.suse/smb-client-fix-possible-double-free-in-smb2_set_ea-.patch (git-fixes CVE-2024-50152 bsc#1233033). - Update patches.suse/soc-qcom-socinfo-Avoid-out-of-bounds-read-of-serial-.patch (git-fixes CVE-2024-58007 bsc#1238511). - Update patches.suse/staging-media-max96712-fix-kernel-oops-when-removing.patch (git-fixes CVE-2024-58054 bsc#1238975). - Update patches.suse/tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch (stable-fixes CVE-2024-58085 bsc#1239085). - Update patches.suse/tpm-Change-to-kvalloc-in-eventlog-acpi.c.patch (bsc#1233260 bsc#1233259 bsc#1232421 CVE-2024-58005 bsc#1237873). - Update patches.suse/ubifs-skip-dumping-tnc-tree-when-zroot-is-null.patch (git-fixes CVE-2024-58058 bsc#1238979). - Update patches.suse/usb-gadget-f_tcm-Don-t-free-command-immediately.patch (git-fixes CVE-2024-58055 bsc#1238959). - Update patches.suse/usb-xhci-Fix-NULL-pointer-dereference-on-certain-com.patch (git-fixes CVE-2024-57981 bsc#1237912). - Update patches.suse/wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch (stable-fixes CVE-2024-58014 bsc#1239109). - Update patches.suse/wifi-mac80211-prohibit-deactivating-all-links.patch (git-fixes CVE-2024-58061 bsc#1238973). - Update patches.suse/wifi-mt76-mt7925-fix-off-by-one-in-mt7925_load_clc.patch (git-fixes CVE-2024-57990 bsc#1237900). - Update patches.suse/wifi-rtlwifi-fix-memory-leaks-and-invalid-access-at-.patch (git-fixes CVE-2024-58063 bsc#1238984). - Update patches.suse/wifi-rtlwifi-remove-unused-check_buddy_priv.patch (git-fixes CVE-2024-58072 bsc#1238964). - Update patches.suse/wifi-wcn36xx-fix-channel-survey-memory-allocation-si.patch (git-fixes CVE-2024-57997 bsc#1238529). - commit fb231d1 - Update patches.suse/cpu-hotplug-Don-t-offline-the-last-non-isolated-CPU.patch (bsc#1237562 CVE-2023-52831 bsc#1225533). - Update patches.suse/io_uring-rw-split-io_read-into-a-helper.patch (bsc#1215211 CVE-2023-52926 bsc#1237565). - commit a1ecaa9 - partitions: mac: fix handling of bogus partition table (git-fixes). - block: cleanup and fix batch completion adding conditions (git-fixes). - block: don't revert iter for -EIOCBQUEUED (git-fixes). - commit 9b6ced4 - rapidio: add check for rio_add_net() in rio_scan_alloc_net() (git-fixes). - rapidio: fix an API misues when rio_add_net() fails (git-fixes). - dma: kmsan: export kmsan_handle_dma() for modules (git-fixes). - commit 6203500 - orangefs: fix a oob in orangefs_debug_write (git-fixes). - commit d83f55b - sunrpc: suppress warnings for unused procfs functions (git-fixes). - commit cd678ab - SUNRPC: Handle -ETIMEDOUT return from tlshd (git-fixes). - commit 55bec3b - SUNRPC: Prevent looping due to rpc_signal_task() races (git-fixes). - commit 033fbe6 - SUNRPC: convert RPC_TASK_* constants to enum (git-fixes). - commit 444dbb7 - nfsd: clear acl_access/acl_default after releasing them (git-fixes). - commit 44261ed - pnfs/flexfiles: retry getting layout segment for reads (git-fixes). - commit 76f556a - ALSA: hda/realtek: Fix Asus Z13 2025 audio (stable-fixes). - Refresh patches.suse/ALSA-hda-realtek-Add-support-for-various-ASUS-Laptop.patch. - commit 9363cb2 - ALSA: hda/realtek: Add support for ASUS ROG Strix GA603 Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS ROG Strix G814 Laptop using CS35L41 HDA (stable-fixes). - commit aea7c4e - Refresh patches.suse/ALSA-hda-realtek-Workaround-for-resume-on-Dell-Venue.patch A patch chunk was dropped mistakenly - commit 0e9ac09 - ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using CS35L41 HDA (stable-fixes). - commit 4ef6d55 - ALSA: hda: realtek: fix incorrect IS_REACHABLE() usage (git-fixes). - commit 844da8a - ALSA: hda/realtek: Add support for various ASUS Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Limit mic boost on Positivo ARN50 (stable-fixes). - commit 2ee2163 - ALSA: hda: intel: Add Dell ALC3271 to power_save denylist (stable-fixes). - ALSA: hda/realtek: update ALC222 depop optimize (stable-fixes). - ALSA: hda/realtek - add supported Mic Mute LED for Lenovo platform (stable-fixes). - ALSA: seq: Avoid module auto-load handling at event delivery (stable-fixes). - commit 10a77af - hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe() (git-fixes). - hwmon: (ad7314) Validate leading zero bits and return error (git-fixes). - hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table (git-fixes). - hwmon: (pmbus) Initialise page count in pmbus_identify() (git-fixes). - gpio: rcar: Fix missing of_node_put() call (git-fixes). - gpio: aggregator: protect driver attr handlers against module unload (git-fixes). - ALSA: usx2y: validate nrpacks module parameter on probe (git-fixes). - ALSA: hda/realtek: Remove (revert) duplicate Ally X config (git-fixes). - drm/amd/display: Fix HPD after gpu reset (stable-fixes). - drm/amd/display: Disable PSR-SU on eDP panels (stable-fixes). - firmware: cs_dsp: Remove async regmap writes (git-fixes). - commit c757c56 - packaging: Patch Makefile to pre-select gcc version (jsc#PED-12251). When compiler different from the one which was used to configure the kernel is used to build modules a warning is issued and the build continues. This could be turned into an error but that would be too restrictive. The generated kernel-devel makefile could set the compiler but then the main Makefile as to be patched to assign CC with ?= This causes run_oldconfig failure on SUSE-2024 and kbuild config check failure on SUSE-2025. This cannot be hardcoded to one version in a regular patch because the value is expected to be configurable at mkspec time. Patch the Makefile after aplyin patches in rpm prep step instead. A check is added to verify that the sed command did indeed apply the change. - commit 6031391 - tracing/osnoise: Fix resetting of tracepoints (CVE-2025-21733 bsc#1238494). - commit 27d6e3b - btrfs: fix assertion failure when splitting ordered extent after transaction abort (CVE-2025-21754 bsc#1238496). - commit 2050c25 - kABI workaround for pps changes (CVE-2024-57979 bsc#1238521). - commit b151154 - pps: Fix a use-after-free (CVE-2024-57979 bsc#1238521). - commit c19b588 - initcall_blacklist: Does not allow kernel_lockdown be blacklisted (bsc#1237521). - commit c830a3e - drm/amd/display: Fix null check for pipe_ctx-&gt;plane_state in resource_build_scaling_params (git-fixes). - drm/sched: Fix preprocessor guard (git-fixes). - wifi: cfg80211: regulatory: improve invalid hints checking (git-fixes). - wifi: iwlwifi: limit printed string from FW file (git-fixes). - wifi: iwlwifi: mvm: don't try to talk to a dead firmware (git-fixes). - wifi: nl80211: reject cooked mode if it is set along with other flags (git-fixes). - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() (git-fixes). - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() (git-fixes). - bluetooth: btusb: Initialize .owner field of force_poll_sync_fops (git-fixes). - commit ba6baa3 - net: hns3: fix oops when unload drivers paralleling (CVE-2025-21802 bsc#1238751). - commit 1e9156e - NFSD: fix hang in nfsd4_shutdown_callback (CVE-2025-21795 bsc#1238759). - commit b38b339 - vxlan: check vxlan_vnigroup_init() return value (CVE-2025-21790 bsc#1238753). - commit f088d3b - clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context (CVE-2025-21767 bsc#1238509). - commit 63a12d3 - vxlan: Fix uninit-value in vxlan_vnifilter_dump() (CVE-2025-21716 bsc#1237891). - commit dd55756 - mptcp: handle fastopen disconnect correctly (CVE-2025-21705 bsc#1238525). - commit fd8b648 - exfat: fix timing of synchronizing bitmap and inode (bsc#1237356). - exfat: fix appending discontinuous clusters to empty file (bsc#1237356). - commit 7d766d0 - smb: client: fix oops due to unset link speed (CVE-2025-21725 bsc#1238877). - commit b5023ae - exfat: do not zero the extended part (bsc#1237356). - commit 156857e - ipmr: do not call mr_mfc_uses_dev() for unres entries (CVE-2025-21719 bsc#1238860). - commit d4d6c1b - net: davicom: fix UAF in dm9000_drv_remove (CVE-2025-21715 bsc#1237889). - commit 0308747 - iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() (CVE-2025-21724 bsc#1238863). - commit fa2cf3e - net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() (CVE-2025-21799 bsc#1238739). - commit b9602c4 - l2tp: prevent possible tunnel refcount underflow (CVE-2024-49940 bsc#1232812). - commit d920b08 - PCI/DOE: Poll DOE Busy bit for up to 1 second in pci_doe_send_req() (bsc#1237853) - commit b9248a0 - cppc_cpufreq: Use desired perf if feedback ctrs are 0 or unchanged (bsc#1237856) - commit 9a3d13e - cpufreq/cppc: Don't compare desired_perf in target() (bsc#1237856) - commit 03856df - cpufreq/cppc: Move and rename (bsc#1237856) - commit e1d3232 - cpufreq: cppc: Set fie_disabled to FIE_DISABLED if fails to create (bsc#1237856) - commit 34e3660 - cpufreq: cppc: cppc_cpufreq_get_rate() returns zero in all error (bsc#1237856) - commit b0fd1f1 - rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570) - commit 8be63c4 - PCI/DOE: Support discovery version 2 (bsc#1237853) - commit dfb1a17 - ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() (CVE-2024-53680 bsc#1235715). - commit 0f1b770 - scsi: hisi_sas: Remove redundant checks for automatic debugfs dump (git-fixes). - scsi: hisi_sas: Fix a deadlock issue related to automatic dump (git-fixes). - commit 2531f6e - scsi: core: Do not retry I/Os during depopulation (git-fixes). - commit 4c3f2b6 - scsi: mpi3mr: Fix possible crash when setting up bsg fails (git-fixes). - commit f1f6d56 - scsi: myrb: Remove dead code (git-fixes). - commit 11c2ac0 - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request (git-fixes). - commit 3d258a5 - scsi: scsi_debug: Fix hrtimer support for ndelay (git-fixes). - commit 6998b85 - scsi: mpi3mr: Start controller indexing from 0 (git-fixes). - commit 13d0e59 - scsi: megaraid_sas: Fix for a potential deadlock (git-fixes). - commit 330c415 - scsi: qla1280: Fix hw revision numbering for ISP1020/1040 (git-fixes). - commit f2ba519 - scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset (git-fixes). - commit 1ead6e0 - scsi: st: Don't modify unknown block number in MTIOCGET (git-fixes). - commit fb5d2a0 - scsi: sg: Enable runtime power management (git-fixes). - Refresh patches.suse/scsi-sg-Fix-slab-use-after-free-read-in-sg_release.patch. - commit 89afcac - scsi: hisi_sas: Enable all PHYs that are not disabled by user during controller reset (git-fixes). - commit 27a4afa - scsi: mpi3mr: Use ida to manage mrioc ID (git-fixes). - commit 782dd6e - scsi: hisi_sas: Allocate DFX memory during dump trigger (git-fixes). - Refresh patches.suse/scsi-hisi_sas-Create-all-dump-files-during-debugfs-initialization.patch - commit 9b4cb76 - scsi: hisi_sas: Directly call register snapshot instead of using workqueue (git-fixes). - commit 1286dd4 - scsi: qedi: Fix potential deadlock on &amp;qedi_percpu-&gt;p_work_lock (git-fixes). - commit 7c8c098 - ice: pass VSI pointer into ice_vc_isvalid_q_id (bsc#1237848 bsc#1230497). - commit df06d93 - config: Set gcc version (jsc#PED-12251). - packaging: Turn gcc version into config.sh variable Fixes: 51dacec21eb1 (&quot;Use gcc-13 for build on SLE16 (jsc#PED-10028).&quot;) - commit b1526c1 - arm64: hugetlb: Fix flush_hugetlb_tlb_range() invalidation level (git-fixes) - commit 1ccb01b - arm64: hugetlb: enable __HAVE_ARCH_FLUSH_HUGETLB_TLB_RANGE (git-fixes) - commit a9f56ff - arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes (git-fixes) - commit 85cc91e - mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear() (git-fixes) - commit 67ea9f3 - mm: hugetlb: add huge page size param to set_huge_pte_at() (git-fixes). Refresh patches.suse/s390-mm-Fix-clearing-storage-keys-for-huge-pages.patch. - commit f491ee9 - btrfs: check folio mapping after unlock in relocate_one_folio() (CVE-2024-56758 bsc#1235621) - commit 1866d3d - RDMA/mana_ib: Allocate PAGE aligned doorbell index (git-fixes). - KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel (git-fixes). - commit 82bdecd - rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303) - commit 1f1e842 - Update patches.suse/s390-pci-Fix-SR-IOV-for-PFs-initially-in-standby.patch (git-fixes bsc#1236752 bsc#1238368). - commit bf69596 - s390/pci: Fix handling of isolated VFs (git-fixes bsc#1238368). - s390/pci: Pull search for parent PF out of zpci_iov_setup_virtfn() (git-fixes bsc#1238368). - commit 0745d9f - bpf: Send signals asynchronously if !preemptible (git-fixes bsc#1237879 CVE-2025-21728). - commit 180a0da - rxrpc: Fix missing locking causing hanging calls (git-fixes bsc#1233483 CVE-2024-50294). - commit d2475e0 - scsi: lpfc: Copyright updates for 14.4.0.8 patches (bsc#1238347). - scsi: lpfc: Update lpfc version to 14.4.0.8 (bsc#1238347). - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (bsc#1238347). - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (bsc#1238347). - scsi: lpfc: Free phba irq in lpfc_sli4_enable_msi() when pci_irq_vector() fails (bsc#1238347). - scsi: lpfc: Reduce log message generation during ELS ring clean up (bsc#1238347). - commit 0a7ad68 - nvme/ioctl: add missing space in err message (git-fixes). - nvme-tcp: fix connect failure on receiving partial ICResp PDU (git-fixes). - nvme: tcp: Fix compilation warning with W=1 (git-fixes). - nvmet: Fix crash when a namespace is disabled (git-fixes). - nvme-fc: use ctrl state getter (git-fixes). - nvme: make nvme_tls_attrs_group static (git-fixes). - nvme: handle connectivity loss in nvme_set_queue_count (git-fixes). - nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk (git-fixes). - nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk (git-fixes). - commit 7d2a8bd - Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync (CVE-2024-50029 bsc#1231949). - commit 64f3840 - gup: make the stack expansion warning a bit more targeted (bsc#1238214). - commit feae374 - btrfs: fix use-after-free when attempting to join an aborted transaction (CVE-2025-21753 bsc#1237875) - commit 338e787 - phy: tegra: xusb: reset VBUS &amp; ID OVERRIDE (git-fixes). - phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk (git-fixes). - phy: rockchip: naneng-combphy: compatible reset with old DT (git-fixes). - commit 92e733c - i2c: ls2x: Fix frequency division register access (git-fixes). - i2c: npcm: disable interrupt enable bit before devm_request_irq (git-fixes). - commit 6c35b3b - drm/amdgpu: disable BAR resize on Dell G5 SE (git-fixes). - amdgpu/pm/legacy: fix suspend/resume issues (git-fixes). - commit d778b71 - soc/mediatek: mtk-devapc: Convert to platform remove callback returning void (stable-fixes). - Refresh patches.suse/soc-mediatek-mtk-devapc-Fix-leaking-IO-map-on-error-.patch. - commit b320307 - smb: client: Fix netns refcount imbalance causing leaks and use-after-free (git-fixes). - commit 7fb2f0e - scsi: core: Clear driver private data when retrying request (git-fixes). - md/md-bitmap: add 'sync_size' into struct md_bitmap_stats (git-fixes). - md/md-cluster: fix spares warnings for __le64 (git-fixes). - md/md-bitmap: replace md_bitmap_status() with a new helper md_bitmap_get_stats() (git-fixes). - scsi: core: Handle depopulation and restoration in progress (git-fixes). - commit 72dfeb6 - cifs: Fix parsing reparse point with native symlink in SMB1 non-UNICODE session (git-fixes). - commit 37da1d3 - ALSA: usb-audio: Re-add sample rate quirk for Pioneer DJM-900NXS2 (stable-fixes). - commit 1b4de08 - usbnet: gl620a: fix endpoint checking in genelink_bind() (git-fixes). - Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response (git-fixes). - ASoC: es8328: fix route from DAC to output (git-fixes). - ALSA: hda/realtek: Fix microphone regression on ASUS N705UD (git-fixes). - ALSA: hda/realtek: Fix wrong mic setup for ASUS VivoBook 15 (git-fixes). - ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports (git-fixes). - soc: loongson: loongson2_guts: Add check for devm_kstrdup() (git-fixes). - drm/i915/dp: Fix error handling during 128b/132b link training (stable-fixes). - drm/i915: Make sure all planes in use by the joiner have their crtc included (stable-fixes). - soc: mediatek: mtk-devapc: Fix leaking IO map on driver remove (git-fixes). - drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() (git-fixes). - drm/msm/gem: Demote userspace errors to DRM_UT_DRIVER (stable-fixes). - commit 73ebe5d - md/raid5: Wait sync io to finish before changing group cnt (git-fixes). - md/md-bitmap: Add missing destroy_work_on_stack() (git-fixes). - md: Don't flush sync_work in md_write_start() (git-fixes). - md: convert comma to semicolon (git-fixes). - md/raid1: don't free conf on raid0_run failure (git-fixes). - md/raid0: don't free conf on raid0_run failure (git-fixes). - commit b66645f - kabi: hide adding RCU head into struct netdev_name_node (bsc#1233749). - net: free altname using an RCU callback (bsc#1233749). - net: fix removing a namespace with conflicting altnames (bsc#1233749). - net: do not send a MOVE event when netdev changes netns (bsc#1233749). - net: Fix undefined behavior in netdev name allocation (bsc#1233749). - net: remove else after return in dev_prep_valid_name() (bsc#1233749). - net: remove dev_valid_name() check from __dev_alloc_name() (bsc#1233749). - net: trust the bitmap in __dev_alloc_name() (bsc#1233749). - net: reduce indentation of __dev_alloc_name() (bsc#1233749). - net: make dev_alloc_name() call dev_prep_valid_name() (bsc#1233749). - net: don't use input buffer of __dev_alloc_name() as a scratch space (bsc#1233749). - net: move altnames together with the netdevice (bsc#1233749). - net: avoid UAF on deleted altname (bsc#1233749). - net: check for altname conflicts when changing netdev's netns (bsc#1233749). - net: fix ifname in netlink ntf during netns move (bsc#1233749). - net: core: Use the bitmap API to allocate bitmaps (bsc#1233749). - commit ff5990f - smb: client: handle STATUS_IO_REPARSE_TAG_NOT_HANDLED (git-fixes). - commit 23d3ebd - smb: client: handle path separator of created SMB symlinks (git-fixes). - Refresh patches.suse/smb-client-move-most-of-reparse-point-handling-code-to-common-file.patch. - commit c241ea6 - smb: client: ignore unhandled reparse tags (git-fixes). - commit f2d26a5 - smb: client: fix double put of @cfile in smb2_rename_path() (git-fixes). - commit 4ac349c - smb: client: fix double put of @cfile in smb2_set_path_size() (git-fixes). - commit 647e9ab - cifs: Remove intermediate object of failed create reparse call (git-fixes). - commit fa14b80 - netfilter: nft_inner: incorrect percpu area handling under softirq (CVE-2024-56638 bsc#1235524). - commit 4c882b9 - ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple() (CVE-2024-57994 bsc#1237901). - commit e5a0226 - printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX (bsc#1237950). - commit 1ff6bc3 - add nf_tables for iptables non-legacy network handling This is needed for example by docker on the Alpine Linux distribution, but can also be used on openSUSE. - commit f9b0903 - af_packet: do not call packet_read_pending() from tpacket_destruct_skb() (bsc#1237849). - commit 4ff6762 - zram: fix potential UAF of zram table (git-fixes). - commit b9770a4 - Fix memory-hotplug regression (bsc#1237504) Refreshed patches.suse/mm-memory_hotplug-add-missing-mem_hotplug_lock.patch - commit 248260f - kernel-source: Also replace bin/env - commit dc2037c - net: do not delay dst_entries_add() in dst_release() (CVE-2024-50036 bsc#1231912). - commit 1203cd1 - RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers (git-fixes) - commit 72d0292 - RDMA/mlx5: Fix bind QP error cleanup flow (git-fixes) - commit a50daa9 - RDMA/mlx5: Fix AH static rate parsing (git-fixes) - commit d0d2370 - RDMA/mlx5: Fix implicit ODP hang on parent deregistration (git-fixes) - commit c4c267b - RDMA/bnxt_re: Fix the statistics for Gen P7 VF (git-fixes) - commit 2106458 - RDMA/hns: Fix mbox timing out by adding retry mechanism (git-fixes) - commit a795049 - RDMA/mlx5: Fix a WARN during dereg_mr for DM type (git-fixes) - commit 8f2604e - RDMA/mlx5: Fix a race for DMABUF MR which can lead to CQE with error (git-fixes) - commit d076f6b - IB/mlx5: Set and get correct qp_num for a DCT QP (git-fixes) - commit 92c60dc - RDMA/mlx5: Fix the recovery flow of the UMR QP (git-fixes) - commit 06e0da5 - zram: fix uninitialized ZRAM not releasing backing device (git-fixes). - zram: refuse to use zero sized block device as backing device (git-fixes). - zram: clear IDLE flag in mark_idle() (git-fixes). - zram: clear IDLE flag after recompression (git-fixes). - zram: do not mark idle slots that cannot be idle (git-fixes). - commit ef8009a - blk-cgroup: Properly propagate the iostat update up the hierarchy (bsc#1225606). - commit fb4fada - Refresh patches.suse/btrfs-fix-extent-map-merging-not-happening-for-adjacent-ex.patch. Fix the `-Wparentheses` build warning. ../fs/btrfs/extent_map.c: In function 'mergable_maps': ../fs/btrfs/extent_map.c:219:48: warning: suggest parentheses around comparison in operand of '&amp;' [-Wparentheses] - commit a88d495 - smb: client: fix corruption in cifs_extend_writeback (bsc#1235609). - commit 7111675 - Move upstreamed ACPI patch into sorted section - commit 34b98f4 - btrfs: fix defrag not merging contiguous extents due to merged extent maps (bsc#1237232). - btrfs: fix extent map merging not happening for adjacent extents (bsc#1237232). - commit a57c147 - zram: split memory-tracking and ac-time tracking (git-fixes). - Update config files. - commit d2eb9a9 - KVM: arm64: Fix alignment of kvm_hyp_memcache allocations (git-fixes). - commit 0b597f1 - KVM: arm64: Flush hyp bss section after initialization of variables in bss (git-fixes). - commit 7a0da9b - KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR (git-fixes). - commit 361bd1c - KVM: arm64: Ensure vgic_ready() is ordered against MMIO registration (git-fixes). - commit eb69c06 - KVM: arm64: Don't eagerly teardown the vgic on init error (git-fixes). - commit 09d2069 - KVM: nSVM: Enter guest mode before initializing nested NPT MMU (git-fixes). - commit b54256b - KVM: x86: Avoid double RDPKRU when loading host/guest PKRU (git-fixes). - commit 497fc9a - KVM: x86: Zero out PV features cache when the CPUID leaf is not present (git-fixes). - commit b3e323a - KVM: x86: Account for KVM-reserved CR4 bits when passing through CR4 on VMX (git-fixes). - commit fe0be3a - padata: Clean up in padata_do_multithreaded() (bsc#1237563). - padata: Honor the caller's alignment in case of chunk_size 0 (bsc#1237563). - cpu/hotplug: Don't offline the last non-isolated CPU (bsc#1237562). - cpu/hotplug: Prevent self deadlock on CPU hot-unplug (bsc#1237562). - commit 285ec7d - KVM: VMX: Fix comment of handle_vmx_instruction() (git-fixes). - commit 986c213 - KVM: VMX: Allow toggling bits in MSR_IA32_RTIT_CTL when enable bit is cleared (git-fixes). - commit 19b003b - KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init (git-fixes). - commit c214d6b - KVM: x86: AMD's IBPB is not equivalent to Intel's IBPB (git-fixes). - commit 08a45f2 - KVM: x86: Fix a comment inside __kvm_set_or_clear_apicv_inhibit() (git-fixes). - commit dc6e2e8 - blk-cgroup: Fix class @block_class's subsystem refcount leakage (bsc#1237558). - commit 908404a - KVM: x86/mmu: Skip the &quot;try unsync&quot; path iff the old SPTE was a leaf SPTE (git-fixes). - commit d7ef6bb - KVM: x86: Unconditionally set irr_pending when updating APICv state (jsc#PED-348). - commit 7089ba6 - KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled (jsc#PED-348 git-fixes). - commit ce778dd - KVM: VMX: reset the segment cache after segment init in vmx_vcpu_reset() (jsc#PED-348 git-fixes). - commit 57ae6ea - vhost/net: Set num_buffers for virtio 1.0 (git-fixes). - commit 3cc9281 - virtio_blk: reverse request order in virtio_queue_rqs (git-fixes). - commit 08ef4d5 - x86/xen: allow larger contiguous memory regions in PV guests (git-fixes). - commit cbf742d - xen/swiotlb: relax alignment requirements (git-fixes). - commit 85ac962 - x86/xen: add FRAME_END to xen_hypercall_hvm() (git-fixes). - commit 23eecda - x86/xen: fix xen_hypercall_hvm() to not clobber %rbx (git-fixes). - commit e343881 - Grab mm lock before grabbing pt lock (git-fixes). - commit ae619e6 - platform/x86/intel-uncore-freq: Increase minor number support (bsc#1237452). - commit 43ac95b - platform/x86/intel-uncore-freq: Ignore minor version change (bsc#1237452). - commit 6b5df6d - x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit (git-fixes). - commit 904b0d7 - platform/x86: ISST: Ignore minor version change (bsc#1237452). - commit 17cda63 - platform/x86/intel/tpmi: Add defines to get version information (bsc#1237452). - commit 1c56c6e - KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace (git-fixes). - commit 129191d - x86/bugs: Add SRSO_USER_KERNEL_NO support (git-fixes). - commit 1052c36 - RDMA/efa: Reset device on probe failure (git-fixes) - commit c120211 - selftest: hugetlb_dio: fix test naming (git-fixes). - commit 303d120 - selftests: hugetlb_dio: fixup check for initial conditions to skip in the start (git-fixes). - commit 35f33c3 - selftests: hugetlb_dio: check for initial conditions to skip in the start (git-fixes). - commit 89353b1 - selftest: mm: Test if hugepage does not get leaked during __bio_release_pages() (git-fixes). - commit 56d43b6 - mtd: rawnand: cadence: fix unchecked dereference (git-fixes). - commit f3e10b9 - drm/msm/dpu: Don't leak bits_per_component into random DSC_ENC fields (git-fixes). - drm/msm/dpu: Disable dither in phys encoder cleanup (git-fixes). - drm/msm: Avoid rounding up to one jiffy (git-fixes). - drm/nouveau/pmu: Fix gp10b firmware guard (git-fixes). - nouveau/svm: fix missing folio unlock + put after make_device_exclusive_range() (git-fixes). - mtd: rawnand: cadence: fix incorrect device in dma_unmap_single (git-fixes). - mtd: rawnand: cadence: use dma_map_resource for sdma address (git-fixes). - mtd: rawnand: cadence: fix error code in cadence_nand_init() (git-fixes). - USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist (stable-fixes). - USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone (stable-fixes). - USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI (stable-fixes). - USB: serial: option: drop MeiG Smart defines (stable-fixes). - USB: serial: option: fix Telit Cinterion FN990A name (stable-fixes). - USB: serial: option: add Telit Cinterion FN990B compositions (stable-fixes). - USB: serial: option: add MeiG Smart SLM828 (stable-fixes). - USB: hub: Ignore non-compliant devices with too many configs or interfaces (stable-fixes). - usb: gadget: f_midi: Fixing wMaxPacketSize exceeded issue during MIDI bind retries (git-fixes). - gpiolib: acpi: Add a quirk for Acer Nitro ANV14 (stable-fixes). - efi: Avoid cold plugged memory for placing the kernel (stable-fixes). - drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() (stable-fixes). - batman-adv: Drop unmanaged ELP metric worker (git-fixes). - batman-adv: Ignore neighbor throughput metrics in error case (stable-fixes). - HID: hid-steam: Don't use cancel_delayed_work_sync in IRQ context (git-fixes). - HID: hid-steam: Move hidraw input (un)registering to work (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V (stable-fixes). - ACPI: x86: Add skip i2c clients quirk for Vexia EDU ATLA 10 tablet 5V (stable-fixes). - selftests: gpio: gpio-sim: Fix missing chip disablements (stable-fixes). - PCI: switchtec: Add Microchip PCI100X device IDs (stable-fixes). - PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P (stable-fixes). - media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread (stable-fixes). - media: uvcvideo: Add Kurokesu C1 PRO camera (stable-fixes). - media: uvcvideo: Add new quirk definition for the Sonix Technology Co. 292a camera (stable-fixes). - media: uvcvideo: Implement dual stream quirk to fix loss of usb packets (stable-fixes). - media: cxd2841er: fix 64-bit division on gcc-9 (stable-fixes). - soc/tegra: fuse: Update Tegra234 nvmem keepout list (stable-fixes). - fbdev: omap: use threaded IRQ for LCD DMA (stable-fixes). - HID: hid-steam: Make sure rumble work is canceled on removal (stable-fixes). - selftests: rtnetlink: update netdevsim ipsec output format (stable-fixes). - HID: hid-steam: Add Deck IMU support (stable-fixes). - HID: hid-steam: Fix cleanup in probe() (git-fixes). - HID: hid-steam: remove pointless error message (stable-fixes). - HID: hid-steam: Add gamepad-only mode switched to by holding options (stable-fixes). - HID: hid-steam: Update list of identifiers from SDL (stable-fixes). - HID: hid-steam: Clean up locking (stable-fixes). - HID: hid-steam: Disable watchdog instead of using a heartbeat (stable-fixes). - HID: hid-steam: Avoid overwriting smoothing parameter (stable-fixes). - commit df6a4bb - block: avoid to reuse `hctx` not removed from cpuhp callback list (git-fixes). - block: use the right type for stub rq_integrity_vec() (git-fixes). - block: Fix page refcounts for unaligned buffers in __bio_release_pages() (git-fixes). - commit 27674be - devlink: avoid potential loop in devlink_rel_nested_in_notify_work() (bsc#1237234). - commit 3a39566 - power: supply: da9150-fg: fix potential overflow (git-fixes). - commit 859fe45 - ocfs2: fix incorrect CPU endianness conversion causing mount failure (bsc#1236138). re-enable patch ocfs2-fix-UBSAN-warning-in-ocfs2_verify_volume.patch (bsc#1236138). - commit 1f4d40a - iommu/arm-smmu-v3: Clean up more on probe failure (stable-fixes). - commit f5873b7 - ice: fold ice_ptp_read_time into ice_ptp_gettimex64 (bsc#1237415). - ice: avoid the PTP hardware semaphore in gettimex64 path (bsc#1237415). - ice: add ice_adapter for shared data across PFs on the same NIC (bsc#1237415). - commit 9bb3389 - Fix conditional for selecting gcc-13 Fixes: 51dacec21eb1 (&quot;Use gcc-13 for build on SLE16 (jsc#PED-10028).&quot;) - commit 07542ae - kasan: don't call find_vm_area() in a PREEMPT_RT kernel (git-fixes). - lib/iov_iter: fix import_iovec_ubuf iovec management (git-fixes). - lib: stackinit: hide never-taken branch from compiler (stable-fixes). - commit 08ac036 - KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state (git-fixes) - commit 484a6fb - arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (git-fixes) - commit d8f1799 - arm64: Handle .ARM.attributes section in linker scripts (git-fixes) - commit 44f383d - arm64/mm: Ensure adequate HUGE_MAX_HSTATE (git-fixes) - commit 13bd685 - block: copy back bounce buffer to user-space correctly in case of split (git-fixes). - partitions: ldm: remove the initial kernel-doc notation (git-fixes). - nbd: don't allow reconnect after disconnect (git-fixes). - block: retry call probe after request_module in blk_request_module (git-fixes). - block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() (git-fixes). - blk-iocost: Avoid using clamp() on inuse in __propagate_weights() (git-fixes). - blk-mq: move cpuhp callback registering out of q-&gt;sysfs_lock (git-fixes). - blk-mq: register cpuhp callback after hctx is added to xarray table (git-fixes). - ublk: fix error code for unsupported command (git-fixes). - block: return unsigned int from bdev_io_min (git-fixes). - block: fix bio_split_rw_at to take zone_write_granularity into account (git-fixes). - ublk: fix ublk_ch_mmap() for 64K page size (git-fixes). - blk-mq: Make blk_mq_quiesce_tagset() hold the tag list mutex less long (git-fixes). - block: fix ordering between checking BLK_MQ_S_STOPPED request adding (git-fixes). - block: fix ordering between checking QUEUE_FLAG_QUIESCED request adding (git-fixes). - block: fix missing dispatching request when queue is started or unquiesced (git-fixes). - Revert &quot;blk-throttle: Fix IO hang for a corner case&quot; (git-fixes). - block: fix sanity checks in blk_rq_map_user_bvec (git-fixes). - block: Fix elevator_get_default() checking for NULL q-&gt;tag_set (git-fixes). - blk_iocost: remove some duplicate irq disable/enables (git-fixes). - block: fix integer overflow in BLKSECDISCARD (git-fixes). - ublk: move zone report data out of request pdu (git-fixes). - bio-integrity: don't restrict the size of integrity metadata (git-fixes). - block: Fix lockdep warning in blk_mq_mark_tag_wait (git-fixes). - rbd: don't assume rbd_is_lock_owner() for exclusive mappings (git-fixes). - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings (git-fixes). - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait (git-fixes). - loop: don't set QUEUE_FLAG_NOMERGES (git-fixes). - block: change rq_integrity_vec to respect the iterator (git-fixes). - block: remove the blk_flush_integrity call in blk_integrity_unregister (git-fixes). - block: sed-opal: avoid possible wrong address reference in read_sed_opal_key() (git-fixes). - null_blk: fix validation of block size (git-fixes). - null_blk: Do not allow runt zone with zone capacity smaller then zone size (git-fixes). - null_blk: Print correct max open zones limit in null_init_zoned_dev() (git-fixes). - nbd: Fix signal handling (git-fixes). - nbd: Improve the documentation of the locking assumptions (git-fixes). - block: support to account io_ticks precisely (git-fixes). - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() (git-fixes). - block: fix and simplify blkdevparts= cmdline parsing (git-fixes). - block: add a partscan sysfs attribute for disks (git-fixes). - block: add a disk_has_partscan helper (git-fixes). - null_blk: Fix missing mutex_destroy() at module removal (git-fixes). - block: propagate partition scanning errors to the BLKRRPART ioctl (git-fixes). - block: Clear zone limits for a non-zoned stacked queue (git-fixes). - rbd: don't move requests to the running list on errors (git-fixes). - commit 267ddd1 - null_blk: Remove usage of the deprecated ida_simple_xx() API (git-fixes). - Refresh patches.suse/null_blk-fix-null-ptr-dereference-while-configuring-.patch. - commit cea38e9 - kabi: fix group_cpus_evenly (bsc#1236897). - kabi: fix bus type (bsc#1236896). - commit 175404f - PCI: imx6: Simplify clock handling by using clk_bulk*() function (git-fixes). - Refresh patches.suse/PCI-imx6-Fix-suspend-resume-support-on-i.MX6QDL.patch. - Refresh patches.suse/PCI-imx6-Skip-controller_id-generation-logic-for-i.M.patch. - commit f03d03e - PCI: Use downstream bridges for distributing resources (bsc#1237325). - commit 7c0294f - usb: quirks: Add NO_LPM quirk for TOSHIBA TransMemory-Mx device (git-fixes). - commit bbb24b0 - ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED (stable-fixes). - commit 5d15622 - ALSA: seq: Drop UMP events when no UMP-conversion is set (git-fixes). - ALSA: hda/cirrus: Correct the full scale volume set logic (git-fixes). - ALSA: hda: Add error check for snd_ctl_rename_id() in snd_hda_create_dig_out_ctls() (git-fixes). - ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close (git-fixes). - ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() (git-fixes). - ASoC: rockchip: i2s-tdm: fix shift config for SND_SOC_DAIFMT_DSP_[AB] (git-fixes). - ASoC: fsl_micfil: Enable default case in micfil_set_quality() (git-fixes). - ALSA: hda/realtek: Fixup ALC225 depop procedure (git-fixes). - commit 6fb0aa0 - block: ensure we hold a queue reference when using queue limits (git-fixes). - Refresh patches.suse/block-Fix-where-bio-IO-priority-gets-set.patch. - commit 36d897c - null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS (git-fixes). - block: add check of 'minors' and 'first_minor' in device_add_disk() (git-fixes). - block: Set memalloc_noio to false on device_add_disk() error path (git-fixes). - block: Remove special-casing of compound pages (git-fixes). - blk-mq: don't count completed flush data request as inflight in case of quiesce (git-fixes). - ublk: move ublk_cancel_dev() out of ub-&gt;mutex (git-fixes). - block: Provide bdev_open_* functions (git-fixes). - commit 3e547cf - doc: update managed_irq documentation (bsc#1236897). - blk-mq: issue warning when offlining hctx with online isolcpus (bsc#1236897). - blk-mq: use hk cpus only when isolcpus=managed_irq is enabled (bsc#1236897). - lib/group_cpus: honor housekeeping config when grouping CPUs (bsc#1236897). - virtio: blk/scsi: use block layer helpers to calculate num of queues (bsc#1236897). - scsi: use block layer helpers to calculate num of queues (bsc#1236897). - nvme-pci: use block layer helpers to calculate num of queues (bsc#1236897). - blk-mq: add number of queue calc helper (bsc#1236897). - lib/group_cpus: let group_cpu_evenly return number initialized masks (bsc#1236897). - commit 3a935fa - blk-mq: create correct map for fallback case (bsc#1236896). - virtio: blk/scsi: replace blk_mq_virtio_map_queues with blk_mq_map_hw_queues (bsc#1236896). - nvme: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues (bsc#1236896). - scsi: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues (bsc#1236896). - blk-mq: introduce blk_mq_map_hw_queues (bsc#1236896). - virtio: hookup irq_get_affinity callback (bsc#1236896). - PCI: hookup irq_get_affinity callback (bsc#1236896). - driver core: bus: add irq_get_affinity callback to bus_type (bsc#1236896). - commit 1f8d7a5 - Update patches.suse/USB-serial-quatech2-fix-null-ptr-deref-in-qt2_proces.patch (CVE-2025-21689 bsc#1237017). - Update patches.suse/drm-v3d-Assign-job-pointer-to-NULL-before-signaling-.patch (CVE-2025-21688 bsc#1237007 - Update patches.suse/drm-v3d-Ensure-job-pointer-is-set-to-NULL-after-job-.patch (CVE-2025-21697 bsc#1237132) - Update patches.suse/gfs2-Truncate-address-space-when-flipping-GFS2_DIF_JDATA-flag.patch (CVE-2025-21699 bsc#1237139) - Update patches.suse/gpio-xilinx-Convert-gpio_lock-to-raw-spinlock.patch (CVE-2025-21684 bsc#1236952) - Update patches.suse/msft-hv-3155-scsi-storvsc-Ratelimit-warning-logs-to-prevent-VM-de.patch (CVE-2025-21690 bsc#1237025) - commit a20ee68 - kABI fix for mptcp: fix inconsistent state on fastopen race (CVE-2024-26708 bsc#1222672). Upstream commit 4fd19a307016 (&quot;mptcp: fix inconsistent state on fastopen race&quot;) introduced three breaking changes, which are handled in this patch. * a new variable `pending_state` was added to `struct mptcp_sock`, which is now moved into a hole. * a new define replaces an old one, so renumber the new one and re-add the old one. * an API function was removed, so re-add it again. ``` u8 in_accept_queue:1; /* 1562: 4 1 */ /* XXX 3 bits hole, try to pack */ /* XXX 5 bytes hole, try to pack */ struct work_struct work; /* 1568 32 */ ``` - commit a4771c0 - bpf, sockmap: Several fixes to bpf_msg_pop_data (CVE-2024-56720 bsc#1235592). - commit a218d9d - net: Fix icmp host relookup triggering ip_rt_bug (CVE-2024-56647 bsc#1235435). - commit 713c9c9 - USB: Fix the issue of task recovery failure caused by USB status when S4 wakes up (git-fixes). - commit 686e836 - powerpc/64s/mm: Move __real_pte stubs into hash-4k.h (bsc#1215199). - commit 73fb25c - powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC (bsc#1215199). - powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline (bsc#1215199). - powerpc/code-patching: Disable KASAN report during patching via temporary mm (bsc#1215199). - commit cb15126 - usbnet: ipheth: document scope of NCM implementation (stable-fixes). - wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() (stable-fixes). - wifi: mt76: mt7921u: Add VID/PID for TP-Link TXE50UH (stable-fixes). - wifi: rtw88: sdio: Fix disconnection after beacon loss (stable-fixes). - wifi: iwlwifi: avoid memory leak (stable-fixes). - wifi: brcmfmac: Check the return value of of_property_read_string_index() (stable-fixes). - wifi: rtw89: add crystal_cap check to avoid setting as overflow value (stable-fixes). - wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (stable-fixes). - commit b67568f - acct: block access to kernel internal filesystems (git-fixes). - acct: perform last write from workqueue (git-fixes). - drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes (stable-fixes). - drm/i915: Fix page cleanup on DMA remap failure (git-fixes). - Revert &quot;drm/amd/display: Use HW lock mgr for PSR1&quot; (stable-fixes). - selftests: mptcp: connect: -f: no reconnect (git-fixes). - net: rose: lock the socket in rose_bind() (git-fixes). - scripts/gdb: fix aarch64 userspace detection in get_current_task (stable-fixes). - drm/amdkfd: only flush the validate MES contex (stable-fixes). - drm/amd/pm: Mark MM activity as unsupported (stable-fixes). - ata: libata-sff: Ensure that we cannot write outside the allocated buffer (stable-fixes). - cpufreq: s3c64xx: Fix compilation warning (stable-fixes). - drm/modeset: Handle tiled displays in pan_display_atomic (stable-fixes). - efi: libstub: Use '-std=gnu11' to fix build with GCC 15 (stable-fixes). - ASoC: amd: Add ACPI dependency to fix build error (stable-fixes). - platform/x86: acer-wmi: Ignore AC events (stable-fixes). - Input: allocate keycode for phone linking (stable-fixes). - platform/x86: int3472: Check for adev == NULL (stable-fixes). - tomoyo: don't emit warning in tomoyo_write_control() (stable-fixes). - HID: Wacom: Add PCI Wacom device support (stable-fixes). - APEI: GHES: Have GHES honor the panic= setting (stable-fixes). - clk: sunxi-ng: a100: enable MMC clock reparenting (git-fixes). - clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg (git-fixes). - clk: qcom: clk-alpha-pll: fix alpha mode configuration (git-fixes). - clk: qcom: dispcc-sm6350: Add missing parent_map for a clock (git-fixes). - clk: qcom: gcc-sm6350: Add missing parent_map for two clocks (git-fixes). - clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate (git-fixes). - clk: qcom: gcc-sm8550: Do not turn off PCIe GDSCs during gdsc_disable() (git-fixes). - clk: mediatek: mt2701-img: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-mm: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-bdp: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-aud: fix conversion to mtk_clk_simple_probe (git-fixes). - clk: mediatek: mt2701-vdec: fix conversion to mtk_clk_simple_probe (git-fixes). - i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz (stable-fixes). - mmc: sdhci-msm: Correctly set the load for the regulator (stable-fixes). - mmc: core: Respect quirk_max_rate for non-UHS SDIO card (stable-fixes). - mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id (stable-fixes). - spi: atmel-qspi: Memory barriers after memory-mapped I/O (git-fixes). - spi: atmel-quadspi: Create `atmel_qspi_ops` to support newer SoC families (stable-fixes). - selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() (stable-fixes). - Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (stable-fixes). - net: wwan: iosm: Fix hibernation by re-binding the driver around it (stable-fixes). - drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor (stable-fixes). - drm/bridge: it6505: fix HDCP CTS KSV list wait timer (stable-fixes). - drm/bridge: it6505: fix HDCP CTS compare V matching (stable-fixes). - drm/bridge: it6505: fix HDCP encryption when R0 ready (stable-fixes). - drm/bridge: it6505: fix HDCP Bstatus check (stable-fixes). - drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT (stable-fixes). - drm/virtio: New fence for every plane update (stable-fixes). - lockdep: Fix upper limit for LOCKDEP_*_BITS configs (stable-fixes). - commit 32eeef9 - net: sched: Disallow replacing of child qdisc from one parent to another (CVE-2025-21700 bsc#1237159). - commit fd65855 - sctp: sysctl: cookie_hmac_alg: avoid using current-&gt;nsproxy (CVE-2025-21640 bsc#1236123) - commit 7a3b711 - sctp: sysctl: rto_min/max: avoid using current-&gt;nsproxy (CVE-2025-21639 bsc#1236122) - commit e818833 - pktgen: Avoid out-of-bounds access in get_imix_entries (CVE-2025-21680 bsc#1236700). - commit 8cb9ad2 - sctp: sysctl: auth_enable: avoid using current-&gt;nsproxy (CVE-2025-21638 bsc#1236115) - commit e4e9666 - sctp: sysctl: udp_port: avoid using current-&gt;nsproxy (CVE-2025-21637 bsc#1236114) - commit b35279d - sctp: sysctl: plpmtud_probe_interval: avoid using current-&gt;nsproxy (CVE-2025-21636 bsc#1236113) - commit 3f71e7d - add bug reference to hv_storvsc change (bsc#1237025 CVE-2025-21690). - commit 45e9861 - kABI fix for mptcp: handle consistently DSS corruption (CVE-2024-50185 bsc#1233109) - commit d478aac - idpf: fix VF dynamic interrupt ctl register initialization (git-fixes). - Refresh patches.suse/idpf-add-support-for-SW-triggered-interrupts.patch. - commit da462e1 - igc: Set buffer type for empty frames in igc_init_empty_frame (git-fixes). - igc: Fix HW RX timestamp when passed by ZC XDP (git-fixes). - idpf: call set_real_num_queues in idpf_open (bsc#1236661). - idpf: fix handling rsc packet with a single segment (git-fixes). - ice: stop storing XDP verdict within ice_rx_buf (git-fixes). - ice: gather page_count()'s of each frag right before XDP prog call (git-fixes). - ice: put Rx buffers after being done with current frame (git-fixes). - iavf: allow changing VLAN state without calling PF (git-fixes). - idpf: convert workqueues to unbound (git-fixes). - idpf: add read memory barrier when checking descriptor done bit (git-fixes). - net/mlx5e: Always start IPsec sequence number from 1 (git-fixes). - net/mlx5e: Rely on reqid in IPsec tunnel mode (git-fixes). - net/mlx5: SF, Fix add port error handling (git-fixes). - net/mlx5: Fix RDMA TX steering prio (git-fixes). - igc: return early when failing to read EECD register (git-fixes). - ice: fix incorrect PHY settings for 100 GB/s (git-fixes). - ice: fix max values for dpll pin phase adjust (git-fixes). - eth: gve: use appropriate helper to set xdp_features (git-fixes). - cxgb4: Avoid removal of uninserted tid (git-fixes). - bnxt_en: Fix possible memory leak when hwrm_req_replace fails (git-fixes). - net: sfc: Correct key_len for efx_tc_ct_zone_ht_params (git-fixes). - net/mlx5e: macsec: Maintain TX SA from encoding_sa (git-fixes). - chelsio/chtls: prevent potential integer overflow on 32bit (git-fixes). - cxgb4: use port number to set mac addr (git-fixes). - bnxt_en: Unregister PTP during PCI shutdown and suspend (git-fixes). - bnxt_en: Refactor bnxt_ptp_init() (git-fixes). - net/mlx5: Verify support for scheduling element and TSAR type (git-fixes). - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset (git-fixes). - ice: use internal pf id instead of function number (git-fixes). - ice: Skip PTP HW writes during PTP reset procedure (git-fixes). - net/mlx5: Correct TASR typo into TSAR (git-fixes). - commit a2c0ed6 - Use gcc-13 for build on SLE16 (jsc#PED-10028). - commit 51dacec - kbuild: userprogs: fix bitsize and target detection on clang (git-fixes). - tools: fix annoying &quot;mkdir -p ...&quot; logs when building tools in parallel (git-fixes). - serial: 8250: Fix fifo underflow on flush (git-fixes). - usb: roles: set switch registered flag early on (git-fixes). - usb: gadget: core: flush gadget workqueue after device removal (git-fixes). - USB: gadget: f_midi: f_midi_complete to call queue_work (git-fixes). - usb: core: fix pipe creation for get_bMaxPacketSize0 (git-fixes). - usb: dwc3: Fix timeout issue during controller enter/exit from halt state (git-fixes). - USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk (git-fixes). - usb: cdc-acm: Fix handling of oversized fragments (git-fixes). - usb: cdc-acm: Check control transfer buffer size before access (git-fixes). - usb: gadget: f_midi: fix MIDI Streaming descriptor lengths (git-fixes). - usb: dwc2: gadget: remove of_node reference upon udc_stop (git-fixes). - usb: gadget: udc: renesas_usb3: Fix compiler warning (git-fixes). - commit f681ca5 - gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock (git-fixes). - gpio: bcm-kona: Add missing newline to dev_err format string (git-fixes). - gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ (git-fixes). - gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 (git-fixes). - commit 72e2a5f - exfat: fix file being changed by unaligned direct write (git-fixes). - commit c5a2490 - exfat: fix zero the unwritten part for dio read (git-fixes). - commit ab0ec4f - hfs: Sanity check the root record (git-fixes). - commit 6977b91 - dlm: fix srcu_read_lock() return type to int (git-fixes). - commit 3303370 - exfat: fix out-of-bounds access of directory entries (bsc#1234857 CVE-2024-53147). - commit 8127e11 - exfat: change to get file size from DataLength (bsc#1234857 CVE-2024-53147). - commit 34f63a5 - exfat: convert to ctime accessor functions (git-fixes). - commit 430eb66 - mmc: mtk-sd: Fix register settings for hs400(es) mode (git-fixes). - commit 0e84651 - smb: client: instantiate when creating SFU files (git-fixes). - commit 1658f01 - smb: client: handle lack of FSCTL_GET_REPARSE_POINT support (git-fixes). - commit eacadae - smb: client: return reparse type in /proc/mounts (git-fixes). - commit 5c949e8 - smb: client: set correct d_type for reparse DFS/DFSR and mount point (git-fixes). - commit 99477ce - smb: client: Fix a NULL vs IS_ERR() check in wsl_set_xattrs() (git-fixes). - commit dcd4483 - smb: client: parse uid, gid, mode and dev from WSL reparse points (git-fixes). - commit 86b1707 - smb: client: introduce SMB2_OP_QUERY_WSL_EA (git-fixes). - Refresh patches.suse/smb-client-fix-potential-UAF-in-cifs_debug_files_proc_show-.patch. - commit 6f30059 - smb: client: get rid of smb311_posix_query_path_info() (git-fixes). - commit 08f4b23 - smb: client: add support for WSL reparse points (git-fixes). - commit 4773bbe - smb: client: reduce number of parameters in smb2_compound_op() (git-fixes). - commit 5bf06b7 - smb: client: retry compound request without reusing lease (git-fixes). - commit 44ecf42 - smb: client: reuse file lease key in compound operations (git-fixes). - commit e1d39cc - smb: client: parse owner/group when creating reparse points (git-fixes). - commit 2b1f34d - cifs: open_cached_dir(): add FILE_READ_EA to desired access (git-fixes). - commit f59c050 - cifs: update the same create_guid on replay (git-fixes). - commit 651496d - smb: client: reduce stack usage in smb2_query_reparse_point() (git-fixes). - commit a2f52a1 - cifs: update desired access while requesting for directory lease (git-fixes). - commit 3577933 - smb: client: move most of reparse point handling code to common file (git-fixes). - commit 90c5825 - smb: client: handle special files and symlinks in SMB3 POSIX (git-fixes). - commit 7ddb775 - smb: client: cleanup smb2_query_reparse_point() (git-fixes). - commit 56a04ed - smb: client: fix OOB in smb2_query_reparse_point() (git-fixes). - commit a9edfbd - smb: client: allow creating symlinks via reparse points (git-fixes). - commit 93e7dee - smb: client: fix hardlinking of reparse points (git-fixes). - commit 6805b33 - drm/i915/selftests: avoid using uninitialized context (git-fixes). - drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode() (git-fixes). - spi: sn-f-ospi: Fix division by zero (git-fixes). - regmap-irq: Add missing kfree() (git-fixes). - batman-adv: fix panic during interface removal (git-fixes). - can: etas_es58x: fix potential NULL pointer dereference on udev-&gt;serial (git-fixes). - can: c_can: fix unbalanced runtime PM disable in error path (git-fixes). - can: ctucanfd: handle skb allocation failure (git-fixes). - can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero (git-fixes). - wifi: ath12k: fix handling of 6 GHz rules (git-fixes). - commit 30daf36 - smb: client: fix missing mode bits for SMB symlinks (git-fixes). - commit 8fa207f - smb: client: stop revalidating reparse points unnecessarily (git-fixes). - commit ce08be7 - smb: client: fix potential broken compound request (git-fixes). - commit a4415de - smb: client: fix renaming of reparse points (git-fixes). - commit 32e853e - smb: client: optimise reparse point querying (git-fixes). - commit a53eec6 - smb: client: allow creating special files via reparse points (git-fixes). - commit 74e26d4 - smb: client: introduce cifs_sfu_make_node() (git-fixes). - commit 39b0787 - smb: client: set correct file type from NFS reparse points (git-fixes). - Delete patches.suse/cifs-Fix-buffer-overflow-when-parsing-NFS-reparse-points.patch. (deleted patch will be added later) - commit 7b28133 - smb: client: introduce -&gt;parse_reparse_point() (git-fixes). - commit 5e66e50 - smb3: fix creating FIFOs when mounting with &quot;sfu&quot; mount option (git-fixes). - commit 82c7e6d - mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow (CVE-2024-50085 bsc#1232508) - commit 25971ed - smb: client: Fix minor whitespace errors and warnings (git-fixes). - commit 1eedc39 - smb: use kernel_connect() and kernel_bind() (git-fixes). - commit 6936009 - smb: client: introduce reparse mount option (git-fixes). - commit e5a8c1e - smb: client: implement -&gt;query_reparse_point() for SMB1 (git-fixes). - commit 2615bfd - smb: cilent: set reparse mount points as automounts (git-fixes). - commit da6e3c8 - smb: client: do not query reparse points twice on symlinks (git-fixes). - commit b7e62c9 - s390/futex: Fix FUTEX_OP_ANDN implementation (git-fixes bsc#1237158). - commit 3e00897 - KVM: s390: vsie: fix some corner-cases when grabbing vsie pages (git-fixes bsc#1237155). - commit 6d87f47 - net/smc: support ipv4 mapped ipv6 addr client for smc-r v2 (bsc#1236994). - net: smc: fix spurious error message from __sock_release() (bsc#1237126). - commit 2c0a5e1 - mptcp: fix data races on local_id (git-fixes) - Refresh patches.suse/mptcp-fix-data-races-on-remote_id.patch - commit 661ea6e - mptcp: pm: fullmesh: select the right ID later (git-fixes) - commit 1d30f2b - mptcp: pm: only in-kernel cannot have entries with ID 0 (git-fixes) - commit 8638b2c - mptcp: unify pm set_flags interfaces (git-fixes) - commit 493b268 - mptcp: unify pm get_flags_and_ifindex_by_id (git-fixes) - commit 57ae267 - mptcp: unify pm get_local_id interfaces (git-fixes) - commit f1f0e12 - mptcp: export local_address (git-fixes) - commit 2e22243 - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR (git-fixes) - commit 9c72df8 - mptcp: pm: only decrement add_addr_accepted for MPJ req (CVE-2024-45009 bsc#1230438) - commit 9337031 - mptcp: pm: only mark 'subflow' endp as available (CVE-2024-45010 bsc#1230439) - commit 9e1f869 - mptcp: pm: remove mptcp_pm_remove_subflow (git-fixes) - commit 0d1e602 - Update config files. Use the upstream default for TSX_MODE. - commit 55bbd12 - mptcp: pm: re-using ID of unused flushed subflows (git-fixes) - commit 2798558 - mptcp: pm: re-using ID of unused removed subflows (git-fixes) - commit 405e62f - mptcp: pm: re-using ID of unused removed ADD_ADDR (git-fixes) - commit 42e63a4 - mptcp: fix NL PM announced address accounting (git-fixes) - commit 28d5efa - mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID (git-fixes) - commit adfc1dd - mptcp: pm: avoid possible UaF when selecting endp (CVE-2024-44974 bsc#1230235) - commit e827535 - mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set (git-fixes) - commit 262fe7b - mptcp: pm: deny endp with signal + subflow + port (git-fixes) - commit 20e7fdf - mptcp: fully established after ADD_ADDR echo on MPJ (git-fixes) - commit 54ad8c1 - mptcp: pm: don't try to create sf if alloc failed (git-fixes) - commit 9185902 - mptcp: pm: reduce indentation blocks (git-fixes) - commit a393115 - mptcp: pass addr to mptcp_pm_alloc_anno_list (git-fixes) - commit 71a0164 - mptcp: handle consistently DSS corruption (CVE-2024-50185 bsc#1233109) - commit 01e9763 - powerpc/pseries/iommu: Split Dynamic DMA Window to be used in Hybrid mode (ltc#210895 bsc#1235933 ltc#210896 bsc#1235932). - Refresh patches.suse/powerpc-pseries-iommu-IOMMU-incorrectly-marks-MMIO-r.patch - commit d8f69df - usb: dwc3: core: Defer the probe until USB power supply ready (git-fixes). - commit f3ecf26 - vfio/platform: check the bounds of read/write syscalls (bsc#1237045 CVE-2025-21687). - commit e52d676 - xhci: dbgtty: remove kfifo_out() wrapper (git-fixes). - commit 806156f - net: sched: fix ets qdisc OOB Indexing (bsc#1237028 CVE-2025-21692). - commit 1b093fe - RDMA/rxe: Improve newline in printing messages (git-fixes) - Refresh patches.suse/RDMA-rxe-Fix-mismatched-max_msg_sz.patch - Pickup RXE code change introduced by upstream merge: af96134dc856 (&quot;Merge tag 'rcu.2023.06.22a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu&quot;) - commit 1492681 - smb: client: fix possible double free in smb2_set_ea() (git-fixes). - commit b6cd961 - powerpc/trace: Add support for HAVE_FUNCTION_ARG_ACCESS_API (bsc#1236967 ltc#210988). - Update config files. - commit 83bff51 - Update &quot;drm/mgag200: Added support for the new device G200eH5&quot; (jsc#PED-12094) Update to match upstream commit 6636c58b946c (&quot;drm/mgag200: Added support for the new device G200eH5&quot;). - commit 7ba9f89 - usb: xhci: Fix NULL pointer dereference on certain command aborts (git-fixes). - commit 8628513 - util_macros.h: fix/rework find_closest() macros (git-fixes). - commit 01b2939 - s390/topology: Improve topology detection (bsc#1236591). - commit 101e515 - HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() (git-fixes). - HID: multitouch: Add NULL check in mt_input_configured (git-fixes). - pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware (git-fixes). - commit 1dbe333 - scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes). - commit 93c01ea - net/mlx5: Fix msix vectors to respect platform limit (bsc#1225981). - commit b7a2367 - s390/pci: Fix SR-IOV for PFs initially in standby (git-fixes bsc#1236752). - commit dcf85a0 - s390/pci: Fix leak of struct zpci_dev when zpci_add_device() fails (bsc#1236752). - s390/pci: Ignore RID for isolated VFs (bsc#1236752). - s390/pci: Use topology ID for multi-function devices (bsc#1236752). - s390/pci: Sort PCI functions prior to creating virtual busses (bsc#1236752). - commit 004cfd2 - iommu/arm-smmu: Make instance lookup robust (bsc#1235032, CVE-2024-56568). - commit 8f1b23e - selftests/bpf: add fp-leaking precise subprog result tests (git-fixes). - bpf: prevent r10 register from being marked as precise (git-fixes). - bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie (git-fixes). - selftests/bpf: Fix flaky test btf_map_in_map/lookup_update (git-fixes). - selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh (git-fixes). - bpf: Fix a verifier verbose message (git-fixes). - commit dfce816 - bpf: Replace bpf_lpm_trie_key 0-length array with flexible array (git-fixes). - selftests/bpf: Fix flaky selftest lwt_redirect/lwt_reroute (git-fixes). - bpf: Use -Wno-error in certain tests when building with GCC (git-fixes). - commit 3243439 - Update patches.suse/ALSA-6fire-Release-resources-at-card-release.patch (git-fixes CVE-2024-53239 bsc#1235054 bsc#1234853). - Update patches.suse/Bluetooth-L2CAP-Fix-uaf-in-l2cap_connect.patch (CVE-2024-49950 bsc#1232159 bsc#1225742). - Update patches.suse/Bluetooth-L2CAP-do-not-leave-dangling-sk-pointer-on-.patch (stable-fixes CVE-2024-56605 bsc#1235061 bsc#1234853). - Update patches.suse/KVM-nSVM-Ignore-nCR3-4-0-when-loading-PDPTEs-from-me.patch (CVE-2024-50115 bsc#1232919 bsc#1225742). - Update patches.suse/NFSv4.0-Fix-a-use-after-free-problem-in-the-asynchronous-open.patch (git-fixes CVE-2024-53173 bsc#1234891 bsc#1234853). - Update patches.suse/RDMA-hns-Fix-NULL-pointer-derefernce-in-hns_roce_map.patch (git-fixes CVE-2024-53226 bsc#1236576). - Update patches.suse/ext4-avoid-OOB-when-system.data-xattr-changes-undern.patch (bsc#1231920 CVE-2024-47701 bsc#1225742). - Update patches.suse/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch (bsc#1232201 CVE-2024-49884 bsc#1232198 bsc#1225742). - Update patches.suse/hfsplus-don-t-query-the-device-logical-block-size-multiple-times.patch (git-fixes CVE-2024-56548 bsc#1235073 bsc#1234853). - Update patches.suse/mac802154-check-local-interfaces-before-deleting-sda.patch (stable-fixes CVE-2024-57948 bsc#1236677). - Update patches.suse/media-amphion-Set-video-drvdata-before-register-vide.patch (git-fixes CVE-2024-56579 bsc#1236575). - Update patches.suse/mm-prevent-derefencing-NULL-ptr-in-pfn_section_valid.patch (git-fixes CVE-2024-41055 bsc#1228521). - Update patches.suse/pinctrl-mcp23s08-Fix-sleeping-in-atomic-context-due-.patch (git-fixes CVE-2024-57889 bsc#1236573). - Update patches.suse/tty-n_gsm-Fix-use-after-free-in-gsm_cleanup_mux.patch (stable-fixes CVE-2024-50073 bsc#1232520 bsc#1225742). - Update patches.suse/vfio-pci-Lock-external-INTx-masking-ops.patch (bsc#1222803 CVE-2024-26810). - Update patches.suse/wifi-mwifiex-Fix-memcpy-field-spanning-write-warning-d241a13.patch (git-fixes CVE-2024-56539 bsc#1234963 bsc#1234853). - commit 2e394be - Update patches.suse/netfilter-nf_tables-don-t-fail-inserts-if-dupl.patch (bsc#1012628 CVE-2023-52925 bsc#1236822). - Update patches.suse/netfilter-nf_tables-don-t-skip-expired-element.patch (bsc#1012628 CVE-2023-52924 bsc#1236821). - commit 6257a48 - tg3: Disable tg3 PCIe AER on system reboot (bsc#1219367). - commit 43ff004 - wifi: mt76: mt7915: improve hardware restart reliability (stable-fixes). - commit 8478fb6 - ASoC: Intel: avs: Prefix SKL/APL-specific members (stable-fixes). - Refresh patches.suse/ASoC-Intel-avs-Fix-theoretical-infinite-loop.patch. - commit 01a2134 - serial: sc16is7xx: use device_property APIs when configuring irda mode (stable-fixes). - Refresh patches.suse/serial-sc16is7xx-remove-global-regmap-from-struct-sc.patch. - commit 5b3248c - ASoC: Intel: avs: Do not readq() u32 registers (git-fixes). - ALSA: seq: Make dependency on UMP clearer (git-fixes). - crypto: hisilicon/sec2 - fix for aead invalid authsize (git-fixes). - crypto: hisilicon/sec2 - fix for aead icv error (git-fixes). - wifi: mt76: mt7915: fix omac index assignment after hardware reset (git-fixes). - drm/rockchip: vop2: include rockchip_drm_drv.h (git-fixes). - drm/rockchip: vop2: Fix the windows switch between different layers (git-fixes). - wifi: mt76: connac: move mt7615_mcu_del_wtbl_all to connac (stable-fixes). - ASoC: Intel: avs: Abstract IPC handling (stable-fixes). - ALSA: seq: remove redundant 'tristate' for SND_SEQ_UMP_CLIENT (stable-fixes). - drm/rockchip: vop2: set bg dly and prescan dly at vop2_post_config (stable-fixes). - drm/rockchip: vop2: Set YUV/RGB overlay mode (stable-fixes). - drm/rockchip: move output interface related definition to rockchip_drm_drv.h (stable-fixes). - crypto: hisilicon/sec2 - optimize the error return process (stable-fixes). - commit 21fab4a - drm/i915/dp: Iterate DSC BPP from high to low on all platforms (git-fixes). - drm/i915/guc: Debug print LRC state entries only if the context is pinned (git-fixes). - drm/i915/pmu: Fix zero delta busyness issue (git-fixes). - gpu: drm_dp_cec: fix broken CEC adapter properties check (git-fixes). - drm/komeda: Add check for komeda_get_layer_fourcc_list() (git-fixes). - firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry (git-fixes). - ACPI: property: Fix return value for nval == 0 in acpi_data_prop_read() (git-fixes). - ACPI: PRM: Remove unnecessary strict handler address checks (git-fixes). - gpio: pca953x: Improve interrupt support (git-fixes). - commit e018ad6 - mptcp: fix recvbuffer adjust on sleeping rcvmsg (git-fixes) - commit 4ce1907 - filemap: avoid truncating 64-bit offset to 32 bits (CVE-2025-21665 bsc#1236684). - commit 597c6a3 - smb: client: fix double free of TCP_Server_Info::hostname (CVE-2025-21673 bsc#1236689). - commit 3139e94 - openvswitch: fix lockup on tx to unregistering netdev with carrier (CVE-2025-21681 bsc#1236702). - commit b85304e - pmdomain: imx8mp-blk-ctrl: add missing loop break condition (CVE-2025-21668 bsc#1236682). - commit 99dbd95 - iomap: avoid avoid truncating 64-bit offset to 32 bits (CVE-2025-21667 bsc#1236681). - commit e233a3c - cpufreq: qcom-nvmem: add support for IPQ8064 (git-fixes). - Refresh patches.suse/cpufreq-qcom-nvmem-Enable-virtual-power-domain-devices.patch. - commit f530449 - drm/amdgpu: fix UVD contiguous CS mapping problem (bsc#1236759). - commit 785700c - cpufreq: mediatek-hw: Don't error out if supply is not found (git-fixes). - commit 8cc17c1 - mptcp: error out earlier on disconnect (CVE-2024-53123 bsc#1234070) - commit b7c16f4 - drop_monitor: replace spin_lock by raw_spin_lock (CVE-2024-40980 bsc#1227937) - commit 72b4850 - xfrm: validate new SA's prefixlen using SA family when sel.family is unset (CVE-2024-50142 bsc#1233028) - commit 821a08b - selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap (bsc#1235485 CVE-2024-56633). - tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg (bsc#1235485 CVE-2024-56633). - commit 92f3cb7 - smb: During unmount, ensure all cached dir instances drop their dentry (bsc#1231432, bsc#1234894, CVE-2024-53176). - commit c66b2d4 - smb: client: reduce stack usage in smb2_set_ea() (bsc#1231432). - Refresh patches.suse/smb-client-fix-potential-UAF-in-cifs_debug_files_proc_show-.patch. - commit b56ad4e - smb: client: properly close cfids on umount (bsc#1231432, bsc#1232299, bsc#1235599, bsc#1234896). - commit 189365b - drm/mgag200: Added support for the new device G200eH5 (jsc#PED-12094) - commit 5e11827 - cpufreq: qcom-nvmem: drop pvs_ver for format a fuses (git-fixes). - commit 60005f6 - cpufreq: qcom: Implement clk_ops::determine_rate() for qcom_cpufreq* clocks (git-fixes). - cpufreq: qcom: Fix qcom_cpufreq_hw_recalc_rate() to query LUT if LMh IRQ is not available (git-fixes). - commit 3e10296 - cpufreq: mediatek-hw: Wait for CPU supplies before probing (git-fixes). - commit b08f9e8 - sched: sch_cake: add bounds checks to host bulk flow fairness counts (CVE-2025-21647 bsc#1236133). - commit 1f1bc5f - locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass() (git-fixes). - commit c137ed9 - lockdep: fix deadlock issue between lockdep and rcu (git-fixes). - commit d6daab7 - locking/rwsem: Add __always_inline annotation to __down_write_common() and inlined callers (git-fixes). - commit 1366984 - selftests/futex: pass _GNU_SOURCE without a value to the compiler (git-fixes). - commit 6c47425 - futex: Don't include process MM in futex key on no-MMU (git-fixes). - commit 925398b - cpufreq: qcom-nvmem: use helper to get SMEM SoC ID (git-fixes). - cpufreq: qcom-nvmem: use SoC ID-s from bindings (git-fixes). - soc: qcom: smem: introduce qcom_smem_get_soc_id() (git-fixes). - soc: qcom: socinfo: move SMEM item struct and defines to a header (git-fixes). - commit 870636f - selftests/bpf: Test the update operations for htab of maps (bsc#1235244 CVE-2024-56592). - selftests/bpf: Move ENOTSUPP from bpf_util.h (bsc#1235244 CVE-2024-56592). - bpf: Call free_htab_elem() after htab_unlock_bucket() (bsc#1235244 CVE-2024-56592). - selftests/bpf: Clean up open-coded gettid syscall invocations (bsc#1235244 CVE-2024-56592). - commit 1ed8f4f - usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe() (git-fixes). - commit 243c2cb - vsock: Keep the binding until socket destruction (git-fixes) - commit 545191e - vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] (CVE-2025-21666 bsc#1236680) - commit 5667481 - vsock: reset socket state when de-assigning the transport (git-fixes) - commit 70de10a - vsock/virtio: cancel close work in the destructor (git-fixes) - commit b47a8e2 - vsock/bpf: return early if transport is not assigned (CVE-2025-21670 bsc#1236685) - commit 938e02d - vsock/virtio: discard packets if the transport changes (CVE-2025-21669 bsc#1236683) - commit 01b1ae3 - net/mlx5: Clear port select structure when fail to create (bsc#1236694 CVE-2025-21675) - commit 97050c4 - mptcp: fix TCP options overflow. (bsc#1235914 CVE-2024-57882) - commit bfacfe0 - mptcp: pm: Fix uaf in __timer_delete_sync (bsc#1231088 CVE-2024-46858) - commit 2b80245 - kABI fix for net: defer final 'struct net' free in netns dismantle (CVE-2024-56658 bsc#1235441) - commit fd18f29 - net: defer final 'struct net' free in netns dismantle (CVE-2024-56658 bsc#1235441). - commit 5df7b43 - net: mana: Add get_link and get_link_ksettings in ethtool (bsc#1236761). - commit 037abed - virtio-mem: check if the config changed before fake offlining memory (git-fixes). - commit 7c5b67f - virtio-mem: keep retrying on offline_and_remove_memory() errors in Sub Block Mode (SBM) (git-fixes). - commit 50036f1 - virtio-mem: convert most offline_and_remove_memory() errors to -EBUSY (git-fixes). - commit cf4a9ad - virtio-mem: remove unsafe unplug in Big Block Mode (BBM) (git-fixes). - commit 7506a2e - media: ov08x40: Fix hblank out of range issue (git-fixes). - commit 6e44a14 - media: firewire: firedtv-avc.c: replace BUG with proper, error return (git-fixes). - commit 658942c - media: dvb: mb86a16: check the return value of mb86a16_read() (git-fixes). - commit fc29200 - tty: xilinx_uartps: split sysrq handling (git-fixes). - commit 1d9d1fd - cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path (bsc#1231432). - commit 21eeced - smb: cached directories can be more than root file handle (bsc#1231432). - commit 2629c95 - smb3: retrying on failed server close (bsc#1231432). - commit f1f31c8 - smb: prevent use-after-free due to open_cached_dir error paths (bsc#1231432, bsc#1234896, CVE-2024-53177). - commit 741a327 - smb: Don't leak cfid when reconnect races with open_cached_dir (bsc#1231432, bsc#1234895, CVE-2024-53178). - commit e22906f - smb3: request handle caching when caching directories (bsc#1231432). - commit 186ab6d - cifs: new mount option called retrans (bsc#1231432). - commit 000ea56 - cifs: open_cached_dir should not rely on primary channel (bsc#1231432). - commit 056e43b - cifs: commands that are retried should have replay flag set (bsc#1231432). - commit d12c685 - cifs: helper function to check replayable error codes (bsc#1231432). - commit 4a4d52e - smb: client: extend smb2_compound_op() to accept more commands (bsc#1231432). - commit e198fe7 - smb: client: reduce stack usage in smb2_query_info_compound() (bsc#1231432). - commit 267f6c8 - smb: client: parse reparse point flag in create response (bsc#1231432). - commit 1f48f01 - smb: client: make smb2_compound_op() return resp buffer on success (bsc#1231432). - commit 14ca1d2 - smb: client: move some params to cifs_open_info_data (bsc#1231432). - commit e3cf607 - smb: client: fix OOB in SMB2_query_info_init() (bsc#1231432). - commit 1ebc808 - mm/compaction: fix UBSAN shift-out-of-bounds warning (git fixes (mm/compaction)). - commit 6473a2a - vfio/pci: Lock external INTx masking ops (bsc#1222803). - commit 8c537c0 - gtp: Destroy device along with udp socket's netns dismantle (CVE-2025-21678 bsc#1236698). - gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp() (git-fixes). - net: mana: Cleanup &quot;mana&quot; debugfs dir after cleanup of all children (bsc#1236760). - r8169: enable SG/TSO on selected chip versions per default (bsc#1235874). - net: mana: Enable debugfs files for MANA device (bsc#1236758). - net: netvsc: Update default VMBus channels (bsc#1236757). - commit 2caa23f - cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily (git-fixes). - cpufreq: imx6q: don't warn for disabling a non-existing frequency (git-fixes). - commit 42b12da - Update patches.suse/nvme-tcp-Fix-I-O-queue-cpu-spreading-for-multiple-co.patch (git-fixes bsc#1224049). - commit 6783feb - cpufreq: qcom-nvmem: fix memory leaks in probe error paths (git-fixes). - commit 3d6407c - cpufreq: qcom-nvmem: Enable virtual power domain devices (git-fixes). - commit b63737d - xfs: Add error handling for xfs_reflink_cancel_cow_range (git-fixes). - commit 1aaaa62 - xfs: Propagate errors from xfs_reflink_cancel_cow_range in xfs_dax_write_iomap_end (git-fixes). - commit f8ad9a2 - net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel (CVE-2025-21674 bsc#1236688). - net: fec: handle page_pool_dev_alloc_pages error (CVE-2025-21676 bsc#1236696). - eth: bnxt: always recalculate features after XDP clearing, fix null-deref (CVE-2025-21682 bsc#1236703). - commit a806d7c - cpufreq: qcom-nvmem: Simplify driver data allocation (stable-fixes). - commit dc928a8 - NFSv4.2: mark OFFLOAD_CANCEL MOVEABLE (git-fixes). - commit 151b149 - NFSv4.2: fix COPY_NOTIFY xdr buf size calculation (git-fixes). - commit b286575 - ubifs: skip dumping tnc tree when zroot is null (git-fixes). - commit f58c1e4 - afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call (git-fixes). - commit a1514a4 - afs: Fix cleanup of immediately failed async calls (git-fixes). - commit addff98 - afs: Fix directory format encoding struct (git-fixes). - commit 595632c - afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY (git-fixes). - commit 39c4f67 - gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag (git-fixes). - commit e9c67fd - nilfs2: fix possible int overflows in nilfs_fiemap() (git-fixes). - commit 2d81bbb - ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() (CVE-2024-50304 bsc#1233522). - commit 0aac3e1 - arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma (git-fixes) - commit 6bedda5 - arm64: tegra: Fix Tegra234 PCIe interrupt-map (git-fixes) - commit 5678238 - arm64: tegra: Disable Tegra234 sce-fabric node (git-fixes) - commit 3ba529a - arm64: tegra: Fix typo in Tegra234 dce-fabric compatible (git-fixes) - commit fe1f6b4 - arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented (git-fixes) - commit 79b2b46 - netfilter: nft_payload: sanitize offset and length before calling skb_checksum() (CVE-2024-50251 bsc#1233248). - commit d7e2f51 - net: fix crash when config small gso_max_size/gso_ipv4_max_size (CVE-2024-50258 bsc#1233221 CVE-2024-50258 bsc#1233221). - commit a93195b - arm64/sme: Move storage of reg_smidr to __cpuinfo_store_cpu() (git-fixes) - commit 43c09a7 - arm64: Kconfig: Make SME depend on BROKEN for now (git-fixes bsc#1236245) Update arm64 default configuration file - commit 1003b05 - arm64: dts: rockchip: Add sdmmc/sdio/emmc reset controls for RK3328 (git-fixes) - commit cbbcd61 - net: inet6: do not leave a dangling sk pointer in inet6_create() (CVE-2024-56600 bsc#1235217). - commit d23e8d7 - printk: Defer legacy printing when holding printk_cpu_sync (bsc#1236733). - commit 8ea5df4 - printk: Add is_printk_legacy_deferred() (bsc#1236733). - commit 15926fc - nvme: fix bogus kzalloc() return check in nvme_init_effects_log() (git-fixes). - commit ab15bce - scsi: storvsc: Ratelimit warning logs to prevent VM denial of service (git-fixes). - hyperv: Do not overlap the hvcall IO areas in get_vtl() (git-fixes). - commit 20e731b - nvme: Add error path for xa_store in nvme_init_effects (git-fixes). - nvme: Add error check for xa_store in nvme_get_effects_log (git-fixes). - nvme-tcp: Fix I/O queue cpu spreading for multiple controllers (git-fixes). - nvmet: propagate npwg topology (git-fixes). - commit f7cc3e5 - usbnet: ipheth: fix DPE OoB read (git-fixes). - commit 9d2e9a7 - usbnet: ipheth: break up NCM header size computation (git-fixes). - commit 2cdc4a6 - usbnet: ipheth: refactor NCM datagram loop (git-fixes). - commit aade1ad - workqueue: Add rcu lock check at the end of work item execution (bsc#1236732). - commit 4c72d5a - Move upstreamed sound patch into sorted section - commit ca47985 - Input: atkbd - map F23 key to support default copilot shortcut (stable-fixes). - Input: xpad - add unofficial Xbox 360 wireless receiver clone (stable-fixes). - Input: xpad - add support for wooting two he (arm) (stable-fixes). - Input: xpad - improve name of 8BitDo controller 2dc8:3106 (stable-fixes). - Input: xpad - add QH Electronics VID/PID (stable-fixes). - Input: xpad - add support for Nacon Evol-X Xbox One Controller (stable-fixes). - Input: xpad - add support for Nacon Pro Compact (stable-fixes). - hwmon: (drivetemp) Set scsi command timeout to 10s (stable-fixes). - drm/amd/display: Use HW lock mgr for PSR1 (stable-fixes). - seccomp: Stub for !CONFIG_SECCOMP (stable-fixes). - ASoC: samsung: Add missing depends on I2C (git-fixes). - ASoC: samsung: Add missing selects for MFD_WM8994 (stable-fixes). - ASoC: wm8994: Add depends on MFD core (stable-fixes). - ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf() (stable-fixes). - commit c243755 - ASoC: acp: Support microphone from Lenovo Go S (stable-fixes). - ALSA: usb-audio: Add delay quirk for iBasso DC07 Pro (stable-fixes). - commit 7bec8fa - kconfig: fix file name in warnings when loading KCONFIG_DEFCONFIG_LIST (git-fixes). - genksyms: fix memory leak when the same symbol is read from * .symref file (git-fixes). - genksyms: fix memory leak when the same symbol is added from source (git-fixes). - ASoC: rockchip: i2s_tdm: Re-add the set_sysclk callback (git-fixes). - commit 472aca3 - kABI workaround for struct auto_pin_cfg_item change (git-fixes). - commit 43b97fb - ALSA: hda: Fix headset detection failure due to unstable sort (git-fixes). - commit 6dcca9b - blacklist.conf: Not affected by CVE-2024-44932 and CVE-2024-44964 - Delete patches.suse/idpf-fix-UAFs-when-destroying-the-queues.patch. - Delete patches.suse/idpf-fix-memory-leaks-and-crashes-while-performing-a.patch. This fixes bsc#1236628 - commit 3ac3069 - kcsan: Turn report_filterlist_lock into a raw_spinlock (CVE-2024-56610 bsc#1235390). - commit d41073a - io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period (CVE-2025-21655 bsc#1236163). - commit 4487b43 - Refresh patches.suse/io_uring-check-for-overflows-in-io_pin_pages.patch. There was an error on my backport of this patch that caused an Oops as soon as a pbuf is registered. - commit 83010fb - cpuidle: Avoid potential overflow in integer multiplication (git-fixes). - commit 0568366 - cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock (git-fixes). - commit ade7f79 - cpufreq: amd-pstate: remove global header file (git-fixes). - commit be74a4f - mm/rodata_test: use READ_ONCE() to read const variable (git-fixes). - commit 915b6ed - cpufreq: intel_pstate: Use HWP to initialize ITMT if CPPC is missing (git-fixes). - commit 1e10ad3 - cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call back (git-fixes). - commit dd83446 - cpufreq: ACPI: Fix max-frequency computation (git-fixes). - commit 54e5cf5 - cpufreq: Don't unregister cpufreq cooling on CPU hotplug (git-fixes). - commit d893e3e - rtc: zynqmp: Fix optional clock name property (git-fixes). - rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read (git-fixes). - PM: hibernate: Add error handling for syscore_suspend() (git-fixes). - Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection (git-fixes). - Bluetooth: btnxpuart: Fix glitches seen in dual A2DP streaming (git-fixes). - usbnet: ipheth: use static NDP16 location in URB (git-fixes). - usbnet: ipheth: check that DPE points past NCM header (git-fixes). - usbnet: ipheth: fix possible overflow in DPE length check (git-fixes). - net: usb: rtl8150: enable basic endpoint checking (git-fixes). - net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset (git-fixes). - net: rose: fix timer races against user threads (git-fixes). - NFC: nci: Add bounds checking in nci_hci_create_pipe() (git-fixes). - docs: power: Fix footnote reference for Toshiba Satellite P10-554 (git-fixes). - gpio: mxc: remove dead code after switch to DT-only (git-fixes). - pm:cpupower: Add missing powercap_set_enabled() stub function (git-fixes). - commit d7c0bf6 - io_uring: check for overflows in io_pin_pages (CVE-2024-53187 bsc#1234947). - commit 5155778 - brd: defer automatic disk creation until module initialization succeeds (CVE-2024-56693 bsc#1235418). - commit b6cdeb6 - powerpc/pseries/eeh: Fix get PE state translation (bsc#1215199). - commit b41af30 - ALSA: hda/realtek: Workaround for resume on Dell Venue 11 Pro 7130 (bsc#1235686). - commit 63a2d06 - Correct typos in patch-mainline versions in previous patches - commit 9e305bb - dmaengine: ti: edma: fix OF node reference leaks in edma_driver (git-fixes). - regulator: core: Add missing newline character (git-fixes). - commit a55a5c7 - Delete patches.suse/iommu-arm-smmu-Defer-probe-of-clients-after-smmu-dev.patch Reverted upstream by 97cb1fa02726 iommu/arm-smmu: Retire probe deferral workaround. - commit 2dda00e - virtio-blk: don't keep queue frozen during system suspend (CVE-2024-57946 bsc#1236247). - commit bc49326 - netfilter: x_tables: fix LED ID check in led_tg_check() (CVE-2024-56650 bsc#1235430). - commit e2ba4f9 - netfilter: nf_tables: validate family when identifying table via handle (bsc#1233778 ZDI-24-1454). - commit 8a5e7e8 - tpm: send_data: Wait longer for the TPM to become ready (bsc#1235870). - commit 564c005 - driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() (git-fixes). - devcoredump: cleanup some comments (git-fixes). - serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use (git-fixes). - serial: sh-sci: Drop __initdata macro for port_cfg (git-fixes). - serial: 8250: Adjust the timeout for FIFO mode (git-fixes). - commit 3ee6c35 - VFS: use system_unbound_wq for delayed_mntput (bsc#1234683). - commit 8e0a712 - RDMA/mlx5: Fix implicit ODP use after free (git-fixes) - commit 45ca433 - RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error (git-fixes) - commit 2c0d67d - RDMA/rxe: Fix the warning &quot;__rxe_cleanup+0x12c/0x170 [rdma_rxe]&quot; (git-fixes) - commit d370cc3 - RDMA/mlx5: Fix indirect mkey ODP page count (git-fixes) - commit fffca3b - RDMA/bnxt_re: Fix to drop reference to the mmap entry in case of error (git-fixes) - commit 95b5d71 - RDMA/srp: Fix error handling in srp_add_port (git-fixes) - commit d17536e - RDMA/rxe: Fix mismatched max_msg_sz (git-fixes) - commit 0c1e11b - rdma/cxgb4: Prevent potential integer overflow on 32bit (git-fixes) - commit c001bb0 - RDMA/mlx4: Avoid false error about access to uninitialized gids array (git-fixes) - commit 61636fb - RDMA/bnxt_re: Fix to export port num to ib_query_qp (git-fixes) - commit 14d9179 - rcu/tree: Defer setting of jiffies during stall reset (git-fixes) - commit 97d4114 - rcu-tasks: Pull sampling of -&gt;percpu_dequeue_lim out of loop (git-fixes) - commit 46965f9 - srcu: Only accelerate on enqueue time (git-fixes) - commit 61de5d1 - srcu: Fix srcu_struct node grpmask overflow on 64-bit systems (git-fixes) - commit 2ff5969 - rcu: Eliminate rcu_gp_slow_unregister() false positive (git-fixes) - commit 0aacfbc - rcu: Dump memory object info if callback function is invalid (git-fixes) - commit a054e16 - rcuscale: Move rcu_scale_writer() (git-fixes) - commit f5a8f5c - README.BRANCH: Update maintainers - commit 41fd1b2 - PCI: microchip: Set inbound address translation for coherent or non-coherent mode (git-fixes). - PCI: imx6: Deassert apps_reset in imx_pcie_deassert_core_reset() (git-fixes). - PCI: imx6: Skip controller_id generation logic for i.MX7D (git-fixes). - PCI: endpoint: pci-epf-test: Fix check for DMA MEMCPY test (git-fixes). - PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar() (git-fixes). - PCI: dwc: ep: Write BAR_MASK before iATU registers in pci_epc_set_bar() (git-fixes). - genirq: Make handle_enforce_irqctx() unconditionally available (git-fixes). - commit 9d69135 - x86/mm: Carve out INVLPG inline asm for use by others (git-fixes). - commit af61fc0 - x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB (git-fixes). - commit 1b67735 - x86/cpu: Add Lunar Lake to list of CPUs with a broken MONITOR implementation (git-fixes). - commit a22f80f - x86/asm: Make serialize() always_inline (git-fixes). - commit 7e805b9 - ibmvnic: Free any outstanding tx skbs during scrq reset (bsc#1226980). - commit 82833f0 - drm/v3d: Assign job pointer to NULL before signaling the fence (git-fixes). - iio: light: as73211: fix channel handling in only-color triggered buffer (git-fixes). - intel_th: core: fix kernel-doc warnings (git-fixes). - bus: mhi: host: Free mhi_buf vector inside mhi_alloc_bhie_table() (git-fixes). - iio: iio-mux: kzalloc instead of devm_kzalloc to ensure page alignment (git-fixes). - iio: adc: ad_sigma_delta: Handle CS assertion as intended in ad_sd_read_reg_raw() (git-fixes). - misc: fastrpc: Fix copy buffer page size (git-fixes). - misc: fastrpc: Fix registered buffer page address (git-fixes). - misc: fastrpc: Deregister device nodes properly in error scenarios (git-fixes). - VMCI: fix reference to ioctl-number.rst (git-fixes). - drivers/card_reader/rtsx_usb: Restore interrupt based detection (git-fixes). - uio: uio_dmem_genirq: check the return value of devm_kasprintf() (git-fixes). - uio: Fix return value of poll (git-fixes). - misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors (git-fixes). - Revert &quot;usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null&quot; (stable-fixes). - USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() (git-fixes). - usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE (git-fixes). - usb: host: xhci-plat: Assign shared_hcd-&gt;rsrc_start (git-fixes). - usb: dwc3-am62: Fix an OF node leak in phy_syscon_pll_refclk() (git-fixes). - usb: gadget: f_tcm: Don't prepare BOT write request twice (git-fixes). - usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint (git-fixes). - usb: gadget: f_tcm: Fix Get/SetInterface return value (git-fixes). - usb: gadget: f_tcm: Decrement command ref count on cleanup (git-fixes). - usb: gadget: f_tcm: Translate error to sense (git-fixes). - usb: gadget: f_tcm: Don't free command immediately (git-fixes). - power: ip5xxx_power: Fix return value on ADC read errors (git-fixes). - pps: add an error check in parport_attach (git-fixes). - pps: remove usage of the deprecated ida_simple_xx() API (stable-fixes). - commit 15d6406 - Move upstreamed lpfc patches into sorted section - commit c33f2a8 - Revert 0dd78566990 (&quot;Disable ceph (jsc#PED-7242)&quot;) Apparently, jsc#PED-7242 is only deprecate ceph for 15-SP6 and disable for 15-SP7. Revert the disabling. - commit 4573861 - padata: add pd get/put refcnt helper (git-fixes). - commit c209bf7 - padata: avoid UAF for reorder_work (git-fixes). - padata: fix UAF in padata_reorder (git-fixes). - commit 9cec1e0 - net: stmmac: dwmac-tegra: Read iommu stream id from device tree (CVE-2025-21663 bsc#1236260). - commit fc91755 - selftests/mm/cow: modify the incorrect checking parameters (git-fixes). - maple_tree: simplify split calculation (git-fixes). - latencytop: use correct kernel-doc format for func params (git-fixes). - lib/inflate.c: remove dead code (git-fixes). - commit 2970302 - remoteproc: core: Fix ida_free call while not allocated (git-fixes). - mtd: spinand: Remove write_enable_op() in markbad() (git-fixes). - mtd: onenand: Fix uninitialized retlen in do_otp_read() (git-fixes). - PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() (git-fixes). - PCI: dwc: Always stop link in the dw_pcie_suspend_noirq (git-fixes). - PCI: endpoint: pci-epf-test: Set dma_chan_rx pointer to NULL on error (git-fixes). - PCI: endpoint: Finish virtual EP removal in pci_epf_remove_vepf() (git-fixes). - PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy() (git-fixes). - PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1 (git-fixes). - media: dvb-usb-v2: af9035: fix ISO C90 compilation error on af9035_i2c_master_xfer (git-fixes). - staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() (git-fixes). - media: nxp: imx8-isi: fix v4l2-compliance test errors (git-fixes). - media: uvcvideo: Propagate buf-&gt;error to userspace (git-fixes). - media: uvcvideo: Remove dangling pointers (git-fixes). - media: uvcvideo: Remove redundant NULL assignment (git-fixes). - media: uvcvideo: Only save async fh if success (git-fixes). - media: uvcvideo: Support partial control reads (git-fixes). - media: uvcvideo: Fix event flags in uvc_ctrl_send_events (git-fixes). - media: uvcvideo: Fix double free in error path (git-fixes). - media: uvcvideo: Fix crash during unbind if gpio unit is in use (git-fixes). - staging: media: max96712: fix kernel oops when removing module (git-fixes). - media: camif-core: Add check for clk_enable() (git-fixes). - media: mipi-csis: Add check for clk_enable() (git-fixes). - media: ov5640: fix get_light_freq on auto (git-fixes). - media: mc: fix endpoint iteration (git-fixes). - media: i2c: ov9282: Correct the exposure offset (git-fixes). - media: ccs: Fix cleanup order in ccs_probe() (git-fixes). - media: imx296: Add standby delay during probe (git-fixes). - media: i2c: imx412: Add missing newline to prints (git-fixes). - media: ccs: Clean up parsed CCS static data on parse failure (git-fixes). - media: ccs: Fix CCS static data parsing for large block sizes (git-fixes). - media: marvell: Add check for clk_enable() (git-fixes). - media: lmedm04: Handle errors for lme2510_int_read (git-fixes). - media: rc: iguanair: handle timeouts (git-fixes). - media: rkisp1: Fix unused value issue (git-fixes). - media: imx-jpeg: Fix potential error pointer dereference in detach_pm() (git-fixes). - commit 059dbb0 - ALSA: hda/realtek: Enable Mute LED on HP Laptop 14s-fq1xxx (stable-fixes). - ALSA: usb-audio: Add delay quirk for USB Audio Device (stable-fixes). - ALSA: hda/realtek: Enable headset mic on Positivo C6400 (stable-fixes). - commit 744cb45 - mailbox: tegra-hsp: Clear mailbox before using message (git-fixes). - soc: qcom: socinfo: Avoid out of bounds read of serial number (git-fixes). - soc: qcom: smem_state: fix missing of_node_put in error path (git-fixes). - soc: mediatek: mtk-devapc: Fix leaking IO map on error paths (git-fixes). - memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() (git-fixes). - soc: atmel: fix device_node release in atmel_soc_device_init() (git-fixes). - fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() (git-fixes). - ASoC: Intel: avs: Fix theoretical infinite loop (git-fixes). - ASoC: sun4i-spdif: Add clock multiplier settings (git-fixes). - ALSA: hda/realtek - Fixed headphone distorted sound on Acer Aspire A115-31 laptop (git-fixes). - crypto: iaa - Fix IAA disabling that occurs when sync_mode is set to 'async' (git-fixes). - crypto: ixp4xx - fix OF node reference leaks in init_ixp_crypto() (git-fixes). - crypto: qce - fix priority to be less than ARMv8 CE (git-fixes). - crypto: qce - unregister previously registered algos in error path (git-fixes). - crypto: qce - fix goto jump in error path (git-fixes). - crypto: caam - use JobR's space to access page 0 regs (git-fixes). - pinctrl: amd: Take suspend type into consideration which pins are non-wake (git-fixes). - pinctrl: samsung: fix fwnode refcount cleanup if platform_get_irq_optional() fails (git-fixes). - commit b034543 - Move upstreamed ppc patch into sorted section - commit d058975 - Move upstreamed TPM patch into sorted section - commit ccb7b48 - octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c (CVE-2024-56728 bsc#1235656) - commit acc444a - octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c (CVE-2024-56727 bsc#1235583) - commit b6e61cf - octeontx2-pf: handle otx2_mbox_get_rsp errors in cn10k.c (CVE-2024-56726 bsc#1235582) - commit ac2994c - octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dcbnl.c (CVE-2024-56725 bsc#1235578) - commit 4f995f2 - octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dmac_flt.c (CVE-2024-56707 bsc#1235545) - commit 67e8754 - octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c (CVE-2024-56679 bsc#1235498) - commit becbeeb - drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' (CVE-2024-56608 bsc#1235487) - commit df4e9dd - dm thin: make get_first_thin use rcu-safe list first function (CVE-2025-21664 bsc#1236262) - commit 83d356e - selinux: ignore unknown extended permissions (CVE-2024-57931 bsc#1236192) - commit 4334198 - net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute (CVE-2025-21653 bsc#1236161) - commit 9089d3b - ipvlan: Fix use-after-free in ipvlan_get_iflink() (CVE-2025-21652 bsc#1236160) - commit 8201e7e - net/sctp: Prevent autoclose integer overflow in sctp_association_init() (CVE-2024-57938 bsc#1236182) - commit 338cf1f - topology: Keep the cpumask unchanged when printing cpumap (CVE-2024-57917 bsc#1236127) - commit 1d17273 - mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() (CVE-2024-57884 bsc#1235948) - commit abc82c3 - netrom: check buffer length before accessing it (CVE-2024-57802 bsc#1235941) - commit 606eed5 - ionic: Fix netdev notifier unregister on failure (CVE-2024-56715 bsc#1235612) - commit 28b55e0 - sched/fair: Fix value reported by hot tasks pulled in /proc/schedstat -kabi (bsc#1235865). - commit a0069bc - wifi: ath12k: fix tx power, max reg power update to firmware (git-fixes). - wifi: mt76: mt7996: fix ldpc setting (git-fixes). - wifi: mt76: mt7996: fix definition of tx descriptor (git-fixes). - wifi: mt76: mt7996: fix incorrect indexing of MIB FW event (git-fixes). - wifi: mt76: mt7996: fix HE Phy capability (git-fixes). - wifi: mt76: mt7996: fix the capability of reception of EHT MU PPDU (git-fixes). - wifi: mt76: mt7996: add max mpdu len capability (git-fixes). - wifi: mt76: mt7996: fix register mapping (git-fixes). - wifi: mt76: mt7915: fix register mapping (git-fixes). - wifi: mt76: mt7915: firmware restart on devices with a second pcie link (git-fixes). - wifi: mt76: mt7996: fix rx filter setting for bfee functionality (git-fixes). - wifi: mt76: mt7915: fix overflows seen when writing limit attributes (git-fixes). - wifi: mt76: mt7996: fix overflows seen when writing limit attributes (git-fixes). - wifi: mt76: mt7915: add module param to select 5 GHz or 6 GHz on MT7916 (git-fixes). - wifi: mt76: mt7921: fix using incorrect group cipher after disconnection (git-fixes). - wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO (git-fixes). - commit f15e8b4 - tools: Sync if_xdp.h uapi tooling header (git-fixes). - selftests/landlock: Fix error message (git-fixes). - selftests: harness: fix printing of mismatch values in __EXPECT() (git-fixes). - spi: zynq-qspi: Add check for clk_enable() (git-fixes). - wifi: mt76: mt7915: Fix mesh scan on MT7916 DBDC (git-fixes). - wifi: mt76: mt7925: fix off by one in mt7925_load_clc() (git-fixes). - wifi: rtw89: mcc: consider time limits not divisible by 1024 (git-fixes). - wifi: rtlwifi: rtl8821ae: Fix media status report (git-fixes). - wifi: cfg80211: adjust allocation of colocated AP data (git-fixes). - wifi: mac80211: don't flush non-uploaded STAs (git-fixes). - wifi: mac80211: Fix common size calculation for ML element (git-fixes). - wifi: mac80211: fix tid removal during mesh forwarding (git-fixes). - wifi: mac80211: prohibit deactivating all links (git-fixes). - wifi: iwlwifi: fw: read STEP table from correct UEFI var (git-fixes). - wifi: wlcore: fix unbalanced pm_runtime calls (git-fixes). - wifi: rtlwifi: pci: wait for firmware loading before releasing memory (git-fixes). - wifi: rtlwifi: fix memory leaks and invalid access at probe error path (git-fixes). - wifi: rtlwifi: destroy workqueue at rtl_deinit_core (git-fixes). - wifi: rtlwifi: remove unused check_buddy_priv (git-fixes). - wifi: rtlwifi: usb: fix workqueue leak when probe fails (git-fixes). - wifi: rtlwifi: fix init_sw_vars leak when probe fails (git-fixes). - wifi: rtlwifi: wait for firmware loading before releasing memory (git-fixes). - wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step (git-fixes). - wifi: rtlwifi: do not complete firmware loading needlessly (git-fixes). - wifi: rtlwifi: rtl8821ae: phy: restore removed code to fix infinite loop (git-fixes). - wifi: brcmfmac: add missing header include for brcmf_dbg (git-fixes). - wifi: ath11k: cleanup struct ath11k_mon_data (git-fixes). - wifi: wcn36xx: fix channel survey memory allocation size (git-fixes). - wifi: ath11k: Fix unexpected return buffer manager error for WCN6750/WCN6855 (git-fixes). - selinux: Fix SCTP error inconsistency in selinux_socket_bind() (git-fixes). - commit 40f350b - ktest.pl: Fix typo &quot;accesing&quot; (git-fixes). - ktest.pl: Fix typo in comment (git-fixes). - ktest.pl: Remove unused declarations in run_bisect_test function (git-fixes). - ktest.pl: Check kernelrelease return in get_version (git-fixes). - landlock: Handle weird files (git-fixes). - samples/landlock: Fix possible NULL dereference in parse_path() (git-fixes). - selftests: timers: clocksource-switch: Adapt progress to kselftest framework (git-fixes). - selftest: media_tests: fix trivial UAF typo (git-fixes). - Input: davinci-keyscan - remove leftover header (git-fixes). - HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections (git-fixes). - HID: fix generic desktop D-Pad controls (git-fixes). - HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check (git-fixes). - HID: multitouch: fix support for Goodix PID 0x01e9 (git-fixes). - Revert &quot;HID: multitouch: Add support for lenovo Y9000P Touchpad&quot; (stable-fixes). - ipmi: ssif_bmc: Fix new request loss when bmc ready for a response (git-fixes). - ipmi: ipmb: Add check devm_kasprintf() returned value (git-fixes). - pwm: stm32: Add check for clk_enable() (git-fixes). - pwm: stm32-lp: Add check for clk_enable() (git-fixes). - leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata() (git-fixes). - leds: lp8860: Write full EEPROM, not only half of it (git-fixes). - HID: hid-sensor-hub: don't use stale platform-data on remove (git-fixes). - regulator: of: Implement the unwind path of of_regulator_match() (git-fixes). - net/rose: prevent integer overflows in rose_setsockopt() (git-fixes). - drm/msm: don't clean up priv-&gt;kms prematurely (git-fixes). - selftests/powerpc: Fix argument order to timer_sub() (git-fixes). - selftests/alsa: Fix circular dependency involving global-timer (stable-fixes). - ktest.pl: Avoid false positives with grub2 skip regex (stable-fixes). - ktest: force $buildonly = 1 for 'make_warnings_file' test type (stable-fixes). - commit 3e5bf1b - drm/msm: Check return value of of_dma_configure() (git-fixes). - drm/msm/dpu: link DSPP_2/_3 blocks on SM8550 (git-fixes). - drm/msm/dpu: link DSPP_2/_3 blocks on SM8350 (git-fixes). - drm/msm/dpu: link DSPP_2/_3 blocks on SM8250 (git-fixes). - drm/msm/dpu: link DSPP_2/_3 blocks on SC8180X (git-fixes). - drm/msm/dpu: link DSPP_2/_3 blocks on SM8150 (git-fixes). - drm/msm/dp: set safe_to_exit_level before printing it (git-fixes). - drm/amdgpu: tear down ttm range manager for doorbell in amdgpu_ttm_fini() (git-fixes). - drm/etnaviv: Fix page property being used for non writecombine buffers (git-fixes). - Revert &quot;drm/i915/dpt: Make DPT object unshrinkable&quot; (stable-fixes). - drm/amdgpu: simplify return statement in amdgpu_ras_eeprom_init (git-fixes). - drm/amdgpu/vcn: reset fw_shared under SRIOV (git-fixes). - drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table (git-fixes). - drm/amd/pm: Fix an error handling path in vega10_enable_se_edc_force_stall_config() (git-fixes). - drm/bridge: it6505: Change definition of AUX_FIFO_MAX_SIZE (git-fixes). - drm/rockchip: vop2: Check linear format for Cluster windows on rk3566/8 (git-fixes). - drm/rcar-du: dsi: Fix PHY lock bit check (git-fixes). - drm/rockchip: vop2: Fix the mixer alpha setup for layer 0 (git-fixes). - drm/rockchip: vop2: Fix cluster windows alpha ctrl regsiters offset (git-fixes). - commit 2f1e321 - ACPI: fan: cleanup resources in the error path of .probe() (git-fixes). - cpupower: fix TSC MHz calculation (git-fixes). - Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc (git-fixes). - Align git commit ID abbreviation guidelines and checks (git-fixes). - drm/tidss: Clear the interrupt status for interrupts being disabled (git-fixes). - drm/tidss: Fix issue in irq handling causing irq-flood issue (git-fixes). - drm/v3d: Stop active perfmon if it is being destroyed (git-fixes). - drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event() (git-fixes). - commit 737a47e - Input: bbnsm_pwrkey - add remove hook (git-fixes). - drm/i915/fb: Relax clear color alignment to 64 bytes (stable-fixes). - drm/amdgpu: always sync the GFX pipe on ctx switch (stable-fixes). - ACPI: resource: acpi_dev_irq_override(): Check DMI match last (stable-fixes). - mac802154: check local interfaces before deleting sdata list (stable-fixes). - selftests: tc-testing: reduce rshift value (stable-fixes). - kheaders: Ignore silly-rename files (stable-fixes). - commit cbbd806 - Drop PCI patch that caused a regression Deleted: patches.suse/PCI-Use-preserve_config-in-place-of-pci_flags.patch - commit 30fb9e7 - sched/fair: Fix value reported by hot tasks pulled in /proc/schedstat (bsc#1235865). - commit 9837653 - Update patches.suse/ALSA-seq-oss-Fix-races-at-processing-SysEx-messages.patch (stable-fixes CVE-2024-57893 bsc#1235920). - Update patches.suse/RDMA-bnxt_re-Fix-max-SGEs-for-the-Work-Request.patch (git-fixes CVE-2024-57936 bsc#1236181). - Update patches.suse/RDMA-hns-Fix-accessing-invalid-dip_ctx-during-destro.patch (git-fixes CVE-2024-57935 bsc#1236180). - Update patches.suse/RDMA-rtrs-Ensure-ib_sge-list-is-accessible.patch (git-fixes CVE-2024-36476 bsc#1235902). - Update patches.suse/RDMA-uverbs-Prevent-integer-overflow-issue.patch (git-fixes CVE-2024-57890 bsc#1235919). - Update patches.suse/afs-Fix-the-maximum-cell-name-length.patch (git-fixes CVE-2025-21646 bsc#1236168). - Update patches.suse/arm64-ptrace-fix-partial-SETREGSET-for-NT_ARM_TAGGED_ADDR_CTRL.patch (git-fixes CVE-2024-57874 bsc#1235808). - Update patches.suse/cpufreq-CPPC-Fix-possible-null-ptr-deref-for-cppc_ge.patch (git-fixes CVE-2024-53230 bsc#1235976). - Update patches.suse/cpufreq-CPPC-Fix-possible-null-ptr-deref-for-cpufreq.patch (git-fixes CVE-2024-53231 bsc#1235977). - Update patches.suse/drm-adv7511-Fix-use-after-free-in-adv7533_attach_dsi.patch (git-fixes CVE-2024-57887 bsc#1235952). - Update patches.suse/drm-amd-display-Add-check-for-granularity-in-dml-cei.patch (stable-fixes CVE-2024-57922 bsc#1236080). - Update patches.suse/drm-amdkfd-Correct-the-migration-DMA-map-direction.patch (stable-fixes CVE-2024-57897 bsc#1235969). - Update patches.suse/drm-dp_mst-Ensure-mst_primary-pointer-is-valid-in-dr.patch (stable-fixes CVE-2024-57798 bsc#1235818). - Update patches.suse/drm-dp_mst-Fix-resetting-msg-rx-state-after-topology.patch (git-fixes CVE-2024-57876 bsc#1235806). - Update patches.suse/drm-mediatek-Set-private-all_drm_private-i-drm-to-NU.patch (git-fixes CVE-2024-57926 bsc#1236082). - Update patches.suse/exfat-fix-the-infinite-loop-in-exfat_readdir.patch (git-fixes CVE-2024-57940 bsc#1236227). - Update patches.suse/hwmon-drivetemp-Fix-driver-producing-garbage-data-wh.patch (git-fixes CVE-2025-21656 bsc#1236248). - Update patches.suse/iio-adc-at91-call-input_free_device-on-allocated-iio.patch (git-fixes CVE-2024-57904 bsc#1236078). - Update patches.suse/iio-adc-rockchip_saradc-fix-information-leak-in-trig.patch (git-fixes CVE-2024-57907 bsc#1236090). - Update patches.suse/iio-adc-ti-ads8688-fix-information-leak-in-triggered.patch (git-fixes CVE-2024-57906 bsc#1236088). - Update patches.suse/iio-dummy-iio_simply_dummy_buffer-fix-information-le.patch (git-fixes CVE-2024-57911 bsc#1236098). - Update patches.suse/iio-imu-kmx61-fix-information-leak-in-triggered-buff.patch (git-fixes CVE-2024-57908 bsc#1236091). - Update patches.suse/iio-light-vcnl4035-fix-information-leak-in-triggered.patch (git-fixes CVE-2024-57910 bsc#1236097). - Update patches.suse/iio-pressure-zpa2326-fix-information-leak-in-trigger.patch (git-fixes CVE-2024-57912 bsc#1236101). - Update patches.suse/jffs2-Prevent-rtime-decompress-memory-corruption.patch (git-fixes CVE-2024-57850 bsc#1235812). - Update patches.suse/misc-microchip-pci1xxxx-Resolve-kernel-panic-during-.patch (git-fixes CVE-2024-57916 bsc#1236125). - Update patches.suse/net-wwan-t7xx-Fix-FSM-command-timeout-issue.patch (git-fixes CVE-2024-39282 bsc#1235903). - Update patches.suse/netfilter-nf_tables-adapt-set-backend-to-use-G.patch (bsc#1012628 CVE-2023-52923 bsc#1236104). - Update patches.suse/nilfs2-prevent-use-of-deleted-inode.patch (git-fixes CVE-2024-53690 bsc#1235842). - Update patches.suse/platform-x86-amd-pmc-Only-disable-IRQ1-wakeup-where-.patch (git-fixes CVE-2025-21645 bsc#1236131). - Update patches.suse/powerpc-pseries-vas-Add-close-callback-in-vas_vm_ops.patch (bsc#1234825 CVE-2024-56765 bsc#1235643). - Update patches.suse/s390-cpum_sf-Handle-CPU-hotplug-remove-during-sampling.patch (git-fixes CVE-2024-57849 bsc#1235814). - Update patches.suse/usb-gadget-f_fs-Remove-WARN_ON-in-functionfs_bind.patch (git-fixes CVE-2024-57913 bsc#1236102). - Update patches.suse/usb-gadget-u_serial-Disable-ep-before-setting-port-t.patch (git-fixes CVE-2024-57915 bsc#1236120). - Update patches.suse/wifi-mac80211-fix-mbss-changed-flags-corruption-on-3.patch (stable-fixes CVE-2024-57899 bsc#1235924). - Update patches.suse/workqueue-Do-not-warn-when-cancelling-WQ_MEM_RECLAIM-work-from-WQ_MEM_RECLAIM-worker.patch (bsc#1235416 CVE-2024-57888 bsc#1235918). - commit 56e243f - net: inet: do not leave a dangling sk pointer in inet_create() (CVE-2024-56601 bsc#1235230). - commit 959586f - usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() (bsc#1235001) - commit 8b4d1ad - usb: typec: fix potential array underflow in ucsi_ccg_sync_control() (CVE-2024-53203 bsc#1235001) - commit 601cb11 - net: add more sanity checks to qdisc_pkt_len_init() (CVE-2024-49948 bsc#1232161). - commit 940829f - bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog (CVE-2024-56665 bsc#1235489) - commit b2f97f8 - gso: fix udp gso fraglist segmentation after pull from frag_list (CVE-2024-49978 bsc#1232101). - commit 8453570 - powerpc/powernv/pci: Remove last IODA1 defines (bsc#1220711 ltc#205755). - powerpc/powernv/pci: Remove MVE code (bsc#1220711 ltc#205755). - powerpc/powernv/pci: Remove ioda1 support (bsc#1220711 ltc#205755). - commit 5733e6d - powerpc/iommu: Move pSeries specific functions to pseries/iommu.c (bsc#1220711 ltc#205755). - powerpc/iommu: Only build sPAPR access functions on pSeries (bsc#1220711 ltc#205755). - commit 1165a9d - ceph: improve error handling and short/overflow-read logic in __ceph_sync_read() (bsc#1228592). - commit b40380c - doc/README.SUSE: Point to the updated version of LKMPG - commit 624b259 - Input: bbnsm_pwrkey - fix missed key press after suspend (git-fixes). - commit 51a70b3 - x86/fpu: Ensure shadow stack is active before &quot;getting&quot; registers (CVE-2025-21632 bsc#1236106). - commit 6ea3a8f - net: restrict SO_REUSEPORT to inet sockets (bsc#1235967 CVE-2024-57903) - commit 0b70e79 - net: hns3: fix kernel crash when 1588 is sent on HIP08 devices (bsc#1236143 CVE-2025-21649) - commit ab51b8f - net/mlx5: Fix variable not being completed when function returns (bsc#1236198 CVE-2025-21662) - commit 766ce3e - net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue (CVE-2025-21650 bsc#1236144). - net: hns3: Support tlv in regs data for HNS3 VF driver (CVE-2025-21650 bsc#1236144). - commit d07cfee - tracing: Prevent bad count for tracing_cpumask_write (CVE-2024-56763 bsc#1235638) - commit b7a1a0d - dccp: Fix memory leak in dccp_feat_change_recv (CVE-2024-56643 bsc#1235132) - commit 13d2c8a - iommu/arm-smmu: Defer probe of clients after smmu device bound (CVE-2024-56568 bsc#1235032) - commit cd5e85b - EDAC/igen6: Avoid segmentation fault on module unload (CVE-2024-56708 bsc#1235564) - commit cbccd47 - net/smc: initialize close_work early to avoid warning (CVE-2024-56641 bsc#1235526) - commit 075f0f7 - EDAC/{i10nm,skx,skx_common}: Support UV systems (bsc#1234693). - commit 6767706 - net: hns3: don't auto enable misc vector (CVE-2025-21651 bsc#1236145). - gve: guard XSK operations on the existence of queues (CVE-2024-57933 bsc#1236178). - gve: guard XDP xmit NDO on existence of xdp queues (CVE-2024-57932 bsc#1236190). - commit 4cf5801 - mm: memory-failure: remove unneeded PageHuge() check (git-fixes). - commit 7ff9700 - powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531). - commit 7a7f1e1 - mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu (git-fixes). - commit 25daa9d - mm/memory-failure: fix crash in split_huge_page_to_list from soft_offline_page (git-fixes). - commit 044809f - memory-failure: use a folio in me_huge_page() (git-fixes). - commit a51c830 - mm/memory-failure: cast index to loff_t before shifting it (git-fixes). - commit 4552d04 - mm/memory-failure: check the mapcount of the precise page (git-fixes). - commit 08d463b - mm/memory-failure: pass the folio and the page to collect_procs() (git-fixes). - commit e29780e - mm: convert DAX lock/unlock page to lock/unlock folio (git-fixes). - commit 4b2c66d - mm: memory-failure: fix potential page refcnt leak in memory_failure() (git-fixes). - commit 2df790d - mm: memory-failure: fix race window when trying to get hugetlb folio (git-fixes). - commit fdf1377 - mm: memory-failure: fetch compound head after extra page refcnt is held (git-fixes). - commit dea0e54 - mm: memory-failure: ensure moving HWPoison flag to the raw error pages (git-fixes). - commit 8250e5e - mm/migrate: make migrate_pages_batch() stats consistent (git-fixes). Refreshed: patches.suse/mm-migrate-fix-deadlock-in-migrate_pages_batch-on-la.patch - commit 69ecdc4 - s390/cio: rename bitmap_size() -&gt; idset_bitmap_size() (git-fixes bsc#1236205). - commit 07eeeda - s390/vfio-ap: Remove gmap_convert_to_secure() from vfio_ap_ops (git-fixes bsc#1236203). - commit 950d01b - s390/iucv: fix receive buffer virtual vs physical address confusion (git-fixes bsc#1236200). - commit 976f377 - s390/smp,mcck: fix early IPI handling (git-fixes bsc#1236199). - commit 686f749 - KVM: x86: Play nice with protected guests in complete_hypercall_exit() (CVE-2024-55881 bsc#1235745). - commit 4bd067f - netfilter: ipset: Hold module reference while requesting a module (CVE-2024-56637 bsc#1235523) - commit 53ff17c - btrfs: fix use-after-free when COWing tree bock and tracing is enabled (bsc#1235645 CVE-2024-56759). - btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount (bsc#1235965 CVE-2024-57896). - btrfs: rename and export __btrfs_cow_block() (bsc#1235645 CVE-2024-56759). - btrfs: use round_down() to align block offset at btrfs_cow_block() (bsc#1235645 CVE-2024-56759). - btrfs: remove noinline attribute from btrfs_cow_block() (bsc#1235645 CVE-2024-56759). - commit 503809f - geneve: do not assume mac header is set in geneve_xmit_skb() (CVE-2024-56636 bsc#1235520) - commit 3073d9c - net: avoid potential UAF in default_operstate() (CVE-2024-56635 bsc#1235519) - commit 37cf286 - dm array: fix releasing a faulty array block twice in dm_array_cursor_end (bsc#1236096, CVE-2024-57929). - commit 38c0041 - net: lapb: increase LAPB_HEADER_LEN (CVE-2024-56659 bsc#1235439) - commit e4681a0 - net: enetc: Do not configure preemptible TCs if SIs do not support (CVE-2024-56649 bsc#1235449) - commit 4181889 - smb: Initialize cfid-&gt;tcon before performing network ops (CVE-2024-56729 bsc#1235503) - commit fd558fd - mm/migrate: fix kernel BUG at mm/compaction.c:2761! (git-fixes). Refreshed: patches.suse/mm-migrate-fix-deadlock-in-migrate_pages_batch-on-la.patch - commit 7d17ae8 - series.conf: temporarily disable upstream patch patches.suse/ocfs2-fix-UBSAN-warning-in-ocfs2_verify_volume.patch (bsc#1236138) - commit 9179570 - mm/migrate: putback split folios when numa hint migration fails (git-fixes). - commit 0acef71 - vmscan,migrate: fix page count imbalance on node stats when demoting pages (git-fixes). - commit 4d259d3 - memory tiering: count PGPROMOTE_SUCCESS when mem tiering is enabled (git-fixes). - commit 86638ef - mm/migrate: fix deadlock in migrate_pages_batch() on large folios (git-fixes). - commit a0d118b - mm/migrate: split source folio if it is on deferred split list (git-fixes). - commit 0fa5f5f - mm/migrate: correct nr_failed in migrate_pages_sync() (git-fixes). - commit 3743659 - mm,page_owner: don't remove __GFP_NOLOCKDEP in add_stack_record_to_list (git-fixes). - commit 26a8c23 - mm/page_owner: remove free_ts from page_owner output (git-fixes). - commit dfa6a27 - stackdepot: respect __GFP_NOLOCKDEP allocation flag (git-fixes). - commit a04bd5d - stackdepot: rename pool_index to pool_index_plus_1 (git-fixes). - commit ff2e445 - lib/stackdepot: print disabled message only if truly disabled (git-fixes). - commit cfe7741 - RDMA/bnxt_re: Fix max SGEs for the Work Request (git-fixes) - commit 7879380 - RDMA/bnxt_re: Fix MSN table size for variable wqe mode (git-fixes) - commit fe21e4e - RDMA/bnxt_re: Add send queue size check for variable wqe (git-fixes) - commit 3178b0e - RDMA/bnxt_re: Fix the max WQEs used in Static WQE mode (git-fixes) - commit eeedd44 - RDMA/bnxt_re: Fix the max WQE size for static WQE support (git-fixes) - commit a1e1198 - mm/memory_hotplug: use pfn math in place of direct struct page manipulation (git-fixes). - commit 120d675 - mm/memory_hotplug: add missing mem_hotplug_lock (git-fixes). - commit 86cb612 - mm/memory_hotplug: fix error handling in add_memory_resource() (git-fixes). - commit 3ebdf6a - mm/memory_hotplug: prevent accessing by index=-1 (git-fixes). - commit c68beb1 - RDMA/bnxt_re: Add support for Variable WQE in Genp7 adapters (git-fixes) Refresh patches: - patches.suse/RDMA-bnxt_re-Disable-use-of-reserved-wqes.patch - patches.suse/RDMA-bnxt_re-Fix-the-max-CQ-WQEs-for-older-adapters.patch - commit c3e9f58 - RDMA/bnxt_re: Allow MSN table capability check (git-fixes) Refresh patches: - patches.suse/RDMA-bnxt_re-Fix-the-GID-table-length.patch - patches.suse/RDMA-bnxt_re-Remove-always-true-dattr-validity-check.patch - commit 1ac774c - RDMA/hns: Remove unused parameters and variables (git-fixes) Refresh patches.suse/RDMA-hns-Fix-mapping-error-of-zero-hop-WQE-buffer.patch - commit ad435f0 - RDMA/hns: Refactor mtr find (git-fixes) Refresh patches.suse/RDMA-hns-Use-macro-instead-of-magic-number.patch - commit de53bbe - bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx (CVE-2024-53091 bsc#1233638). - commit 313e9b6 - ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv (bsc#1235964 CVE-2024-57892). - ocfs2: correct return value of ocfs2_local_free_info() (bsc#1235964 CVE-2024-57892). - commit d27bf4b - Revert &quot;mtd: spi-nor: core: replace dummy buswidth from addr to data&quot; (git-fixes). - hwmon: (tmp513) Fix division of negative numbers (git-fixes). - gpio: xilinx: Convert gpio_lock to raw spinlock (git-fixes). - i2c: rcar: fix NACK handling when being a target (git-fixes). - i2c: mux: demux-pinctrl: check initial mux selection, too (git-fixes). - i2c: core: fix reference leak in i2c_register_adapter() (git-fixes). - USB: serial: option: add Neoway N723-EA support (stable-fixes). - USB: serial: option: add MeiG Smart SRM815 (stable-fixes). - USB: serial: cp210x: add Phoenix Contact UPS Device (stable-fixes). - usb-storage: Add max sectors quirk for Nokia 208 (stable-fixes). - ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] (stable-fixes). - ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] (stable-fixes). - drm/amd/display: Add check for granularity in dml ceil/floor helpers (stable-fixes). - drm/amd/display: increase MAX_SURFACES to the value supported by hw (stable-fixes). - ASoC: mediatek: disable buffer pre-allocation (stable-fixes). - ASoC: rt722: add delay time to wait for the calibration procedure (stable-fixes). - commit 356d535 - KVM: arm64: Get rid of userspace_irqchip_in_use (CVE-2024-53195 bsc#1234957). - commit 9fc6672 - cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU (bsc#1235429 CVE-2024-56617). - commit 9e688fc - s390/entry: Mark IRQ entries to fix stack depot warnings (CVE-2024-57838 bsc#1235798). - commit 17604ac - KVM: arm64: Don't retire aborted MMIO instruction (CVE-2024-53196 bsc#1234906). - commit 8dbc3ed - xen: Fix the issue of resource not being properly released in xenbus_dev_probe() (CVE-2024-53198 bsc#1234923). - commit aeb4569 - Refresh patches.suse/x86-xen-don-t-do-PV-iret-hypercall-through-hypercall.patch. - commit 745fddd - x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 (git-fixes). - commit cbe946f - drm/v3d: Ensure job pointer is set to NULL after job completion (git-fixes). - drm/vmwgfx: Add new keep_resv BO param (git-fixes). - selftests: mptcp: avoid spurious errors on disconnect (git-fixes). - commit 5e7e8a8 - ftrace: Fix regression with module command in stack_trace_filter (CVE-2024-56569 bsc#1235031). - commit fe237c2 - Move upstreamed DRM patch into sorted section - commit 9ec91cd - scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs (CVE-2024-57804 bsc#1235779). - block: fix uaf for flush rq while iterating tags (CVE-2024-53170 bsc#1234888). - scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() (CVE-2024-56747 bsc#1234934). - scsi: bfa: Fix use-after-free in bfad_im_module_exit() (CVE-2024-53227 bsc#1235011). - scsi: hisi_sas: Create all dump files during debugfs initialization (CVE-2024-56588 bsc#1235123). - commit 2865882 - RDMA/siw: Remove direct link to net_device (bsc#1235946 CVE-2024-57857) - commit c33e2ed - RDMA/rxe: Remove the direct link to net_device (bsc#1235906 CVE-2024-57795) - commit 03de29b - net/mlx5e: Skip restore TC rules for vport rep without loaded flag (CVE-2024-57801 bsc#1235940). - commit 2c1c8f0 - tpm: Map the ACPI provided event log (bsc#1233260 bsc#1233259 bsc#1232421). - commit dfc801e - Drop downstream TPM fix patch (bsc#1233260 bsc#1233259 bsc#1232421) Deleted (to be replaced with the newer upstream fix): patches.suse/tpm-eventlog-Limit-memory-allocations-for-event-logs.patch - commit 39b3b52 - ALSA: hda/realtek: Add support for Galaxy Book2 Pro (NP950XEE) (stable-fixes). - Refresh patches.suse/ALSA-hda-realtek-Add-support-for-Samsung-Galaxy-Book.patch. - commit 231fb10 - ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD audio (stable-fixes). - commit 4039f17 - bpf: fix recursive lock when verdict program return SK_PASS (CVE-2024-56694 bsc#1235412) - commit 19cb085 - bpf: fix OOB devmap writes when deleting elements (CVE-2024-56615 bsc#1235426) - commit 2f8d474 - xsk: fix OOB map writes when deleting elements (CVE-2024-56614 bsc#1235424) - commit 5188b69 - mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM (CVE-2024-56611 bsc#1235391) - commit 2731a92 - netdevsim: prevent bad user input in nsim_dev_health_break_write() (bsc#1235587 CVE-2024-56716). - commit 28d54d6 - bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors (bsc#1235555 CVE-2024-56675). - commit 403c5dd - xsk: Free skb when TX metadata options are invalid (bsc#1235000 CVE-2024-53236). - commit 7d68164 - ipc: fix memleak if msg_init_ns failed in create_ipc_ns (bsc#1234893 CVE-2024-53175). - commit 5f77971 - i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request (CVE-2024-45828 bsc#1235705) - commit 6a03a5a - ceph: give up on paths longer than PATH_MAX (CVE-2024-53685 bsc#1235720) - commit cd5b8ed - btrfs: add a sanity check for btrfs root in btrfs_search_slot() (CVE-2024-56774 bsc#1235653). - commit cd76b1a - bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again (CVE-2024-48881 bsc#1235727) - commit 5c5ddcb - net/smc: check return value of sock_recvmsg when draining clc data (CVE-2024-57791 bsc#1235759). - commit a343ecd - scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb() (CVE-2024-56748 bsc#1235627) - commit 75f84ca - scsi: ufs: core: sysfs: Prevent div by zero (CVE-2024-56622 bsc#1235251) - commit 8bc4baa - cpufreq: intel_pstate: Check turbo_is_disabled() in store_no_turbo() (bsc#1234619). - commit f5b59a5 - cpufreq: intel_pstate: Fix unchecked HWP MSR access (bsc#1234619). - commit df6b669 - cpufreq: intel_pstate: Update the maximum CPU frequency consistently (bsc#1234619). - commit 110e6ef - cpufreq: intel_pstate: Replace three global.turbo_disabled checks (bsc#1234619). - commit 0ad4ebe - cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE() (bsc#1234619). - Refresh patches.suse/cpufreq-intel_pstate-Ramp-up-frequency-faster-when-u.patch. - Refresh patches.suse/cpufreq-intel_pstate-Temporarily-boost-P-state-when-.patch. - commit 1c8960e - cpufreq: intel_pstate: Rearrange show_no_turbo() and store_no_turbo() (bsc#1234619). - commit 9383d66 - scsi: ufs: qcom: Only free platform MSIs when ESI is enabled (CVE-2024-56620 bsc#1235227) - commit 00c6f8f - cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization (bsc#1234619). - Refresh patches.suse/cpufreq-intel_pstate-Ramp-up-frequency-faster-when-u.patch. - commit 536c9fc - cpufreq: intel_pstate: Refine computation of P-state for given frequency (bsc#1234619). - commit 8135bb3 - cpufreq: intel_pstate: Revise global turbo disable check (bsc#1234619). - commit 4089ec6 - Drop uvcvideo fix due to regression (bsc#1235894) - Delete patches.suse/media-uvcvideo-Require-entities-to-have-a-non-zero-u.patch. - blacklist.conf update - commit 90c0ac7 - virt: tdx-guest: Just leak decrypted memory on unrecoverable errors (CVE-2024-57793 bsc#1235768). - commit 0fbd2e1 - cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller (bsc#1234619). - commit 430dfdb - cpufreq: intel_pstate: Use __ro_after_init for three variables (bsc#1234619). - commit e421ce1 - cpufreq: intel_pstate: Get rid of unnecessary READ_ONCE() annotations (bsc#1234619). - commit 682d75a - cpufreq: intel_pstate: Wait for canceled delayed work to complete (bsc#1234619). - commit a725954 - cpufreq: intel_pstate: Simplify spinlock locking (bsc#1234619). - commit 6583c13 - cpufreq: intel_pstate: Drop redundant locking from intel_pstate_driver_cleanup() (bsc#1234619). - commit e58d8d7 - Revert 'arm64: Kconfig: Make SME depend on BROKEN for now' This reverts commit 2ccfee6be929dd4ea49ef59a7ae686473aae40b6 CONFIG_ARM64_SME is enabled by default so some customers may rely on SME. We need further analysis to evaluate to what extent we are impacted and in case we'll disable SME support later. - commit f83551c - PCI: imx6: Fix suspend/resume support on i.MX6QDL (CVE-2024-57809 bsc#1235793). - commit 11fd956 - net: tun: fix tun_napi_alloc_frags() (CVE-2024-56372 bsc#1235753). - net: renesas: rswitch: avoid use-after-put for a device tree node (CVE-2024-55639 bsc#1235737). - commit 0d5db72 - mm: prevent derefencing NULL ptr in pfn_section_valid() (git-fixes). - commit 6f62e94 - mm, kmsan: fix infinite recursion due to RCU critical section (git-fixes). - commit 509127e - mm/sparsemem: fix race in accessing memory_section-&gt;usage (bsc#1221326 CVE-2023-52489). - commit 13000fd - scsi: hisi_sas: Add cond_resched() for no forced preemption model (CVE-2024-56589 bsc#1235241) - commit a1ef870 - arm64: Kconfig: Make SME depend on BROKEN for now (git-fixes). - commit 2ccfee6 - arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL (git-fixes). - commit 834d2d0 - arm64: dts: rockchip: add hevc power domain clock to rk3328 (git-fixes). - commit 7aa2931 - Update patches.suse/ALSA-6fire-Release-resources-at-card-release.patch (git-fixes CVE-2024-53239 bsc#1235054). - Update patches.suse/ALSA-caiaq-Use-snd_card_free_when_closed-at-disconne.patch (git-fixes CVE-2024-56531 bsc#1235057). - Update patches.suse/ALSA-us122l-Use-snd_card_free_when_closed-at-disconn.patch (git-fixes CVE-2024-56532 bsc#1235059). - Update patches.suse/ALSA-usb-audio-Fix-potential-out-of-bound-accesses-f.patch (git-fixes CVE-2024-53197 bsc#1235464). - Update patches.suse/ALSA-usx2y-Use-snd_card_free_when_closed-at-disconne.patch (git-fixes CVE-2024-56533 bsc#1235053). - Update patches.suse/Bluetooth-hci_core-Fix-not-checking-skb-length-on-hc.patch (stable-fixes CVE-2024-56590 bsc#1235038). - Update patches.suse/Bluetooth-hci_event-Fix-using-rcu_read_-un-lock-whil.patch (git-fixes CVE-2024-56654 bsc#1235532). - Update patches.suse/HID-wacom-fix-when-get-product-name-maybe-null-point.patch (git-fixes CVE-2024-56629 bsc#1235473). - Update patches.suse/NFSv3-only-use-NFS-timeout-for-MOUNT-when-protocols-.patch (bsc#1231016 CVE-2024-50106 bsc#1232882). - Update patches.suse/PCI-Fix-reset_method_store-memory-leak.patch (git-fixes CVE-2024-56745 bsc#1235563). - Update patches.suse/PCI-Fix-use-after-free-of-slot-bus-on-hot-remove.patch (stable-fixes CVE-2024-53194 bsc#1235459). - Update patches.suse/PCI-MSI-Handle-lack-of-irqdomain-gracefully.patch (git-fixes CVE-2024-56760 bsc#1235616). - Update patches.suse/RDMA-hns-Fix-cpu-stuck-caused-by-printings-during-re.patch (git-fixes CVE-2024-56722 bsc#1235570). - Update patches.suse/acpi-nfit-vmalloc-out-of-bounds-Read-in-acpi_nfit_ct.patch (git-fixes CVE-2024-56662 bsc#1235533). - Update patches.suse/af_packet-avoid-erroring-out-after-sock_init_data-in.patch (CVE-2024-56606 bsc#123541 bsc#1235417). - Update patches.suse/apparmor-test-Fix-memory-leak-for-aa_unpack_strdup.patch (git-fixes CVE-2024-56741 bsc#1235502). - Update patches.suse/blk-cgroup-Fix-UAF-in-blkcg_unpin_online.patch (bsc#1234726 CVE-2024-56672 bsc#1235534). - Update patches.suse/can-dev-can_set_termination-allow-sleeping-GPIOs.patch (git-fixes CVE-2024-56625 bsc#1235223). - Update patches.suse/can-hi311x-hi3110_can_ist-fix-potential-use-after-fr.patch (git-fixes CVE-2024-56651 bsc#1235528). - Update patches.suse/crypto-bcm-add-error-check-in-the-ahash_hmac_init-fu.patch (git-fixes CVE-2024-56681 bsc#1235557). - Update patches.suse/crypto-pcrypt-Call-crypto-layer-directly-when-padata.patch (git-fixes CVE-2024-56690 bsc#1235428). - Update patches.suse/dlm-fix-possible-lkb_resource-null-dereference.patch (git-fixes CVE-2024-47809 bsc#1235714). - Update patches.suse/dma-debug-fix-a-possible-deadlock-on-radix_lock.patch (stable-fixes CVE-2024-47143 bsc#1235710). - Update patches.suse/dmaengine-at_xdmac-avoid-null_prt_deref-in-at_xdmac_.patch (git-fixes CVE-2024-56767 bsc#1235160). - Update patches.suse/drivers-soc-xilinx-add-the-missing-kfree-in-xlnx_add.patch (git-fixes CVE-2024-56546 bsc#1235070). - Update patches.suse/drm-amdgpu-don-t-access-invalid-sched.patch (git-fixes CVE-2024-46896 bsc#1235707). - Update patches.suse/drm-amdgpu-set-the-right-AMDGPU-sg-segment-limitatio.patch (stable-fixes CVE-2024-56594 bsc#1235413). - Update patches.suse/drm-dp_mst-Fix-MST-sideband-message-body-length-chec.patch (stable-fixes CVE-2024-56616 bsc#1235427). - Update patches.suse/drm-modes-Avoid-divide-by-zero-harder-in-drm_mode_vr.patch (stable-fixes CVE-2024-56369 bsc#1235750). - Update patches.suse/drm-sti-avoid-potential-dereference-of-error-pointer-831214f.patch (git-fixes CVE-2024-56776 bsc#1235647). - Update patches.suse/drm-sti-avoid-potential-dereference-of-error-pointer-e965e77.patch (git-fixes CVE-2024-56777 bsc#1235641). - Update patches.suse/drm-sti-avoid-potential-dereference-of-error-pointer.patch (git-fixes CVE-2024-56778 bsc#1235635). - Update patches.suse/drm-vc4-hdmi-Avoid-hang-with-debug-registers-when-su.patch (git-fixes CVE-2024-56683 bsc#1235497). - Update patches.suse/drm-zynqmp_kms-Unplug-DRM-device-before-removal.patch (git-fixes CVE-2024-56538 bsc#1235051). - Update patches.suse/efi-libstub-Free-correct-pointer-on-failure.patch (git-fixes CVE-2024-56573 bsc#1235042). - Update patches.suse/fbdev-sh7760fb-Fix-a-possible-memory-leak-in-sh7760f.patch (git-fixes CVE-2024-56746 bsc#1235622). - Update patches.suse/gpio-grgpio-Add-NULL-check-in-grgpio_probe.patch (git-fixes CVE-2024-56634 bsc#1235486). - Update patches.suse/hfsplus-don-t-query-the-device-logical-block-size-multiple-times.patch (git-fixes CVE-2024-56548 bsc#1235073). - Update patches.suse/igb-Fix-potential-invalid-memory-access-in-igb_init_.patch (git-fixes CVE-2024-52332 bsc#1235700). - Update patches.suse/iio-adc-ad7923-Fix-buffer-overflow-for-tx_buf-and-ri.patch (git-fixes CVE-2024-56557 bsc#1235122). - Update patches.suse/io_uring-check-if-iowq-is-killed-before-queuing.patch (git-fixes CVE-2024-56709 bsc#1235552). - Update patches.suse/io_uring-tctx-work-around-xa_store-allocation-error-.patch (git-fixes CVE-2024-56584 bsc#1235117). - Update patches.suse/jfs-add-a-check-to-prevent-array-index-out-of-bounds-in-dbAdjTree.patch (git-fixes CVE-2024-56595 bsc#1235410). - Update patches.suse/jfs-array-index-out-of-bounds-fix-in-dtReadFirst.patch (git-fixes CVE-2024-56598 bsc#1235220). - Update patches.suse/jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch (git-fixes CVE-2024-56596 bsc#1235458). - Update patches.suse/jfs-fix-shift-out-of-bounds-in-dbSplit.patch (git-fixes CVE-2024-56597 bsc#1235222). - Update patches.suse/leds-class-Protect-brightness_show-with-led_cdev-led.patch (stable-fixes CVE-2024-56587 bsc#1235125). - Update patches.suse/media-atomisp-Add-check-for-rgby_data-memory-allocat.patch (git-fixes CVE-2024-56705 bsc#1235568). - Update patches.suse/media-dvb-frontends-dib3000mb-fix-uninit-value-in-di.patch (git-fixes CVE-2024-56769 bsc#1235155). - Update patches.suse/media-imx-jpeg-Ensure-power-suppliers-be-suspended-b.patch (git-fixes CVE-2024-56575 bsc#1235039). - Update patches.suse/media-imx-jpeg-Set-video-drvdata-before-register-vid.patch (git-fixes CVE-2024-56578 bsc#1235115). - Update patches.suse/media-mtk-jpeg-Fix-null-ptr-deref-during-unload-modu.patch (git-fixes CVE-2024-56577 bsc#1235112). - Update patches.suse/media-platform-allegro-dvt-Fix-possible-memory-leak-.patch (git-fixes CVE-2024-56572 bsc#1235043). - Update patches.suse/media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch (git-fixes CVE-2024-56574 bsc#1235040). - Update patches.suse/media-uvcvideo-Require-entities-to-have-a-non-zero-u.patch (git-fixes CVE-2024-56571 bsc#1235037). - Update patches.suse/media-wl128x-Fix-atomicity-violation-in-fmc_send_cmd.patch (git-fixes CVE-2024-56700 bsc#1235500). - Update patches.suse/mfd-intel_soc_pmic_bxtwc-Use-IRQ-domain-for-PMIC-dev.patch (git-fixes CVE-2024-56723 bsc#1235571). - Update patches.suse/mfd-intel_soc_pmic_bxtwc-Use-IRQ-domain-for-TMU-devi.patch (git-fixes CVE-2024-56724 bsc#1235577). - Update patches.suse/mfd-intel_soc_pmic_bxtwc-Use-IRQ-domain-for-USB-Type.patch (git-fixes CVE-2024-56691 bsc#1235425). - Update patches.suse/msft-hv-3095-Drivers-hv-util-Avoid-accessing-a-ringbuffer-not-ini.patch (git-fixes CVE-2024-55916 bsc#1235747). - Update patches.suse/mtd-rawnand-fix-double-free-in-atmel_pmecc_create_us.patch (git-fixes CVE-2024-56766 bsc#1235219). - Update patches.suse/net-ipv6-release-expired-exception-dst-cached-in-soc.patch (bsc#1216813 CVE-2024-56644 bsc#1235133). - Update patches.suse/nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch (git-fixes CVE-2024-56779 bsc#1235632). - Update patches.suse/nfsd-make-sure-exp-active-before-svc_export_show.patch (git-fixes CVE-2024-56558 bsc#1235100). - Update patches.suse/nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch (git-fixes CVE-2024-56619 bsc#1235224). - Update patches.suse/nvme-apple-fix-device-reference-counting.patch (git-fixes CVE-2024-43913 bsc#1229833). - Update patches.suse/nvme-rdma-unquiesce-admin_q-before-destroy-it.patch (git-fixes CVE-2024-49569 bsc#1235730). - Update patches.suse/nvme-tcp-fix-the-memleak-while-create-new-ctrl-faile.patch (git-fixes CVE-2024-56632 bsc#1235483). - Update patches.suse/ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch (git-fixes CVE-2024-56630 bsc#1235479). - Update patches.suse/pinmux-Use-sequential-access-to-access-desc-pinmux-d.patch (stable-fixes CVE-2024-47141 bsc#1235708). - Update patches.suse/power-supply-gpio-charger-Fix-set-charge-current-lim.patch (git-fixes CVE-2024-57792 bsc#1235764). - Update patches.suse/powerpc-fadump-Move-fadump_cma_init-to-setup_arch-af.patch (bsc#1215199 CVE-2024-56677 bsc#1235494). - Update patches.suse/powerpc-mm-fault-Fix-kfence-page-fault-reporting.patch (bsc#1194869 CVE-2024-56678 bsc#1235495). - Update patches.suse/powerpc-pseries-Fix-dtl_access_lock-to-be-a-rw_semap.patch (bsc#1194869 CVE-2024-56701 bsc#1235496). - Update patches.suse/quota-flush-quota_release_work-upon-quota-writeback.patch (bsc#1234195 CVE-2024-56780 bsc#1235650). - Update patches.suse/rtc-check-if-__rtc_read_time-was-successful-in-rtc_t.patch (git-fixes CVE-2024-56739 bsc#1235611). - Update patches.suse/scsi-qla2xxx-Fix-use-after-free-on-unload.patch (bsc#1235406 CVE-2024-56623 bsc#1235466). - Update patches.suse/smb-client-fix-TCP-timers-deadlock-after-rmmod.patch (CVE-2024-53095 bsc#1233642 CVE-2024-54680 bsc#1235723). - Update patches.suse/soc-imx8m-Probe-the-SoC-driver-as-platform-driver.patch (stable-fixes CVE-2024-56787 bsc#1235663). - Update patches.suse/spi-mpc52xx-Add-cancel_work_sync-before-module-remov.patch (git-fixes CVE-2024-50051 bsc#1235739). - Update patches.suse/sunrpc-clear-XPRT_SOCK_UPD_TIMEOUT-when-reset-transport.patch (git-fixes CVE-2024-56688 bsc#1235538). - Update patches.suse/sunrpc-fix-one-UAF-issue-caused-by-sunrpc-kernel-tcp.patch (git-fixes CVE-2024-53168 bsc#1234887). - Update patches.suse/tipc-fix-NULL-deref-in-cleanup_bearer.patch (CVE-2024-56642 bsc#1235433 CVE-2024-56661 bsc#1234931). - Update patches.suse/unicode-Fix-utf8_load-error-path.patch (git-fixes CVE-2024-53233 bsc#1235046). - Update patches.suse/usb-dwc3-gadget-Fix-looping-of-queued-SG-entries.patch (git-fixes CVE-2024-56698 bsc#1235491). - Update patches.suse/usb-gadget-u_serial-Fix-the-issue-that-gs_start_io-c.patch (git-fixes CVE-2024-56670 bsc#1235488). - Update patches.suse/usb-musb-Fix-hardware-lockup-on-first-Rx-endpoint-re.patch (git-fixes CVE-2024-56687 bsc#1235537). - Update patches.suse/wifi-ath12k-Skip-Rx-TID-cleanup-for-self-peer.patch (git-fixes CVE-2024-56543 bsc#1235065). - Update patches.suse/wifi-ath12k-fix-atomic-calls-in-ath12k_mac_op_set_bi.patch (stable-fixes CVE-2024-56607 bsc#1235423). - Update patches.suse/wifi-brcmfmac-Fix-oops-due-to-NULL-pointer-dereferen.patch (stable-fixes CVE-2024-56593 bsc#1235252). - Update patches.suse/wifi-nl80211-fix-NL80211_ATTR_MLO_LINK_ID-off-by-one.patch (git-fixes CVE-2024-56663 bsc#1235454). - Update patches.suse/wifi-rtw88-use-ieee80211_purge_tx_queue-to-purge-TX-.patch (stable-fixes CVE-2024-56609 bsc#1235389). - Update patches.suse/wifi-rtw89-check-return-value-of-ieee80211_probereq_.patch (stable-fixes CVE-2024-48873 bsc#1235716). - commit 8258b9d - Move upstreamed NFS patch into sorted section - commit b16f043 - net: dsa: improve shutdown sequence (CVE-2024-49998 bsc#1232087). - commit 4c71ee1 - smb: client: fix OOBs when building SMB2_IOCTL request (bsc#1233055, CVE-2024-50151). - commit 6434503 - KVM: SVM: Allow guest writes to set MSR_AMD64_DE_CFG bits (bsc#1234635). - commit e5c720c - KVM: s390: Reject KVM_SET_GSI_ROUTING on ucontrol VMs (git-fixes bsc#1235776). - KVM: s390: Reject setting flic pfault attributes on ucontrol VMs (git-fixes bsc#1235777). - KVM: s390: vsie: fix virtual/physical address in unpin_scb() (git-fixes bsc#1235778). - iommu/s390: Implement blocking domain (CVE-2024-53232 bsc#1235050). - commit aa0d65c - mm/swapfile: skip HugeTLB pages for unuse_vma (CVE-2024-50199 bsc#1233112). - commit 57bc3bb - exfat: fix the infinite loop in __exfat_free_cluster() (git-fixes). - commit f091e41 - exfat: fix the infinite loop in exfat_readdir() (git-fixes). - commit 3298782 - dlm: fix possible lkb_resource null dereference (git-fixes). - commit f2b8780 - Bluetooth: MGMT: Fix possible crash on mgmt_index_removed (CVE-2024-49951 bsc#1232158). - commit 8b8b4db - afs: Fix the maximum cell name length (git-fixes). - commit 77a0ae0 - drm/amd/display: Fix handling of plane refcount (bsc#1235657 CVE-2024-56775) - commit b028260 - misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config (git-fixes). - misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling (git-fixes). - commit 5eb3001 - iio: inkern: call iio_device_put() only on mapped devices (git-fixes). - iio: adc: at91: call input_free_device() on allocated iio_dev (git-fixes). - iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() (git-fixes). - iio: pressure: zpa2326: fix information leak in triggered buffer (git-fixes). - iio: adc: rockchip_saradc: fix information leak in triggered buffer (git-fixes). - iio: imu: kmx61: fix information leak in triggered buffer (git-fixes). - iio: light: vcnl4035: fix information leak in triggered buffer (git-fixes). - iio: adc: ti-ads8688: fix information leak in triggered buffer (git-fixes). - iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer (git-fixes). - iio: gyro: fxas21002c: Fix missing data update in trigger handler (git-fixes). - iio: test : check null return of kunit_kmalloc in iio_rescale_test_scale (git-fixes). - iio: adc: ad7124: Disable all channels at probe time (git-fixes). - staging: iio: ad9832: Correct phase range check (git-fixes). - staging: iio: ad9834: Correct phase range check (git-fixes). - usb: gadget: f_fs: Remove WARN_ON in functionfs_bind (git-fixes). - USB: core: Disable LPM only for non-suspended ports (git-fixes). - usb: fix reference leak in usb_new_device() (git-fixes). - usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null (git-fixes). - usb: gadget: configfs: Ignore trailing LF for user strings to cdev (git-fixes). - USB: usblp: return error when setting unsupported protocol (git-fixes). - usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints (git-fixes). - usb: typec: tcpm/tcpci_maxim: fix error code in max_contaminant_read_resistance_kohm() (git-fixes). - usb: dwc3-am62: Disable autosuspend during remove (git-fixes). - usb: dwc3: gadget: fix writing NYET threshold (git-fixes). - commit 04c952e - tty: serial: 8250: Fix another runtime PM usage counter underflow (git-fixes). - commit 1e248c9 - hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur (git-fixes). - commit b04cc0b - thermal: of: fix OF node leak in of_thermal_zone_find() (git-fixes). - drm/mediatek: Add return value check when reading DPCD (git-fixes). - drm/mediatek: mtk_dsi: Add registers to pdata to fix MT8186/MT8188 (git-fixes). - drm/mediatek: Fix mode valid issue for dp (git-fixes). - drm/mediatek: Fix YCbCr422 color format issue for DP (git-fixes). - drm/mediatek: stop selecting foreign drivers (git-fixes). - drm/mediatek: Add support for 180-degree rotation in the display driver (git-fixes). - drm/mediatek: Set private-&gt;all_drm_private[i]-&gt;drm to NULL if mtk_drm_bind returns err (git-fixes). - drm/amdkfd: fixed page fault when enable MES shader debugger (git-fixes). - platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it (git-fixes). - commit 4e3d452 - Update patches.suse/tipc-fix-NULL-deref-in-cleanup_bearer.patch (CVE-2024-56642 bsc#1235433). - commit 6f4f559 - Disable ceph (jsc#PED-7242) - commit 0dd7856 - bpf, sockmap: Fix race between element replace and close() (CVE-2024-56664 bsc#1235249). - commit 81511fb - platform/x86/intel/tpmi: Add defines to get version information (bsc#1225897). - commit 00f1af2 - s390x config: IOMMU_DEFAULT_DMA_LAZY=y (bsc#1235646) - commit 4e210b3 - tipc: fix NULL deref in cleanup_bearer() (bsc#1235433). - commit e9be640 - platform/x86/intel-uncore-freq: Ignore minor version change (bsc#1225897). - commit 33349ec - udmabuf: fix memory leak on last export_udmabuf() error path (CVE-2024-56712 bsc#1235565). - commit bbc81b4 - modpost: fix the missed iteration for the max bit in do_input() (git-fixes). - net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init() (git-fixes). - net: wwan: t7xx: Fix FSM command timeout issue (git-fixes). - thunderbolt: Add support for Intel Panther Lake-M/P (stable-fixes). - sound: usb: format: don't warn that raw DSD is unsupported (stable-fixes). - sound: usb: enable DSD output for ddHiFi TC44C (stable-fixes). - net: usb: qmi_wwan: add Telit FE910C04 compositions (stable-fixes). - wifi: mac80211: wake the queues in case of failure in resume (stable-fixes). - wifi: mac80211: fix mbss changed flags corruption on 32 bit systems (stable-fixes). - watchdog: rzg2l_wdt: Power on the watchdog domain in the restart handler (stable-fixes). - wifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask() (stable-fixes). - wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb (stable-fixes). - wifi: mac80211: export ieee80211_purge_tx_queue() for drivers (stable-fixes). - wifi: mac80211: Add non-atomic station iterator (stable-fixes). - watchdog: rzg2l_wdt: Rely on the reset driver for doing proper reset (stable-fixes). - watchdog: rzg2l_wdt: Remove reset de-assert from probe (stable-fixes). - media: uvcvideo: Force UVC version to 1.0a for 0408:4035 (stable-fixes). - thunderbolt: Add support for Intel Lunar Lake (stable-fixes). - usb: chipidea: add CI_HDRC_FORCE_VBUS_ACTIVE_ALWAYS flag (stable-fixes). - commit c96ed05 - Bluetooth: btnxpuart: Fix driver sending truncated data (git-fixes). - Bluetooth: MGMT: Fix Add Device to responding before completing (git-fixes). - Bluetooth: hci_sync: Fix not setting Random Address when required (git-fixes). - ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() (git-fixes). - irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base (stable-fixes). - drm/amdkfd: Correct the migration DMA map direction (stable-fixes). - ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model (stable-fixes). - ACPI/IORT: Add PMCG platform information for HiSilicon HIP09A (stable-fixes). - drm/amd/display: Fix incorrect DSC recompute trigger (stable-fixes). - i2c: i801: Add support for Intel Panther Lake (stable-fixes). - Bluetooth: btusb: Add new VID/PID 0489/e111 for MT7925 (stable-fixes). - Bluetooth: btusb: mediatek: add callback function in btusb_disconnect (stable-fixes). - docs: media: update location of the media patches (stable-fixes). - cleanup: Adjust scoped_guard() macros to avoid potential warning (stable-fixes). - cleanup: Remove address space of returned pointer (git-fixes). - crypto: ecdsa - Avoid signed integer overflow on signature decoding (stable-fixes). - irqchip/gic-v3: Force propagation of the active state with a read-back (stable-fixes). - ACPI/IORT: Add PMCG platform information for HiSilicon HIP10/11 (stable-fixes). - i2c: i801: Add support for Intel Arrow Lake-H (stable-fixes). - crypto: ecdsa - Use ecc_digits_from_bytes to convert signature (stable-fixes). - drm/amd/display: Fix DSC-re-computing (stable-fixes). - Bluetooth: btusb: add callback function in btusb suspend/resume (stable-fixes). - crypto: ecc - Prevent ecc_digits_from_bytes from reading too many bytes (git-fixes). - Bluetooth: btusb: Add USB HW IDs for MT7921/MT7922/MT7925 (stable-fixes). - crypto: ecdsa - Rename keylen to bufsize where necessary (stable-fixes). - crypto: ecdsa - Convert byte arrays with key coordinates to digits (stable-fixes). - ALSA: ump: Use guard() for locking (stable-fixes). - Bluetooth: btusb: Add new VID/PID 13d3/3602 for MT7925 (stable-fixes). - cleanup: Add conditional guard support (stable-fixes). - i2c: xgene-slimpro: Migrate to use generic PCC shmem related macros (stable-fixes). - ACPI: PCC: Add PCC shared memory region command and status bitfields (stable-fixes). - mailbox: pcc: Support shared interrupt for multiple subspaces (stable-fixes). - mailbox: pcc: Add support for platform notification handling (stable-fixes). - Bluetooth: Add support ITTIM PE50-M75C (stable-fixes). - commit 964672e - scsi: sg: Fix slab-use-after-free read in sg_release() (CVE-2024-56631 bsc#1235480). - commit cb70e79 - Fix CVE reference for patches.suse/af_packet-avoid-erroring-out-after-sock_init_data-in.patch (CVE-2024-56606) - commit f8ce5de - 9p/xen: fix release of IRQ (CVE-2024-56704 bsc#1235584). - commit f0916d2 - net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() (CVE-2024-56602 bsc#1235521). - commit 2d367ac - net: hsr: avoid potential out-of-bound access in fill_frame_info() (CVE-2024-56648 bsc#1235451). - commit 79ce319 - net/mlx5: DR, prevent potential error pointer dereference (CVE-2024-56660 bsc#1235437) - commit 0e2235c - bnxt_en: Fix GSO type for HW GRO packets on 5750X chips (git-fixes) - commit 8448fe4 - bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips (CVE-2024-56656 bsc#1235444) - commit a44ef4d - af_packet: avoid erroring out after sock_init_data() in packet_create() (CVE-2024-5660 bsc#123541) - commit c21a9e5 - smb: client: fix NULL ptr deref in crypto_aead_setkey() (CVE-2024-53185 bsc#1234901) - commit 77b5b00 - net: af_can: do not leave a dangling sk pointer in can_create() (CVE-2024-56603 bsc#1235415) - commit 53bb420 - btrfs: fix use-after-free waiting for encoded read endios (bsc#1235445). - btrfs: fix use-after-free in btrfs_encoded_read_endio() (bsc#1235445). - commit ae44992 - ovl: Filter invalid inodes with missing lookup function (bsc#1235035 CVE-2024-56570). - commit 0cddc7c - ubi: fastmap: Fix duplicate slab cache names while attaching (CVE-2024-53172 bsc#1234898) - commit f996297 - net: sched: fix ordering of qlen adjustment (CVE-2024-53164 bsc#1234863) - commit ac3c374 - tipc: Fix use-after-free of kernel socket in cleanup_bearer() (CVE-2024-56642 bsc#1235433). - commit 644f840 - sctp: properly validate chunk size in sctp_sf_ootb() (CVE-2024-50299 bsc#1233488) - commit 9038d7f - Revert &quot;btrfs: fix use-after-free waiting for encoded read endios (bsc#1235128)&quot; - commit 4296cd8 - Delete XHCI patch for regression (bsc#1235550) Deleted: patches.suse/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch - commit 9b365a6 - Update patches.suse/Bluetooth-L2CAP-do-not-leave-dangling-sk-pointer-on-.patch (stable-fixes CVE-2024-56605 bsc#1235061). - Update patches.suse/can-j1939-j1939_session_new-fix-skb-reference-counti.patch (git-fixes CVE-2024-56645 bsc#1235134). - Update patches.suse/drm-amdgpu-fix-usage-slab-after-free.patch (stable-fixes CVE-2024-56551 bsc#1235075). - commit 3b5652e - idpf: trigger SW interrupt when exiting wb_on_itr mode (bsc#1235507). - idpf: add support for SW triggered interrupts (bsc#1235507). - net: mana: Increase the DEF_RX_BUFFERS_PER_QUEUE to 1024 (bsc#1235246). - idpf: enable WB_ON_ITR (bsc#1235507). - commit 561bd1f - smb: client: fix TCP timers deadlock after rmmod (git-fixes) [hcarvalho: fix issue described in bsc#1233642] - commit 6448f16 - smb: client: Fix use-after-free of network namespace (CVE-2024-53095 bsc#1233642). - commit a29a1bc - smb: client: fix use-after-free of signing key (CVE-2024-53179 bsc#1234921). - commit fb9831c - powerpc/book3s64/hugetlb: Fix disabling hugetlb when fadump is active (bsc#1235108). - commit c2d7be7 - nvmet-loop: avoid using mutex in IO hotpath (git-fixes). - commit c6bd393 - nvme-pci: 512 byte aligned dma pool segment quirk (git-fixes). - commit c9efbed - nvme-rdma: unquiesce admin_q before destroy it (git-fixes). - nvme-tcp: fix the memleak while create new ctrl failed (git-fixes). - nvme/multipath: Fix RCU list traversal to use SRCU primitive (git-fixes). - nvme: fix metadata handling in nvme-passthrough (git-fixes). - nvme: apple: fix device reference counting (git-fixes). - commit d75a9f8 - workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker (bsc#1235416). - commit 1f8402d - btrfs: fix use-after-free waiting for encoded read endios (bsc#1235128) - commit 1c811b2 - scsi: lpfc: Copyright updates for 14.4.0.7 patches (bsc#1235409). - scsi: lpfc: Update lpfc version to 14.4.0.7 (bsc#1235409). - scsi: lpfc: Add support for large fw object application layer reads (bsc#1235409). - scsi: lpfc: Update definition of firmware configuration mbox cmds (bsc#1235409). - scsi: lpfc: Change lpfc_nodelist save_flags member into a bitmask (bsc#1235409). - scsi: lpfc: Add handling for LS_RJT reason explanation authentication required (bsc#1235409). - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (bsc#1235409). - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (bsc#1235409). - scsi: lpfc: Restrict the REG_FCFI MAM field to FCoE adapters only (bsc#1235409). - scsi: lpfc: Redefine incorrect type in lpfc_create_device_data() (bsc#1235409). - commit 9acd44f - btrfs: fix use-after-free in btrfs_encoded_read_endio() (CVE-2024-56582 bsc#1235128) - commit 03199ca - scsi: qla2xxx: Update version to 10.02.09.400-k (bsc#1235406). - scsi: qla2xxx: Supported speed displayed incorrectly for VPorts (bsc#1235406). - scsi: qla2xxx: Fix NVMe and NPIV connect issue (bsc#1235406). - scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt (bsc#1235406). - scsi: qla2xxx: Fix use after free on unload (bsc#1235406). - scsi: qla2xxx: Fix abort in bsg timeout (bsc#1235406). - scsi: qla2xxx: Remove the unused 'del_list_entry' field in struct fc_port (bsc#1235406). - commit 7f98a5d - vfio/pci: Properly hide first-in-list PCIe extended capability (bsc#1235004 CVE-2024-53214). - commit 84c948c - powerpc/pseries/vas: Add close() callback in vas_vm_ops struct (bsc#1234825). - commit 0422117 - wifi: ath10k: avoid NULL pointer error during sdio remove (CVE-2024-56599 bsc#1235138). - commit ee28d42 - xhci: fix possible null pointer deref during xhci urb enqueue (git-fixes). - commit 743e834 - erofs: handle NONHEAD !delta[1] lclusters gracefully (bsc#1235045 CVE-2024-53234). - commit ac75a6e - mm/slub: Avoid list corruption when removing a slab from the full list (CVE-2024-56566 bsc#1235033). - commit fa88fa6 - Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet (git-fixes). - tools: hv: change permissions of NetworkManager configuration file (git-fixes). - x86/hyperv: Fix hv tsc page based sched_clock for hibernation (git-fixes). - commit b596020 - soc: qcom: geni-se: Add M_TX_FIFO_NOT_EMPTY bit definition (git-fixes). - commit 01eee89 - zram: fix NULL pointer in comp_algorithm_show() (bsc#1234974 CVE-2024-53222). - commit ddd5fff - xhci: Add usb cold attach (CAS) as a reason to resume root hub (git-fixes). - commit 585f519 - slub: Replace cmpxchg_double() - KABI fix (bsc#1220773). - commit 3c58884 - Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() (bsc#1235056 CVE-2024-56604). - Bluetooth: Consolidate code around sk_alloc into a helper function (bsc#1235056 CVE-2024-56604). Refresh patches.suse/Bluetooth-SCO-Fix-UAF-on-sco_sock_timeout.patch. - commit 9ad4dd1 - RAS/AMD/ATL: Translate normalized to system physical addresses using PRM (jsc#PED-10467). - commit eb8da28 - ACPI: PRM: Add PRM handler direct call support (jsc#PED-10467). - commit bbc75ff - serial: qcom-geni: introduce qcom_geni_serial_poll_bitfield() (git-fixes). - serial: qcom-geni: fix arg types for qcom_geni_serial_poll_bit() (git-fixes). - soc: qcom: geni-se: add GP_LENGTH/IRQ_EN_SET/IRQ_EN_CLEAR registers (git-fixes). - commit 89e9015 - serial: imx: only set receiver level if it is zero (git-fixes). - serial: stm32: do not always set SER_RS485_RX_DURING_TX if RS485 is enabled (git-fixes). - commit f2c678b - serial: qcom-geni: fix receiver enable (git-fixes). - serial: qcom-geni: fix dma rx cancellation (git-fixes). - serial: qcom-geni: fix shutdown race (git-fixes). - serial: qcom-geni: revert broken hibernation support (git-fixes). - serial: qcom-geni: fix polled console initialisation (git-fixes). - serial: qcom-geni: fix polled console corruption (git-fixes). - serial: qcom-geni: disable interrupts during console writes (git-fixes). - serial: qcom-geni: fix console corruption (git-fixes). - serial: qcom-geni: fix false console tx restart (git-fixes). - serial: qcom-geni: fix fifo polling timeout (git-fixes). - serial: don't use uninitialized value in uart_poll_init() (git-fixes). - serial: qcom-geni: fix hard lockup on buffer flush (git-fixes). - serial: qcom-geni: fix soft lockup on sw flow control and suspend (git-fixes). - serial: imx: set receiver level before starting uart (git-fixes). - serial: 8250_dw: Don't use struct dw8250_data outside of 8250_dw (git-fixes). - Refresh patches.suse/serial-8250_dw-Add-Sophgo-SG2044-quirk.patch. - serial: stm32: Return IRQ_NONE in the ISR if no handling happend (git-fixes). - serial: 8250_dw: Replace ACPI device check by a quirk (git-fixes). - serial: qcom-geni: Don't cancel/abort if we can't get the port lock (git-fixes). - serial: Do not hold the port lock when setting rx-during-tx GPIO (git-fixes). - tty: serial: kgdboc: Fix 8250_* kgdb over serial (git-fixes). - hvc/xen: fix console unplug (git-fixes). - hvc/xen: fix error path in xen_hvc_init() to always register frontend driver (git-fixes). - hvc/xen: fix event channel handling for secondary consoles (git-fixes). - commit 2277c72 - RDMA/rtrs: Ensure 'ib_sge list' is accessible (git-fixes) - commit c3bd473 - RDMA/hns: Fix missing flush CQE for DWQE (git-fixes) - commit a1a14cc - RDMA/hns: Fix warning storm caused by invalid input in IO path (git-fixes) - commit 953ada2 - RDMA/hns: Fix accessing invalid dip_ctx during destroying QP (git-fixes) - commit e65781e - RDMA/hns: Fix mapping error of zero-hop WQE buffer (git-fixes) - commit 3c13231 - RDMA/bnxt_re: Fix the locking while accessing the QP table (git-fixes) - commit ed2aacf - RDMA/bnxt_re: Disable use of reserved wqes (git-fixes) - commit 353c5fc - RDMA/bnxt_re: Fix max_qp_wrs reported (git-fixes) - commit aa6d51f - RDMA/bnxt_re: Fix reporting hw_ver in query_device (git-fixes) - commit fa157d3 - RDMA/bnxt_re: Add check for path mtu in modify_qp (git-fixes) - commit c25c45b - RDMA/bnxt_re: Fix the check for 9060 condition (git-fixes) - commit 6ff31c0 - RDMA/core: Fix ENODEV error for iWARP test over vlan (git-fixes) - commit 7974be7 - RDMA/bnxt_re: Avoid sending the modify QP workaround for latest adapters (git-fixes) - commit 02a3ccc - RDMA/bnxt_re: Avoid initializing the software queue for user queues (git-fixes) - commit 3b41756 - RDMA/mlx5: Enforce same type port association for multiport RoCE (git-fixes) - commit 1eb4b60 - RDMA/uverbs: Prevent integer overflow issue (git-fixes) - commit d8e26f5 - RDMA/bnxt_re: Remove always true dattr validity check (git-fixes) - commit 39ec21b - sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket (git-fixes). - nfs: ignore SB_RDONLY when mounting nfs (git-fixes). - NFSD: initialize copy-&gt;cp_clp early in nfsd4_copy for use by trace point (git-fixes). - commit f025866 - Refresh patches.suse/NFSv3-only-use-NFS-timeout-for-MOUNT-when-protocols-.patch. Add upstream commit id. - commit 4b11aed - nfsd: fix UAF when access ex_uuid or ex_stats (CVE-2024-53216 bsc#1235003). - SUNRPC: no need get cache ref when protected by rcu (CVE-2024-53216 bsc#1235003). - nfsd: no need get cache ref when protected by rcu (CVE-2024-53216 bsc#1235003). - SUNRPC: introduce cache_check_rcu to help check in rcu context (CVE-2024-53216 bsc#1235003). - commit 4d2bea1 - blacklist.conf: - Delete patches.suse/nfsd-release-svc_expkey-svc_export-with-rcu_work.patch. This was reverted upstream. There is a better fix. - commit 49617fd - Delete patches.suse/drdb-Convert-to-use-bdev_open_by_path.patch. See bsc#1234668. This backport did not copile correctly, and needed too many other patches to work correctly, since it was part of a larger series. So remove it. - commit 7f1c582 - ALSA hda/realtek: Add quirk for Framework F111:000C (stable-fixes). - ALSA: seq: oss: Fix races at processing SysEx messages (stable-fixes). - ALSA: hda/realtek: Fix headset mic on Acer Nitro 5 (stable-fixes). - commit d982feb - wifi: cw1200: Fix potential NULL dereference (git-fixes). - pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking (git-fixes). - ALSA: seq: Check UMP support for midi_version change (git-fixes). - ALSA: usb-audio: US16x08: Initialize array before use (git-fixes). - drm: adv7511: Drop dsi single lane support (git-fixes). - drm: adv7511: Fix use-after-free in adv7533_attach_dsi() (git-fixes). - drm/bridge: adv7511_audio: Update Audio InfoFrame properly (git-fixes). - drm/i915/dg1: Fix power gate sequence (git-fixes). - commit f7b7a9b - netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING (CVE-2024-56755 bsc#1234920). - cachefiles: Fix NULL pointer dereference in object-&gt;file (CVE-2024-56549 bsc#1234912). - commit 785eb5b - netfilter: ipset: add missing range check in bitmap_ip_uadt (CVE-2024-53141 bsc#1234381) - commit 51ec3c0 - Update patches.suse/ALSA-pcm-Add-sanity-NULL-check-for-the-default-mmap-.patch (stable-fixes CVE-2024-53180 bsc#1234929). - Update patches.suse/ALSA-usb-audio-Fix-out-of-bounds-reads-when-finding-.patch (stable-fixes CVE-2024-53150 bsc#1234834). - Update patches.suse/Bluetooth-MGMT-Fix-possible-deadlocks.patch (git-fixes CVE-2024-53207 bsc#1234907). - Update patches.suse/Bluetooth-MGMT-Fix-slab-use-after-free-Read-in-set_p.patch (git-fixes CVE-2024-53208 bsc#1234909). - Update patches.suse/Bluetooth-fix-use-after-free-in-device_for_each_chil.patch (git-fixes CVE-2024-53237 bsc#1235007). - Update patches.suse/Bluetooth-hci_event-Align-BR-EDR-JUST_WORKS-paring-w.patch (git-fixes bsc#1230697 CVE-2024-8805 CVE-2024-53144 bsc#1234690). - Update patches.suse/NFSD-Prevent-NULL-dereference-in-nfsd4_process_cb_update.patch (git-fixes CVE-2024-53217 bsc#1234999). - Update patches.suse/NFSD-Prevent-a-potential-integer-overflow.patch (git-fixes CVE-2024-53146 bsc#1234853). - Update patches.suse/NFSv4.0-Fix-a-use-after-free-problem-in-the-asynchronous-open.patch (git-fixes CVE-2024-53173 bsc#1234891). - Update patches.suse/RDMA-mlx5-Move-events-notifier-registration-to-be-af.patch (git-fixes CVE-2024-53224 bsc#1235009). - Update patches.suse/RDMA-rxe-Fix-the-qp-flush-warnings-in-req.patch (git-fixes CVE-2024-53229 bsc#1234905). - Update patches.suse/Revert-mmc-dw_mmc-Fix-IDMAC-operation-with-pages-big.patch (git-fixes CVE-2024-53127 bsc#1234153). - Update patches.suse/SUNRPC-make-sure-cache-entry-active-before-cache_show.patch (git-fixes CVE-2024-53174 bsc#1234899). - Update patches.suse/ad7780-fix-division-by-zero-in-ad7780_write_raw.patch (git-fixes CVE-2024-56567 bsc#1234916). - Update patches.suse/blk-iocost-do-not-WARN-if-iocg-was-already-offlined.patch (bsc#1234147 CVE-2024-36908 bsc#1225743). - Update patches.suse/block-bfq-fix-bfqq-uaf-in-bfq_limit_depth.patch (bsc#1234160 CVE-2024-53166 bsc#1234884). - Update patches.suse/block-bfq-fix-uaf-for-accessing-waker_bfqq-after-spl.patch (bsc#1234279 CVE-2024-49854 bsc#1232193). - Update patches.suse/bnxt_en-Fix-receive-ring-space-parameters-when-XDP-i.patch (git-fixes CVE-2024-53209 bsc#1235002). - Update patches.suse/clk-clk-apple-nco-Add-NULL-check-in-applnco_probe.patch (git-fixes CVE-2024-53154 bsc#1234826). - Update patches.suse/comedi-Flush-partial-mappings-in-error-case.patch (git-fixes CVE-2024-53148 bsc#1234832). - Update patches.suse/crypto-caam-Fix-the-pointer-passed-to-caam_qi_shutdo.patch (git-fixes CVE-2024-56754 bsc#1234918). - Update patches.suse/crypto-qat-qat_4xxx-fix-off-by-one-in-uof_get_name.patch (git-fixes CVE-2024-53162 bsc#1234843). - Update patches.suse/drm-amd-display-Add-NULL-check-for-clk_mgr-in-dcn32_.patch (stable-fixes CVE-2024-49915 bsc#1231963). - Update patches.suse/drm-amd-display-Avoid-overflow-assignment-in-link_dp.patch (stable-fixes CVE-2024-50016 bsc#1232420). - Update patches.suse/drm-amd-display-Fix-null-check-for-pipe_ctx-plane_st-2bc96c9.patch (git-fixes CVE-2024-53200 bsc#1234968). - Update patches.suse/drm-amd-display-Fix-null-check-for-pipe_ctx-plane_st.patch (git-fixes CVE-2024-53201 bsc#1234969). - Update patches.suse/drm-i915-Fix-NULL-pointer-dereference-in-capture_eng.patch (git-fixes CVE-2024-56667 bsc#1235016). - Update patches.suse/drm-nouveau-gr-gf100-Fix-missing-unlock-in-gf100_gr_.patch (git-fixes CVE-2024-56752 bsc#1234937). - Update patches.suse/drm-rockchip-vop-Fix-a-dereferenced-before-check-war.patch (git-fixes CVE-2024-53129 bsc#1234155). - Update patches.suse/filemap-Fix-bounds-checking-in-filemap_read.patch (bsc#1234209 CVE-2024-50272 bsc#1233461). - Update patches.suse/firmware-arm_scpi-Check-the-DVFS-OPP-count-returned-.patch (git-fixes CVE-2024-53157 bsc#1234827). - Update patches.suse/firmware_loader-Fix-possible-resource-leak-in-fw_log.patch (git-fixes CVE-2024-53202 bsc#1234970). - Update patches.suse/hwmon-nct6775-core-Fix-overflows-seen-when-writing-l.patch (git-fixes CVE-2024-53159 bsc#1234848). - Update patches.suse/i3c-master-Fix-miss-free-init_dyn_addr-at-i3c_master.patch (git-fixes CVE-2024-56562 bsc#1234930). - Update patches.suse/kdb-Fix-buffer-overflow-during-tab-complete.patch (bsc#1234652 CVE-2024-39480 bsc#1227445). - Update patches.suse/media-i2c-tc358743-Fix-crash-in-the-probe-error-path.patch (git-fixes CVE-2024-56576 bsc#1235019). - Update patches.suse/mm-revert-mm-shmem-fix-data-race-in-shmem_getattr.patch (CVE-2024-50228 bsc#1233204 git fixes (mm/shmem) CVE-2024-53136 bsc#1234161). - Update patches.suse/msft-hv-3081-hv_sock-Initializing-vsk-trans-to-NULL-to-prevent-a-.patch (git-fixes CVE-2024-53103 bsc#1234024). - Update patches.suse/net-usb-lan78xx-Fix-double-free-issue-with-interrupt.patch (git-fixes CVE-2024-53213 bsc#1234973). - Update patches.suse/nfsd-release-svc_expkey-svc_export-with-rcu_work.patch (git-fixes CVE-2024-53216 bsc#1235003). - Update patches.suse/nvme-fabrics-fix-kernel-crash-while-shutting-down-co.patch (git-fixes CVE-2024-53169 bsc#1234900). - Update patches.suse/nvme-pci-fix-freeing-of-the-HMB-descriptor-table.patch (git-fixes CVE-2024-56756 bsc#1234922). - Update patches.suse/ocfs2-fix-uninitialized-value-in-ocfs2_file_read_iter.patch (git-fixes CVE-2024-53155 bsc#1234855). - Update patches.suse/s390-iucv-MSG_PEEK-causes-memory-leak-in-iucv_sock_destruct.patch (git-fixes CVE-2024-53210 bsc#1234971). - Update patches.suse/smb-client-fix-UAF-in-async-decryption.patch (bsc#1232418 (CVE-2024-50047) CVE-2024-50047). - Update patches.suse/soc-qcom-geni-se-fix-array-underflow-in-geni_se_clk_.patch (git-fixes CVE-2024-53158 bsc#1234811). - Update patches.suse/svcrdma-Address-an-integer-overflow.patch (git-fixes CVE-2024-53151 bsc#1234829). - Update patches.suse/svcrdma-fix-miss-destroy-percpu_counter-in-svc_rdma_proc_init.patch (git-fixes CVE-2024-53215 bsc#1234962). - Update patches.suse/tcp-Fix-use-after-free-of-nreq-in-reqsk_timer_handler.patch (CVE-2024-50154 bsc#1233070 CVE-2024-53206 bsc#1234960). - Update patches.suse/ubifs-authentication-Fix-use-after-free-in-ubifs_tnc_end_commit.patch (git-fixes CVE-2024-53171 bsc#1234889). - Update patches.suse/vdpa-solidrun-Fix-UB-bug-with-devres.patch (git-fixes CVE-2024-53126 bsc#1234158). - Update patches.suse/wifi-ath12k-fix-crash-when-unbinding.patch (git-fixes CVE-2024-53188 bsc#1234948). - Update patches.suse/wifi-ath12k-fix-warning-when-unbinding.patch (git-fixes CVE-2024-53191 bsc#1234952). - Update patches.suse/wifi-ath9k-add-range-check-for-conn_rsp_epid-in-htc_.patch (git-fixes CVE-2024-53156 bsc#1234846). - Update patches.suse/wifi-cw1200-Fix-potential-NULL-dereference.patch (git-fixes CVE-2024-56536 bsc#1234911). - Update patches.suse/wifi-mwifiex-Fix-memcpy-field-spanning-write-warning-d241a13.patch (git-fixes CVE-2024-56539 bsc#1234963). - Update patches.suse/wifi-rtlwifi-Drastically-reduce-the-attempts-to-read.patch (stable-fixes CVE-2024-53190 bsc#1234950). - commit 525626c - drm/amdkfd: pause autosuspend when creating pdd (stable-fixes). - commit 22dc4b9 - ALSA: seq: ump: Fix seq port updates per FB info notify (git-fixes). - commit d51bef7 - drm/amdkfd: Use device based logging for errors (stable-fixes). - commit bcbc5e4 - ALSA: seq: ump: Use automatic cleanup of kfree() (stable-fixes). - Refresh patches.suse/ALSA-seq-ump-Skip-useless-ports-for-static-blocks.patch. - commit 013a8a9 - drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() (stable-fixes). - regmap: Use correct format specifier for logging range errors (stable-fixes). - platform/x86: asus-nb-wmi: Ignore unknown event 0xCF (stable-fixes). - ALSA: seq: ump: Use guard() for locking (stable-fixes). - commit 19dff9a - EDAC/bluefield: Fix potential integer overflow (CVE-2024-53161 bsc#1234856). - commit 7e4b5c0 - ice: Unbind the workqueue (bsc#1234989) - commit 0570b37 - swiotlb: Reinstate page-alignment for mappings &gt;= PAGE_SIZE (git-fixes). - swiotlb: Enforce page alignment in swiotlb_alloc() (git-fixes). - commit c0aa9ec - rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu (bsc#1234810 CVE-2024-53160). - commit 94f148d - io_uring: check if iowq is killed before queuing (git-fixes). - io_uring: Fix registered ring file refcount leak (git-fixes). - commit 3d9d45c - io_uring: always lock __io_cqring_overflow_flush (git-fixes). - io_uring/rw: avoid punting to io-wq directly (git-fixes). - commit b99f1b6 - io_uring/tctx: work around xa_store() allocation error issue (git-fixes). - commit 38adcdb - Drop recent ACPI fixes for kABI breakage Deleted: patches.suse/ACPI-x86-Make-UART-skip-quirks-work-on-PCI-UARTs-wit.patch patches.suse/ACPI-x86-Move-acpi_quirk_skip_serdev_enumeration-out.patch - commit c49880b - wifi: mac80211: clean up 'ret' in sta_link_apply_parameters() (stable-fixes). - Refresh patches.suse/wifi-mac80211-fix-station-NSS-capability-initializat.patch. - commit 484b5d2 - serial: amba-pl011: Use port lock wrappers (stable-fixes). - Refresh patches.suse/ARM-PL011-Fix-DMA-support.patch. - commit acf4ef9 - power: supply: gpio-charger: Fix set charge current limits (git-fixes). - USB: serial: option: add Telit FE910C04 rmnet compositions (stable-fixes). - USB: serial: option: add MediaTek T7XX compositions (stable-fixes). - USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready (stable-fixes). - USB: serial: option: add MeiG Smart SLM770A (stable-fixes). - USB: serial: option: add TCL IK512 MBIM &amp; ECM (stable-fixes). - usb: dwc2: Fix HCD port connection race (git-fixes). - usb: dwc2: hcd: Fix GetPortStatus &amp; SetPortFeature (git-fixes). - usb: dwc2: Fix HCD resume (git-fixes). - usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer (git-fixes). - usb: dwc3: xilinx: make sure pipe clock is deselected in usb2 only mode (git-fixes). - usb: typec: anx7411: fix OF node reference leaks in anx7411_typec_switch_probe() (git-fixes). - usb: typec: anx7411: fix fwnode_handle reference leak (git-fixes). - usb: host: max3421-hcd: Correctly abort a USB request (git-fixes). - usb: ehci-hcd: fix call balance of clocks handling routines (git-fixes). - spi: aspeed: Fix an error handling path in aspeed_spi_[read|write]_user() (git-fixes). - wifi: cfg80211: sme: init n_channels before channels[] access (git-fixes). - wifi: mac80211: init cnt before accessing elem in ieee80211_copy_mbssid_beacon (git-fixes). - rtc: cmos: avoid taking rtc_lock for extended period of time (stable-fixes). - serial: amba-pl011: fix build regression (git-fixes). - serial: amba-pl011: Fix RX stall when DMA is used (git-fixes). - serial: 8250_dw: Add Sophgo SG2044 quirk (stable-fixes). - usb: dwc3: ep0: Don't clear ep0 DWC3_EP_TRANSFER_STARTED (git-fixes). - usb: chipidea: udc: handle USB Error Interrupt if IOC not set (stable-fixes). - pinmux: Use sequential access to access desc-&gt;pinmux data (stable-fixes). - thermal/drivers/qcom/tsens-v1: Add support for MSM8937 tsens (stable-fixes). - wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw() (stable-fixes). - wifi: ipw2x00: libipw_rx_any(): fix bad alignment (stable-fixes). - wifi: rtw89: check return value of ieee80211_probereq_get() for RNR (stable-fixes). - soc: fsl: cpm1: qmc: Set the ret error code on platform_get_irq() failure (git-fixes). - soc: imx8m: Probe the SoC driver as platform driver (stable-fixes). - soc: fsl: cpm1: qmc: Introduce qmc_{init,exit}_xcc() and their CPM1 version (stable-fixes). - soc: fsl: cpm1: qmc: Introduce qmc_init_resource() and its CPM1 version (stable-fixes). - soc: fsl: cpm1: qmc: Re-order probe() operations (stable-fixes). - soc: fsl: cpm1: qmc: Fix blank line and spaces (stable-fixes). - usb: dwc3: ep0: Don't reset resource alloc flag (including ep0) (git-fixes). - usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled (stable-fixes). - usb: cdns3-ti: Add workaround for Errata i2409 (stable-fixes). - usb: cdns3: Add quirk flag to enable suspend residency (stable-fixes). - usb: dwc3: ep0: Don't reset resource alloc flag (git-fixes). - xhci: Allow RPM on the USB controller (1022:43f7) by default (stable-fixes). - usb: dwc3: gadget: Rewrite endpoint allocation flow (stable-fixes). - soc/fsl: cpm: qmc: Convert to platform remove callback returning void (stable-fixes). - commit 07f38d1 - PCI/MSI: Handle lack of irqdomain gracefully (git-fixes). - i2c: microchip-core: fix &quot;ghost&quot; detections (git-fixes). - i2c: microchip-core: actually use repeated sends (git-fixes). - i2c: imx: add imx7d compatible string for applying erratum ERR007805 (git-fixes). - linux/dmaengine.h: fix a few kernel-doc warnings (git-fixes). - phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() (git-fixes). - phy: core: Fix an OF node refcount leakage in _of_phy_get() (git-fixes). - phy: core: Fix that API devm_phy_destroy() fails to destroy the phy (git-fixes). - phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider (git-fixes). - phy: core: Fix that API devm_phy_put() fails to release the phy (git-fixes). - phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP (git-fixes). - phy: rockchip: naneng-combphy: fix phy reset (git-fixes). - phy: usb: Toggle the PHY power during init (git-fixes). - mtd: rawnand: arasan: Fix missing de-registration of NAND (git-fixes). - mtd: rawnand: arasan: Fix double assertion of chip-select (git-fixes). - mtd: diskonchip: Cast an operand to prevent potential overflow (git-fixes). - mtd: rawnand: fix double free in atmel_pmecc_create_user() (git-fixes). - of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() (git-fixes). - of: Fix refcount leakage for OF node returned by __of_get_dma_parent() (git-fixes). - of: Fix error path in of_parse_phandle_with_args_map() (git-fixes). - media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg (git-fixes). - hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers (git-fixes). - hwmon: (tmp513) Fix Current Register value interpretation (git-fixes). - hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers (git-fixes). - i915/guc: Accumulate active runtime on gt reset (git-fixes). - i915/guc: Ensure busyness counter increases motonically (git-fixes). - i915/guc: Reset engine utilization buffer before registration (git-fixes). - mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk (git-fixes). - i2c: riic: Always round-up when calculating bus period (git-fixes). - i2c: pnx: Fix timeout in wait functions (git-fixes). - mmc: sdhci-pci: Add DMI quirk for missing CD GPIO on Vexia Edu Atla 10 tablet (stable-fixes). - PCI: vmd: Add DID 8086:B06F and 8086:B60B for Intel client SKUs (stable-fixes). - PCI: qcom: Add support for IPQ9574 (stable-fixes). - PCI: Add ACS quirk for Wangxun FF5xxx NICs (stable-fixes). - PCI: Detect and trust built-in Thunderbolt chips (stable-fixes). - PCI: Add 'reset_subordinate' to reset hierarchy below bridge (stable-fixes). - PCI: vmd: Set devices to D0 before enabling PM L1 Substates (stable-fixes). - pinctrl: qcom: spmi-mpp: Add PM8937 compatible (stable-fixes). - pinctrl: qcom-pmic-gpio: add support for PM8937 (stable-fixes). - leds: class: Protect brightness_show() with led_cdev-&gt;led_access mutex (stable-fixes). - media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108 (stable-fixes). - media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera (stable-fixes). - media: uvcvideo: RealSense D421 Depth module metadata (stable-fixes). - mmc: mtk-sd: Fix MMC_CAP2_CRYPTO flag setting (git-fixes). - mmc: mtk-sd: fix devm_clk_get_optional usage (stable-fixes). - mmc: sdhci-esdhc-imx: enable quirks SDHCI_QUIRK_NO_LED (stable-fixes). - mmc: core: Add SD card quirk for broken poweroff notification (stable-fixes). - hwmon: (nct6775) Add 665-ACE/600M-CL to ASUS WMI monitoring list (stable-fixes). - of: address: Report error on resource bounds overflow (stable-fixes). - PCI/AER: Disable AER service on suspend (stable-fixes). - PCI: Use preserve_config in place of pci_flags (stable-fixes). - PCI: Add ACS quirk for Broadcom BCM5760X NIC (stable-fixes). - hwmon: (tmp513) Use SI constants from units.h (stable-fixes). - hwmon: (tmp513) Simplify with dev_err_probe() (stable-fixes). - hwmon: (tmp513) Don't use &quot;proxy&quot; headers (stable-fixes). - commit 5b99336 - drm/amdgpu: don't access invalid sched (git-fixes). - drm/modes: Avoid divide by zero harder in drm_mode_vrefresh() (stable-fixes). - drm/panel: novatek-nt35950: fix return value check in nt35950_probe() (git-fixes). - drm/i915: Fix memory leak by correcting cache object name in error handler (git-fixes). - drm/i915: Fix NULL pointer dereference in capture_engine (git-fixes). - HID: magicmouse: Apple Magic Trackpad 2 USB-C driver support (stable-fixes). - gpio: grgpio: Add NULL check in grgpio_probe (git-fixes). - gpio: grgpio: use a helper variable to store the address of ofdev-&gt;dev (stable-fixes). - commit caf7811 - dmaengine: tegra: Return correct DMA status when paused (git-fixes). - dmaengine: mv_xor: fix child node refcount handling in early exit (git-fixes). - dmaengine: apple-admac: Avoid accessing registers in probe (git-fixes). - dmaengine: dw: Select only supported masters for ACPI devices (git-fixes). - dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset (git-fixes). - amdgpu/uvd: get ring reference from rq scheduler (git-fixes). - Documentation: PM: Clarify pm_runtime_resume_and_get() return value (git-fixes). - ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired (git-fixes). - ACPI: resource: Fix memory resource type union access (git-fixes). - acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl (git-fixes). - ASoC: amd: yc: Fix the wrong return value (git-fixes). - ALSA: usb-audio: Add implicit feedback quirk for Yamaha THR5 (stable-fixes). - Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating (git-fixes). - drm/amdgpu/hdp5.2: do a posting read when flushing HDP (stable-fixes). - drm/dp_mst: Verify request type in the corresponding down message reply (stable-fixes). - drm/dp_mst: Fix MST sideband message body length check (stable-fixes). - dma-buf: fix dma_fence_array_signaled v4 (stable-fixes). - drm/amdgpu/vcn: reset fw_shared when VCPU buffers corrupted on vcn v4.0.3 (stable-fixes). - ASoC: amd: yc: Add quirk for microphone on Lenovo Thinkpad T14s Gen 6 21M1CTO1WW (stable-fixes). - ASoC: amd: yc: fix internal mic on Redmi G 2022 (stable-fixes). - driver core: fw_devlink: Stop trying to optimize cycle detection logic (git-fixes). - ACPI: x86: Clean up Asus entries in acpi_quirk_skip_dmi_ids[] (stable-fixes). - ACPI: x86: Add skip i2c clients quirk for Acer Iconia One 8 A1-840 (stable-fixes). - drm/bridge: it6505: Fix inverted reset polarity (git-fixes). - drm/amdgpu: set the right AMDGPU sg segment limitation (stable-fixes). - drm/amdgpu: skip amdgpu_device_cache_pci_state under sriov (stable-fixes). - drm/sched: memset() 'job' in drm_sched_job_init() (stable-fixes). - drm/panel: simple: Add Microchip AC69T88A LVDS Display panel (stable-fixes). - drm/amdgpu: refine error handling in amdgpu_ttm_tt_pin_userptr (stable-fixes). - drm/amdgpu: Dereference the ATCS ACPI buffer (stable-fixes). - drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts for vega20_ih (stable-fixes). - drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check() (stable-fixes). - drm/display: Fix building with GCC 15 (stable-fixes). - drm/mcde: Enable module autoloading (stable-fixes). - drm/bridge: it6505: Enable module autoloading (stable-fixes). - drm: panel-orientation-quirks: Add quirk for AYA NEO GEEK (stable-fixes). - drm: panel-orientation-quirks: Add quirk for AYA NEO Founder edition (stable-fixes). - drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model (stable-fixes). - drm/vc4: hvs: Set AXI panic modes for the HVS (stable-fixes). - drm/vc4: hdmi: Avoid log spam for audio start failure (stable-fixes). - ASoC: hdmi-codec: reorder channel allocation list (stable-fixes). - dma-debug: fix a possible deadlock on radix_lock (stable-fixes). - Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet (stable-fixes). - Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables (stable-fixes). - Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() (stable-fixes). - ACPI: x86: Make UART skip quirks work on PCI UARTs without an UID (stable-fixes). - ASoC: Intel: sof_sdw: add quirk for Dell SKU 0B8C (stable-fixes). - ASoC: Intel: sof_sdw: fix jack detection on ADL-N variant RVP (stable-fixes). - drm/bridge: it6505: update usleep_range for RC circuit charge time (stable-fixes). - can: gs_usb: add VID/PID for Xylanta SAINT3 product family (stable-fixes). - driver core: Add FWLINK_FLAG_IGNORE to completely ignore a fwnode link (stable-fixes). - driver core: fw_devlink: Improve logs for cycle detection (stable-fixes). - Bluetooth: ISO: Reassociate a socket with an active BIS (stable-fixes). - commit e98af40 - exfat: ensure that ctime is updated whenever the mtime is (git-fixes). - commit c79a14e - selftests/bpf: Test PROBE_MEM of VSYSCALL_ADDR on x86-64 (git-fixes). - bpf, x86: Fix PROBE_MEM runtime load check (git-fixes). - commit 2300edd - bpf: verifier: prevent userspace memory access (git-fixes). - commit d3fc797 - bpf: Check validity of link-&gt;type in bpf_link_show_fdinfo() (bsc#1233772 CVE-2024-53099). - commit 8a3e410 - x86/static-call: fix 32-bit build (git-fixes). Branch maintainer: Fix git-fixes warning when merging backport of upstream 0ef8047b737d. We don't support 32bit but fix is innocuous so we may as well take it vs blacklisting. - commit 74a7f88 - nfsd: restore callback functionality for NFSv4.0 (git-fixes). - commit 4f425ba - jffs2: Fix rtime decompressor (git-fixes). - commit 2f65fdf - proc/softirqs: replace seq_printf with seq_put_decimal_ull_width (git-fixes). - commit 5dd7a98 - 9p: v9fs_fid_find: also lookup by inode if not found dentry (git-fixes). - commit 1b79331 - NFS/pnfs: Fix a live lock between recalled layouts and layoutget (git-fixes). - commit 996e161 - jffs2: Prevent rtime decompress memory corruption (git-fixes). - commit cb042eb - jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree (git-fixes). - commit 25ee5c2 - jfs: fix array-index-out-of-bounds in jfs_readdir (git-fixes). - commit 5229c06 - jfs: fix shift-out-of-bounds in dbSplit (git-fixes). - commit 865ea26 - jfs: array-index-out-of-bounds fix in dtReadFirst (git-fixes). - commit ed99429 - xfs: return from xfs_symlink_verify early on V4 filesystems (git-fixes). - commit 5b38871 - xfs: fix sb_spino_align checks for large fsblock sizes (git-fixes). - commit 241e030 - nilfs2: fix buffer head leaks in calls to truncate_inode_pages() (git-fixes). - commit 8d5832a - nilfs2: prevent use of deleted inode (git-fixes). - commit 73e5fc2 - wifi: ath5k: add PCI ID for Arcadyan devices (git-fixes). - wifi: ath5k: add PCI ID for SX76X (git-fixes). - genirq/irqdesc: Honor caller provided affinity in alloc_desc() (git-fixes). - genirq/cpuhotplug: Retry with cpu_online_mask when migration fails (git-fixes). - genirq/cpuhotplug: Skip suspended interrupts when restoring affinity (git-fixes). - irqflags: Explicitly ignore lockdep_hrtimer_exit() argument (git-fixes). - arch: consolidate arch_irq_work_raise prototypes (git-fixes). - commit 8315804 - blk-cgroup: Fix UAF in blkcg_unpin_online() (bsc#1234726). - commit b60b794 - af_unix: Call manage_oob() for every skb in unix_stream_read_generic() (bsc#1234725). - commit 03c4c99 - idpf: fix idpf_vc_core_init error path (CVE-2024-53064 bsc#1233558 bsc#1234464). - commit a3dcc3f - ACPI/HMAT: Move HMAT messages to pr_debug() (bsc#1234294) - commit ca90bb6 - x86/xen: use new hypercall functions instead of hypercall page (XSA-466 CVE-2024-53241 bsc#1234282). - commit 6b3f759 - x86/xen: add central hypercall functions (XSA-466 CVE-2024-53241 bsc#1234282). - commit 46aadaa - x86/xen: don't do PV iret hypercall through hypercall page (XSA-466 CVE-2024-53241 bsc#1234282). - commit 65b9ccb - x86/static-call: provide a way to do very early static-call updates (XSA-466 CVE-2024-53241 bsc#1234282). - commit ad3c5c8 - objtool/x86: allow syscall instruction (XSA-466 CVE-2024-53241 bsc#1234282). - commit 05fb6a1 - x86: make get_cpu_vendor() accessible from Xen code (XSA-466 CVE-2024-53241 bsc#1234282). - commit e26e99c - xen/netfront: fix crash when removing device (XSA-465 CVE-2024-53240 bsc#1234281). - commit a1f1eb9 - kdb: Use the passed prompt in kdb_position_cursor() (bsc#1234654). - commit c2f5353 - tpm_tis_spi: Release chip select when flow control fails (bsc#1234338) - commit d89ca9b - kdb: address -Wformat-security warnings (bsc#1234659). - commit 4f4b3af - kdb: Use format-specifiers rather than memset() for padding in kdb_read() (bsc#1234658). - commit 4289748 - kdb: Merge identical case statements in kdb_read() (bsc#1234657). - commit a8f379d - kdb: Fix console handling when editing and tab-completing commands (bsc#1234655). - commit dfcc116 - kdb: Use format-strings rather than '\0' injection in kdb_read() (bsc#1234654). - commit 02dd473 - kdb: Fix buffer overflow during tab-complete (bsc#1234652). - commit aa371d8 - kgdb: Flush console before entering kgdb on panic (bsc#1234651). - commit 56f2413 - Update patches.suse/Bluetooth-hci_event-Align-BR-EDR-JUST_WORKS-paring-w.patch (git-fixes, bsc#1230697, CVE-2024-8805). - commit c30f45f - bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156 CVE-2024-53125). - commit 84688aa - s390/cpum_sf: Remove WARN_ON_ONCE statements (git-fixes). - commit aa00e1d - s390/facility: Disable compile time optimization for decompressor code (git-fixes). - commit 0a4f48e - s390/cpum_sf: Handle CPU hotplug remove during sampling (git-fixes). - commit 775e5ae - s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() (git-fixes). - commit 7e74f7b - s390/pageattr: Implement missing kernel_page_present() (git-fixes). - commit 566fa19 - s390/cio: Do not unregister the subchannel based on DNV (git-fixes). - commit 1c87aa1 - net: Make copy_safe_from_sockptr() match documentation (git-fixes CVE-2024-36915 bsc#1225758). - commit 169ff54 - IB/mlx5: Allocate resources just before first QP/SRQ is created (git-fixes) Refresh patches.suse/RDMA-mlx5-Move-events-notifier-registration-to-be-af.patch - commit 1acdd4a - arm64: Ensure bits ASID[15:8] are masked out when the kernel uses (bsc#1234605) - commit ac850b9 - autofs: fix memory leak of waitqueues in autofs_catatonic_mode (git-fixes). - Refresh patches.suse/autofs-use-wake_up-instead-of-wake_up_interruptible.patch. - commit 232ce22 - Delete patches.suse/NFSD-Convert-the-callback-workqueue-to-use-delayed_w.patch. (bsc#1233837) - Delete patches.suse/NFSD-Reschedule-CB-operations-when-backchannel-rpc_c.patch. (bsc#1233837) - commit 5e13c63 - Update references for patches.suse/net-mlx5e-CT-Fix-null-ptr-deref-in-add-rule-err-flow.patch (CVE-2024-53120 bsc#1234075 git-fixes). - commit 76825cc - kabi/severities: make vcap_find_actionfield PASS (bsc#1220773) - commit 9b653b7 - locking/atomic/x86: Correct the definition of __arch_try_cmpxchg128() (bsc#1220773 git-fix). - commit 60d5cb5 - parisc: Raise minimal GCC version to 12.0.0 (bsc#1220773 git-fix). - commit 99aca5f - percpu: Fix self-assignment of __old in raw_cpu_generic_try_cmpxchg() (bsc#1220773 git-fix). - commit ceecf8a - rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454) Upstream commit 822b11a74ba2 (kbuild: use absolute path in the generated wrapper Makefile) sets also KBUILD_OUTPUT in objdir's Makefile before including srcdir's Makefile. So emulate this too, otherwise KMPs fail to build: /usr/src/linux-6.13.0-rc2-1.gf92fc5d/Makefile:782: /usr/src/linux-6.13.0-rc2-1.gf92fc5d/include/config/auto.conf: No such file or directory - commit 46168e5 - Bluetooth: SCO: Add support for 16 bits transparent voice setting (git-fixes). - Bluetooth: iso: Fix recursive locking warning (git-fixes). - batman-adv: Do not let TT changes list grows indefinitely (git-fixes). - batman-adv: Remove uninitialized data in full table TT response (git-fixes). - batman-adv: Do not send uninitialized TT changes (git-fixes). - wifi: mac80211: fix station NSS capability initialization order (git-fixes). - wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one (git-fixes). - commit 54fd934 - vsock: fix recursive -&gt;recvmsg calls (CVE-2024-44996 bsc#1230205) - commit d60b119 - bpf: Fix out-of-bounds write in trie_get_next_key() (CVE-2024-50262 bsc#1233239) - commit 31aa98f - Update references for patches.suse/bpf-arm64-Fix-address-emission-with-tag-based-KASAN-enabled.patch (CVE-2024-50203 bsc#1233328 git-fixes) - commit 6ae65a2 - pmdomain: imx93-blk-ctrl: correct remove path (CVE-2024-53134 bsc#1234159) - commit 3b944bf - mptcp: cope racing subflow creation in mptcp_rcv_space_adjust (CVE-2024-53122 bsc#1234076) - commit 129e03d - virtio/vsock: Improve MSG_ZEROCOPY error handling (CVE-2024-53117 bsc#1234079) - commit 827fecc - virtio/vsock: Fix accept_queue memory leak (CVE-2024-53119 bsc#1234073) - commit 506378c - vsock: Fix sk_error_queue memory leak (CVE-2024-53118 bsc#1234071) - commit 0bc6237 - drm/i915/hdcp: Add encoder check in hdcp2_get_capability (CVE-2024-53050 bsc#1233546) - commit 410a89a - scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time (jsc#PED-11253). - commit d0fd569 - iommu/io-pgtable-arm: Fix stage-2 map/unmap for concatenated tables (git-fixes). - commit 0c9ae1f - xfs: remove unknown compat feature check in superblock write validation (git-fixes). - commit 6933b9b - xfs: sb_spino_align is not verified (git-fixes). - commit de8458a - xfs: don't allocate COW extents when unsharing a hole (git-fixes). - commit 3a93bda - ocfs2: free inode when ocfs2_get_init_inode() fails (git-fixes). - commit 04cafb7 - ocfs2: fix uninitialized value in ocfs2_file_read_iter() (git-fixes). - commit e44ccda - nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() (git-fixes). - commit cb9e5a0 - jffs2: fix use of uninitialized variable (git-fixes). - commit 63ec3f3 - ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit (git-fixes). - commit 7f48142 - ubifs: Correct the total block count by deducting journal reservation (git-fixes). - commit 3145547 - igb: Fix potential invalid memory access in igb_init_module() (git-fixes). - ixgbe: downgrade logging of unsupported VF API version to debug (git-fixes). - ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5 (git-fixes). - ice: fix PHY Clock Recovery availability check (git-fixes). - net/mlx5e: Remove workaround to avoid syndrome for internal port (git-fixes). - net/qed: allow old cards not supporting &quot;num_images&quot; to work (git-fixes). - bnxt_en: Fix receive ring space parameters when XDP is active (git-fixes). - bnxt_en: Set backplane link modes correctly for ethtool (git-fixes). - bnxt_en: Reserve rings after PCIe AER recovery if NIC interface is down (git-fixes). - vdpa/mlx5: Fix suboptimal range on iotlb iteration (git-fixes). - i40e: Fix handling changed priv flags (git-fixes). - ice: consistently use q_idx in ice_vc_cfg_qs_msg() (git-fixes). - Revert &quot;igb: Disable threaded IRQ for igb_msix_other&quot; (git-fixes). - net/mlx5e: CT: Fix null-ptr-deref in add rule err flow (git-fixes). - net/mlx5e: clear xdp features on non-uplink representors (git-fixes). - vdpa/mlx5: Fix PA offset with unaligned starting iotlb map (git-fixes). - vDPA/ifcvf: Fix pci_read_config_byte() return code handling (git-fixes). - vdpa: solidrun: Fix UB bug with devres (git-fixes). - drivers: net: ionic: add missed debugfs cleanup to ionic_probe() error path (git-fixes). - ice: change q_index variable type to s16 to store -1 value (git-fixes). - Octeontx2-pf: Free send queue buffers incase of leaf to inner (git-fixes). - devlink: Fix length of eswitch inline-mode (git-fixes). - net: Return error from sk_stream_wait_connect() if sk_wait_event() fails (git-fixes). - commit fa15ce4 - erofs: avoid debugging output for (de)compressed data (git-fixes). - commit 3480b45 - NFSD: Fix nfsd4_shutdown_copy() (git-fixes). - commit a4ffb65 - NFSD: Async COPY result needs to return a write verifier (git-fixes). - commit e395e20 - sunrpc: handle -ENOTCONN in xs_tcp_setup_socket() (git-fixes). - commit 4da96b5 - svcrdma: Address an integer overflow (git-fixes). - commit b19353d - NFSD: Remove a never-true comparison (git-fixes). - commit 931734c - NFSD: Prevent NULL dereference in nfsd4_process_cb_update() (git-fixes). - commit ea6cf72 - NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir() (git-fixes). - commit 046d0f2 - nfsd: make sure exp active before svc_export_show (git-fixes). - commit 2126f12 - nfsd: release svc_expkey/svc_export with rcu_work (git-fixes). - commit e769a61 - svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init() (git-fixes). - commit e0af091 - NFSv4.0: Fix a use-after-free problem in the asynchronous open() (git-fixes). - commit 9d06142 - SUNRPC: timeout and cancel TLS handshake with -ETIMEDOUT (git-fixes). - commit 6f9adf8 - sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport (git-fixes). - commit 053db51 - nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur (git-fixes). - commit 2eafa33 - SUNRPC: make sure cache entry active before cache_show (git-fixes). - commit 8e9b27b - NFSD: Prevent a potential integer overflow (git-fixes). - commit 1b6cbfa - exfat: fix uninit-value in __exfat_get_dentry_set (git-fixes). - commit 6f6d820 - hfsplus: don't query the device logical block size multiple times (git-fixes). - commit 163ca69 - afs: Fix missing subdir edit when renamed between parent dirs (git-fixes). - commit f215f1c - afs: Automatically generate trace tag enums (git-fixes). - commit 6c948f0 - jfs: xattr: check invalid xattr size more strictly (git-fixes). - commit 74de9a6 - drm/amd/display: Add HDR workaround for specific eDP (stable-fixes). - commit 343cf80 - drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` (stable-fixes). - drm/amdkfd: Fix resource leak in criu restore queue (stable-fixes). - drm/amdgpu: enable gfxoff quirk on HP 705G4 (stable-fixes). - drm/amdgpu: add raven1 gfxoff quirk (stable-fixes). - drm/amdgpu/gfx10: use rlc safe mode for soft recovery (stable-fixes). - drm/amdgpu/gfx11: use rlc safe mode for soft recovery (stable-fixes). - drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination (stable-fixes). - drm/printer: Allow NULL data in devcoredump printer (stable-fixes). - drm/amdgpu/gfx9: use rlc safe mode for soft recovery (stable-fixes). - drm/amdgpu: Block MMR_READ IOCTL in reset (stable-fixes). - drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() (stable-fixes). - drm/amdgpu: fix unchecked return value warning for amdgpu_gfx (stable-fixes). - drm/amd/display: Revert Avoid overflow assignment (stable-fixes). - drm/amd/display: Use gpuvm_min_page_size_kbytes for DML2 surfaces (stable-fixes). - drm/amd/display: Avoid overflow assignment in link_dp_cts (stable-fixes). - drm/amdgpu/gfx9: properly handle error ints on all pipes (stable-fixes). - drm/nouveau/gsp: Use the sg allocator for level 2 of radix3 (stable-fixes). - drm/amdgpu/umsch: don't execute umsch test when GPU is in reset/suspend (stable-fixes). - drm/amdgpu/pm: Remove gpu_od if it's an empty directory (stable-fixes). - drm/amdgpu: differentiate external rev id for gfx 11.5.0 (stable-fixes). - drm/amd/pm: fix the high voltage issue after unload (stable-fixes). - drm/amdgpu: add smu 14.0.1 discovery support (stable-fixes). - drm/amdgpu/umsch: reinitialize write pointer in hw init (stable-fixes). - commit f0f6440 - Add already cherry-picked ids to AMDGPU patch - commit bf5122e - Revert &quot;unicode: Don't special case ignorable code points&quot; (stable-fixes). - crypto: x86/sha256 - Add parentheses around macros' single arguments (stable-fixes). - crypto: qat - disable IOV in adf_dev_stop() (git-fixes). - accel/habanalabs: fix debugfs files permissions (stable-fixes). - accel/habanalabs: increase HL_MAX_STR to 64 bytes to avoid warnings (stable-fixes). - accel/habanalabs: export dma-buf only if size/offset multiples of PAGE_SIZE (stable-fixes). - accel/habanalabs/gaudi2: unsecure tpc count registers (stable-fixes). - commit 64f4d90 - netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() (CVE-2024-50256 bsc#1233200). - net: napi: Prevent overflow of napi_defer_hard_irqs (CVE-2024-50018 bsc#1232419). - commit bb4ef32 - net: preserve kabi for napi_struct and net_device (CVE-2024-50018 bsc#1232419). - commit 8d46390 - Refresh patches.suse/block-sed-opal-add-ioctl-ioc_opal_set_sid_pw.patch. - commit 85490e8 - Move kABI workaround patch to correct folder - commit 3c8636b - afs: Fix lock recursion (bsc#1233637 CVE-2024-53090). - commit 5df3cda - nilfs2: propagate directory read errors from nilfs_find_entry() (bsc#1233324 CVE-2024-50202). - commit 3d85d69 - dm cache: fix potential out-of-bounds access on the first resume (bsc#1233467, CVE-2024-50278). - dm cache: optimize dirty bit checking with find_next_bit when resizing (bsc#1233467, CVE-2024-50278). - dm cache: fix flushing uninitialized delayed_work on cache_ctr error (bsc#1233467, CVE-2024-50278, bsc#1233469, CVE-2024-50280). - dm cache: correct the number of origin blocks to match the target length (bsc#1233467, CVE-2024-50278). - commit 44af9e6 - Update References: field, patches.suse/dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch (bsc#1233467, bsc#1233468, CVE-2024-50278, CVE-2024-50279). - commit c98dcb1 - netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042 bsc#1228526). - commit 2eab656 - Delete patches.suse/smb-client-Fix-use-after-free-of-network-namespace-.patch (bsc#1233642 CVE-2024-53095). [hcarvalho: revert because the fix is incomplete. The patch fixes UAF of network namespace but causes in another UAF (of the socket) when the cifs module is removed]. - commit 928bab1 - kABI fix for netfilter: bridge: replace physindev with physinif in nf_bridge_info (CVE-2024-35839 bsc#1224726). - commit cf24c71 - PCI: Add T_PERST_CLK_US macro (git-fixes). - PCI: j721e: Add suspend and resume support (git-fixes). - PCI: j721e: Use T_PERST_CLK_US macro (git-fixes). - Refresh patches.suse/PCI-j721e-Deassert-PERST-after-a-delay-of-PCIE_T_PVP.patch. - commit 48f05ae - dmaengine: idxd: Check for driver name match before sva user feature (bsc#1234357). - commit 2a8f3bf - tpm/eventlog: Limit memory allocations for event logs with excessive size (bsc#1233260 bsc#1233259 bsc#1232421). - commit 9c38d71 - Move upstreamed sound patches into sorted section - commit 8c19caa - netfilter: bridge: replace physindev with physinif in nf_bridge_info (CVE-2024-35839 bsc#1224726). - netfilter: propagate net to nf_bridge_get_physindev (CVE-2024-35839 bsc#1224726). - netfilter: nf_queue: remove excess nf_bridge variable (CVE-2024-35839 bsc#1224726). - netfilter: nfnetlink_log: use proper helper for fetching physinif (CVE-2024-35839 bsc#1224726). - commit bcdb77b - netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397 bsc#1224095). - netfilter: nft_set_rbtree: .deactivate fails if element has expired (CVE-2024-27397 bsc#1224095). - commit 7c6b7ec - kABI workaround for struct drm_dp_mst_topology_mgr (git-fixes). - commit 9d1af7b - drm/dp_mst: Fix resetting msg rx state after topology removal (git-fixes). - ALSA: usb-audio: Notify xrun for low-latency mode (git-fixes). - commit 4cb8f05 - drm/amdgpu: prevent BO_HANDLES error from being overwritten (git-fixes). - commit c78cf7d - platform/x86: thinkpad_acpi: Fix for ThinkPad's with ECFW showing incorrect fan speed (stable-fixes). - commit 16ab399 - serial: 8250_fintek: Add support for F81216E (stable-fixes). - drm/amdgpu: fix usage slab after free (stable-fixes). - drm/amdkfd: Use the correct wptr size (stable-fixes). - drm/radeon: Fix spurious unplug event on radeon HDMI (git-fixes). - drm/amd/pm: update current_socclk and current_uclk in gpu_metrics on smu v13.0.7 (stable-fixes). - ASoC: amd: yc: Add a quirk for microfone on Lenovo ThinkPad P14s Gen 5 21MES00B00 (stable-fixes). - counter: ti-ecap-capture: Add check for clk_enable() (git-fixes). - counter: stm32-timer-cnt: Add check for clk_enable() (git-fixes). - Bluetooth: MGMT: Fix possible deadlocks (git-fixes). - PCI: Fix use-after-free of slot-&gt;bus on hot remove (stable-fixes). - checkpatch: always parse orig_commit in fixes tag (git-fixes). - mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE (git-fixes). - mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices (git-fixes). - mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device (git-fixes). - mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device (git-fixes). - mfd: da9052-spi: Change read-mask to write-mask (git-fixes). - drm/etnaviv: flush shader L1 cache after user commandstream (stable-fixes). - Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() (stable-fixes). - wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures (stable-fixes). - clocksource/drivers/timer-ti-dm: Fix child node refcount handling (git-fixes). - clocksource/drivers:sp804: Make user selectable (git-fixes). - hwmon: (pmbus/core) clear faults after setting smbalert mask (git-fixes). - drm: panel-orientation-quirks: Make Lenovo Yoga Tab 3 X90F DMI match less strict (stable-fixes). - regulator: rk808: Add apply_bit for BUCK3 on RK809 (stable-fixes). - can: j1939: fix error in J1939 documentation (stable-fixes). - platform/x86: dell-wmi-base: Handle META key Lock/Unlock events (stable-fixes). - platform/x86: dell-smbios-base: Extends support to Alienware products (stable-fixes). - soc: qcom: socinfo: fix revision check in qcom_socinfo_probe() (git-fixes). - soc: qcom: Add check devm_kasprintf() returned value (stable-fixes). - firmware: arm_scmi: Reject clear channel request on A2P (stable-fixes). - usb: typec: use cleanup facility for 'altmodes_node' (stable-fixes). - mac80211: fix user-power when emulating chanctx (stable-fixes). - wifi: iwlwifi: mvm: Use the sync timepoint API in suspend (stable-fixes). - net: usb: qmi_wwan: add Quectel RG650V (stable-fixes). - usb: add support for new USB device ID 0x17EF:0x3098 for the r8152 driver (stable-fixes). - PCI: j721e: Add reset GPIO to struct j721e_pcie (stable-fixes). - PCI: cadence: Set cdns_pcie_host_init() global (stable-fixes). - PCI: cadence: Extract link setup sequence from cdns_pcie_host_setup() (stable-fixes). - PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads (stable-fixes). - drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw (stable-fixes). - drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit (stable-fixes). - drm/radeon: change rdev-&gt;ddev to rdev_to_drm(rdev) (stable-fixes). - drm/radeon: add helper rdev_to_drm(rdev) (stable-fixes). - checkpatch: check for missing Fixes tags (stable-fixes). - hwmon: (pmbus_core) Allow to hook PMBUS_SMBALERT_MASK (stable-fixes). - PCI: j721e: Add PCIe 4x lane selection support (stable-fixes). - PCI: j721e: Add per platform maximum lane settings (stable-fixes). - mtd: hyperbus: rpc-if: Convert to platform remove callback returning void (stable-fixes). - commit c2f6105 - nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint (bsc#1234219 CVE-2024-53130). - commit c6f7b3e - nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint (bsc#1234220 CVE-2024-53131). - commit 6de8c49 - Update tags in patches.suse/udf-refactor-inode_bmap-to-handle-error.patch (bsc#1234242 bsc#1233096 CVE-2024-50211). - commit 18aa07e - Update tags in: patches.suse/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch (bsc#1234243 bsc#1233038 CVE-2024-50143). - commit 420cdda - mm: fix NULL pointer dereference in alloc_pages_bulk_noprof (CVE-2024-53113 bsc#1234077). - commit 0c80b5e - mm/mremap: fix address wraparound in move_page_tables() (CVE-2024-53111 bsc#1234086). - commit 85bf967 - mm: page_alloc: move mlocked flag clearance into free_pages_prepare() (CVE-2024-53105 bsc#1234069). - commit d988d1d - kABI: Restore deleted EXPORT_SYMBOL(__qdisc_calculate_pkt_len) (CVE-2024-50039 bsc#1231909). - commit cc27caf - net/ipv6: release expired exception dst cached in socket (bsc#1216813). - commit 138c9d6 - Update patches.suse/initramfs-avoid-filename-buffer-overrun.patch (CVE-2024-53142 bsc#1232436). - commit d5d0ad8 - drm/amd/display: Handle dml allocation failure to avoid crash (bsc#1234221 CVE-2024-53133) Added an additional fixes tag refering to commit abd26a3252cb (&quot;drm/amd/display: Add dml2 copy functions&quot;). - commit 100a7fa - net/sched: accept TCA_STAB only for root qdisc (CVE-2024-50039 bsc#1231909). - commit 72cfcc2 - sched/numa: fix memory leak due to the overwritten vma-&gt;numab_state (git fixes (sched/numa)). - commit 639ae96 - netfilter: nft_set_pipapo: do not free live element (CVE-2024-26924 bsc#1223387). - commit e933c39 - net: bridge: mcast: wait for previous gc cycles when removing port (CVE-2024-44934 bsc#1229809). - commit 4999b27 - scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error (git-fixes). - net :mana :Request a V2 response version for MANA_QUERY_GF_STAT (git-fixes). - commit 5ae2067 - iio: magnetometer: yas530: use signed integer type for clamp limits (git-fixes). - scatterlist: fix incorrect func name in kernel-doc (git-fixes). - kasan: make report_lock a raw spinlock (git-fixes). - commit c03eb5e Package krb5 was updated: - Prevent overflow when calculating ulog block size. An authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash; (CVE-2025-24528); (bsc#1236619). - Add patch 0010-CVE-2025-24528.patch Package util-linux:systemd was updated: - Update to version 2.40.4: * agetty: Prevent cursor escape (bsc#1194818, drop util-linux-agetty-prevent-cursor-escape.patch) add &quot;systemd&quot; to --version output\ * chcpu(8): Document CPU deconfiguring behavior * fdisk: SGI fixes * hardlink: fix memory corruption * hardlink.1 directory|file is mandatory * lib/env: fix env_list_setenv() for strings without '=' * libblkid: (exfat) validate fields used by prober (gpt) use blkid_probe_verify_csum() for partition array checksum add FSLASTBLOCK for swaparea bitlocker fix version on big-endian systems * libfdisk: make sure libblkid uses the same sector size * libmount: extract common error handling function propagate first error of multiple filesystem types * logger: correctly format tv_usec * lscpu: Skip aarch64 decode path for rest of the architectures (bsc#1229476, drop util-linux-lscpu-skip-aarch64-decode.patch) * lsns: ignore ESRCH errors reported when accessing files under /proc * mkswap: set selinux label also when creating file * more: make sure we have data on stderr * nsenter: support empty environ * umount, losetup: Document loop destroy behavior (bsc#1159034, drop util-linux-umount-losetup-lazy-destruction.patch, util-linux-umount-losetup-lazy-destruction-generated.patch). * uuidd: fix /var/lib/libuuid mode uuidd-tmpfiles.conf fix /var/lib/libuuid mode uuidd-tmpfiles.conf * Many other fixes, improvements and code cleanup. For the complete list see https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.40/v2.40.3-ReleaseNotes https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.40/v2.40.4-ReleaseNotes - Refresh util-linux.keyring. Key validity was extended. - Skip aarch64 decode path for rest of the architectures (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch). - agetty: Prevent login cursor escape (bsc#1194818, util-linux-agetty-prevent-cursor-escape.patch). - Document unexpected side effects of lazy destruction (bsc#1159034, util-linux-umount-losetup-lazy-destruction.patch, util-linux-umount-losetup-lazy-destruction-generated.patch). - Disable mountfd API again. (https://github.com/util-linux/util-linux/issues/3158) - Update to version 2.40.2: * cfdisk: fix possible integer overflow * libmount: improving robustness in reading kernel messages, add pidfs to pseudo fs list * lscpu: New Arm Cortex part numbers fix hang of lscpu -e (bsc#1225598) * lsfd: Refactor the pidfd logic, support pidfs (obsoletes 0001-include-Include-unistd.h-in-pidfd-utils.h-for-syscal.patch, 0002-lsfd-Refactor-the-pidfd-logic-into-lsfd-pidfd.c.patch, 0003-lsfd-Support-pidfs.patch, 0004-lsfd-test-Adapt-test-cases-for-pidfs.patch) * mkswap.8.adoc: update note regarding swapfile creation * setpgid: make -f work * Many other fixes, improvements and code cleanup. For the complete list see https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.40/v2.40.2-ReleaseNotes - Enable kernel mountfd API, as it should be already stable (PED-9752). - Move autoreconf back to %build. - Add devel dependencies. - Remove util-linux-rpmlintrc. It is no more needed with multibuild. - uncomment &quot;autoreconf --install&quot; to use the new version of automake - disable libmagic in more(1) for binary detection (bsc#1225197) - add support for pidfs in kernel 6.9 (bsc#1224285) * 0001-include-Include-unistd.h-in-pidfd-utils.h-for-syscal.patch * 0002-lsfd-Refactor-the-pidfd-logic-into-lsfd-pidfd.c.patch * 0003-lsfd-Support-pidfs.patch * 0004-lsfd-test-Adapt-test-cases-for-pidfs.patch Package util-linux was updated: - Update to version 2.40.4: * agetty: Prevent cursor escape (bsc#1194818, drop util-linux-agetty-prevent-cursor-escape.patch) add &quot;systemd&quot; to --version output\ * chcpu(8): Document CPU deconfiguring behavior * fdisk: SGI fixes * hardlink: fix memory corruption * hardlink.1 directory|file is mandatory * lib/env: fix env_list_setenv() for strings without '=' * libblkid: (exfat) validate fields used by prober (gpt) use blkid_probe_verify_csum() for partition array checksum add FSLASTBLOCK for swaparea bitlocker fix version on big-endian systems * libfdisk: make sure libblkid uses the same sector size * libmount: extract common error handling function propagate first error of multiple filesystem types * logger: correctly format tv_usec * lscpu: Skip aarch64 decode path for rest of the architectures (bsc#1229476, drop util-linux-lscpu-skip-aarch64-decode.patch) * lsns: ignore ESRCH errors reported when accessing files under /proc * mkswap: set selinux label also when creating file * more: make sure we have data on stderr * nsenter: support empty environ * umount, losetup: Document loop destroy behavior (bsc#1159034, drop util-linux-umount-losetup-lazy-destruction.patch, util-linux-umount-losetup-lazy-destruction-generated.patch). * uuidd: fix /var/lib/libuuid mode uuidd-tmpfiles.conf fix /var/lib/libuuid mode uuidd-tmpfiles.conf * Many other fixes, improvements and code cleanup. For the complete list see https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.40/v2.40.3-ReleaseNotes https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.40/v2.40.4-ReleaseNotes - Refresh util-linux.keyring. Key validity was extended. - Skip aarch64 decode path for rest of the architectures (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch). - agetty: Prevent login cursor escape (bsc#1194818, util-linux-agetty-prevent-cursor-escape.patch). - Document unexpected side effects of lazy destruction (bsc#1159034, util-linux-umount-losetup-lazy-destruction.patch, util-linux-umount-losetup-lazy-destruction-generated.patch). - Disable mountfd API again. (https://github.com/util-linux/util-linux/issues/3158) - Update to version 2.40.2: * cfdisk: fix possible integer overflow * libmount: improving robustness in reading kernel messages, add pidfs to pseudo fs list * lscpu: New Arm Cortex part numbers fix hang of lscpu -e (bsc#1225598) * lsfd: Refactor the pidfd logic, support pidfs (obsoletes 0001-include-Include-unistd.h-in-pidfd-utils.h-for-syscal.patch, 0002-lsfd-Refactor-the-pidfd-logic-into-lsfd-pidfd.c.patch, 0003-lsfd-Support-pidfs.patch, 0004-lsfd-test-Adapt-test-cases-for-pidfs.patch) * mkswap.8.adoc: update note regarding swapfile creation * setpgid: make -f work * Many other fixes, improvements and code cleanup. For the complete list see https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.40/v2.40.2-ReleaseNotes - Enable kernel mountfd API, as it should be already stable (PED-9752). - Move autoreconf back to %build. - Add devel dependencies. - Remove util-linux-rpmlintrc. It is no more needed with multibuild. - uncomment &quot;autoreconf --install&quot; to use the new version of automake - disable libmagic in more(1) for binary detection (bsc#1225197) - add support for pidfs in kernel 6.9 (bsc#1224285) * 0001-include-Include-unistd.h-in-pidfd-utils.h-for-syscal.patch * 0002-lsfd-Refactor-the-pidfd-logic-into-lsfd-pidfd.c.patch * 0003-lsfd-Support-pidfs.patch * 0004-lsfd-test-Adapt-test-cases-for-pidfs.patch Package expat was updated: - version update to 2.7.1 Bug fixes: [#980] #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext Other changes: [#976] #977 Autotools: Integrate files &quot;fuzz/xml_lpm_fuzzer.{cpp,proto}&quot; with Automake that were missing from 2.7.0 release tarballs [#983] #984 Fix printf format specifiers for 32bit Emscripten [#992] docs: Promote OpenSSF Best Practices self-certification [#978] tests/benchmark: Resolve mistaken double close [#986] Address compiler warnings [#990] #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: [#982] CI: Start running Perl XML::Parser integration tests [#987] CI: Enforce Clang Static Analyzer clean code [#991] CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy [#981] CI: Cover compilation with musl [#983] #984 CI: Cover compilation with 32bit Emscripten [#976] #977 CI: Protect against fuzzer files missing from future release archives - version update to 2.7.0 for SLFO-1.1 - deleted patches - expat-CVE-2024-45490.patch (upstreamed) - expat-CVE-2024-45491.patch (upstreamed) - expat-CVE-2024-45492.patch (upstreamed) - expat-CVE-2024-28757.patch (upstreamed) - expat-CVE-2024-50602.patch (upstreamed) - expat-fix-minicheck.patch (upstreamed) - version update to 2.7.0 (CVE-2024-8176 [bsc#1239618]) * Security fixes: [#893] #973 CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data (&quot;&lt;e&gt;&amp;g1;&lt;/e&gt;&quot;) - general entities in attribute values (&quot;&lt;e k1='&amp;g1;'/&gt;&quot;) - parameter entities (&quot;%p1;&quot;) Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. * Other changes: [#935] #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS [#925] Autotools: Sync CMake templates with CMake 3.29 [#945] #962 #966 CMake: Drop support for CMake &lt;3.13 [#942] CMake: Small fuzzing related improvements [#921] docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 [#941] docs: Document need for C++11 compiler for use from C++ [#959] tests/benchmark: Fix a (harmless) TOCTTOU [#944] Windows: Fix installer target location of file xmlwf.xml for CMake [#953] Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW [#971] Address Cppcheck warnings [#969] #970 Mass-migrate links from http:// to https:// [#947] #958 .. [#974] #975 Document changes since the previous release [#974] #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do - no source changes, just adding jira reference: jsc#SLE-21253 - version update to 2.6.4 * Security fixes: [bsc#1232601][bsc#1232579] [#915] CVE-2024-50602 -- Fix crash within function XML_ResumeParser from a NULL pointer dereference by disallowing function XML_StopParser to (stop or) suspend an unstarted parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly communicate this situation. // CWE-476 CWE-754 * Other changes: [#903] CMake: Add alias target &quot;expat::expat&quot; [#905] docs: Document use via CMake &gt;=3.18 with FetchContent and SOURCE_SUBDIR and its consequences [#902] tests: Reduce use of global parser instance [#904] tests: Resolve duplicate handler [#317] #918 tests: Improve tests on doctype closing (ex CVE-2019-15903) [#914] Fix signedness of format strings [#919] #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ for what these numbers do - updated keyring [https://build.suse.de/request/show/345282] - modified sources % expat.keyring - Update to 2.6.3: * Security fixes: - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with len &lt; 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the fix, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and now documented. Impact is denial of service to potentially artitrary code execution. - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially artitrary code execution. - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially artitrary code execution. * Other changes: - Autotools: Sync CMake templates with CMake 3.28 - Autotools: Always provide path to find(1) for portability - Autotools: Ensure that the m4 directory always exists. - Autotools: Simplify handling of SIZEOF_VOID_P - Autotools: Support non-GNU sed - Autotools|CMake: Fix main() to main(void) - Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM - Autotools|CMake: Stop requiring dos2unix - CMake: Fix check for symbols size_t and off_t - docs|tests: Convert README to Markdown and update - Windows: Drop support for Visual Studio &lt;=15.0/2017 - Drop needless XML_DTD guards around is_param access - Fix typo in a code comment - Version info bumped from 10:2:9 (libexpat*.so.1.9.2) to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/ for what these numbers do - update to 2.6.2: * CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers (boo#1221289) * Reject direct parameter entity recursion and avoid the related undefined behavior - update to 2.6.1: * Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0 * Make tests independent of CPU speed, and thus more robust - drop libxml2-fix-xmlwf.1-handling.patch, upstream - Fix handling of xmlwf.1 to avoid workarounds in specfile: * Added libxml2-fix-xmlwf.1-handling.patch - Call buildconf.sh to avoid (future) issues with expat_config.h.in Package libxslt was updated: - Security fixes: * Fix use-after-free of XPath context node [bsc#1239625, CVE-2025-24855] * Fix UAF related to excluded namespaces [bsc#1239637, CVE-2024-55549] * Make generate-id() deterministic [bsc#1238591, CVE-2023-40403] Just adding the reference here as this CVE was already fixed in 0009-Make-generate-id-deterministic.patch * Add patches: - libxslt-CVE-2024-55549.patch - libxslt-CVE-2025-24855.patch Package freetype2 was updated: - update to 2.13.2: * Some fields in the `FT_Outline` structure have been changed from signed to unsigned type, which better reflects the actual usage. It is also an additional means to protect against malformed input. * Rare double-free crashes in the cache subsystem have been fixed. * Excessive stack allocation in the autohinter has been fixed. * The B/W rasterizer has received a major upkeep that results in large performance improvements. The rendering speed has increased and even doubled for very complex glyphs. Package gnutls was updated: - Security fix [bsc#1236974, CVE-2024-12243] * gnutls: inefficient DER Decoding in libtasn1 could lead to remote DoS * Add gnutls-CVE-2024-12243.patch Package openssl-3 was updated: - Security fix: [bsc#1236136, CVE-2024-13176] * Fix timing side-channel in ECDSA signature computation * Add openssl-CVE-2024-13176.patch Package systemd was updated: - Maintain the network device naming scheme used on SLE15 (jsc#PED-12317) This shouldn't cause problems as predictable naming schemes are disabled on SLMicro-6.1 (net.ifnames=0 is set on the kernel command line by default). Add 1001-man-describe-the-net-naming-schemes-specific-to-SLE.patch for the description of these schemes in the relevant man page. - Import commit 09b7477895b79c7a3604a7e1aa71eeb3d401e65c 09b7477895 udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015) - Drop 5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch The path has been merged into the SUSE/v254 branch. - Import commit 0d0f2dbfc4c901dca09fdd3d5b744b5339e0e991 (merge of v254.24) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/b4693652f317dbae80e31b978f51e695a23fa3d0...0d0f2dbfc4c901dca09fdd3d5b744b5339e0e991 - Import commit b4693652f317dbae80e31b978f51e695a23fa3d0 b4693652f3 journald: close runtime journals before their parent directory removed 044d051f0c journald: reset runtime seqnum data when flushing to system journal (bsc#1236886) - Add 0004-core-create-the-credential-directory-even-if-it-s-em.patch (bsc#1229228) - Import commit d7a56d70fb052f738442c2874b072d6514242050 (merge of v254.23) eab1d9753b stdio-bridge: fix polled fds f028f2298e hwdb: comment out the entry for Logitech MX Keys for Mac e808cbdd6d test: answer 2nd mdadm --create question for compat with new version bf01f3d692 core/unit-serialize: fix serialization of markers f043ab6f34 locale-setup: do not load locale from environemnt when /etc/locale.conf is unchanged 71efbe69b6 core: fix assert when AddDependencyUnitFiles is called with invalid parameter - Fix systemd-network recommending libidn2-devel (boo#1234765) - Import commit 679c57667db0e755271f392775908d18e4976406 679c57667d tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED (boo#1233752 bsc#1234313) - Import commit 8752ef2f258c62470bef3bb24ca1ef3a969ac474 (merge of v254.22) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e107182cb3dd1702b291d0455bdabcb7db28e537...8752ef2f258c62470bef3bb24ca1ef3a969ac474 - Add 5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch (bsc#1234015) Temporarily add this patch. It will be integrated in the git repository if no issues are reported in the coming months. - Import commit 807fe764111b5a74cc8618b8e4ec437a0dec91ff 807fe76411 udev: add new builtin net_driver 3a48b5f21d udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard() 5359c1d6d4 udev-builtin-net_id: split-out get_pci_slot_specifiers() 1cd915ac7b udev-builtin-net_id: introduce get_port_specifier() helper function 72a4218155 udev-builtin-net_id: split out get_dev_port() and make its failure critical f6c721b4da udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address() 9e16c3cf27 udev-builtin-net_id: return earlier when hotplug slot is not found 4851355767 udev-builtin-net_id: skip non-directory entry earlier a571e5f1dd udev-builtin-net_id: make names_xen() self-contained 9acc241d5f udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim ca8a431b55 udev-builtin-net_id: make names_netdevsim() self-contained a66251d666 udev-builtin-net_id: make names_platform() self-contained 1e834d7157 udev-builtin-net_id: make names_vio() self-contained 8b236dcd7a udev-builtin-net_id: make names_ccw() self-contained 7d70e2fa7d udev-builtin-net_id: make dev_devicetree_onboard() self-contained 46158a6e91 udev-builtin-net_id: make names_mac() self-contained 7789e7f886 udev-builtin-net_id: split out get_ifname_prefix() 9b0062a667 udev-builtin-net_id: swap arguments for streq() and friends 181a775b40 udev-builtin-net_id: drop unused value from NetNameType Refactoring to prepare for backporting the filtering mechanism of specific sysfs attributes during predictable NIC name generation. - Add 0003-Drop-support-for-efivar-SystemdOptions.patch (bsc#1220338) Upstream deprecated it and plan to drop it in the future. Let's get ahead and drop it now as this feature is unlikely to be used on SUSE distros and it might be used to gain access to encrypted SLEM systems with unattended disk unlock and with secure boot disabled. - Import commit e107182cb3dd1702b291d0455bdabcb7db28e537 (merge of v254.21) This merge includes the following fix: a467a411f pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, noone else (bsc#1232227) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/a3aa27ac6649cb096b3c87c8ac61a6950bfa3567...e107182cb3dd1702b291d0455bdabcb7db28e537 - Import commit a3aa27ac6649cb096b3c87c8ac61a6950bfa3567 (merge of v254.20) This merge includes the following fix: 8b6ae951d3 udev: skipping empty udev rules file while collecting the stats (bsc#1232844) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/ae14c7765524a3c84ce8a65d6a3a4db2be981f69...a3aa27ac6649cb096b3c87c8ac61a6950bfa3567 Package libtasn1 was updated: - Security fix: [bsc#1236878, CVE-2024-12133] * Potential DoS in handling of numerous SEQUENCE OF or SET OF elements * Add libtasn1-CVE-2024-12133.patch Package libxml2 was updated: - security update- added patches fix CVE-2024-56171 [bsc#1237363], use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c + libxml2-CVE-2024-56171.patch fix CVE-2025-24928 [bsc#1237370], stack-based buffer overflow in xmlSnprintfElements in valid.c + libxml2-CVE-2025-24928.patch fix CVE-2025-27113 [bsc#1237418], NULL Pointer Dereference in libxml2 xmlPatMatch + libxml2-CVE-2025-27113.patch Package microos-tools was updated: - Update to version 2.21+git24: * test: Check for AVC denials in the journal * test: More reliable output of combustion-validate * test: Remove workaround for boo#1230912 * Label /sys before selinux-autorelabel units run (bsc#1232709) * Add RemainAfterExit=true to autorelabel services * Consistently use tabs in selinux-autorelabel-generator * Add automated testing of SELinux relabelling functionality * Fix OBS workflow for pushes to master Package netavark was updated: - Use recommended way to require latest rust—require cargo.- Update to version 1.12.2: * Release v1.12.2 * Release notes for 1.12.2 * fix new rust 1.80 lint issues * silence new rust 1.80 warnings * aardvark: on start failure delete entries again * iptables: make dns rules cover tcp as well * nftables: make dns rules cover tcp as well * Release v1.12.1 * Update release notes for v1.12.1 * Change nv cargo categories * Bump to 1.13.0-dev * Release 1.12 * Release Notes for 1.12 * run cargo update * rpm: use nftables as default for f41 * fix(deps): update rust crate serde_json to 1.0.121 * fix(deps): update rust crate tokio to 1.39.2 * aardvark-dns: trim whitespaces from error text * fix(deps): update rust crate env_logger to 0.11.5 * [skip-ci] RPM: handle iptables/nftables dependencies * fix aardvark-dns error handling * fix(deps): update rust crate tokio to 1.39.1 * fix(deps): update rust crate env_logger to 0.11.4 * fix(deps): update rust crate tokio to 1.38.1 * update mozim to 0.2.4 (bsc#1236567) * fix(deps): update rust crate serde_json to 1.0.120 * netavark: dhcp_proxy: use dns servers from dhcp lease * fix(deps): update rust crate serde_json to 1.0.119 * fix(deps): update rust crate netlink-packet-route to 0.20.1 * fix(deps): update rust crate log to 0.4.22 * Fix Epoch so upgrade path is preserved from Fedora/RHEL. * test: add macvlan metric test * fix(deps): update rust crate serde_json to 1.0.118 * fix(deps): update rust crate url to 2.5.2 * fix(deps): update rust crate prost to 0.12.6 * fix(deps): update rust crate url to 2.5.1 * fix(deps): update rust crate iptables to 0.5.2 * [CI:BUILD] rpm: Update Rust macro usage * fix(deps): update rust crate nftables to 0.4.1 * fix(deps): update rust crate tokio to 1.38.0 * Bump to 1.12.0-dev - Remove redundant source: cargo_config - Update to version 1.11.0: * Release v1.11.0 * Update release notes for 1.11.0 * update netlink-packet-route to 0.20.0 * run cargo update * fix: remove extra / in make install and uninstall * chore(deps): update dependency containers/automation_images to v20240529 * fix(deps): update rust crate nix to 0.29.0 * fix(deps): update rust crate nispor to 1.2.19 * fix(deps): update rust crate anyhow to 1.0.86 * fix(deps): update rust crate anyhow to 1.0.85 * [skip-ci] Packit: do not create dup jobs on podman-next * fix(deps): update rust crate anyhow to 1.0.84 * [skip-ci] RPM: use default __cargo macro across all envs * [skip-ci] RPM: switch default firewall to nftables on EL10+ * chore(deps): update dependency containers/automation_images to v20240513 * Add conditional compilation of default firewall driver * fix(deps): update rust crate serde_json to 1.0.117 * fix new clippy warnings * Update CI image to fedora 40 * fix ncat sctp tests * fix(deps): update rust crate anyhow to 1.0.83 * build(deps): bump h2 from 0.3.25 to 0.3.26 * [skip-ci] Packit: distinct `-rhel` packages value * [skip-ci] Packit: enable c10s downstream sync * fix(deps): update rust crate libc to 0.2.154 * fix(deps): update rust crate ipnet to 2.9.0 * fix(deps): update rust crate tower to 0.4.13 * fix(deps): update rust crate tokio-stream to 0.1.15 * fix(deps): update rust crate prost to 0.12.4 * fix(deps): update rust crate iptables to 0.5.1 * [skip-ci] Packit: remove el8 jobs * fix(deps): update rust crate anyhow to 1.0.82 * fix(deps): update rust crate serde to 1.0.199 * Add suffix to Aardvark internal network filenames * fix port forward with strict RPF and multi networks * renovate: stop rebasing PRs automatically * chore(deps): update rust crate chrono to 0.4.38 * fix(deps): update rust crate serde_json to 1.0.116 * fix(deps): update rust crate netlink-sys to 0.8.6 * nftables: only dump netavark table rules * update nftables to 0.4 * fix aardvark-dns netns check * fix(deps): update rust crate tokio to 1.37 * fix(deps): update rust crate netlink-packet-route to 0.19.0 * Update to nix-0.28.0 * fix(deps): update rust crate mozim to 0.2.3 * fix(deps): update rust crate nispor to 1.2.18 * Update chrono * fix(deps): update rust crate serde_json to 1.0.115 * build(deps): bump mio from 0.8.9 to 0.8.11 * [skip-ci] rpm: aardvark-dns is a hard dep across the board * Update Rust crate env_logger to 0.11.3 * Update Rust crate serde to 1.0.197 * Update Rust crate tempfile to 3.10.1 * Update Rust crate log to 0.4.21 * Update Rust crate zbus to 3.15.2 * Update Rust crate serde_json to 1.0.114 * Update Rust crate env_logger to 0.11.2 * Update Rust crate chrono to 0.4.34 * Update Rust crate tonic-build to 0.11 * Update Rust crate tonic to 0.11 * fix netavark update to not start a new aardvark-dns * Update Rust crate tempfile to 3.10.0 * Update Rust crate zbus to 3.15.0 * Update Rust crate tokio to 1.36 * Update Rust crate chrono to 0.4.33 * Do not perform network namespace detection on AV update * [CI:BUILD] Packit/rpm: fix aardvark-dns handling * Update Rust crate serde_json to 1.0.113 * Update Rust crate serde_json to 1.0.112 * Update Rust crate env_logger to 0.11.1 * update README with nftables support * Bump to v1.11.0-dev * perf-netavark: accept fw driver as argument * perf-netavark: fix missing --config arg - Update to version 1.10.3: * v1.10.3 * fix netavark update to not start a new aardvark-dns Package openssh was updated: - Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). The problem was introduced in the rebase of the patch for 9.6p1: * openssh-8.0p1-gssapi-keyex.patch - Fix a MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client and a DoS attack against OpenSSH's client and server (bsc#1237040, CVE-2025-26465, bsc#1237041, CVE-2025-26466): * fix-CVE-2025-26465-and-CVE-2025-26466.patch - From Fri Oct 11 09:28:30 UTC 2024 - Antonio Larrosa &lt;alarrosa@suse.com&gt; - Add a patch to fix a regression introduced in 9.6 that makes X11 forwarding very slow. Submitted to upstream in https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4 . Fixes bsc#1229449: * fix-x11-regression-bsc1229449.patch - Drop most of openssh-6.6p1-keycat.patch (actually, it was just commented out). The keycat binary isn't really installed nor supported, so we can drop it, except for the code that is used by other SELinux patches, which is what I kept from that patch (boo#1229072). - Add patch submitted to upstream to fix RFC4256 implementation so that keyboard-interactive authentication method can send instructions and sshd shows them to users even before a prompt is requested. This fixes MFA push notifications (boo#1229010). * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch - Fix a dbus connection leaked in the logind patch that was missing a sd_bus_unref call (found by Matthias Gerstner): * logind_set_tty.patch - Add a patch that fixes a small memory leak when parsing the subsystem configuration option: * fix-memleak-in-process_server_config_line_depth.patch - From Wed Jul 10 11:35:18 UTC 2024 - Antonio Larrosa &lt;alarrosa@suse.com&gt; - Remove empty line at the end of sshd-sle.pamd (bsc#1227456) Package pam_u2f was updated: - Add 0002_soften_authfile_permission_check.patch introduced upstream to fix an issue when authfile has flaky permissions. - Fix for CVE-2025-23013 (bsc#1233517): * Add 0001_fix_for_CVE_2025_23013.patch patch Package pam was updated: - pam_access: rework resolving of tokens as hostname - separate resolving of IP addresses from hostnames. Don't resolve TTYs or display variables as hostname. - Add &quot;nodns&quot; option to disallow resolving of tokens as hostname. - [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078, CVE-2024-10963] Package podman was updated: - Add patch for CVE-2025-22869 (bsc#1239330): * 0003-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch - Rebase patches: * 0001-vendor-bump-buildah-to-1.37.6-CVE-2024-11218.patch * 0002-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch - Add patch for CVE-2025-27144 (bsc#1237641): * 0002-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch - Rebase patches: * 0001-vendor-bump-buildah-to-1.37.6-CVE-2024-11218.patch - Add patch for CVE-2024-11218 (bsc#1236270): * 0001-vendor-bump-buildah-to-1.37.6-CVE-2024-11218.patch - Removed patches (merged upstream): * 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch * 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch * 0003-Properly-validate-cache-IDs-and-sources.patch * 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch - Add missing podman-clean-transient unit - Update to version 5.2.5: * Bump to v5.2.5 (bsc#1236507) * Update release notes for 5.2.5 * Bump c/storage to v1.55.1 and Buildah to v1.37.5 * RPM: remove dup Provides * Packit: constrain koji and bodhi jobs to fedora package to avoid dupes * Bump to v5.2.5-dev * Bump to v5.2.4 * Update release notes for v5.2.4 * Validate the bind-propagation option to `--mount` * Bump Buildah to v1.37.4 * vendor: update c/common to v0.60.4 * Bump to v5.2.4-dev * Bump to v5.2.3 * Update release notes for v5.2.3 * [v5.2] Bump Buildah to v1.37.3 * pkg/specgen: allow pasta when running inside userns * libpod: convert owner IDs only with :idmap * docs: update read the docs changes * allow exposed sctp ports * libpod: setupNetNS() correctly mount netns * vendor: update c/common to v0.60.3 * [skip-ci] Packit: split out ELN jobs and reuse fedora downstream targets * [skip-ci] Packit: Enable sidetags for bodhi updates * build: Update gvisor-tap-vsock to 0.7.5 * CI: podman-machine: do not use cache registry * [CI:DOCS] Add v5.2.2 lib updates to RELEASE_NOTES.md * Bump to v5.2.3-dev * Bump to v5.2.2 * Update RELEASE_NOTES for v5.2.2 * [v5.2] Bump Buildah to v1.37.2, c/common v0.60.2, c/image v5.32.2 * [v5.2] golangci-lint: make darwin linting happy * [v5.2] golangci-lint: make windows linting happy * [v5.2] test/e2e: remove kernel version check * [v5.2] golangci-lint: remove most skip dirs * [v5.2] set !remote build tags where needed * [v5.2] update golangci-lint to 1.60.1 * Packit: update targets for propose-downstream * Create volume path before state initialization * Update Cirrus DEST_BRANCH * Bump to v5.2.2-dev * Bump to v5.2.1 * Update release notes for v5.2.1 * [v5.2] Add zstd:chunked test fix * [v5.2] Bump Buildah to v1.37.1, c/common v0.60.1, c/image v5.32.1 * libpod: reset state error on init * libpod: do not save expected stop errors in ctr state * libpod: fix broken saveContainerError() * Bump to v5.2.1-dev * Bump to v5.2.0 * Never skip checkout step in release workflow * Bump to v5.2.0-dev * Bump to v5.2.0-rc3 * Update release notes for v5.2.0-rc3 * Tweak versions in register_images.go * fix network cleanup flake in play kube * WIP: Fixes for vendoring Buildah * Add --compat-volumes option to build and farm build * Bump Buildah, c/storage, c/image, c/common * libpod: bind ports before network setup * pkg/api: do not leak config pointers into specgen * build: Update gvisor-tap-vsock to 0.7.4 * test/system: fix borken pasta interface name checks * test/system: fix bridge host.containers.internal test * CI: system tests: instrument to allow failure analysis * Use uploaded .zip for Windows action * RPM: podman-iptables.conf only on Fedora * Bump to v5.2.0-dev * Bump to v5.2.0-rc2 * Update release notes for v5.2.0-rc2 * test/e2e: fix ncat tests * libpod: add hidden env to set sqlite timeout * Add support for StopSignal in quadlet .container files * podman pod stats: fix race when ctr process exits * Update module github.com/vbauerster/mpb/v8 to v8.7.4 * libpod: correctly capture healthcheck output * Bump bundled krunkit to 0.1.2 * podman stats: fix race when ctr process exists * nc -p considered harmful * podman pod stats: fix pod rm race * podman ps: fix racy pod name query * system connection remove: use Args function to validate * pkg/machine/compression: skip decompress bar for empty file * nc -p considered harmful * podman system df: fix fix ErrNoSuchCtr/Volume race * podman auto-update: fix ErrNoSuchCtr race * Fix name for builder in farm connection * 700-play.bats: use unique pod/container/image/volume names * safename: consistent within same test, and, dashes * 700-kube.bats: refactor $PODMAN_TMPDIR/test.yaml * 700-play.bats: eliminate $testYaml * 700-play.bats: refactor clumsy yamlfile creation * 700-play.bats: move _write_test_yaml up near top * chore(deps): update dependency setuptools to v71 * Expand drop-in search paths * top-level (pod.d) * truncated (unit-.container.d) * Remove references and checks for --gpus * Do not crash on invalid filters * fix(deps): update module github.com/rootless-containers/rootlesskit/v2 to v2.2.0 * Bump to v5.2.0-dev * Bump to v5.2.0-rc1 * Keep the volume-driver flag deprecated * Vendor in latest containers(common, storage,image, buildah) * System tests: safe container/image/volume/etc names * Implement disable default mounts via command line * test: drop unmount for overlay * test: gracefully terminate server * libpod: shutdown Stop waits for handlers completion * libpod: cleanup store at shutdown * Add NetworkAlias= support to quadlet * cmd: call shutdown handler stop function * fix race conditions in start/attach logic * swagger: exlude new docker network types * vendor: bump c/storage * update to docker 27 * contrib: use a distinct --pull-option= for each flag * Update warning message when using external compose provider * Update module github.com/cyphar/filepath-securejoin to v0.3.0 * Ignore result of EvalSymlinks on ENOENT * test/upgrade: fix tests when netavark uses nftables * test/system: fix network reload test with nftables * test/e2e: rework some --expose tests * test: remove publish tests from e2e * CI: test nftables driver on fedora * CI: use local registry, part 3 of 3: for developers * CI: use local registry, part 2 of 3: fix tests * CI: use local registry, part 1 of 3: setup * CI: test composefs on rawhide * chore(deps): update module google.golang.org/grpc to v1.64.1 [security] * chore(deps): update dependency setuptools to ~=70.3.0 * Improve container filenname ambiguity. * containers/attach: Note bug around goroutine leak * Drop minikube CI test * add libkrun test docs * fix(deps): update module tags.cncf.io/container-device-interface to v0.8.0 * cirrus: check for header files in source code check * pkg/machine/e2e: run debug command only for macos * create runtime's worker queue before queuing any job * test/system: fix pasta host.containers.internal test * Visual Studio BuildTools as a MinGW alternative * SetupRootless(): only reexec when needed * pkg/rootless: simplify reexec for container code * cirrus: add missing test/tools to danger files * fix(deps): update module golang.org/x/tools to v0.23.0 * Windows Installer: switch to wix5 * fix(deps): update module golang.org/x/net to v0.27.0 * pkg/machine/e2e: print tests timings at the end * pkg/machine/e2e: run debug commands after init * pkg/machine/e2e: improve timeout handling * libpod: first delete container then cidfile * fix(deps): update module golang.org/x/term to v0.22.0 * System test fixes * cirrus.yml: automatic skips based on source * fix(deps): update module github.com/containers/ocicrypt to v1.2.0 * podman events: fix error race * chore(deps): update dependency setuptools to ~=70.2.0 * fix(deps): update module github.com/gorilla/schema to v1.4.1 [security] * Update CI VM images * pkg/machine/e2e: fix broken cleanup * pkg/machine/e2e: use tmp file for connections * test/system: fix podman --image-volume to allow tmpfs storage * CI: mount tmpfs for container storage * docs: --network remove missing leading sentence * specgen: parse devices even with privileged set * vendor: update c/storage * Remove the unused machine volume-driver * feat(quadlet): log option handling * Error when machine memory exceeds system memory * machine: Always use --log-file with gvproxy * CI: Build-Each-Commit test: run only on PRs * Small fixes for testing libkrun * Podman machine resets all providers * Clearly indicate names w/ URLencoded duplicates * [skip-ci] Packit: split rhel and centos-stream jobs * apple virtiofs: fix racy mount setup * cirrus: fix broken macos artifacts URL * libpod/container_top_linux.c: fix missing header * refactor(build): improve err when file specified by -f does not exist * Minor: Remove unhelpful comment * Update module github.com/openshift/imagebuilder to v1.2.11 * Minor: Rename the OSX Cross task * [skip-ci] Remove conditionals from changelog * podman top: join the container userns * Run linting in parallel with building * Fix missing Makefile target dependency * build API: accept platform comma separated * [skip-ci] RPM: create podman-machine subpackage * ExitWithError() - more upgrades from Exit() * test/e2e: remove podman system service tests * cirrus: reduce int tests timeout * cirrus: remove redundant skip logic * pkg/machine/apple: machine stop timeout * CI: logformatter: link to correct PR base * Update module github.com/crc-org/crc/v2 to v2.38.0 * ExitWithError(): continued * test/system: Add test steps for journald log check in quadlet * restore: fix missing network setup * podman run use pod userns even with --pod-id-file * macos-installer: bundle krunkit * remote API: fix pod top error reporting * libpod API: return proper error status code for pod start * fix #22233 * added check for `registry.IsRemote()`. and correct error message. * fix #20686 * pkg/machine/e2e: Remove unnecessary copy of machine image. * libpod: intermediate mount if UID not mapped into the userns * libpod: avoid chowning the rundir to root in the userns * libpod: do not chmod bind mounts * libpod: unlock the thread if possible * CI Cleanup: Remove cgroups v1 support * ExitWithError() - more upgrades from Exit() * remote: fix incorrect CONTAINER_CONNECTION parsing * container: pass KillSignal and StopTimeout to the systemd scope * libpod: fix comment * e2e: test container restore in pod by name * docs: Adds all PushImage supported paramters to openapi docs. * systests: kube: bump up a timeout * cirrus.yml: add CI:ALL mode to force all tests * cirrus.yml: implement skips based on source changes * CI VMs: bump * restore: fix container restore into pod * sqlite_state: Fix RewriteVolumeConfig * chore(deps): update dependency setuptools to ~=70.1.0 * Quadlet - use specifier for unescaped values for templated container name * cirrus: check for system test leaks in nightly * test/system: check for leaks in teardown suite * test/system: speed up basic_{setup,teardown}() * test/system: fix up many tests that do not cleanup * test/system: fix podman --authfile=nonexistent-path * Update module github.com/containernetworking/plugins to v1.5.1 * Update module github.com/checkpoint-restore/checkpointctl to v1.2.1 * Update module github.com/spf13/cobra to v1.8.1 * Update module github.com/gorilla/schema to v1.4.0 * pkg/machine/wsl: force terminate wsl instance * pkg/machine/wsl: wrap command errors * [CI:DOCS] Quadlet - add note about relative path resolution * CI: do not install python packages at runtime * Release workflow: Include candidate descriptor * Minor: Fix indentation in GHA release workflow * GHA: Send release notification mail * GHA: Validate release version number * Remove references to --pull=true and --pull=false * ExitWithError, continued * podman: add new hidden flag --pull-option * [CI:DOCS] Fix typos in podman-build * infra: mark storageSet when imagestore is changed * [CI:DOCS] Add jnovy as reviewer and approver * fix(deps): update module google.golang.org/protobuf to v1.34.2 * refactor(machine,wsl): improve operations of Windows API * --squash --layers=false should be allowed * fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.2.0 * update golangci-lint to v1.59.1 * Rename master to main in CONTRIBUTING.md * podman 5, pasta and inter-container networking * libpod: do not resuse networking on start * machine/linux: Switch to virtiofs by default * machine/linux: Support virtiofs mounts (retain 9p default) * machine/linux: Use memory-backend-memfd by default * ExitWithError() - continued * Enable libkrun provider to open a debug console * Add new targets on Windows makefile (winmake.ps1) * fix(deps): update module github.com/docker/docker to v26.1.4+incompatible * fix(deps): update module github.com/crc-org/crc/v2 to v2.37.1 * fix(deps): update module golang.org/x/tools to v0.22.0 * fix(deps): update module golang.org/x/net to v0.26.0 * libpod: fix 'podman kube generate' on FreeBSD * fix(deps): update module golang.org/x/sys to v0.21.0 * libpod: do not leak systemd hc startup unit timer * vendor latest c/common * pkg/rootless: set _CONTAINERS_USERNS_CONFIGURED correctly * run bats -T, to profile timing hogs * test/system: speed up podman ps --external * test/system: speed up podman network connect/disconnect * test/system: speed up podman network reload * test/system: speed up quadlet - pod simple * test/system: speed up podman parallel build should not race * test/system: speed up podman cp dir from host to container * test/system: speed up podman build - workdir, cmd, env, label * test/system: speed up podman --log-level recognizes log levels * test/system: remove obsolete debug in net connect/disconnect test * test/system: speed up quadlet - basic * test/system: speed up user namespace preserved root ownership * System tests: add `podman system check` tests * Add `podman system check` for checking storage consistency * fix(deps): update module github.com/crc-org/crc/v2 to v2.37.0 * fix(libpod): add newline character to the end of container's hostname file * fix(deps): update module github.com/openshift/imagebuilder to v1.2.10 * fix(deps): update github.com/containers/image/v5 digest to aa93504 * Fix 5.1 release note re: runlabel * test/e2e: use local skopeo not image * fix(deps): update golang.org/x/exp digest to fd00a4e * [CI:DOCS] Add contrib/podmanimage/stable path back in repo * chore(deps): update dependency requests to ~=2.32.3 * fix(deps): update github.com/containers/image/v5 digest to 2343e81 * libpod: do not move podman with --cgroups=disabled * Update release notes on Main to v5.1.0 * test: look at the file base name * tests: simplify expected output * Sigh, new VMs again * Fail earlier when no containers exist in stats * Add Hyper-V option in windows installer * libpod: cleanup default cache on system reset * vendor: update c/image * test/system: speed up kube generate tmpfs on /tmp * test/system: speed up podman kube play tests * test/system: speed up podman shell completion test * test/system: simplify test signal handling in containers * test/system: speed up podman container rm ... * test/system: speed up podman ps - basic tests * test/system: speed up read-only from containers.conf * test/system: speed up podman logs - multi ... * test/system: speed up podman run --name * Debian: switch to crun * test/system: speed up podman generate systemd - envar * test/system: speed up podman-kube@.service template * test/system: speed up kube play healthcheck initialDelaySeconds * test/system: speed up exit-code propagation test * test/system: speed up &quot;podman run --timeout&quot; * test/system: fix slow kube play --wait with siginterrupt * undo auto-formatting * test/system: speed up podman events tests * Quadlet: Add support for .build files * test/system: speed up &quot;podman auto-update using systemd&quot; * test/system: remove podman wait test * tests: disable tests affected by a race condition * update golangci-lint to v1.59.0 * kubernetes_support.md: Mark volumeMounts.subPath as supported * working name of pod on start and stop * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0 * Bump Buildah to v1.36.0 * fix(deps): update module github.com/burntsushi/toml to v1.4.0 * fix typo in Tutorials.rst * Mac PM test: Require pre-installed rosetta * test/e2e: fix new error message * Add configuration for podmansh * Update containers/common to latest main * Only stop chowning volumes once they're not empty * podman: fix --sdnotify=healthy with --rm * libpod: wait another interval for healthcheck * quadlet: Add a network requirement on .image units * test, pasta: Ignore deprecated addresses in tests * [CI:DOCS] performance: update network docs * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.18.0 * CI: disable minikube task * [CI:DOCS] Fix windows action trigger * chore(deps): update dependency setuptools to v70 * Check AppleHypervisor before accessing it * fix(deps): update module github.com/containernetworking/plugins to v1.5.0 * [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.2 * add podman-clean-transient.service service to rootless * [CI:DOCS] Update podman network docs * fix incorrect host.containers.internal entry for rootless bridge mode * vendor latest c/common main * Add Rosetta support for Apple Silicon mac * bump main to 5.2.0-dev * Use a defined constant instead of a hard-coded magic value * cirrus: use faster VM's for integration tests * fix(deps): update github.com/containers/gvisor-tap-vsock digest to 01a1a0c * [CI:DOCS] Fix Mac pkg link * test: remove test_podman* scripts * test/system: fix documentation * Return StatusNotFound when multiple volumes matching occurs * container_api: do not wait for healtchecks if stopped * libpod: wait for healthy on main thread * `podman events`: check for an error after we finish reading events * remote API: restore v4 payload in container inspect * Fix updating connection when SSH port conflict happens * rootless: fix reexec to use /proc/self/exe * ExitWithError() - enforce required exit status &amp; stderr * ExitWithError() - a few that I missed * [skip-ci] Packit: use only one value for `packages` key for `trigger: commit` copr builds * Revert &quot;Temporarily disable rootless debian e2e testing&quot; * CI tests: enforce TMPDIR on tmpfs * use new CI images with tmpfs /tmp * run e2e test on tmpfs * Update module github.com/crc-org/crc/v2 to v2.36.0 * Address CVE-2024-3727 * [CI:DOCS] Use checkout@v4 in GH Actions * ExitWithError() - rmi_test * ExitWithError() - more r files * ExitWithError() - s files * ExitWithError() - more run_xxx tests * Fix podman-remote support for `podman farm build` * [CI:DOCS] Trigger windows installer action properly * Revert &quot;container stop: kill conmon&quot; * Ensure that containers do not get stuck in stopping * [CI:DOCS] Improvements to make validatepr * ExitWithError() - rest of the p files * [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.1 * Graceful shutdown during podman kube down * Remove duplicate call * test/system: fix broken &quot;podman volume globs&quot; test * Quadlet/Container: Add GroupAdd option * Don't panic if a runtime was configured without paths * update c/{buildah,common,image,storage} to latest main * update golangci-lint to 1.58 * machine: Add LibKrun provider detection * ExitWithError() - continue tightening * fix(deps): update module google.golang.org/protobuf to v1.34.1 * test: improve test for powercap presence * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.3 * fix(deps): update module go.etcd.io/bbolt to v1.3.10 * fix(deps): update module golang.org/x/tools to v0.21.0 * [skip-ci] RPM: `bats` required only on Fedora * fix(deps): update module golang.org/x/exp to v0.0.0-20240506185415-9bf2ced13842 * gpdate and remove parameter settings in `.golangci.yml` * ExitWithError() - play_kube_test.go * Temporarily disable rootless debian e2e testing * fix(deps): update module golang.org/x/crypto to v0.23.0 * CI Docs: Clarify passthrough_envars() comments * Skip machine tests if they don't need to be run * Update CI VMs to F40, F39, D13 * ExitWithError() - v files * Update module golang.org/x/term to v0.20.0 * machine: Add provider detection API * util: specify a not empty pause dir for root too * Add missing option 'healthy' to output of `podman run --help` * [CI:DOCS] Add info on the quay.io images to the README.md * Add a random suffix to healthcheck unit names * test/e2e: remove toolbox image * Also substitute $HOME in runlabel with user's homedir * Update module github.com/cyphar/filepath-securejoin to v0.2.5 * Change tmpDir for macOS * ExitWithError() - pod_xxx tests * ExitWithError() -- run_test.go * Update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f * Update module github.com/shirou/gopsutil/v3 to v3.24.4 * Update module github.com/docker/docker to v26.1.1+incompatible * GHA: Attempt fix exceeded a secondary rate limit * vendor ginkgo 2.17.2 into test/tools * Fix machine volumes with long path and paths with dashes * Update module google.golang.org/protobuf to v1.34.0 * Update module github.com/crc-org/crc/v2 to v2.35.0 * Update module github.com/onsi/gomega to v1.33.1 * test/e2e: podman unshare image mount fix tmpdir leak * test/e2e: do not leak /tmp/private_file * test/e2e: &quot;persistentVolumeClaim with source&quot; do not leak file * e2e tests: use /var/tmp, not $TMPDIR, as workdirs * Update dependency pytest to v8.1.2 * Remove unncessary lines at the end of specfile summary * Clean machine pull cache * Add krun support to podman machine * Use custom image for make validatepr * test/e2e: force systemd cgroup manager * e2e and bindings tests: fix $PATH setup * Makefile: remove useless HACK variable in e2e test * test/e2e: fix volumes and suid/dev/exec options * test/e2e: volumes and suid/dev/exec options works remote * test/e2e: fix limits test * Update module github.com/rootless-containers/rootlesskit/v2 to v2.1.0 * Correct option name `ip` -&gt; `ip6` * Add the ability to automount images as volumes via play * Add support for image volume subpaths * Bump Buildah to latest main * Update Makefile to Go 1.22 for in-container * ExitWithError() - yet more low-hanging fruit * ExitWithError() - more low-hanging fruit * ExitWithError() - low-hanging fruit * chore: fix function names in comment * Remove redundant Prerequisite before build section * Remove PKG_CONFIG_PATH * Add installation instructions for openSUSE * Replace golang.org/x/exp/slices with slices from std * Update to go 1.21 * fix(deps): update module github.com/docker/docker to v26.1.0+incompatible * [CI:DOCS] Fix artifact action * [skip-ci] Packit/rpm: remove el8 jobs and spec conditionals * e2e tests: stop littering * [CI:DOCS] format podman-pull example as code * [CI:DOCS] Build &amp; upload release artifacts with GitHub Actions * libpod: getHealthCheckLog() remove unessesary check * add containers.conf healthcheck_events support * vendor latest c/common * libpod: make healthcheck events more efficient * libpod: wrap store setup error message * [skip-ci] Packit: enable CentOS 10 Stream build jobs * pkg/systemd: use fileutils.(Le|E)xists * pkg/bindings: use fileutils.(Le|E)xists * pkg/util: use fileutils.(Le|E)xists * pkg/trust: use fileutils.(Le|E)xists * pkg/specgen: use fileutils.(Le|E)xists * pkg/rootless: use fileutils.(Le|E)xists * pkg/machine: use fileutils.(Le|E)xists * pkg/domain: use fileutils.(Le|E)xists * pkg/api: use fileutils.(Le|E)xists * libpod: use fileutils.(Le|E)xists * cmd: use fileutils.(Le|E)xists * vendor: update containers/{buildah,common,image,storage} * fix(deps): update module github.com/docker/docker to v26.0.2+incompatible [security] * fix podman-pod-restart.1.md typo * [skip-ci] Packit: switch to EPEL instead of centos-stream+epel-next * fix(deps): update module github.com/onsi/gomega to v1.33.0 * Add more annnotation information to podman kupe play man page * test/compose: remove compose v1 code * CI: remove compose v1 tests * fix: close resource file * [CI:DOCS] Fix windows installer action * fix(deps): update module tags.cncf.io/container-device-interface to v0.7.2 * add `list` as an alias to list networks * Add support for updating restart policy * Add Compat API for Update * Make `podman update` changes persistent * Emergency fix (well, skip) for failing bud tests * fix swagger doc for manifest create * [CI:DOCS] options/network: fix markdown lists * Makefile: do not hardcode `GOOS` in `podman-remote-static` target * chore(deps): update module golang.org/x/crypto to v0.17.0 [security] * chore(deps): update dependency setuptools to ~=69.5.0 * Fix some comments * swagger fix infinitive recursion on some types * install swagger from source * Revert &quot;Swap out javascript engine&quot; * podman exec CID without command should exit 125 * (minor) prefetch systemd image before use * Update go-swagger version * Swap out javascript engine * fix(deps): update module github.com/docker/docker to v26.0.1+incompatible * Add os, arch, and ismanifest to libpod image list * [CI:DOCS]Initial PR validation * fix(deps): update github.com/containers/gvisor-tap-vsock digest to d744d71 * vendor ginkgo 2.17.1 into test/tools * fix &quot;concurrent map writes&quot; in network ls compat endpoint * chore(deps): update dependency pytest to v8 * e2e: redefine ExitWithError() to require exit code * docs: fix missleading run/create --expose description * podman ps: show exposed ports under PORTS as well * rootless: drop function ReadMappingsProc * fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.3 * New CI VMs, to give us pasta 2024-04-05 * Add big warning to GHA workflow * GHA: Fix intermittent workflow error * fix(deps): update module golang.org/x/tools to v0.20.0 * e2e tests: remove requirement for fuse-overlayfs * docs: update Quadlet volume Options desc * fix(deps): update module golang.org/x/sync to v0.7.0 * Fix relabeling failures with Z/z volumes on Mac * fix(deps): update module golang.org/x/net to v0.24.0 * Makefile: fix annoying errors in docs generation * chore: fix function names in comment * Bump tags.cncf.io/container-device-interface to v0.7.1 * fix(deps): update module golang.org/x/crypto to v0.22.0 * Detect unhandled reboots and require user intervention * podman --runroot: remove 50 char length restriction * update github.com/rootless-containers/rootlesskit to v2 * Update module github.com/gorilla/schema to v1.3.0 * Update dependency requests-mock to ~=1.12.1 * Update module github.com/crc-org/crc/v2 to v2.34.1 * rm --force work for more than one arg * [CI:DOCS] Update kube docs * fix(deps): update module github.com/shirou/gopsutil/v3 to v3.24.3 * [CI:DOCS] Add GitHub action to update version on Podman.io * [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.2 * Windows: clean up temporary perl install * pkg/util: FindDeviceNodes() ignore ENOENT errors * [CI:DOCS] build deps: make-validate needs docs * test/system: add rootless-netns test for setup errors * vendor latest c/common main * container: do not chown to dest target with U * [CI:DOCS] golangci-lint: update deprecated flags * systests: conditionalize slirp4netns tests * CI: systests: instrument flaky tests * s3fs docs * test: do not skip tests under rootless * Add note about host networking to Kube PublishPort option * Inject additional build tags from the environment * libpod: use original IDs if idmap is provided * Switch back to checking out the same branch the action script runs in * docs/podman-login: Give an example of writing the persistent path * CI: Bump VMs to 2024-03-28 * [skip-ci] Update dawidd6/action-send-mail action to v3.12.0 * fix(deps): update module github.com/openshift/imagebuilder to v1.2.7 * Fix reference to deprecated types.Info * Use logformatter for podman_machine_windows_task * applehv: Print vfkit logs in --log-level debug * [CI:DOCS]Add Mario to reviewers list * [CI:DOCS] Document CI-maintenance job addition * Add golang 1.21 update warning * Add rootless network command to `podman info` * libpod: don't warn about cgroupsv1 on FreeBSD * hyperv: error if not admin * Properly parse stderr when updating container status * [skip-ci] Packit: specify fedora-latest in propose-downstream * Use built-in ssh impl for all non-pty operations * Add support for annotations * hyperv: fix machine rm -r * [skip-ci] Packit: Enable CentOS Stream 10 update job * 5.0 release note fix typo in cgroupv1 env var * fix remote build isolation on client side * chore: remove repetitive words * Dont save remote context in temp file but stream and extract * fix remote build isolation when server runs as root * util: use private propagation with bind * util: add some tests for ProcessOptions * util: refactor ProcessOptions into an internal function * util: rename files to snake case * Add LoongArch support for libpod * fix(deps): update github.com/containers/common digest to bc5f97c * [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.1 * fix(deps): update module github.com/docker/docker to v25.0.5+incompatible [security] * fix(deps): update module github.com/onsi/gomega to v1.32.0 * [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.0 * Update module github.com/cpuguy83/go-md2man/v2 to v2.0.4 * Fix type-o * Use correct extension in suite * minikube: instrument tests, to allow debugging failures * libpod: restart always reconfigure the netns * use new c/common pasta2 setup logic to fix dns * utils: drop conversion float-&gt;string-&gt;float * utils: do not generate duplicate range * logformatter: handle Windows logs * utils: add test for the new function * utils: move rootless code to a new function * CVE-2024-1753 fix for main * xref-helpmsgs-manpages: cross-check Commands.rst * test/system: Add support for multipath routes in pasta networking tests * [skip-ci] rpm: use macro supported vendoring * Adjust to the standard location of gvforwarder used in new images * Makefile: add target `podman-remote-static` * Switch to 5.x WSL machine os stream using new automation * Cleanup build scratch dir if remote end disconnects while passing the context * bump main to 5.1.0-dev * Use faster gzip for compression for 3x speedup for sending large contexts to remote * pkg/machine: make checkExclusiveActiveVM race free * pkg/machine/wsl: remove unused CheckExclusiveActiveVM() * pkg/machine: CheckExclusiveActiveVM should also check for starting * pkg/machine: refresh config after we hold lock * Update dependency setuptools to ~=69.2.0 * [skip-ci] rpm: update containers-common dep on f40+ * fix invalid HTTP header values when hijacking a connection * Add doc to build podman on windows without MSYS * Removing CRI-O related annotations * fix(deps): update module github.com/containers/ocicrypt to v1.1.10 * Pass the restart policy to the individual containers * kube play: always pull when both imagePullPolicy and tag are missing Package python-instance-billing-flavor-check was updated: - Update to version 1.0.0 (jsc#PCT-531) + API incompatibility: The check_payg_byos function no longer exits, it now returns a tuple of (flavor, exit_code). This makes the function reusable. + Update the build setup to work with the system interpreter of upcoming SLE releases. SLE 12 stays with the Python 3.4 interpreter and SLE 15 with the Python 3.6 interpreter. - Version 0.1.2 (bsc#1234444) + Improve detection of IPv4 and IPv6 network setup and use appropriate IP version for access the update servers + Improve reliability of flavor detection. Try an update server multiple times to get an answer, if we hit timeouts return the value flavor value from a cache file. - Version 0.1.1 (bsc#1235991, bsc#1235992) + Add time stamp to log - From version 0.1.0 + Doc improvements clarifying exit staus codes Package python-charset-normalizer was updated: Package libxml2:python was updated: - security update- added patches fix CVE-2024-56171 [bsc#1237363], use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c + libxml2-CVE-2024-56171.patch fix CVE-2025-24928 [bsc#1237370], stack-based buffer overflow in xmlSnprintfElements in valid.c + libxml2-CVE-2025-24928.patch fix CVE-2025-27113 [bsc#1237418], NULL Pointer Dereference in libxml2 xmlPatMatch + libxml2-CVE-2025-27113.patch Package selinux-policy was updated: - Update to version 20241031+git6.af97b0a3: * Allow vhostmd_t list virtqemud pid dirs (bsc#1230961) - Update to version 20241031+git4.96add794: * Label /run/libvirt/qemu/channel with virtqemud_var_run_t (bsc#1230961) - Update macros.selinux-policy to trigger a full relabel on transactional systems upon module installation. This is rather expensive and will hopefully be replaced by a more fine grained solution later on (bsc#1232753) - Update to version 20241031+git2.f85cbd70: * Allow virt_dbus_t to connect to virtd_t over unix_stream_socket (bsc#1232655) - (internal change): created seperate branch to track SLFO:1.1 in selinux-policy git repository, change _service file to pull from that branch Package supportutils was updated: - Changes to version 3.2.9 + Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221) + Supportconfig available in current distro (PED-7131) + Corrected display issues (bsc#1231396) + NFS takes too long, showmount times out (bsc#1231423) + Merged sle15 and master branches (bsc#1233726, PED-11669) - Changes to version 3.2.8 + Avoid getting duplicate kernel verifications in boot.text (pr#190) + lvm: suppress file descriptor leak warnings from lvm commands (pr#191) + docker_info: Add timestamps to container logs (pr#196) + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198) + Update supportconfig get pam.d sorted (pr#199) + yast_files: Exclude .zcat (pr#201) + Sanitize grub bootloader (bsc#1227127, pr#203) + Sanitize regcodes (pr#204) + Improve product detection (pr#205) + Add read_values for s390x (bsc#1228265, pr#206) + hardware_info: Remove old alsa ver check (pr#209) + drbd_info: Fix incorrect escape of quotes (pr#210) - Changes in version 3.1.30 + Added -V key:value pair option (bsc#1222021, PED-8211) + Avoid getting duplicate kernel verifications in boot.text (pr#193) + Suppress file descriptor leak warnings from lvm commands (pr#192, bsc#1220082) + Includes container log timestamps (pr#197) Package suse-build-key was updated: - changed keys to use SHA256 UIDs instead of SHA1. (bsc#1237294 bsc#1236779 jsc#PED-12321) - gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc - gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc - suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted Package suseconnect-ng was updated: - Update version to 1.13: - Integrating uptime-tracker - Honor auto-import-gpg-keys flag on migration (bsc#1231328) - Only send labels if targetting SCC - Skip the docker auth generation on RMT (bsc#1231185) - Add --set-labels to register command to set labels at registration time on SCC - Add a new function to display suse-uptime-tracker version - Integrate with uptime-tracker ( https://github.com/SUSE/uptime-tracker/ ) - Add a command to show the info being gathered The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sle-micro-6-1-byos-v20250522-arm64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 NetworkManager-1.42.6-slfo.1.1_2.1 NetworkManager-tui-1.42.6-slfo.1.1_2.1 SL-Micro-release-6.1-slfo.1.11.31 aardvark-dns-1.12.2-slfo.1.1_1.1 ca-certificates-mozilla-2.74-slfo.1.1_1.1 cloud-regionsrv-client-10.3.11-slfo.1.1_2.1 cloud-regionsrv-client-plugin-gce-1.0.0-slfo.1.1_2.1 cockpit-bridge-322-slfo.1.1_1.1 cockpit-kdump-322-slfo.1.1_1.1 cockpit-podman-91-slfo.1.1_2.1 cockpit-selinux-322-slfo.1.1_1.1 cockpit-system-322-slfo.1.1_1.1 cockpit-ws-322-slfo.1.1_1.1 container-selinux-2.236.0-slfo.1.1_1.1 curl-8.12.1-slfo.1.1_1.1 dracut-059+suse.631.ga638ed12-slfo.1.1_1.1 dracut-kiwi-lib-10.2.12-slfo.1.1_1.1 dracut-kiwi-oem-repart-10.2.12-slfo.1.1_1.1 findutils-4.9.0-slfo.1.1_2.1 gettext-runtime-0.21.1-slfo.1.1_2.1 glib2-tools-2.78.6-slfo.1.1_2.1 glibc-2.38-slfo.1.1_3.1 glibc-locale-base-2.38-slfo.1.1_3.1 google-guest-agent-20250116.00-slfo.1.1_1.1 google-guest-configs-20241205.00-slfo.1.1_1.1 google-osconfig-agent-20250115.01-slfo.1.1_1.1 kernel-default-6.4.0-28.1 krb5-1.21.3-slfo.1.1_2.1 lastlog2-2.40.4-slfo.1.1_1.1 libblkid1-2.40.4-slfo.1.1_1.1 libcurl4-8.12.1-slfo.1.1_1.1 libexpat1-2.7.1-slfo.1.1_1.1 libexslt0-1.1.38-slfo.1.1_2.1 libfdisk1-2.40.4-slfo.1.1_1.1 libfreetype6-2.13.3-slfo.1.1_1.1 libgio-2_0-0-2.78.6-slfo.1.1_2.1 libglib-2_0-0-2.78.6-slfo.1.1_2.1 libgmodule-2_0-0-2.78.6-slfo.1.1_2.1 libgnutls30-3.8.3-slfo.1.1_2.1 libgobject-2_0-0-2.78.6-slfo.1.1_2.1 liblastlog2-2-2.40.4-slfo.1.1_1.1 libmount1-2.40.4-slfo.1.1_1.1 libnm0-1.42.6-slfo.1.1_2.1 libopenssl3-3.1.4-slfo.1.1_4.1 libsmartcols1-2.40.4-slfo.1.1_1.1 libsystemd0-254.24-slfo.1.1_1.1 libtasn1-6-4.19.0-slfo.1.1_2.1 libtextstyle0-0.21.1-slfo.1.1_2.1 libudev1-254.24-slfo.1.1_1.1 libuuid1-2.40.4-slfo.1.1_1.1 libxml2-2-2.11.6-slfo.1.1_2.1 libxml2-tools-2.11.6-slfo.1.1_2.1 libxslt1-1.1.38-slfo.1.1_2.1 libxxhash0-0.8.1-slfo.1.1_2.1 microos-tools-2.21+git24-slfo.1.1_1.1 netavark-1.12.2-slfo.1.1_1.1 openssh-9.6p1-slfo.1.1_2.1 openssh-clients-9.6p1-slfo.1.1_2.1 openssh-common-9.6p1-slfo.1.1_2.1 openssh-server-9.6p1-slfo.1.1_2.1 openssl-3-3.1.4-slfo.1.1_4.1 pam-1.6.1-slfo.1.1_2.1 pam_u2f-1.3.0-slfo.1.1_2.1 passt-20240906.6b38f07-slfo.1.1_1.6 passt-selinux-20240906.6b38f07-slfo.1.1_1.6 podman-5.2.5-slfo.1.1_1.1 python-instance-billing-flavor-check-1.0.0-slfo.1.1_1.1 python311-charset-normalizer-3.1.0-slfo.1.1_2.1 python311-libxml2-2.11.6-slfo.1.1_2.1 selinux-policy-20241031+git6.af97b0a3-slfo.1.1_1.1 selinux-policy-targeted-20241031+git6.af97b0a3-slfo.1.1_1.1 supportutils-3.2.9-slfo.1.1_1.1 suse-build-key-12.0-slfo.1.1_3.1 suseconnect-ng-1.13.0-slfo.1.1_1.1 systemd-254.24-slfo.1.1_1.1 systemd-coredump-254.24-slfo.1.1_1.1 udev-254.24-slfo.1.1_1.1 util-linux-2.40.4-slfo.1.1_1.1 util-linux-systemd-2.40.4-slfo.1.1_1.1 NetworkManager-1.42.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 NetworkManager-tui-1.42.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 SL-Micro-release-6.1-slfo.1.11.31 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 aardvark-dns-1.12.2-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 ca-certificates-mozilla-2.74-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 cloud-regionsrv-client-10.3.11-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 cloud-regionsrv-client-plugin-gce-1.0.0-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 cockpit-bridge-322-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 cockpit-kdump-322-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 cockpit-podman-91-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 cockpit-selinux-322-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 cockpit-system-322-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 cockpit-ws-322-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 container-selinux-2.236.0-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 curl-8.12.1-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 dracut-059+suse.631.ga638ed12-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 dracut-kiwi-lib-10.2.12-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 dracut-kiwi-oem-repart-10.2.12-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 findutils-4.9.0-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 gettext-runtime-0.21.1-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 glib2-tools-2.78.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 glibc-2.38-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 glibc-locale-base-2.38-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 google-guest-agent-20250116.00-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 google-guest-configs-20241205.00-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 google-osconfig-agent-20250115.01-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 kernel-default-6.4.0-28.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 krb5-1.21.3-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 lastlog2-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libblkid1-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libcurl4-8.12.1-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libexpat1-2.7.1-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libexslt0-1.1.38-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libfdisk1-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libfreetype6-2.13.3-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libgio-2_0-0-2.78.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libglib-2_0-0-2.78.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libgmodule-2_0-0-2.78.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libgnutls30-3.8.3-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libgobject-2_0-0-2.78.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 liblastlog2-2-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libmount1-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libnm0-1.42.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libopenssl3-3.1.4-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libsmartcols1-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libsystemd0-254.24-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libtasn1-6-4.19.0-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libtextstyle0-0.21.1-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libudev1-254.24-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libuuid1-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libxml2-2-2.11.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libxml2-tools-2.11.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libxslt1-1.1.38-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 libxxhash0-0.8.1-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 microos-tools-2.21+git24-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 netavark-1.12.2-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 openssh-9.6p1-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 openssh-clients-9.6p1-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 openssh-common-9.6p1-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 openssh-server-9.6p1-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 openssl-3-3.1.4-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 pam-1.6.1-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 pam_u2f-1.3.0-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 passt-20240906.6b38f07-slfo.1.1_1.6 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 passt-selinux-20240906.6b38f07-slfo.1.1_1.6 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 podman-5.2.5-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 python-instance-billing-flavor-check-1.0.0-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 python311-charset-normalizer-3.1.0-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 python311-libxml2-2.11.6-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 selinux-policy-20241031+git6.af97b0a3-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 selinux-policy-targeted-20241031+git6.af97b0a3-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 supportutils-3.2.9-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 suse-build-key-12.0-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 suseconnect-ng-1.13.0-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 systemd-254.24-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 systemd-coredump-254.24-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 udev-254.24-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 util-linux-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 util-linux-systemd-2.40.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20250522-arm64 In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. CVE-2019-15903 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadOS 16.7, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may disclose sensitive information. CVE-2023-40403 moderate In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN's are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN's as well, the compaction triggered will try on the device memory PFN's too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()//return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Free the array ms->usage and set ms->usage = NULL] pfn_section_valid() [Access ms->usage which is NULL] NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled. The commit b943f045a9af("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed. Fix this issue by the below steps: a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage. b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage. c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false. Thanks to David/Pavan for their inputs on this patch. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ On Snapdragon SoC, with the mentioned memory configuration of PFN's as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of issues daily while testing on a device farm. For this particular issue below is the log. Though the below log is not directly pointing to the pfn_section_valid(){ ms->usage;}, when we loaded this dump on T32 lauterbach tool, it is pointing. [ 540.578056] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 540.578068] Mem abort info: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits [ 540.578077] SET = 0, FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: level 1 translation fault [ 540.578085] Data abort info: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x1058 [ 540.579460] sp : ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000 [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001 [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440 [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4 [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000 ---truncated--- CVE-2023-52489 moderate In the Linux kernel, the following vulnerability has been resolved: cpu/hotplug: Don't offline the last non-isolated CPU If a system has isolated CPUs via the "isolcpus=" command line parameter, then an attempt to offline the last housekeeping CPU will result in a WARN_ON() when rebuilding the scheduler domains and a subsequent panic due to and unhandled empty CPU mas in partition_sched_domains_locked(). cpuset_hotplug_workfn() rebuild_sched_domains_locked() ndoms = generate_sched_domains(&doms, &attr); cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN)); Thus results in an empty CPU mask which triggers the warning and then the subsequent crash: WARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408 Call trace: build_sched_domains+0x120c/0x1408 partition_sched_domains_locked+0x234/0x880 rebuild_sched_domains_locked+0x37c/0x798 rebuild_sched_domains+0x30/0x58 cpuset_hotplug_workfn+0x2a8/0x930 Unable to handle kernel paging request at virtual address fffe80027ab37080 partition_sched_domains_locked+0x318/0x880 rebuild_sched_domains_locked+0x37c/0x798 Aside of the resulting crash, it does not make any sense to offline the last last housekeeping CPU. Prevent this by masking out the non-housekeeping CPUs when selecting a target CPU for initiating the CPU unplug operation via the work queue. CVE-2023-52831 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: adapt set backend to use GC transaction API Use the GC transaction API to replace the old and buggy gc API and the busy mark approach. No set elements are removed from async garbage collection anymore, instead the _DEAD bit is set on so the set element is not visible from lookup path anymore. Async GC enqueues transaction work that might be aborted and retried later. rbtree and pipapo set backends does not set on the _DEAD bit from the sync GC path since this runs in control plane path where mutex is held. In this case, set elements are deactivated, removed and then released via RCU callback, sync GC never fails. CVE-2023-52923 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't skip expired elements during walk There is an asymmetry between commit/abort and preparation phase if the following conditions are met: 1. set is a verdict map ("1.2.3.4 : jump foo") 2. timeouts are enabled In this case, following sequence is problematic: 1. element E in set S refers to chain C 2. userspace requests removal of set S 3. kernel does a set walk to decrement chain->use count for all elements from preparation phase 4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase) If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed. Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure. Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors. CVE-2023-52924 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't fail inserts if duplicate has expired nftables selftests fail: run-tests.sh testcases/sets/0044interval_overlap_0 Expected: 0-2 . 0-3, got: W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1 Insertion must ignore duplicate but expired entries. Moreover, there is a strange asymmetry in nft_pipapo_activate: It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this. I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping exired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback. In first two cases expired elements must be skipped. For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error. CVE-2023-52925 moderate In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return). This can lead to a potential use-after-free when the completion via io_rw_done runs at separate context. CVE-2023-52926 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: allow exp not to be removed in nf_ct_find_expectation Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove the exp from the hash table. However, in some scenario, we expect the exp not to be removed when the created ct will not be confirmed, like in OVS and TC conntrack in the following patches. This patch allows exp not to be removed by setting IPS_CONFIRMED in the status of the tmpl. CVE-2023-52927 moderate A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals. CVE-2024-10963 moderate When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. CVE-2024-11053 moderate A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host. CVE-2024-11218 moderate A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. CVE-2024-12133 important A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. CVE-2024-12243 moderate Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue. CVE-2024-13176 moderate A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time. CVE-2024-1753 moderate The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix removing a namespace with conflicting altnames Mark reports a BUG() when a net namespace is removed. kernel BUG at net/core/dev.c:11520! Physical interfaces moved outside of init_net get "refunded" to init_net when that namespace disappears. The main interface name may get overwritten in the process if it would have conflicted. We need to also discard all conflicting altnames. Recent fixes addressed ensuring that altnames get moved with the main interface, which surfaced this problem. CVE-2024-26634 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the subflow_state_change callback is invoked. Address the issue additionally copying with all the states directly reachable from TCP_FIN_WAIT1. CVE-2024-26708 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Lock external INTx masking ops Mask operations through config space changes to DisINTx may race INTx configuration changes via ioctl. Create wrappers that add locking for paths outside of the core interrupt code. In particular, irq_type is updated holding igate, therefore testing is_intx() requires holding igate. For example clearing DisINTx from config space can otherwise race changes of the interrupt configuration. This aligns interfaces which may trigger the INTx eventfd into two camps, one side serialized by igate and the other only enabled while INTx is configured. A subsequent patch introduces synchronization for the latter flows. CVE-2024-26810 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix a deadlock issue related to automatic dump If we issue a disabling PHY command, the device attached with it will go offline, if a 2 bit ECC error occurs at the same time, a hung task may be found: [ 4613.652388] INFO: task kworker/u256:0:165233 blocked for more than 120 seconds. [ 4613.666297] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.674809] task:kworker/u256:0 state:D stack: 0 pid:165233 ppid: 2 flags:0x00000208 [ 4613.683959] Workqueue: 0000:74:02.0_disco_q sas_revalidate_domain [libsas] [ 4613.691518] Call trace: [ 4613.694678] __switch_to+0xf8/0x17c [ 4613.698872] __schedule+0x660/0xee0 [ 4613.703063] schedule+0xac/0x240 [ 4613.706994] schedule_timeout+0x500/0x610 [ 4613.711705] __down+0x128/0x36c [ 4613.715548] down+0x240/0x2d0 [ 4613.719221] hisi_sas_internal_abort_timeout+0x1bc/0x260 [hisi_sas_main] [ 4613.726618] sas_execute_internal_abort+0x144/0x310 [libsas] [ 4613.732976] sas_execute_internal_abort_dev+0x44/0x60 [libsas] [ 4613.739504] hisi_sas_internal_task_abort_dev.isra.0+0xbc/0x1b0 [hisi_sas_main] [ 4613.747499] hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main] [ 4613.753682] sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas] [ 4613.759781] sas_unregister_common_dev+0x4c/0x7a0 [libsas] [ 4613.765962] sas_destruct_devices+0xb8/0x120 [libsas] [ 4613.771709] sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas] [ 4613.778930] sas_revalidate_domain+0x60/0xa4 [libsas] [ 4613.784716] process_one_work+0x248/0x950 [ 4613.789424] worker_thread+0x318/0x934 [ 4613.793878] kthread+0x190/0x200 [ 4613.797810] ret_from_fork+0x10/0x18 [ 4613.802121] INFO: task kworker/u256:4:316722 blocked for more than 120 seconds. [ 4613.816026] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.824538] task:kworker/u256:4 state:D stack: 0 pid:316722 ppid: 2 flags:0x00000208 [ 4613.833670] Workqueue: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main] [ 4613.841491] Call trace: [ 4613.844647] __switch_to+0xf8/0x17c [ 4613.848852] __schedule+0x660/0xee0 [ 4613.853052] schedule+0xac/0x240 [ 4613.856984] schedule_timeout+0x500/0x610 [ 4613.861695] __down+0x128/0x36c [ 4613.865542] down+0x240/0x2d0 [ 4613.869216] hisi_sas_controller_prereset+0x58/0x1fc [hisi_sas_main] [ 4613.876324] hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main] [ 4613.883019] process_one_work+0x248/0x950 [ 4613.887732] worker_thread+0x318/0x934 [ 4613.892204] kthread+0x190/0x200 [ 4613.896118] ret_from_fork+0x10/0x18 [ 4613.900423] INFO: task kworker/u256:1:348985 blocked for more than 121 seconds. [ 4613.914341] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.922852] task:kworker/u256:1 state:D stack: 0 pid:348985 ppid: 2 flags:0x00000208 [ 4613.931984] Workqueue: 0000:74:02.0_event_q sas_port_event_worker [libsas] [ 4613.939549] Call trace: [ 4613.942702] __switch_to+0xf8/0x17c [ 4613.946892] __schedule+0x660/0xee0 [ 4613.951083] schedule+0xac/0x240 [ 4613.955015] schedule_timeout+0x500/0x610 [ 4613.959725] wait_for_common+0x200/0x610 [ 4613.964349] wait_for_completion+0x3c/0x5c [ 4613.969146] flush_workqueue+0x198/0x790 [ 4613.973776] sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas] [ 4613.979960] sas_port_event_worker+0x54/0xa0 [libsas] [ 4613.985708] process_one_work+0x248/0x950 [ 4613.990420] worker_thread+0x318/0x934 [ 4613.994868] kthread+0x190/0x200 [ 4613.998800] ret_from_fork+0x10/0x18 This is because when the device goes offline, we obtain the hisi_hba semaphore and send the ABORT_DEV command to the device. However, the internal abort timed out due to the 2 bit ECC error and triggers automatic dump. In addition, since the hisi_hba semaphore has been obtained, the dump cannot be executed and the controller cannot be reset. Therefore, the deadlocks occur on the following circular dependencies ---truncated--- CVE-2024-26873 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem("00000000") timeout 100 ms ... add_elem("0000000X") timeout 100 ms del_elem("0000000X") <---------------- delete one that was just added ... add_elem("00005000") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano) CVE-2024-26924 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. CVE-2024-27397 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: confirm multicast packets before passing them up the stack conntrack nf_confirm logic cannot handle cloned skbs referencing the same nf_conn entry, which will happen for multicast (broadcast) frames on bridges. Example: macvlan0 | br0 / \ ethX ethY ethX (or Y) receives a L2 multicast or broadcast packet containing an IP packet, flow is not yet in conntrack table. 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. -> skb->_nfct now references a unconfirmed entry 2. skb is broad/mcast packet. bridge now passes clones out on each bridge interface. 3. skb gets passed up the stack. 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb and schedules a work queue to send them out on the lower devices. The clone skb->_nfct is not a copy, it is the same entry as the original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. The Macvlan broadcast worker and normal confirm path will race. This race will not happen if step 2 already confirmed a clone. In that case later steps perform skb_clone() with skb->_nfct already confirmed (in hash table). This works fine. But such confirmation won't happen when eb/ip/nftables rules dropped the packets before they reached the nf_confirm step in postrouting. Pablo points out that nf_conntrack_bridge doesn't allow use of stateful nat, so we can safely discard the nf_conn entry and let inet call conntrack again. This doesn't work for bridge netfilter: skb could have a nat transformation. Also bridge nf prevents re-invocation of inet prerouting via 'sabotage_in' hook. Work around this problem by explicit confirmation of the entry at LOCAL_IN time, before upper layer has a chance to clone the unconfirmed entry. The downside is that this disables NAT and conntrack helpers. Alternative fix would be to add locking to all code parts that deal with unconfirmed packets, but even if that could be done in a sane way this opens up other problems, for example: -m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4 -m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5 For multicast case, only one of such conflicting mappings will be created, conntrack only handles 1:1 NAT mappings. Users should set create a setup that explicitly marks such traffic NOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass them, ruleset might have accept rules for untracked traffic already, so user-visible behaviour would change. CVE-2024-27415 moderate libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). CVE-2024-28757 important In the Linux kernel, the following vulnerability has been resolved: block: Fix page refcounts for unaligned buffers in __bio_release_pages() Fix an incorrect number of pages being released for buffers that do not start at the beginning of a page. CVE-2024-35826 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: replace physindev with physinif in nf_bridge_info An skb can be added to a neigh->arp_queue while waiting for an arp reply. Where original skb's skb->dev can be different to neigh's neigh->dev. For instance in case of bridging dnated skb from one veth to another, the skb would be added to a neigh->arp_queue of the bridge. As skb->dev can be reset back to nf_bridge->physindev and used, and as there is no explicit mechanism that prevents this physindev from been freed under us (for instance neigh_flush_dev doesn't cleanup skbs from different device's neigh queue) we can crash on e.g. this stack: arp_process neigh_update skb = __skb_dequeue(&neigh->arp_queue) neigh_resolve_output(..., skb) ... br_nf_dev_xmit br_nf_pre_routing_finish_bridge_slow skb->dev = nf_bridge->physindev br_handle_frame_finish Let's use plain ifindex instead of net_device link. To peek into the original net_device we will use dev_get_by_index_rcu(). Thus either we get device and are safe to use it or we don't get it and drop skb. CVE-2024-35839 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: properly terminate timers for kernel sockets We had various syzbot reports about tcp timers firing after the corresponding netns has been dismantled. Fortunately Josef Bacik could trigger the issue more often, and could test a patch I wrote two years ago. When TCP sockets are closed, we call inet_csk_clear_xmit_timers() to 'stop' the timers. inet_csk_clear_xmit_timers() can be called from any context, including when socket lock is held. This is the reason it uses sk_stop_timer(), aka del_timer(). This means that ongoing timers might finish much later. For user sockets, this is fine because each running timer holds a reference on the socket, and the user socket holds a reference on the netns. For kernel sockets, we risk that the netns is freed before timer can complete, because kernel sockets do not hold reference on the netns. This patch adds inet_csk_clear_xmit_timers_sync() function that using sk_stop_timer_sync() to make sure all timers are terminated before the kernel socket is released. Modules using kernel sockets close them in their netns exit() handler. Also add sock_not_owned_by_me() helper to get LOCKDEP support : inet_csk_clear_xmit_timers_sync() must not be called while socket lock is held. It is very possible we can revert in the future commit 3a58f13a881e ("net: rds: acquire refcount on TCP sockets") which attempted to solve the issue in rds only. (net/smc/af_smc.c and net/mptcp/subflow.c have similar code) We probably can remove the check_net() tests from tcp_out_of_resources() and __tcp_close() in the future. CVE-2024-35910 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs: Ensure 'ib_sge list' is accessible Move the declaration of the 'ib_sge list' variable outside the 'always_invalidate' block to ensure it remains accessible for use throughout the function. Previously, 'ib_sge list' was declared within the 'always_invalidate' block, limiting its accessibility, then caused a 'BUG: kernel NULL pointer dereference'[1]. ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2d0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? memcpy_orig+0xd5/0x140 rxe_mr_copy+0x1c3/0x200 [rdma_rxe] ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe] copy_data+0xa5/0x230 [rdma_rxe] rxe_requester+0xd9b/0xf70 [rdma_rxe] ? finish_task_switch.isra.0+0x99/0x2e0 rxe_sender+0x13/0x40 [rdma_rxe] do_task+0x68/0x1e0 [rdma_rxe] process_one_work+0x177/0x330 worker_thread+0x252/0x390 ? __pfx_worker_thread+0x10/0x10 This change ensures the variable is available for subsequent operations that require it. [1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/ CVE-2024-36476 moderate In the Linux kernel, the following vulnerability has been resolved: blk-iocost: do not WARN if iocg was already offlined In iocg_pay_debt(), warn is triggered if 'active_list' is empty, which is intended to confirm iocg is active when it has debt. However, warn can be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn() is run at that time: WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190 Call trace: iocg_pay_debt+0x14c/0x190 iocg_kick_waitq+0x438/0x4c0 iocg_waitq_timer_fn+0xd8/0x130 __run_hrtimer+0x144/0x45c __hrtimer_run_queues+0x16c/0x244 hrtimer_interrupt+0x2cc/0x7b0 The warn in this situation is meaningless. Since this iocg is being removed, the state of the 'active_list' is irrelevant, and 'waitq_timer' is canceled after removing 'active_list' in ioc_pd_free(), which ensures iocg is freed after iocg_waitq_timer_fn() returns. Therefore, add the check if iocg was already offlined to avoid warn when removing a blkcg or disk. CVE-2024-36908 moderate In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies syzbot reported unsafe calls to copy_from_sockptr() [1] Use copy_safe_from_sockptr() instead. [1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 Read of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078 CPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f7fac07fd89 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89 RDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004 RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 CVE-2024-36915 moderate A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. CVE-2024-3727 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: qat - validate slices count returned by FW The function adf_send_admin_tl_start() enables the telemetry (TL) feature on a QAT device by sending the ICP_QAT_FW_TL_START message to the firmware. This triggers the FW to start writing TL data to a DMA buffer in memory and returns an array containing the number of accelerators of each type (slices) supported by this HW. The pointer to this array is stored in the adf_tl_hw_data data structure called slice_cnt. The array slice_cnt is then used in the function tl_print_dev_data() to report in debugfs only statistics about the supported accelerators. An incorrect value of the elements in slice_cnt might lead to an out of bounds memory read. At the moment, there isn't an implementation of FW that returns a wrong value, but for robustness validate the slice count array returned by FW. CVE-2024-38606 moderate In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Fix FSM command timeout issue When driver processes the internal state change command, it use an asynchronous thread to process the command operation. If the main thread detects that the task has timed out, the asynchronous thread will panic when executing the completion notification because the main thread completion object has been released. BUG: unable to handle page fault for address: fffffffffffffff8 PGD 1f283a067 P4D 1f283a067 PUD 1f283c067 PMD 0 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:complete_all+0x3e/0xa0 [...] Call Trace: <TASK> ? __die_body+0x68/0xb0 ? page_fault_oops+0x379/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? complete_all+0x3e/0xa0 fsm_main_thread+0xa3/0x9c0 [mtk_t7xx (HASH:1400 5)] ? __pfx_autoremove_wake_function+0x10/0x10 kthread+0xd8/0x110 ? __pfx_fsm_main_thread+0x10/0x10 [mtk_t7xx (HASH:1400 5)] ? __pfx_kthread+0x10/0x10 ret_from_fork+0x38/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> [...] CR2: fffffffffffffff8 ---[ end trace 0000000000000000 ]--- Use the reference counter to ensure safe release as Sergey suggests: https://lore.kernel.org/all/da90f64c-260a-4329-87bf-1f9ff20a5951@gmail.com/ CVE-2024-39282 moderate In the Linux kernel, the following vulnerability has been resolved: kdb: Fix buffer overflow during tab-complete Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. CVE-2024-39480 moderate In the Linux kernel, the following vulnerability has been resolved: drop_monitor: replace spin_lock by raw_spin_lock trace_drop_common() is called with preemption disabled, and it acquires a spin_lock. This is problematic for RT kernels because spin_locks are sleeping locks in this configuration, which causes the following splat: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47 preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 5 locks held by rcuc/47/449: #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210 #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130 #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210 #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70 #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290 irq event stamp: 139909 hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80 hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290 softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170 softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0 Preemption disabled at: [<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0 CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7 Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022 Call Trace: <TASK> dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 __might_resched+0x21e/0x2f0 rt_spin_lock+0x5e/0x130 ? trace_drop_common.constprop.0+0xb5/0x290 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_drop_common.constprop.0+0xb5/0x290 ? preempt_count_sub+0x1c/0xd0 ? _raw_spin_unlock_irqrestore+0x4a/0x80 ? __pfx_trace_drop_common.constprop.0+0x10/0x10 ? rt_mutex_slowunlock+0x26a/0x2e0 ? skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_rt_mutex_slowunlock+0x10/0x10 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_kfree_skb_hit+0x15/0x20 trace_kfree_skb+0xe9/0x150 kfree_skb_reason+0x7b/0x110 skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10 ? mark_lock.part.0+0x8a/0x520 ... trace_drop_common() also disables interrupts, but this is a minor issue because we could easily replace it with a local_lock. Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic context. CVE-2024-40980 moderate In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix race condition in netpoll_owner_active KCSAN detected a race condition in netpoll: BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10: net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822) <snip> read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2: netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393) netpoll_send_udp (net/core/netpoll.c:?) <snip> value changed: 0x0000000a -> 0xffffffff This happens because netpoll_owner_active() needs to check if the current CPU is the owner of the lock, touching napi->poll_owner non atomically. The ->poll_owner field contains the current CPU holding the lock. Use an atomic read to check if the poll owner is the current CPU. CVE-2024-41005 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: prefer nft_chain_validate nft_chain_validate already performs loop detection because a cycle will result in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE). It also follows maps via ->validate callback in nft_lookup, so there appears no reason to iterate the maps again. nf_tables_check_loops() and all its helper functions can be removed. This improves ruleset load time significantly, from 23s down to 12s. This also fixes a crash bug. Old loop detection code can result in unbounded recursion: BUG: TASK stack guard page was hit at .... Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1 [..] with a suitable ruleset during validation of register stores. I can't see any actual reason to attempt to check for this from nft_validate_register_store(), at this point the transaction is still in progress, so we don't have a full picture of the rule graph. For nf-next it might make sense to either remove it or make this depend on table->validate_state in case we could catch an error earlier (for improved error reporting to userspace). CVE-2024-41042 moderate In the Linux kernel, the following vulnerability has been resolved: mm: prevent derefencing NULL ptr in pfn_section_valid() Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage") changed pfn_section_valid() to add a READ_ONCE() call around "ms->usage" to fix a race with section_deactivate() where ms->usage can be cleared. The READ_ONCE() call, by itself, is not enough to prevent NULL pointer dereference. We need to check its value before dereferencing it. CVE-2024-41055 moderate In the Linux kernel, the following vulnerability has been resolved: null_blk: fix validation of block size Block size should be between 512 and PAGE_SIZE and be a power of 2. The current check does not validate this, so update the check. Without this patch, null_blk would Oops due to a null pointer deref when loaded with bs=1536 [1]. [axboe: remove unnecessary braces and != 0 check] CVE-2024-41077 moderate In the Linux kernel, the following vulnerability has been resolved: block: avoid to reuse `hctx` not removed from cpuhp callback list If the 'hctx' isn't removed from cpuhp callback list, we can't reuse it, otherwise use-after-free may be triggered. CVE-2024-41149 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path Dan Carpenter reported a Smack static checker warning: fs/smb/client/cifsfs.c:1981 init_cifs() error: we previously assumed 'serverclose_wq' could be null (see line 1895) The patch which introduced the serverclose workqueue used the wrong oredering in error paths in init_cifs() for freeing it on errors. CVE-2024-42307 moderate In the Linux kernel, the following vulnerability has been resolved: dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume rm-raid devices will occasionally trigger the following warning when being resumed after a table load because DM_RECOVERY_RUNNING is set: WARNING: CPU: 7 PID: 5660 at drivers/md/dm-raid.c:4105 raid_resume+0xee/0x100 [dm_raid] The failing check is: WARN_ON_ONCE(test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)); This check is designed to make sure that the sync thread isn't registered, but md_check_recovery can set MD_RECOVERY_RUNNING without the sync_thread ever getting registered. Instead of checking if MD_RECOVERY_RUNNING is set, check if sync_thread is non-NULL. CVE-2024-43820 moderate In the Linux kernel, the following vulnerability has been resolved: nvme: apple: fix device reference counting Drivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl. Split the allocation side out to make the error handling boundary easier to navigate. The apple driver had been doing this wrong, leaking the controller device memory on a tagset failure. CVE-2024-43913 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: fix UAFs when destroying the queues The second tagged commit started sometimes (very rarely, but possible) throwing WARNs from net/core/page_pool.c:page_pool_disable_direct_recycling(). Turned out idpf frees interrupt vectors with embedded NAPIs *before* freeing the queues making page_pools' NAPI pointers lead to freed memory before these pools are destroyed by libeth. It's not clear whether there are other accesses to the freed vectors when destroying the queues, but anyway, we usually free queue/interrupt vectors only when the queues are destroyed and the NAPIs are guaranteed to not be referenced anywhere. Invert the allocation and freeing logic making queue/interrupt vectors be allocated first and freed last. Vectors don't require queues to be present, so this is safe. Additionally, this change allows to remove that useless queue->q_vector pointer cleanup, as vectors are still valid when freeing the queues (+ both are freed within one function, so it's not clear why nullify the pointers at all). CVE-2024-44932 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: wait for previous gc cycles when removing port syzbot hit a use-after-free[1] which is caused because the bridge doesn't make sure that all previous garbage has been collected when removing a port. What happens is: CPU 1 CPU 2 start gc cycle remove port acquire gc lock first wait for lock call br_multicasg_gc() directly acquire lock now but free port the port can be freed while grp timers still running Make sure all previous gc cycles have finished by using flush_work before freeing the port. [1] BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699 CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [inline] __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417 __run_timer_base kernel/time/timer.c:2428 [inline] __run_timer_base kernel/time/timer.c:2421 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2437 CVE-2024-44934 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: avoid possible UaF when selecting endp select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. CVE-2024-44974 moderate In the Linux kernel, the following vulnerability has been resolved: vsock: fix recursive ->recvmsg calls After a vsock socket has been added to a BPF sockmap, its prot->recvmsg has been replaced with vsock_bpf_recvmsg(). Thus the following recursiion could happen: vsock_bpf_recvmsg() -> __vsock_recvmsg() -> vsock_connectible_recvmsg() -> prot->recvmsg() -> vsock_bpf_recvmsg() again We need to fix it by calling the original ->recvmsg() without any BPF sockmap logic in __vsock_recvmsg(). CVE-2024-44996 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only decrement add_addr_accepted for MPJ req Adding the following warning ... WARN_ON_ONCE(msk->pm.add_addr_accepted == 0) ... before decrementing the add_addr_accepted counter helped to find a bug when running the "remove single subflow" subtest from the mptcp_join.sh selftest. Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the subflow closure. Before this patch, and upon the reception of the RM_ADDR, the other peer will then try to decrement this add_addr_accepted. That's not correct because the attached subflows have not been created upon the reception of an ADD_ADDR. A way to solve that is to decrement the counter only if the attached subflow was an MP_JOIN to a remote id that was not 0, and initiated by the host receiving the RM_ADDR. CVE-2024-45009 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark 'subflow' endp as available Adding the following warning ... WARN_ON_ONCE(msk->pm.local_addr_used == 0) ... before decrementing the local_addr_used counter helped to find a bug when running the "remove single address" subtest from the mptcp_join.sh selftests. Removing a 'signal' endpoint will trigger the removal of all subflows linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used counter, which is wrong in this case because this counter is linked to 'subflow' endpoints, and here it is a 'signal' endpoint that is being removed. Now, the counter is decremented, only if the ID is being used outside of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and if the ID is not 0 -- local_addr_used is not taking into account these ones. This marking of the ID as being available, and the decrement is done no matter if a subflow using this ID is currently available, because the subflow could have been closed before. CVE-2024-45010 moderate When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists. CVE-2024-45339 important An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 moderate An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 moderate An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 moderate In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request Bus cleanup path in DMA mode may trigger a RING_OP_STAT interrupt when the ring is being stopped. Depending on timing between ring stop request completion, interrupt handler removal and code execution this may lead to a NULL pointer dereference in hci_dma_irq_handler() if it gets to run after the io_data pointer is set to NULL in hci_dma_cleanup(). Prevent this my masking the ring interrupts before ring stop request. CVE-2024-45828 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_rename_path() If smb2_set_path_attr() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() again as the reference of @cfile was already dropped by previous smb2_compound_op() call. CVE-2024-46736 moderate In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated--- CVE-2024-46782 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call. This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ? __pfx_timer_delete+0x10/0x10 ? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ? __pfx___cancel_work+0x10/0x10 ? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ? __pfx_cifs_oplock_break+0x10/0x10 [cifs] ? lock_is_held_type+0x85/0xf0 ? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ? find_held_lock+0x8a/0xa0 ? __pfx_process_one_work+0x10/0x10 ? lock_acquired+0x220/0x550 ? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ? __kthread_parkme+0xd1/0xf0 ? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ? kthread+0xda/0x1c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-46796 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: Fix uaf in __timer_delete_sync There are two paths to access mptcp_pm_del_add_timer, result in a race condition: CPU1 CPU2 ==== ==== net_rx_action napi_poll netlink_sendmsg __napi_poll netlink_unicast process_backlog netlink_unicast_kernel __netif_receive_skb genl_rcv __netif_receive_skb_one_core netlink_rcv_skb NF_HOOK genl_rcv_msg ip_local_deliver_finish genl_family_rcv_msg ip_protocol_deliver_rcu genl_family_rcv_msg_doit tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit tcp_v4_do_rcv mptcp_nl_remove_addrs_list tcp_rcv_established mptcp_pm_remove_addrs_and_subflows tcp_data_queue remove_anno_list_by_saddr mptcp_incoming_options mptcp_pm_del_add_timer mptcp_pm_del_add_timer kfree(entry) In remove_anno_list_by_saddr(running on CPU2), after leaving the critical zone protected by "pm.lock", the entry will be released, which leads to the occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1). Keeping a reference to add_timer inside the lock, and calling sk_stop_timer_sync() with this reference, instead of "entry->add_timer". Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock, do not directly access any members of the entry outside the pm lock, which can avoid similar "entry->x" uaf. CVE-2024-46858 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: don't access invalid sched Since 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()") accessing job->base.sched can produce unexpected results as the initialisation of (*job)->base.sched done in amdgpu_job_alloc is overwritten by the memset. This commit fixes an issue when a CS would fail validation and would be rejected after job->num_ibs is incremented. In this case, amdgpu_ib_free(ring->adev, ...) will be called, which would crash the machine because the ring value is bogus. To fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this because the device is actually not used in this function. The next commit will remove the ring argument completely. (cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7) CVE-2024-46896 moderate In the Linux kernel, the following vulnerability has been resolved: pinmux: Use sequential access to access desc->pinmux data When two client of the same gpio call pinctrl_select_state() for the same functionality, we are seeing NULL pointer issue while accessing desc->mux_owner. Let's say two processes A, B executing in pin_request() for the same pin and process A updates the desc->mux_usecount but not yet updated the desc->mux_owner while process B see the desc->mux_usecount which got updated by A path and further executes strcmp and while accessing desc->mux_owner it crashes with NULL pointer. Serialize the access to mux related setting with a mutex lock. cpu0 (process A) cpu1(process B) pinctrl_select_state() { pinctrl_select_state() { pin_request() { pin_request() { ... .... } else { desc->mux_usecount++; desc->mux_usecount && strcmp(desc->mux_owner, owner)) { if (desc->mux_usecount > 1) return 0; desc->mux_owner = owner; } } CVE-2024-47141 moderate In the Linux kernel, the following vulnerability has been resolved: dma-debug: fix a possible deadlock on radix_lock radix_lock() shouldn't be held while holding dma_hash_entry[idx].lock otherwise, there's a possible deadlock scenario when dma debug API is called holding rq_lock(): CPU0 CPU1 CPU2 dma_free_attrs() check_unmap() add_dma_entry() __schedule() //out (A) rq_lock() get_hash_bucket() (A) dma_entry_hash check_sync() (A) radix_lock() (W) dma_entry_hash dma_entry_free() (W) radix_lock() // CPU2's one (W) rq_lock() CPU1 situation can happen when it extending radix tree and it tries to wake up kswapd via wake_all_kswapd(). CPU2 situation can happen while perf_event_task_sched_out() (i.e. dma sync operation is called while deleting perf_event using etm and etr tmc which are Arm Coresight hwtracing driver backends). To remove this possible situation, call dma_entry_free() after put_hash_bucket() in check_unmap(). CVE-2024-47143 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: check smcd_v2_ext_offset when receiving proposal msg When receiving proposal msg in server, the field smcd_v2_ext_offset in proposal msg is from the remote client and can not be fully trusted. Once the value of smcd_v2_ext_offset exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the value of smcd_v2_ext_offset before using it. CVE-2024-47408 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: avoid OOB when system.data xattr changes underneath the filesystem When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. loop0: detected capacity change from 2048 to 2047 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 ext4_lookup_entry fs/ext4/namei.c:1727 [inline] ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 __do_sys_symlinkat fs/namei.c:4610 [inline] __se_sys_symlinkat fs/namei.c:4607 [inline] __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e73ced469 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 </TASK> Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem. CVE-2024-47701 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent tailcall infinite loop caused by freplace There is a potential infinite loop issue that can occur when using a combination of tail calls and freplace. In an upcoming selftest, the attach target for entry_freplace of tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in entry_freplace leads to entry_tc. This results in an infinite loop: entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc. The problem arises because the tail_call_cnt in entry_freplace resets to zero each time entry_freplace is executed, causing the tail call mechanism to never terminate, eventually leading to a kernel panic. To fix this issue, the solution is twofold: 1. Prevent updating a program extended by an freplace program to a prog_array map. 2. Prevent extending a program that is already part of a prog_array map with an freplace program. This ensures that: * If a program or its subprogram has been extended by an freplace program, it can no longer be updated to a prog_array map. * If a program has been added to a prog_array map, neither it nor its subprograms can be extended by an freplace program. Moreover, an extension program should not be tailcalled. As such, return -EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a prog_array map. Additionally, fix a minor code style issue by replacing eight spaces with a tab for proper formatting. CVE-2024-47794 moderate In the Linux kernel, the following vulnerability has been resolved: dlm: fix possible lkb_resource null dereference This patch fixes a possible null pointer dereference when this function is called from request_lock() as lkb->lkb_resource is not assigned yet, only after validate_lock_args() by calling attach_lkb(). Another issue is that a resource name could be a non printable bytearray and we cannot assume to be ASCII coded. The log functionality is probably never being hit when DLM is used in normal way and no debug logging is enabled. The null pointer dereference can only occur on a new created lkb that does not have the resource assigned yet, it probably never hits the null pointer dereference but we should be sure that other changes might not change this behaviour and we actually can hit the mentioned null pointer dereference. In this patch we just drop the printout of the resource name, the lkb id is enough to make a possible connection to a resource name if this exists. CVE-2024-47809 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: check return value of ieee80211_probereq_get() for RNR The return value of ieee80211_probereq_get() might be NULL, so check it before using to avoid NULL pointer access. Addresses-Coverity-ID: 1529805 ("Dereference null return value") CVE-2024-48873 moderate In the Linux kernel, the following vulnerability has been resolved: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations") leads a NULL pointer deference in cache_set_flush(). 1721 if (!IS_ERR_OR_NULL(c->root)) 1722 list_add(&c->root->list, &c->btree_cache); >From the above code in cache_set_flush(), if previous registration code fails before allocating c->root, it is possible c->root is NULL as what it is initialized. __bch_btree_node_alloc() never returns NULL but c->root is possible to be NULL at above line 1721. This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this. CVE-2024-48881 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: unquiesce admin_q before destroy it Kernel will hang on destroy admin_q while we create ctrl failed, such as following calltrace: PID: 23644 TASK: ff2d52b40f439fc0 CPU: 2 COMMAND: "nvme" #0 [ff61d23de260fb78] __schedule at ffffffff8323bc15 #1 [ff61d23de260fc08] schedule at ffffffff8323c014 #2 [ff61d23de260fc28] blk_mq_freeze_queue_wait at ffffffff82a3dba1 #3 [ff61d23de260fc78] blk_freeze_queue at ffffffff82a4113a #4 [ff61d23de260fc90] blk_cleanup_queue at ffffffff82a33006 #5 [ff61d23de260fcb0] nvme_rdma_destroy_admin_queue at ffffffffc12686ce #6 [ff61d23de260fcc8] nvme_rdma_setup_ctrl at ffffffffc1268ced #7 [ff61d23de260fd28] nvme_rdma_create_ctrl at ffffffffc126919b #8 [ff61d23de260fd68] nvmf_dev_write at ffffffffc024f362 #9 [ff61d23de260fe38] vfs_write at ffffffff827d5f25 RIP: 00007fda7891d574 RSP: 00007ffe2ef06958 RFLAGS: 00000202 RAX: ffffffffffffffda RBX: 000055e8122a4d90 RCX: 00007fda7891d574 RDX: 000000000000012b RSI: 000055e8122a4d90 RDI: 0000000000000004 RBP: 00007ffe2ef079c0 R8: 000000000000012b R9: 000055e8122a4d90 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004 R13: 000055e8122923c0 R14: 000000000000012b R15: 00007fda78a54500 ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b This due to we have quiesced admi_q before cancel requests, but forgot to unquiesce before destroy it, as a result we fail to drain the pending requests, and hang on blk_mq_freeze_queue_wait() forever. Here try to reuse nvme_rdma_teardown_admin_queue() to fix this issue and simplify the code. CVE-2024-49569 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg When receiving proposal msg in server, the field iparea_offset and the field ipv6_prefixes_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field iparea_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks iparea_offset and ipv6_prefixes_cnt before using them. CVE-2024-49571 moderate In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for accessing waker_bfqq after splitting After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current procress is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq may in the merge chain of bfqq, hence just recored waker_bfqq is still not safe. Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and current procress is the only holder. CVE-2024-49854 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates. CVE-2024-49884 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw This commit addresses a potential null pointer dereference issue in the `dcn32_init_hw` function. The issue could occur when `dc->clk_mgr` is null. The fix adds a check to ensure `dc->clk_mgr` is not null before accessing its functions. This prevents a potential null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn32/dcn32_hwseq.c:961 dcn32_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 782) CVE-2024-49915 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module which will call pxafb_remove to make cleanup, it will call unregister_framebuffer function which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime. CVE-2024-49924 moderate In the Linux kernel, the following vulnerability has been resolved: l2tp: prevent possible tunnel refcount underflow When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tp_session_free drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tp_session_create, before the tunnel refcount is incremented by l2tp_session_register, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped. Moving the assignment to l2tp_session_register is trivial but l2tp_session_create calls l2tp_session_set_header_len which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tp_session_set_header_len to avoid using session->tunnel. If l2tpv3 sessions have colliding IDs, it is possible for l2tp_v3_session_get to race with l2tp_session_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case. CVE-2024-49940 moderate In the Linux kernel, the following vulnerability has been resolved: net: add more sanity checks to qdisc_pkt_len_init() One path takes care of SKB_GSO_DODGY, assuming skb->len is bigger than hdr_len. virtio_net_hdr_to_skb() does not fully dissect TCP headers, it only make sure it is at least 20 bytes. It is possible for an user to provide a malicious 'GSO' packet, total length of 80 bytes. - 20 bytes of IPv4 header - 60 bytes TCP header - a small gso_size like 8 virtio_net_hdr_to_skb() would declare this packet as a normal GSO packet, because it would see 40 bytes of payload, bigger than gso_size. We need to make detect this case to not underflow qdisc_skb_cb(skb)->pkt_len. CVE-2024-49948 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix uaf in l2cap_connect [Syzbot reported] BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54 CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci2 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline] l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 ... Freed by task 5245: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x12a/0x3b0 mm/slub.c:4598 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline] kref_put include/linux/kref.h:65 [inline] l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline] l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CVE-2024-49950 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible crash on mgmt_index_removed If mgmt_index_removed is called while there are commands queued on cmd_sync it could lead to crashes like the bellow trace: 0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc 0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth] 0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth] 0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth] So while handling mgmt_index_removed this attempts to dequeue commands passed as user_data to cmd_sync. CVE-2024-49951 moderate In the Linux kernel, the following vulnerability has been resolved: gso: fix udp gso fraglist segmentation after pull from frag_list Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest. Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment. CVE-2024-49978 moderate In the Linux kernel, the following vulnerability has been resolved: block: fix integer overflow in BLKSECDISCARD I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed CVE-2024-49994 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: improve shutdown sequence Alexander Sverdlin presents 2 problems during shutdown with the lan9303 driver. One is specific to lan9303 and the other just happens to reproduce there. The first problem is that lan9303 is unique among DSA drivers in that it calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown, not remove): phy_state_machine() -> ... -> dsa_user_phy_read() -> ds->ops->phy_read() -> lan9303_phy_read() -> chip->ops->phy_read() -> lan9303_mdio_phy_read() -> dev_get_drvdata() But we never stop the phy_state_machine(), so it may continue to run after dsa_switch_shutdown(). Our common pattern in all DSA drivers is to set drvdata to NULL to suppress the remove() method that may come afterwards. But in this case it will result in an NPD. The second problem is that the way in which we set dp->conduit->dsa_ptr = NULL; is concurrent with receive packet processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL, but afterwards, rather than continuing to use that non-NULL value, dev->dsa_ptr is dereferenced again and again without NULL checks: dsa_conduit_find_user() and many other places. In between dereferences, there is no locking to ensure that what was valid once continues to be valid. Both problems have the common aspect that closing the conduit interface solves them. In the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN event in dsa_user_netdevice_event() which closes user ports as well. dsa_port_disable_rt() calls phylink_stop(), which synchronously stops the phylink state machine, and ds->ops->phy_read() will thus no longer call into the driver after this point. In the second case, dev_close(conduit) should do this, as per Documentation/networking/driver.rst: | Quiescence | ---------- | | After the ndo_stop routine has been called, the hardware must | not receive or transmit any data. All in flight packets must | be aborted. If necessary, poll or wait for completion of | any reset commands. So it should be sufficient to ensure that later, when we zeroize conduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call on this conduit. The addition of the netif_device_detach() function is to ensure that ioctls, rtnetlinks and ethtool requests on the user ports no longer propagate down to the driver - we're no longer prepared to handle them. The race condition actually did not exist when commit 0650bf52b31f ("net: dsa: be compatible with masters which unregister on shutdown") first introduced dsa_switch_shutdown(). It was created later, when we stopped unregistering the user interfaces from a bad spot, and we just replaced that sequence with a racy zeroization of conduit->dsa_ptr (one which doesn't ensure that the interfaces aren't up). CVE-2024-49998 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-50016 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-50018 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync This checks if the ACL connection remains valid as it could be destroyed while hci_enhanced_setup_sync is pending on cmd_sync leading to the following trace: BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60 Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37 CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? hci_enhanced_setup_sync+0x91b/0xa60 print_report+0x152/0x4c0 ? hci_enhanced_setup_sync+0x91b/0xa60 ? __virt_addr_valid+0x1fa/0x420 ? hci_enhanced_setup_sync+0x91b/0xa60 kasan_report+0xda/0x1b0 ? hci_enhanced_setup_sync+0x91b/0xa60 hci_enhanced_setup_sync+0x91b/0xa60 ? __pfx_hci_enhanced_setup_sync+0x10/0x10 ? __pfx___mutex_lock+0x10/0x10 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x167/0x240 worker_thread+0x5b7/0xf60 ? __kthread_parkme+0xac/0x1c0 ? __pfx_worker_thread+0x10/0x10 ? __pfx_worker_thread+0x10/0x10 kthread+0x293/0x360 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 34: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __hci_conn_add+0x187/0x17d0 hci_connect_sco+0x2e1/0xb90 sco_sock_connect+0x2a2/0xb80 __sys_connect+0x227/0x2a0 __x64_sys_connect+0x6d/0xb0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 37: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x101/0x160 kfree+0xd0/0x250 device_release+0x9a/0x210 kobject_put+0x151/0x280 hci_conn_del+0x448/0xbf0 hci_abort_conn_sync+0x46f/0x980 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 worker_thread+0x5b7/0xf60 kthread+0x293/0x360 ret_from_fork+0x2f/0x70 ret_from_fork_asm+0x1a/0x30 CVE-2024-50029 moderate In the Linux kernel, the following vulnerability has been resolved: net: do not delay dst_entries_add() in dst_release() dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already. Decrementing the number of dsts must happen sooner. Notes: 1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this. 2) There is also discussion about removing this count of dst, which might happen in future kernels. CVE-2024-50036 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: avoid NFPROTO_UNSPEC where needed syzbot managed to call xt_cluster match via ebtables: WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780 [..] ebt_do_table+0x174b/0x2a40 Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet processing. As this is only useful to restrict locally terminating TCP/UDP traffic, register this for ipv4 and ipv6 family only. Pablo points out that this is a general issue, direct users of the set/getsockopt interface can call into targets/matches that were only intended for use with ip(6)tables. Check all UNSPEC matches and targets for similar issues: - matches and targets are fine except if they assume skb_network_header() is valid -- this is only true when called from inet layer: ip(6) stack pulls the ip/ipv6 header into linear data area. - targets that return XT_CONTINUE or other xtables verdicts must be restricted too, they are incompatbile with the ebtables traverser, e.g. EBT_CONTINUE is a completely different value than XT_CONTINUE. Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as they are provided for use by ip(6)tables. The MARK target is also used by arptables, so register for NFPROTO_ARP too. While at it, bail out if connbytes fails to enable the corresponding conntrack family. This change passes the selftests in iptables.git. CVE-2024-50038 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: accept TCA_STAB only for root qdisc Most qdiscs maintain their backlog using qdisc_pkt_len(skb) on the assumption it is invariant between the enqueue() and dequeue() handlers. Unfortunately syzbot can crash a host rather easily using a TBF + SFQ combination, with an STAB on SFQ [1] We can't support TCA_STAB on arbitrary level, this would require to maintain per-qdisc storage. [1] [ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 88.798611] #PF: supervisor read access in kernel mode [ 88.799014] #PF: error_code(0x0000) - not-present page [ 88.799506] PGD 0 P4D 0 [ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI [ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117 [ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq [ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00 All code ======== 0: 0f b7 50 12 movzwl 0x12(%rax),%edx 4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax b: 00 c: 48 89 d6 mov %rdx,%rsi f: 48 29 d0 sub %rdx,%rax 12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx 19: 48 c1 e0 03 shl $0x3,%rax 1d: 48 01 c2 add %rax,%rdx 20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx) 25: 7e c0 jle 0xffffffffffffffe7 27: 48 8b 3a mov (%rdx),%rdi 2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction 2d: 4c 89 02 mov %r8,(%rdx) 30: 49 89 50 08 mov %rdx,0x8(%r8) 34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) 3b: 00 3c: 48 rex.W 3d: c7 .byte 0xc7 3e: 07 (bad) ... Code starting with the faulting instruction =========================================== 0: 4c 8b 07 mov (%rdi),%r8 3: 4c 89 02 mov %r8,(%rdx) 6: 49 89 50 08 mov %rdx,0x8(%r8) a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) 11: 00 12: 48 rex.W 13: c7 .byte 0xc7 14: 07 (bad) ... [ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206 [ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800 [ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000 [ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f [ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140 [ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac [ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000 [ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0 [ 88.808165] Call Trace: [ 88.808459] <TASK> [ 88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715) [ 88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) [ 88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) [ 88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq [ 88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq [ 88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g ---truncated--- CVE-2024-50039 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation. CVE-2024-50047 important In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: Add cancel_work_sync before module remove If we remove the module which will call mpc52xx_spi_remove it will free 'ms' through spi_unregister_controller. while the work ms->work will be used. The sequence of operations that may lead to a UAF bug. Fix it by ensuring that the work is canceled before proceeding with the cleanup in mpc52xx_spi_remove. CVE-2024-50051 important In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c Fix potential dereferencing of ERR_PTR() in find_format_by_pix() and uvc_v4l2_enum_format(). Fix the following smatch errors: drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix() error: 'fmtdesc' dereferencing possible ERR_PTR() drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format() error: 'fmtdesc' dereferencing possible ERR_PTR() Also, fix similar issue in uvc_v4l2_try_format() for potential dereferencing of ERR_PTR(). CVE-2024-50056 moderate In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock. CVE-2024-50073 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg net/socket.c:744 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7fe4579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 5387: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated--- CVE-2024-50085 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: fix race between laundromat and free_stateid There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dump_backtrace+0x98/0x120 kernel: show_stack+0x1c/0x30 kernel: dump_stack_lvl+0x80/0xe8 kernel: print_address_description.constprop.0+0x84/0x390 kernel: print_report+0xa4/0x268 kernel: kasan_report+0xb4/0xf8 kernel: __asan_report_load8_noabort+0x1c/0x28 kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd] kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd] kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd] kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd] kernel: nfsd4_open+0xa08/0xe80 [nfsd] kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd] kernel: nfsd_dispatch+0x22c/0x718 [nfsd] kernel: svc_process_common+0x8e8/0x1960 [sunrpc] kernel: svc_process+0x3d4/0x7e0 [sunrpc] kernel: svc_handle_xprt+0x828/0xe10 [sunrpc] kernel: svc_recv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: ret_from_fork+0x10/0x20 This patch proposes a fixed that's based on adding 2 new additional stid's sc_status values that help coordinate between the laundromat and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()). First to make sure, that once the stid is marked revoked, it is not removed by the nfsd4_free_stateid(), the laundromat take a reference on the stateid. Then, coordinating whether the stid has been put on the cl_revoked list or we are processing FREE_STATEID and need to make sure to remove it from the list, each check that state and act accordingly. If laundromat has added to the cl_revoke list before the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove it from the list. If nfsd4_free_stateid() finds that operations arrived before laundromat has placed it on cl_revoke list, it marks the state freed and then laundromat will no longer add it to the list. Also, for nfsd4_delegreturn() when looking for the specified stid, we need to access stid that are marked removed or freeable, it means the laundromat has started processing it but hasn't finished and this delegreturn needs to return nfserr_deleg_revoked and not nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the lack of it will leave this stid on the cl_revoked list indefinitely. CVE-2024-50106 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken. CVE-2024-50115 important In the Linux kernel, the following vulnerability has been resolved: net: sched: use RCU read-side critical section in taprio_dump() Fix possible use-after-free in 'taprio_dump()' by adding RCU read-side critical section there. Never seen on x86 but found on a KASAN-enabled arm64 system when investigating https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa: [T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0 [T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862 [T15862] [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2 [T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024 [T15862] Call trace: [T15862] dump_backtrace+0x20c/0x220 [T15862] show_stack+0x2c/0x40 [T15862] dump_stack_lvl+0xf8/0x174 [T15862] print_report+0x170/0x4d8 [T15862] kasan_report+0xb8/0x1d4 [T15862] __asan_report_load4_noabort+0x20/0x2c [T15862] taprio_dump+0xa0c/0xbb0 [T15862] tc_fill_qdisc+0x540/0x1020 [T15862] qdisc_notify.isra.0+0x330/0x3a0 [T15862] tc_modify_qdisc+0x7b8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Allocated by task 15857: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_alloc_info+0x40/0x60 [T15862] __kasan_kmalloc+0xd4/0xe0 [T15862] __kmalloc_cache_noprof+0x194/0x334 [T15862] taprio_change+0x45c/0x2fe0 [T15862] tc_modify_qdisc+0x6a8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Freed by task 6192: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_free_info+0x4c/0x80 [T15862] poison_slab_object+0x110/0x160 [T15862] __kasan_slab_free+0x3c/0x74 [T15862] kfree+0x134/0x3c0 [T15862] taprio_free_sched_cb+0x18c/0x220 [T15862] rcu_core+0x920/0x1b7c [T15862] rcu_core_si+0x10/0x1c [T15862] handle_softirqs+0x2e8/0xd64 [T15862] __do_softirq+0x14/0x20 CVE-2024-50126 moderate In the Linux kernel, the following vulnerability has been resolved: sched/core: Disable page allocation in task_tick_mm_cid() With KASAN and PREEMPT_RT enabled, calling task_work_add() in task_tick_mm_cid() may cause the following splat. [ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe [ 63.696416] preempt_count: 10001, expected: 0 [ 63.696416] RCU nest depth: 1, expected: 1 This problem is caused by the following call trace. sched_tick() [ acquire rq->__lock ] -> task_tick_mm_cid() -> task_work_add() -> __kasan_record_aux_stack() -> kasan_save_stack() -> stack_depot_save_flags() -> alloc_pages_mpol_noprof() -> __alloc_pages_noprof() -> get_page_from_freelist() -> rmqueue() -> rmqueue_pcplist() -> __rmqueue_pcplist() -> rmqueue_bulk() -> rt_spin_lock() The rq lock is a raw_spinlock_t. We can't sleep while holding it. IOW, we can't call alloc_pages() in stack_depot_save_flags(). The task_tick_mm_cid() function with its task_work_add() call was introduced by commit 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid") in v6.4 kernel. Fortunately, there is a kasan_record_aux_stack_noalloc() variant that calls stack_depot_save_flags() while not allowing it to allocate new pages. To allow task_tick_mm_cid() to use task_work without page allocation, a new TWAF_NO_ALLOC flag is added to enable calling kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack() if set. The task_tick_mm_cid() function is modified to add this new flag. The possible downside is the missing stack trace in a KASAN report due to new page allocation required when task_work_add_noallloc() is called which should be rare. CVE-2024-50140 moderate In the Linux kernel, the following vulnerability has been resolved: xfrm: validate new SA's prefixlen using SA family when sel.family is unset This expands the validation introduced in commit 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.") syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET). Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on. CVE-2024-50142 moderate In the Linux kernel, the following vulnerability has been resolved: udf: fix uninit-value use in udf_get_fileshortad Check for overflow when computing alen in udf_current_aext to mitigate later uninit-value use in udf_get_fileshortad KMSAN bug[1]. After applying the patch reproducer did not trigger any issue[2]. [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000 CVE-2024-50143 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOBs when building SMB2_IOCTL request When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2_set_next_command(). SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the SMB2_IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2_set_next_command() will end up writing off the end of @rqst->iov[0].iov_base as shown below: mount.cifs //srv/share /mnt -o ...,seal ln -s $(perl -e "print('a')for 1..1024") /mnt/link BUG: KASAN: slab-out-of-bounds in smb2_set_next_command.cold+0x1d6/0x24c [cifs] Write of size 4116 at addr ffff8881148fcab8 by task ln/859 CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] print_report+0x156/0x4d9 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] ? __virt_addr_valid+0x145/0x310 ? __phys_addr+0x46/0x90 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] kasan_report+0xda/0x110 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] kasan_check_range+0x10f/0x1f0 __asan_memcpy+0x3c/0x60 smb2_set_next_command.cold+0x1d6/0x24c [cifs] smb2_compound_op+0x238c/0x3840 [cifs] ? kasan_save_track+0x14/0x30 ? kasan_save_free_info+0x3b/0x70 ? vfs_symlink+0x1a1/0x2c0 ? do_symlinkat+0x108/0x1c0 ? __pfx_smb2_compound_op+0x10/0x10 [cifs] ? kmem_cache_free+0x118/0x3e0 ? cifs_get_writable_path+0xeb/0x1a0 [cifs] smb2_get_reparse_inode+0x423/0x540 [cifs] ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] ? rcu_is_watching+0x20/0x50 ? __kmalloc_noprof+0x37c/0x480 ? smb2_create_reparse_symlink+0x257/0x490 [cifs] ? smb2_create_reparse_symlink+0x38f/0x490 [cifs] smb2_create_reparse_symlink+0x38f/0x490 [cifs] ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs] cifs_symlink+0x24f/0x960 [cifs] ? __pfx_make_vfsuid+0x10/0x10 ? __pfx_cifs_symlink+0x10/0x10 [cifs] ? make_vfsgid+0x6b/0xc0 ? generic_permission+0x96/0x2d0 vfs_symlink+0x1a1/0x2c0 do_symlinkat+0x108/0x1c0 ? __pfx_do_symlinkat+0x10/0x10 ? strncpy_from_user+0xaa/0x160 __x64_sys_symlinkat+0xb9/0xf0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08d75c13bb CVE-2024-50151 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix possible double free in smb2_set_ea() Clang static checker(scan-build) warning: fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory. 1304 | kfree(ea); | ^~~~~~~~~ There is a double free in such case: 'ea is initialized to NULL' -> 'first successful memory allocation for ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea' -> 'goto replay_again' -> 'second goto sea_exit before allocate memory for ea' -> 'second memory release for ea resulted in double free'. Re-initialie 'ea' to NULL near to the replay_again label, it can fix this double free problem. CVE-2024-50152 moderate In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb CVE-2024-50154 important In the Linux kernel, the following vulnerability has been resolved: mptcp: handle consistently DSS corruption Bugged peer implementation can send corrupted DSS options, consistently hitting a few warning in the data path. Use DEBUG_NET assertions, to avoid the splat on some builds and handle consistently the error, dumping related MIBs and performing fallback and/or reset according to the subflow type. CVE-2024-50185 moderate In the Linux kernel, the following vulnerability has been resolved: mm/swapfile: skip HugeTLB pages for unuse_vma I got a bad pud error and lost a 1GB HugeTLB when calling swapoff. The problem can be reproduced by the following steps: 1. Allocate an anonymous 1GB HugeTLB and some other anonymous memory. 2. Swapout the above anonymous memory. 3. run swapoff and we will get a bad pud error in kernel message: mm/pgtable-generic.c:42: bad pud 00000000743d215d(84000001400000e7) We can tell that pud_clear_bad is called by pud_none_or_clear_bad in unuse_pud_range() by ftrace. And therefore the HugeTLB pages will never be freed because we lost it from page table. We can skip HugeTLB pages for unuse_vma to fix it. CVE-2024-50199 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: propagate directory read errors from nilfs_find_entry() Syzbot reported that a task hang occurs in vcs_open() during a fuzzing test for nilfs2. The root cause of this problem is that in nilfs_find_entry(), which searches for directory entries, ignores errors when loading a directory page/folio via nilfs_get_folio() fails. If the filesystem images is corrupted, and the i_size of the directory inode is large, and the directory page/folio is successfully read but fails the sanity check, for example when it is zero-filled, nilfs_check_folio() may continue to spit out error messages in bursts. Fix this issue by propagating the error to the callers when loading a page/folio fails in nilfs_find_entry(). The current interface of nilfs_find_entry() and its callers is outdated and cannot propagate error codes such as -EIO and -ENOMEM returned via nilfs_find_entry(), so fix it together. CVE-2024-50202 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix address emission with tag-based KASAN enabled When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image struct on the stack is passed during the size calculation pass and an address on the heap is passed during code generation. This may cause a heap buffer overflow if the heap address is tagged because emit_a64_mov_i64() will emit longer code than it did during the size calculation pass. The same problem could occur without tag-based KASAN if one of the 16-bit words of the stack address happened to be all-ones during the size calculation pass. Fix the problem by assuming the worst case (4 instructions) when calculating the size of the bpf_tramp_image address emission. CVE-2024-50203 moderate In the Linux kernel, the following vulnerability has been resolved: udf: refactor inode_bmap() to handle error Refactor inode_bmap() to handle error since udf_next_aext() can return error now. On situations like ftruncate, udf_extend_file() can now detect errors and bail out early without resorting to checking for particular offsets and assuming internal behavior of these functions. CVE-2024-50211 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-50228 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_payload: sanitize offset and length before calling skb_checksum() If access to offset + length is larger than the skbuff length, then skb_checksum() triggers BUG_ON(). skb_checksum() internally subtracts the length parameter while iterating over skbuff, BUG_ON(len) at the end of it checks that the expected length to be included in the checksum calculation is fully consumed. CVE-2024-50251 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_push+0xe5/0x100 net/core/skbuff.c:2636 eth_header+0x38/0x1f0 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3208 [inline] nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_nf_pre_routing_ipv6+0x63e/0x770 net/bridge/br_netfilter_ipv6.c:184 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_bridge_pre net/bridge/br_input.c:277 [inline] br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424 __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562 __netif_receive_skb_one_core net/core/dev.c:5666 [inline] __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781 netif_receive_skb_internal net/core/dev.c:5867 [inline] netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926 tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550 tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xa6d/0xc90 fs/read_write.c:683 ksys_write+0x183/0x2b0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdbeeb7d1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8 RBP: 00007fdbeebf12be R08: 0000000 ---truncated--- CVE-2024-50256 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix crash when config small gso_max_size/gso_ipv4_max_size Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add check for the minimum value of gso_max_size and gso_ipv4_max_size. CVE-2024-50258 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie with max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 make 9 nodes be written on the node stack with size 8. CVE-2024-50262 moderate In the Linux kernel, the following vulnerability has been resolved: filemap: Fix bounds checking in filemap_read() If the caller supplies an iocb->ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop. This behaviour was discovered when testing xfstests generic/525 with the "localio" optimisation for loopback NFS mounts. CVE-2024-50272 moderate In the Linux kernel, the following vulnerability has been resolved: dm cache: fix potential out-of-bounds access on the first resume Out-of-bounds access occurs if the fast device is expanded unexpectedly before the first-time resume of the cache table. This happens because expanding the fast device requires reloading the cache table for cache_create to allocate new in-core data structures that fit the new size, and the check in cache_preresume is not performed during the first resume, leading to the issue. Reproduce steps: 1. prepare component devices: dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct 2. load a cache table of 512 cache blocks, and deliberately expand the fast device before resuming the cache, making the in-core data structures inadequate. dmsetup create cache --notable dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192" dmsetup resume cdata dmsetup resume cache 3. suspend the cache to write out the in-core dirty bitset and hint array, leading to out-of-bounds access to the dirty bitset at offset 0x40: dmsetup suspend cache KASAN reports: BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80 Read of size 8 at addr ffffc90000085040 by task dmsetup/90 (...snip...) The buggy address belongs to the virtual mapping at [ffffc90000085000, ffffc90000087000) created by: cache_ctr+0x176a/0x35f0 (...snip...) Memory state around the buggy address: ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 Fix by checking the size change on the first resume. CVE-2024-50278 moderate In the Linux kernel, the following vulnerability has been resolved: media: cx24116: prevent overflows on SNR calculus as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers. Prevent that. CVE-2024-50290 important In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing locking causing hanging calls If a call gets aborted (e.g. because kafs saw a signal) between it being queued for connection and the I/O thread picking up the call, the abort will be prioritised over the connection and it will be removed from local->new_client_calls by rxrpc_disconnect_client_call() without a lock being held. This may cause other calls on the list to disappear if a race occurs. Fix this by taking the client_call_lock when removing a call from whatever list its ->wait_link happens to be on. CVE-2024-50294 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: properly validate chunk size in sctp_sf_ootb() A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add size validation when walking chunks") is also required in sctp_sf_ootb() to address a crash reported by syzbot: BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712 sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712 sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166 sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243 sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159 ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233 CVE-2024-50299 moderate In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() The per-netns IP tunnel hash table is protected by the RTNL mutex and ip_tunnel_find() is only called from the control path where the mutex is taken. Add a lockdep expression to hlist_for_each_entry_rcu() in ip_tunnel_find() in order to validate that the mutex is held and to silence the suspicious RCU usage warning [1]. [1] WARNING: suspicious RCU usage 6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted ----------------------------- net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/362: #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 stack backtrace: CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0xba/0x110 lockdep_rcu_suspicious.cold+0x4f/0xd6 ip_tunnel_find+0x435/0x4d0 ip_tunnel_newlink+0x517/0x7a0 ipgre_newlink+0x14c/0x170 __rtnl_newlink+0x1173/0x19c0 rtnl_newlink+0x6c/0xa0 rtnetlink_rcv_msg+0x3cc/0xf60 netlink_rcv_skb+0x171/0x450 netlink_unicast+0x539/0x7f0 netlink_sendmsg+0x8c1/0xd80 ____sys_sendmsg+0x8f9/0xc20 ___sys_sendmsg+0x197/0x1e0 __sys_sendmsg+0x122/0x1f0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-50304 moderate An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. CVE-2024-50602 moderate In the Linux kernel, the following vulnerability has been resolved: igb: Fix potential invalid memory access in igb_init_module() The pci_register_driver() can fail and when this happened, the dca_notifier needs to be unregistered, otherwise the dca_notifier can be called when igb fails to install, resulting to invalid memory access. CVE-2024-52332 moderate gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character. CVE-2024-52533 important In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32 values that come from the user via the submit_lookup_cmds() function. This addition could lead to an integer wrapping bug so use size_add() to prevent that. Patchwork: https://patchwork.freedesktop.org/patch/624696/ CVE-2024-52559 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915/hdcp: Add encoder check in hdcp2_get_capability Add encoder check in intel_hdcp2_get_capability to avoid null pointer error. CVE-2024-53050 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) CVE-2024-53057 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: prevent the risk of out of memory access The dvbdev contains a static variable used to store dvb minors. The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set, dvb_register_device() won't check for boundaries, as it will rely that a previous call to dvb_register_adapter() would already be enforcing it. On a similar way, dvb_device_open() uses the assumption that the register functions already did the needed checks. This can be fragile if some device ends using different calls. This also generate warnings on static check analysers like Coverity. So, add explicit guards to prevent potential risk of OOM issues. CVE-2024-53063 important In the Linux kernel, the following vulnerability has been resolved: idpf: fix idpf_vc_core_init error path In an event where the platform running the device control plane is rebooted, reset is detected on the driver. It releases all the resources and waits for the reset to complete. Once the reset is done, it tries to build the resources back. At this time if the device control plane is not yet started, then the driver timeouts on the virtchnl message and retries to establish the mailbox again. In the retry flow, mailbox is deinitialized but the mailbox workqueue is still alive and polling for the mailbox message. This results in accessing the released control queue leading to null-ptr-deref. Fix it by unrolling the work queue cancellation and mailbox deinitialization in the reverse order which they got initialized. CVE-2024-53064 moderate In the Linux kernel, the following vulnerability has been resolved: afs: Fix lock recursion afs_wake_up_async_call() can incur lock recursion. The problem is that it is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to take a ref on the afs_call struct in order to pass it to a work queue - but if the afs_call is already queued, we then have an extraneous ref that must be put... calling afs_put_call() may call back down into AF_RXRPC through rxrpc_kernel_shutdown_call(), however, which might try taking the ->notify_lock again. This case isn't very common, however, so defer it to a workqueue. The oops looks something like: BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646 lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0 CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351 Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 Call Trace: <TASK> dump_stack_lvl+0x47/0x70 do_raw_spin_lock+0x3c/0x90 rxrpc_kernel_shutdown_call+0x83/0xb0 afs_put_call+0xd7/0x180 rxrpc_notify_socket+0xa0/0x190 rxrpc_input_split_jumbo+0x198/0x1d0 rxrpc_input_data+0x14b/0x1e0 ? rxrpc_input_call_packet+0xc2/0x1f0 rxrpc_input_call_event+0xad/0x6b0 rxrpc_input_packet_on_conn+0x1e1/0x210 rxrpc_input_packet+0x3f2/0x4d0 rxrpc_io_thread+0x243/0x410 ? __pfx_rxrpc_io_thread+0x10/0x10 kthread+0xcf/0xe0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x24/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> CVE-2024-53090 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx As the introduction of the support for vsock and unix sockets in sockmap, tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK. vsock and af_unix sockets have vsock_sock and unix_sock instead of inet_connection_sock. For these sockets, tls_get_ctx may return an invalid pointer and cause page fault in function tls_sw_ctx_rx. BUG: unable to handle page fault for address: 0000000000040030 Workqueue: vsock-loopback vsock_loopback_work RIP: 0010:sk_psock_strp_data_ready+0x23/0x60 Call Trace: ? __die+0x81/0xc3 ? no_context+0x194/0x350 ? do_page_fault+0x30/0x110 ? async_page_fault+0x3e/0x50 ? sk_psock_strp_data_ready+0x23/0x60 virtio_transport_recv_pkt+0x750/0x800 ? update_load_avg+0x7e/0x620 vsock_loopback_work+0xd0/0x100 process_one_work+0x1a7/0x360 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x112/0x130 ? __kthread_cancel_work+0x40/0x40 ret_from_fork+0x1f/0x40 v2: - Add IS_ICSK check v3: - Update the commits in Fixes CVE-2024-53091 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free of network namespace. Recently, we got a customer report that CIFS triggers oops while reconnecting to a server. [0] The workload runs on Kubernetes, and some pods mount CIFS servers in non-root network namespaces. The problem rarely happened, but it was always while the pod was dying. The root cause is wrong reference counting for network namespace. CIFS uses kernel sockets, which do not hold refcnt of the netns that the socket belongs to. That means CIFS must ensure the socket is always freed before its netns; otherwise, use-after-free happens. The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFS We can reproduce the issue quickly with the script [1] below and see the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled. When the socket is TCP, it is hard to guarantee the netns lifetime without holding refcnt due to async timers. Let's hold netns refcnt for each socket as done for SMC in commit 9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler()."). Note that we need to move put_net() from cifs_put_tcp_session() to clean_demultiplex_info(); otherwise, __sock_create() still could touch a freed netns while cifsd tries to reconnect from cifs_demultiplex_thread(). Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns. [0]: CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting... CIFS: Serverclose failed 4 times, giving up Unable to handle kernel paging request at virtual address 14de99e461f84a07 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 [14de99e461f84a07] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1 Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : fib_rules_lookup+0x44/0x238 lr : __fib_lookup+0x64/0xbc sp : ffff8000265db790 x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01 x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580 x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500 x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002 x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294 x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0 x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500 Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne ---truncated--- CVE-2024-53095 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Check validity of link->type in bpf_link_show_fdinfo() If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing bpf_link_type_strs[link->type] may result in an out-of-bounds access. To spot such missed invocations early in the future, checking the validity of link->type in bpf_link_show_fdinfo() and emitting a warning when such invocations are missed. CVE-2024-53099 moderate In the Linux kernel, the following vulnerability has been resolved: hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer When hvs is released, there is a possibility that vsk->trans may not be initialized to NULL, which could lead to a dangling pointer. This issue is resolved by initializing vsk->trans to NULL. CVE-2024-53103 moderate In the Linux kernel, the following vulnerability has been resolved: mm: page_alloc: move mlocked flag clearance into free_pages_prepare() Syzbot reported a bad page state problem caused by a page being freed using free_page() still having a mlocked flag at free_pages_prepare() stage: BUG: Bad page state in process syz.5.504 pfn:61f45 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45 flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000080204 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8443, tgid 8442 (syz.5.504), ts 201884660643, free_ts 201499827394 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99 kvm_create_vm virt/kvm/kvm_main.c:1235 [inline] kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5488 [inline] kvm_dev_ioctl+0x12dc/0x2240 virt/kvm/kvm_main.c:5530 __do_compat_sys_ioctl fs/ioctl.c:1007 [inline] __se_compat_sys_ioctl+0x510/0xc90 fs/ioctl.c:950 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386 do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e page last free pid 8399 tgid 8399 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686 folios_put_refs+0x76c/0x860 mm/swap.c:1007 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:366 [inline] tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465 exit_mmap+0x496/0xc40 mm/mmap.c:1926 __mmput+0x115/0x390 kernel/fork.c:1348 exit_mm+0x220/0x310 kernel/exit.c:571 do_exit+0x9b2/0x28e0 kernel/exit.c:926 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 0 UID: 0 PID: 8442 Comm: syz.5.504 Not tainted 6.12.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 bad_page+0x176/0x1d0 mm/page_alloc.c:501 free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0xed0/0xf20 mm/page_alloc.c:2638 kvm_destroy_vm virt/kvm/kvm_main.c:1327 [inline] kvm_put_kvm+0xc75/0x1350 virt/kvm/kvm_main.c:1386 kvm_vcpu_release+0x54/0x60 virt/kvm/kvm_main.c:4143 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [in ---truncated--- CVE-2024-53105 moderate In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix address wraparound in move_page_tables() On 32-bit platforms, it is possible for the expression `len + old_addr < old_end` to be false-positive if `len + old_addr` wraps around. `old_addr` is the cursor in the old range up to which page table entries have been moved; so if the operation succeeded, `old_addr` is the *end* of the old region, and adding `len` to it can wrap. The overflow causes mremap() to mistakenly believe that PTEs have been copied; the consequence is that mremap() bails out, but doesn't move the PTEs back before the new VMA is unmapped, causing anonymous pages in the region to be lost. So basically if userspace tries to mremap() a private-anon region and hits this bug, mremap() will return an error and the private-anon region's contents appear to have been zeroed. The idea of this check is that `old_end - len` is the original start address, and writing the check that way also makes it easier to read; so fix the check by rearranging the comparison accordingly. (An alternate fix would be to refactor this function by introducing an "orig_old_start" variable or such.) Tested in a VM with a 32-bit X86 kernel; without the patch: ``` user@horn:~/big_mremap$ cat test.c #define _GNU_SOURCE #include <stdlib.h> #include <stdio.h> #include <err.h> #include <sys/mman.h> #define ADDR1 ((void*)0x60000000) #define ADDR2 ((void*)0x10000000) #define SIZE 0x50000000uL int main(void) { unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0); if (p1 == MAP_FAILED) err(1, "mmap 1"); unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0); if (p2 == MAP_FAILED) err(1, "mmap 2"); *p1 = 0x41; printf("first char is 0x%02hhx\n", *p1); unsigned char *p3 = mremap(p1, SIZE, SIZE, MREMAP_MAYMOVE|MREMAP_FIXED, p2); if (p3 == MAP_FAILED) { printf("mremap() failed; first char is 0x%02hhx\n", *p1); } else { printf("mremap() succeeded; first char is 0x%02hhx\n", *p3); } } user@horn:~/big_mremap$ gcc -static -o test test.c user@horn:~/big_mremap$ setarch -R ./test first char is 0x41 mremap() failed; first char is 0x00 ``` With the patch: ``` user@horn:~/big_mremap$ setarch -R ./test first char is 0x41 mremap() succeeded; first char is 0x41 ``` CVE-2024-53111 moderate In the Linux kernel, the following vulnerability has been resolved: mm: fix NULL pointer dereference in alloc_pages_bulk_noprof We triggered a NULL pointer dereference for ac.preferred_zoneref->zone in alloc_pages_bulk_noprof() when the task is migrated between cpusets. When cpuset is enabled, in prepare_alloc_pages(), ac->nodemask may be &current->mems_allowed. when first_zones_zonelist() is called to find preferred_zoneref, the ac->nodemask may be modified concurrently if the task is migrated between different cpusets. Assuming we have 2 NUMA Node, when traversing Node1 in ac->zonelist, the nodemask is 2, and when traversing Node2 in ac->zonelist, the nodemask is 1. As a result, the ac->preferred_zoneref points to NULL zone. In alloc_pages_bulk_noprof(), for_each_zone_zonelist_nodemask() finds a allowable zone and calls zonelist_node_idx(ac.preferred_zoneref), leading to NULL pointer dereference. __alloc_pages_noprof() fixes this issue by checking NULL pointer in commit ea57485af8f4 ("mm, page_alloc: fix check for NULL preferred_zone") and commit df76cee6bbeb ("mm, page_alloc: remove redundant checks from alloc fastpath"). To fix it, check NULL pointer for preferred_zoneref->zone. CVE-2024-53113 moderate In the Linux kernel, the following vulnerability has been resolved: virtio/vsock: Improve MSG_ZEROCOPY error handling Add a missing kfree_skb() to prevent memory leaks. CVE-2024-53117 moderate In the Linux kernel, the following vulnerability has been resolved: vsock: Fix sk_error_queue memory leak Kernel queues MSG_ZEROCOPY completion notifications on the error queue. Where they remain, until explicitly recv()ed. To prevent memory leaks, clean up the queue when the socket is destroyed. unreferenced object 0xffff8881028beb00 (size 224): comm "vsock_test", pid 1218, jiffies 4294694897 hex dump (first 32 bytes): 90 b0 21 17 81 88 ff ff 90 b0 21 17 81 88 ff ff ..!.......!..... 00 00 00 00 00 00 00 00 00 b0 21 17 81 88 ff ff ..........!..... backtrace (crc 6c7031ca): [<ffffffff81418ef7>] kmem_cache_alloc_node_noprof+0x2f7/0x370 [<ffffffff81d35882>] __alloc_skb+0x132/0x180 [<ffffffff81d2d32b>] sock_omalloc+0x4b/0x80 [<ffffffff81d3a8ae>] msg_zerocopy_realloc+0x9e/0x240 [<ffffffff81fe5cb2>] virtio_transport_send_pkt_info+0x412/0x4c0 [<ffffffff81fe6183>] virtio_transport_stream_enqueue+0x43/0x50 [<ffffffff81fe0813>] vsock_connectible_sendmsg+0x373/0x450 [<ffffffff81d233d5>] ____sys_sendmsg+0x365/0x3a0 [<ffffffff81d246f4>] ___sys_sendmsg+0x84/0xd0 [<ffffffff81d26f47>] __sys_sendmsg+0x47/0x80 [<ffffffff820d3df3>] do_syscall_64+0x93/0x180 [<ffffffff8220012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2024-53118 moderate In the Linux kernel, the following vulnerability has been resolved: virtio/vsock: Fix accept_queue memory leak As the final stages of socket destruction may be delayed, it is possible that virtio_transport_recv_listen() will be called after the accept_queue has been flushed, but before the SOCK_DONE flag has been set. As a result, sockets enqueued after the flush would remain unremoved, leading to a memory leak. vsock_release __vsock_release lock virtio_transport_release virtio_transport_close schedule_delayed_work(close_work) sk_shutdown = SHUTDOWN_MASK (!) flush accept_queue release virtio_transport_recv_pkt vsock_find_bound_socket lock if flag(SOCK_DONE) return virtio_transport_recv_listen child = vsock_create_connected (!) vsock_enqueue_accept(child) release close_work lock virtio_transport_do_close set_flag(SOCK_DONE) virtio_transport_remove_sock vsock_remove_sock vsock_remove_bound release Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during socket destruction. unreferenced object 0xffff888109e3f800 (size 2040): comm "kworker/5:2", pid 371, jiffies 4294940105 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............ backtrace (crc 9e5f4e84): [<ffffffff81418ff1>] kmem_cache_alloc_noprof+0x2c1/0x360 [<ffffffff81d27aa0>] sk_prot_alloc+0x30/0x120 [<ffffffff81d2b54c>] sk_alloc+0x2c/0x4b0 [<ffffffff81fe049a>] __vsock_create.constprop.0+0x2a/0x310 [<ffffffff81fe6d6c>] virtio_transport_recv_pkt+0x4dc/0x9a0 [<ffffffff81fe745d>] vsock_loopback_work+0xfd/0x140 [<ffffffff810fc6ac>] process_one_work+0x20c/0x570 [<ffffffff810fce3f>] worker_thread+0x1bf/0x3a0 [<ffffffff811070dd>] kthread+0xdd/0x110 [<ffffffff81044fdd>] ret_from_fork+0x2d/0x50 [<ffffffff8100785a>] ret_from_fork_asm+0x1a/0x30 CVE-2024-53119 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: CT: Fix null-ptr-deref in add rule err flow In error flow of mlx5_tc_ct_entry_add_rule(), in case ct_rule_add() callback returns error, zone_rule->attr is used uninitiated. Fix it to use attr which has the needed pointer value. Kernel log: BUG: kernel NULL pointer dereference, address: 0000000000000110 RIP: 0010:mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core] ... Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x140 ? asm_exc_page_fault+0x22/0x30 ? mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core] ? mlx5_tc_ct_entry_add_rule+0x1d5/0x2f0 [mlx5_core] mlx5_tc_ct_block_flow_offload+0xc6a/0xf90 [mlx5_core] ? nf_flow_offload_tuple+0xd8/0x190 [nf_flow_table] nf_flow_offload_tuple+0xd8/0x190 [nf_flow_table] flow_offload_work_handler+0x142/0x320 [nf_flow_table] ? finish_task_switch.isra.0+0x15b/0x2b0 process_one_work+0x16c/0x320 worker_thread+0x28c/0x3a0 ? __pfx_worker_thread+0x10/0x10 kthread+0xb8/0xf0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> CVE-2024-53120 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Additional active subflows - i.e. created by the in kernel path manager - are included into the subflow list before starting the 3whs. A racing recvmsg() spooling data received on an already established subflow would unconditionally call tcp_cleanup_rbuf() on all the current subflows, potentially hitting a divide by zero error on the newly created ones. Explicitly check that the subflow is in a suitable state before invoking tcp_cleanup_rbuf(). CVE-2024-53122 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: error out earlier on disconnect Eric reported a division by zero splat in the MPTCP protocol: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted 6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163 Code: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8 0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 <f7> 7c 24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89 RSP: 0018:ffffc900041f7930 EFLAGS: 00010293 RAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b RDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004 RBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67 R10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80 R13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000 FS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493 mptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline] mptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289 inet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885 sock_recvmsg_nosec net/socket.c:1051 [inline] sock_recvmsg+0x1b2/0x250 net/socket.c:1073 __sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265 __do_sys_recvfrom net/socket.c:2283 [inline] __se_sys_recvfrom net/socket.c:2279 [inline] __x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7feb5d857559 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559 RDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000 R10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c R13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef and provided a nice reproducer. The root cause is the current bad handling of racing disconnect. After the blamed commit below, sk_wait_data() can return (with error) with the underlying socket disconnected and a zero rcv_mss. Catch the error and return without performing any additional operations on the current socket. CVE-2024-53123 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix data-races around sk->sk_forward_alloc Syzkaller reported this warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:inet_sock_destruct+0x1c5/0x1e0 Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00 RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206 RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007 RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00 RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007 R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00 R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78 FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x88/0x130 ? inet_sock_destruct+0x1c5/0x1e0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x1c5/0x1e0 __sk_destruct+0x2a/0x200 rcu_do_batch+0x1aa/0x530 ? rcu_do_batch+0x13b/0x530 rcu_core+0x159/0x2f0 handle_softirqs+0xd3/0x2b0 ? __pfx_smpboot_thread_fn+0x10/0x10 run_ksoftirqd+0x25/0x30 smpboot_thread_fn+0xdd/0x1d0 kthread+0xd3/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add() concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked, which triggers a data-race around sk->sk_forward_alloc: tcp_v6_rcv tcp_v6_do_rcv skb_clone_and_charge_r sk_rmem_schedule __sk_mem_schedule sk_forward_alloc_add() skb_set_owner_r sk_mem_charge sk_forward_alloc_add() __kfree_skb skb_release_all skb_release_head_state sock_rfree sk_mem_uncharge sk_forward_alloc_add() sk_mem_reclaim // set local var reclaimable __sk_mem_reclaim sk_forward_alloc_add() In this syzkaller testcase, two threads call tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like this: (cpu 1) | (cpu 2) | sk_forward_alloc ... | ... | 0 __sk_mem_schedule() | | +4096 = 4096 | __sk_mem_schedule() | +4096 = 8192 sk_mem_charge() | | -768 = 7424 | sk_mem_charge() | -768 = 6656 ... | ... | sk_mem_uncharge() | | +768 = 7424 reclaimable=7424 | | | sk_mem_uncharge() | +768 = 8192 | reclaimable=8192 | __sk_mem_reclaim() | | -4096 = 4096 | __sk_mem_reclaim() | -8192 = -4096 != 0 The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock(). Fix the same issue in dccp_v6_do_rcv(). CVE-2024-53124 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: sync_linked_regs() must preserve subreg_def Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set: 0: call bpf_ktime_get_ns call bpf_ktime_get_ns 1: r0 &= 0x7fffffff after verifier r0 &= 0x7fffffff 2: w1 = w0 rewrites w1 = w0 3: if w0 < 10 goto +0 --------------> r11 = 0x2f5674a6 (r) 4: r1 >>= 32 r11 <<= 32 (r) 5: r0 = r1 r1 |= r11 (r) 6: exit; if w0 < 0xa goto pc+0 r1 >>= 32 r0 = r1 exit (or zero extension of w1 at (2) is missing for architectures that require zero extension for upper register half). The following happens w/o this patch: - r0 is marked as not a subreg at (0); - w1 is marked as subreg at (2); - w1 subreg_def is overridden at (3) by copy_register_state(); - w1 is read at (5) but mark_insn_zext() does not mark (2) for zero extension, because w1 subreg_def is not set; - because of BPF_F_TEST_RND_HI32 flag verifier inserts random value for hi32 bits of (2) (marked (r)); - this random value is read at (5). CVE-2024-53125 important In the Linux kernel, the following vulnerability has been resolved: vdpa: solidrun: Fix UB bug with devres In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to pcim_iomap_regions() is placed on the stack. Neither pcim_iomap_regions() nor the functions it calls copy that string. Should the string later ever be used, this, consequently, causes undefined behavior since the stack frame will by then have disappeared. Fix the bug by allocating the strings on the heap through devm_kasprintf(). CVE-2024-53126 moderate In the Linux kernel, the following vulnerability has been resolved: Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" The commit 8396c793ffdf ("mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K") increased the max_req_size, even for 4K pages, causing various issues: - Panic booting the kernel/rootfs from an SD card on Rockchip RK3566 - Panic booting the kernel/rootfs from an SD card on StarFive JH7100 - "swiotlb buffer is full" and data corruption on StarFive JH7110 At this stage no fix have been found, so it's probably better to just revert the change. This reverts commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890. CVE-2024-53127 moderate In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: vop: Fix a dereferenced before check warning The 'state' can't be NULL, we should check crtc_state. Fix warning: drivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096 vop_plane_atomic_async_check() warn: variable dereferenced before check 'state' (see line 1077) CVE-2024-53129 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty() may cause a NULL pointer dereference, or a general protection fault when KASAN is enabled. This happens because, since the tracepoint was added in mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev regardless of whether the buffer head has a pointer to a block_device structure. In the current implementation, nilfs_grab_buffer(), which grabs a buffer to read (or create) a block of metadata, including b-tree node blocks, does not set the block device, but instead does so only if the buffer is not in the "uptodate" state for each of its caller block reading functions. However, if the uptodate flag is set on a folio/page, and the buffer heads are detached from it by try_to_free_buffers(), and new buffer heads are then attached by create_empty_buffers(), the uptodate flag may be restored to each buffer without the block device being set to bh->b_bdev, and mark_buffer_dirty() may be called later in that state, resulting in the bug mentioned above. Fix this issue by making nilfs_grab_buffer() always set the block device of the super block structure to the buffer head, regardless of the state of the buffer's uptodate flag. CVE-2024-53130 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints". This series fixes null pointer dereference bugs that occur when using nilfs2 and two block-related tracepoints. This patch (of 2): It has been reported that when using "block:block_touch_buffer" tracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a NULL pointer dereference, or a general protection fault when KASAN is enabled. This happens because since the tracepoint was added in touch_buffer(), it references the dev_t member bh->b_bdev->bd_dev regardless of whether the buffer head has a pointer to a block_device structure. In the current implementation, the block_device structure is set after the function returns to the caller. Here, touch_buffer() is used to mark the folio/page that owns the buffer head as accessed, but the common search helper for folio/page used by the caller function was optimized to mark the folio/page as accessed when it was reimplemented a long time ago, eliminating the need to call touch_buffer() here in the first place. So this solves the issue by eliminating the touch_buffer() call itself. CVE-2024-53131 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Handle dml allocation failure to avoid crash [Why] In the case where a dml allocation fails for any reason, the current state's dml contexts would no longer be valid. Then subsequent calls dc_state_copy_internal would shallow copy invalid memory and if the new state was released, a double free would occur. [How] Reset dml pointers in new_state to NULL and avoid invalid pointer (cherry picked from commit bcafdc61529a48f6f06355d78eb41b3aeda5296c) CVE-2024-53133 moderate In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx93-blk-ctrl: correct remove path The check condition should be 'i < bc->onecell_data.num_domains', not 'bc->onecell_data.num_domains' which will make the look never finish and cause kernel panic. Also disable runtime to address "imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!" CVE-2024-53134 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: fix possible UAF in sctp_v6_available() A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints that sctp_v6_available() is calling dev_get_by_index_rcu() and ipv6_chk_addr() without holding rcu. [1] ============================= WARNING: suspicious RCU usage 6.12.0-rc5-virtme #1216 Tainted: G W ----------------------------- net/core/dev.c:876 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by sctp_hello/31495: #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp stack backtrace: CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7)) sctp_v6_available (net/sctp/ipv6.c:701) sctp sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp sctp_bind (net/sctp/socket.c:320) sctp inet6_bind_sk (net/ipv6/af_inet6.c:465) ? security_socket_bind (security/security.c:4581 (discriminator 1)) __sys_bind (net/socket.c:1848 net/socket.c:1869) ? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340) ? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13)) __x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1)) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f59b934a1e7 Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48 All code ======== 0: 44 00 00 add %r8b,(%rax) 3: 48 8b 15 39 8c 0c 00 mov 0xc8c39(%rip),%rdx # 0xc8c43 a: f7 d8 neg %eax c: 64 89 02 mov %eax,%fs:(%rdx) f: b8 ff ff ff ff mov $0xffffffff,%eax 14: eb bd jmp 0xffffffffffffffd3 16: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 1d: 00 00 00 20: 0f 1f 00 nopl (%rax) 23: b8 31 00 00 00 mov $0x31,%eax 28: 0f 05 syscall 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 ret 33: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c43 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax 6: 73 01 jae 0x9 8: c3 ret 9: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c19 10: f7 d8 neg %eax 12: 64 89 01 mov %eax,%fs:(%rcx) 15: 48 rex.W RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031 RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7 RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 1999999999999999 R09: 0000000000000000 R10: 00007f59b9253298 R11: 000000000000 ---truncated--- CVE-2024-53139 moderate In the Linux kernel, the following vulnerability has been resolved: netlink: terminate outstanding dump on socket close Netlink supports iterative dumping of data. It provides the families the following ops: - start - (optional) kicks off the dumping process - dump - actual dump helper, keeps getting called until it returns 0 - done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket. This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done. The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed. Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one. The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc. but no dumps can start, end or otherwise make progress. Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own. CVE-2024-53140 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks. CVE-2024-53141 important In the Linux kernel, the following vulnerability has been resolved: initramfs: avoid filename buffer overrun The initramfs filename field is defined in Documentation/driver-api/early-userspace/buffer-format.rst as: 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data ... 55 ============= ================== ========================= 56 Field name Field size Meaning 57 ============= ================== ========================= ... 70 c_namesize 8 bytes Length of filename, including final \0 When extracting an initramfs cpio archive, the kernel's do_name() path handler assumes a zero-terminated path at @collected, passing it directly to filp_open() / init_mkdir() / init_mknod(). If a specially crafted cpio entry carries a non-zero-terminated filename and is followed by uninitialized memory, then a file may be created with trailing characters that represent the uninitialized memory. The ability to create an initramfs entry would imply already having full control of the system, so the buffer overrun shouldn't be considered a security vulnerability. Append the output of the following bash script to an existing initramfs and observe any created /initramfs_test_fname_overrunAA* path. E.g. ./reproducer.sh | gzip >> /myinitramfs It's easiest to observe non-zero uninitialized memory when the output is gzipped, as it'll overflow the heap allocated @out_buf in __gunzip(), rather than the initrd_start+initrd_size block. ---- reproducer.sh ---- nilchar="A" # change to "\0" to properly zero terminate / pad magic="070701" ino=1 mode=$(( 0100777 )) uid=0 gid=0 nlink=1 mtime=1 filesize=0 devmajor=0 devminor=1 rdevmajor=0 rdevminor=0 csum=0 fname="initramfs_test_fname_overrun" namelen=$(( ${#fname} + 1 )) # plus one to account for terminator printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \ $magic $ino $mode $uid $gid $nlink $mtime $filesize \ $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) )) printf "%.s${nilchar}" $(seq 1 $termpadlen) ---- reproducer.sh ---- Symlink filename fields handled in do_symlink() won't overrun past the data segment, due to the explicit zero-termination of the symlink target. Fix filename buffer overrun by aborting the initramfs FSM if any cpio entry doesn't carry a zero-terminator at the expected (name_len - 1) offset. CVE-2024-53142 moderate In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent a potential integer overflow If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. CVE-2024-53146 important In the Linux kernel, the following vulnerability has been resolved: exfat: fix out-of-bounds access of directory entries In the case of the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster(an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption. This commit adds a check for start_clu, if it is an invalid cluster, the file or directory will be treated as empty. CVE-2024-53147 moderate In the Linux kernel, the following vulnerability has been resolved: comedi: Flush partial mappings in error case If some remap_pfn_range() calls succeeded before one failed, we still have buffer pages mapped into the userspace page tables when we drop the buffer reference with comedi_buf_map_put(bm). The userspace mappings are only cleaned up later in the mmap error path. Fix it by explicitly flushing all mappings in our VMA on the error path. See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in error case"). CVE-2024-53148 important In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check. CVE-2024-53150 moderate In the Linux kernel, the following vulnerability has been resolved: svcrdma: Address an integer overflow Dan Carpenter reports: > Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data > structure") from Jun 22, 2020 (linux-next), leads to the following > Smatch static checker warning: > > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk() > warn: potential user controlled sizeof overflow 'segcount * 4 * 4' > > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c > 488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt) > 489 { > 490 u32 segcount; > 491 __be32 *p; > 492 > 493 if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount)) > ^^^^^^^^ > > 494 return false; > 495 > 496 /* A bogus segcount causes this buffer overflow check to fail. */ > 497 p = xdr_inline_decode(&rctxt->rc_stream, > --> 498 segcount * rpcrdma_segment_maxsz * sizeof(*p)); > > > segcount is an untrusted u32. On 32bit systems anything >= SIZE_MAX / 16 will > have an integer overflow and some those values will be accepted by > xdr_inline_decode(). CVE-2024-53151 moderate In the Linux kernel, the following vulnerability has been resolved: clk: clk-apple-nco: Add NULL check in applnco_probe Add NULL check in applnco_probe, to handle kernel NULL pointer dereference error. CVE-2024-53154 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix uninitialized value in ocfs2_file_read_iter() Syzbot has reported the following KMSAN splat: BUG: KMSAN: uninit-value in ocfs2_file_read_iter+0x9a4/0xf80 ocfs2_file_read_iter+0x9a4/0xf80 __io_read+0x8d4/0x20f0 io_read+0x3e/0xf0 io_issue_sqe+0x42b/0x22c0 io_wq_submit_work+0xaf9/0xdc0 io_worker_handle_work+0xd13/0x2110 io_wq_worker+0x447/0x1410 ret_from_fork+0x6f/0x90 ret_from_fork_asm+0x1a/0x30 Uninit was created at: __alloc_pages_noprof+0x9a7/0xe00 alloc_pages_mpol_noprof+0x299/0x990 alloc_pages_noprof+0x1bf/0x1e0 allocate_slab+0x33a/0x1250 ___slab_alloc+0x12ef/0x35e0 kmem_cache_alloc_bulk_noprof+0x486/0x1330 __io_alloc_req_refill+0x84/0x560 io_submit_sqes+0x172f/0x2f30 __se_sys_io_uring_enter+0x406/0x41c0 __x64_sys_io_uring_enter+0x11f/0x1a0 x64_sys_call+0x2b54/0x3ba0 do_syscall_64+0xcd/0x1e0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Since an instance of 'struct kiocb' may be passed from the block layer with 'private' field uninitialized, introduce 'ocfs2_iocb_init_rw_locked()' and use it from where 'ocfs2_dio_end_io()' might take care, i.e. in 'ocfs2_file_read_iter()' and 'ocfs2_file_write_iter()'. CVE-2024-53155 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() I found the following bug in my fuzzer: UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51 index 255 is out of range for type 'htc_endpoint [22]' CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events request_firmware_work_func Call Trace: <TASK> dump_stack_lvl+0x180/0x1b0 __ubsan_handle_out_of_bounds+0xd4/0x130 htc_issue_send.constprop.0+0x20c/0x230 ? _raw_spin_unlock_irqrestore+0x3c/0x70 ath9k_wmi_cmd+0x41d/0x610 ? mark_held_locks+0x9f/0xe0 ... Since this bug has been confirmed to be caused by insufficient verification of conn_rsp_epid, I think it would be appropriate to add a range check for conn_rsp_epid to htc_connect_service() to prevent the bug from occurring. CVE-2024-53156 important In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Check the DVFS OPP count returned by the firmware Fix a kernel crash with the below call trace when the SCPI firmware returns OPP count of zero. dvfs_info.opp_count may be zero on some platforms during the reboot test, and the kernel will crash after dereferencing the pointer to kcalloc(info->count, sizeof(*opp), GFP_KERNEL). | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 | Mem abort info: | ESR = 0x96000004 | Exception class = DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | Data abort info: | ISV = 0, ISS = 0x00000004 | CM = 0, WnR = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000faefa08c | [0000000000000028] pgd=0000000000000000 | Internal error: Oops: 96000004 [#1] SMP | scpi-hwmon: probe of PHYT000D:00 failed with error -110 | Process systemd-udevd (pid: 1701, stack limit = 0x00000000aaede86c) | CPU: 2 PID: 1701 Comm: systemd-udevd Not tainted 4.19.90+ #1 | Hardware name: PHYTIUM LTD Phytium FT2000/4/Phytium FT2000/4, BIOS | pstate: 60000005 (nZCv daif -PAN -UAO) | pc : scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi] | lr : clk_register+0x438/0x720 | Call trace: | scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi] | devm_clk_hw_register+0x50/0xa0 | scpi_clk_ops_init.isra.2+0xa0/0x138 [clk_scpi] | scpi_clocks_probe+0x528/0x70c [clk_scpi] | platform_drv_probe+0x58/0xa8 | really_probe+0x260/0x3d0 | driver_probe_device+0x12c/0x148 | device_driver_attach+0x74/0x98 | __driver_attach+0xb4/0xe8 | bus_for_each_dev+0x88/0xe0 | driver_attach+0x30/0x40 | bus_add_driver+0x178/0x2b0 | driver_register+0x64/0x118 | __platform_driver_register+0x54/0x60 | scpi_clocks_driver_init+0x24/0x1000 [clk_scpi] | do_one_initcall+0x54/0x220 | do_init_module+0x54/0x1c8 | load_module+0x14a4/0x1668 | __se_sys_finit_module+0xf8/0x110 | __arm64_sys_finit_module+0x24/0x30 | el0_svc_common+0x78/0x170 | el0_svc_handler+0x38/0x78 | el0_svc+0x8/0x340 | Code: 937d7c00 a94153f3 a8c27bfd f9400421 (b8606820) | ---[ end trace 06feb22469d89fa8 ]--- | Kernel panic - not syncing: Fatal exception | SMP: stopping secondary CPUs | Kernel Offset: disabled | CPU features: 0x10,a0002008 | Memory Limit: none CVE-2024-53157 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get() This loop is supposed to break if the frequency returned from clk_round_rate() is the same as on the previous iteration. However, that check doesn't make sense on the first iteration through the loop. It leads to reading before the start of these->clk_perf_tbl[] array. CVE-2024-53158 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-53159 moderate In the Linux kernel, the following vulnerability has been resolved: rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu KCSAN reports a data race when access the krcp->monitor_work.timer.expires variable in the schedule_delayed_monitor_work() function: <snip> BUG: KCSAN: data-race in __mod_timer / kvfree_call_rcu read to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1: schedule_delayed_monitor_work kernel/rcu/tree.c:3520 [inline] kvfree_call_rcu+0x3b8/0x510 kernel/rcu/tree.c:3839 trie_update_elem+0x47c/0x620 kernel/bpf/lpm_trie.c:441 bpf_map_update_value+0x324/0x350 kernel/bpf/syscall.c:203 generic_map_update_batch+0x401/0x520 kernel/bpf/syscall.c:1849 bpf_map_do_batch+0x28c/0x3f0 kernel/bpf/syscall.c:5143 __sys_bpf+0x2e5/0x7a0 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5739 x64_sys_call+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f write to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0: __mod_timer+0x578/0x7f0 kernel/time/timer.c:1173 add_timer_global+0x51/0x70 kernel/time/timer.c:1330 __queue_delayed_work+0x127/0x1a0 kernel/workqueue.c:2523 queue_delayed_work_on+0xdf/0x190 kernel/workqueue.c:2552 queue_delayed_work include/linux/workqueue.h:677 [inline] schedule_delayed_monitor_work kernel/rcu/tree.c:3525 [inline] kfree_rcu_monitor+0x5e8/0x660 kernel/rcu/tree.c:3643 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310 worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391 kthread+0x1d1/0x210 kernel/kthread.c:389 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_unbound kfree_rcu_monitor <snip> kfree_rcu_monitor() rearms the work if a "krcp" has to be still offloaded and this is done without holding krcp->lock, whereas the kvfree_call_rcu() holds it. Fix it by acquiring the "krcp->lock" for kfree_rcu_monitor() so both functions do not race anymore. CVE-2024-53160 moderate In the Linux kernel, the following vulnerability has been resolved: EDAC/bluefield: Fix potential integer overflow The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument. The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. loss of data from upper 16 bits. CVE-2024-53161 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: qat/qat_4xxx - fix off by one in uof_get_name() The fw_objs[] array has "num_objs" elements so the > needs to be >= to prevent an out of bounds read. CVE-2024-53162 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: qat/qat_420xx - fix off by one in uof_get_name() This is called from uof_get_name_420xx() where "num_objs" is the ARRAY_SIZE() of fw_objs[]. The > needs to be >= to prevent an out of bounds access. CVE-2024-53163 moderate In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a call to said function because otherwise it may fail to notify parent qdiscs when the child is about to become empty. CVE-2024-53164 moderate In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix bfqq uaf in bfq_limit_depth() Set new allocated bfqq to bic or remove freed bfqq from bic are both protected by bfqd->lock, however bfq_limit_depth() is deferencing bfqq from bic without the lock, this can lead to UAF if the io_context is shared by multiple tasks. For example, test bfq with io_uring can trigger following UAF in v6.6: ================================================================== BUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50 Call Trace: <TASK> dump_stack_lvl+0x47/0x80 print_address_description.constprop.0+0x66/0x300 print_report+0x3e/0x70 kasan_report+0xb4/0xf0 bfqq_group+0x15/0x50 bfqq_request_over_limit+0x130/0x9a0 bfq_limit_depth+0x1b5/0x480 __blk_mq_alloc_requests+0x2b5/0xa00 blk_mq_get_new_requests+0x11d/0x1d0 blk_mq_submit_bio+0x286/0xb00 submit_bio_noacct_nocheck+0x331/0x400 __block_write_full_folio+0x3d0/0x640 writepage_cb+0x3b/0xc0 write_cache_pages+0x254/0x6c0 write_cache_pages+0x254/0x6c0 do_writepages+0x192/0x310 filemap_fdatawrite_wbc+0x95/0xc0 __filemap_fdatawrite_range+0x99/0xd0 filemap_write_and_wait_range.part.0+0x4d/0xa0 blkdev_read_iter+0xef/0x1e0 io_read+0x1b6/0x8a0 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 808602: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_slab_alloc+0x83/0x90 kmem_cache_alloc_node+0x1b1/0x6d0 bfq_get_queue+0x138/0xfa0 bfq_get_bfqq_handle_split+0xe3/0x2c0 bfq_init_rq+0x196/0xbb0 bfq_insert_request.isra.0+0xb5/0x480 bfq_insert_requests+0x156/0x180 blk_mq_insert_request+0x15d/0x440 blk_mq_submit_bio+0x8a4/0xb00 submit_bio_noacct_nocheck+0x331/0x400 __blkdev_direct_IO_async+0x2dd/0x330 blkdev_write_iter+0x39a/0x450 io_write+0x22a/0x840 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x1b/0x30 Freed by task 808589: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 __kasan_slab_free+0x126/0x1b0 kmem_cache_free+0x10c/0x750 bfq_put_queue+0x2dd/0x770 __bfq_insert_request.isra.0+0x155/0x7a0 bfq_insert_request.isra.0+0x122/0x480 bfq_insert_requests+0x156/0x180 blk_mq_dispatch_plug_list+0x528/0x7e0 blk_mq_flush_plug_list.part.0+0xe5/0x590 __blk_flush_plug+0x3b/0x90 blk_finish_plug+0x40/0x60 do_writepages+0x19d/0x310 filemap_fdatawrite_wbc+0x95/0xc0 __filemap_fdatawrite_range+0x99/0xd0 filemap_write_and_wait_range.part.0+0x4d/0xa0 blkdev_read_iter+0xef/0x1e0 io_read+0x1b6/0x8a0 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x1b/0x30 Fix the problem by protecting bic_to_bfqq() with bfqd->lock. CVE-2024-53166 important In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0 Read of size 1 at addr ffff888111f322cd by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 Call Trace: <IRQ> dump_stack_lvl+0x68/0xa0 print_address_description.constprop.0+0x2c/0x3d0 print_report+0xb4/0x270 kasan_report+0xbd/0xf0 tcp_write_timer_handler+0x156/0x3e0 tcp_write_timer+0x66/0x170 call_timer_fn+0xfb/0x1d0 __run_timers+0x3f8/0x480 run_timer_softirq+0x9b/0x100 handle_softirqs+0x153/0x390 __irq_exit_rcu+0x103/0x120 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0x76/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242 RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d R10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000 R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0 default_idle_call+0x6b/0xa0 cpuidle_idle_call+0x1af/0x1f0 do_idle+0xbc/0x130 cpu_startup_entry+0x33/0x40 rest_init+0x11f/0x210 start_kernel+0x39a/0x420 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x97/0xa0 common_startup_64+0x13e/0x141 </TASK> Allocated by task 595: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x87/0x90 kmem_cache_alloc_noprof+0x12b/0x3f0 copy_net_ns+0x94/0x380 create_new_namespaces+0x24c/0x500 unshare_nsproxy_namespaces+0x75/0xf0 ksys_unshare+0x24e/0x4f0 __x64_sys_unshare+0x1f/0x30 do_syscall_64+0x70/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 100: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x54/0x70 kmem_cache_free+0x156/0x5d0 cleanup_net+0x5d3/0x670 process_one_work+0x776/0xa90 worker_thread+0x2e2/0x560 kthread+0x1a8/0x1f0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 Reproduction script: mkdir -p /mnt/nfsshare mkdir -p /mnt/nfs/netns_1 mkfs.ext4 /dev/sdb mount /dev/sdb /mnt/nfsshare systemctl restart nfs-server chmod 777 /mnt/nfsshare exportfs -i -o rw,no_root_squash *:/mnt/nfsshare ip netns add netns_1 ip link add name veth_1_peer type veth peer veth_1 ifconfig veth_1_peer 11.11.0.254 up ip link set veth_1 netns netns_1 ip netns exec netns_1 ifconfig veth_1 11.11.0.1 ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \ --tcp-flags FIN FIN -j DROP (note: In my environment, a DESTROY_CLIENTID operation is always sent immediately, breaking the nfs tcp connection.) ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \ 11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1 ip netns del netns_1 The reason here is that the tcp socket in netns_1 (nfs side) has been shutdown and closed (done in xs_destroy), but the FIN message (with ack) is discarded, and the nfsd side keeps sending retransmission messages. As a result, when the tcp sock in netns_1 processes the received message, it sends the message (FIN message) in the sending queue, and the tcp timer is re-established. When the network namespace is deleted, the net structure accessed by tcp's timer handler function causes problems. To fix this problem, let's hold netns refcnt for the tcp kernel socket as done in other modules. This is an ugly hack which can easily be backported to earlier kernels. A proper fix which cleans up the interfaces will follow, but may not be so easy to backport. CVE-2024-53168 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-fabrics: fix kernel crash while shutting down controller The nvme keep-alive operation, which executes at a periodic interval, could potentially sneak in while shutting down a fabric controller. This may lead to a race between the fabric controller admin queue destroy code path (invoked while shutting down controller) and hw/hctx queue dispatcher called from the nvme keep-alive async request queuing operation. This race could lead to the kernel crash shown below: Call Trace: autoremove_wake_function+0x0/0xbc (unreliable) __blk_mq_sched_dispatch_requests+0x114/0x24c blk_mq_sched_dispatch_requests+0x44/0x84 blk_mq_run_hw_queue+0x140/0x220 nvme_keep_alive_work+0xc8/0x19c [nvme_core] process_one_work+0x200/0x4e0 worker_thread+0x340/0x504 kthread+0x138/0x140 start_kernel_thread+0x14/0x18 While shutting down fabric controller, if nvme keep-alive request sneaks in then it would be flushed off. The nvme_keep_alive_end_io function is then invoked to handle the end of the keep-alive operation which decrements the admin->q_usage_counter and assuming this is the last/only request in the admin queue then the admin->q_usage_counter becomes zero. If that happens then blk-mq destroy queue operation (blk_mq_destroy_ queue()) which could be potentially running simultaneously on another cpu (as this is the controller shutdown code path) would forward progress and deletes the admin queue. So, now from this point onward we are not supposed to access the admin queue resources. However the issue here's that the nvme keep-alive thread running hw/hctx queue dispatch operation hasn't yet finished its work and so it could still potentially access the admin queue resource while the admin queue had been already deleted and that causes the above crash. The above kernel crash is regression caused due to changes implemented in commit a54a93d0e359 ("nvme: move stopping keep-alive into nvme_uninit_ctrl()"). Ideally we should stop keep-alive before destroyin g the admin queue and freeing the admin tagset so that it wouldn't sneak in during the shutdown operation. However we removed the keep alive stop operation from the beginning of the controller shutdown code path in commit a54a93d0e359 ("nvme: move stopping keep-alive into nvme_uninit_ctrl()") and added it under nvme_uninit_ctrl() which executes very late in the shutdown code path after the admin queue is destroyed and its tagset is removed. So this change created the possibility of keep-alive sneaking in and interfering with the shutdown operation and causing observed kernel crash. To fix the observed crash, we decided to move nvme_stop_keep_alive() from nvme_uninit_ctrl() to nvme_remove_admin_tag_set(). This change would ensure that we don't forward progress and delete the admin queue until the keep- alive operation is finished (if it's in-flight) or cancelled and that would help contain the race condition explained above and hence avoid the crash. Moving nvme_stop_keep_alive() to nvme_remove_admin_tag_set() instead of adding nvme_stop_keep_alive() to the beginning of the controller shutdown code path in nvme_stop_ctrl(), as was the case earlier before commit a54a93d0e359 ("nvme: move stopping keep-alive into nvme_uninit_ctrl()"), would help save one callsite of nvme_stop_keep_alive(). CVE-2024-53169 moderate In the Linux kernel, the following vulnerability has been resolved: block: fix uaf for flush rq while iterating tags blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk"), hence for disk like scsi, following blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well, cause following uaf that is found by our syzkaller for v6.6: ================================================================== BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909 CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32 Workqueue: kblockd blk_mq_timeout_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 bt_iter block/blk-mq-tag.c:288 [inline] __sbitmap_for_each_set include/linux/sbitmap.h:295 [inline] sbitmap_for_each_set include/linux/sbitmap.h:316 [inline] bt_for_each+0x455/0x790 block/blk-mq-tag.c:325 blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534 blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673 process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631 process_scheduled_works kernel/workqueue.c:2704 [inline] worker_thread+0x804/0xe40 kernel/workqueue.c:2785 kthread+0x346/0x450 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 942: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc mm/kasan/common.c:383 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:198 [inline] __do_kmalloc_node mm/slab_common.c:1007 [inline] __kmalloc_node+0x69/0x170 mm/slab_common.c:1014 kmalloc_node include/linux/slab.h:620 [inline] kzalloc_node include/linux/slab.h:732 [inline] blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499 blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788 blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261 blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294 blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350 blk_mq_init_queue_data block/blk-mq.c:4166 [inline] blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176 scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335 scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189 __scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727 scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline] scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791 scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844 scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151 store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191 dev_attr_store+0x5c/0x90 drivers/base/core.c:2388 sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338 call_write_iter include/linux/fs.h:2083 [inline] new_sync_write+0x1b4/0x2d0 fs/read_write.c:493 vfs_write+0x76c/0xb00 fs/read_write.c:586 ksys_write+0x127/0x250 fs/read_write.c:639 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Freed by task 244687: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:164 [in ---truncated--- CVE-2024-53170 moderate In the Linux kernel, the following vulnerability has been resolved: ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit After an insertion in TNC, the tree might split and cause a node to change its `znode->parent`. A further deletion of other nodes in the tree (which also could free the nodes), the aforementioned node's `znode->cparent` could still point to a freed node. This `znode->cparent` may not be updated when getting nodes to commit in `ubifs_tnc_start_commit()`. This could then trigger a use-after-free when accessing the `znode->cparent` in `write_index()` in `ubifs_tnc_end_commit()`. This can be triggered by running rm -f /etc/test-file.bin dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync in a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then reports: BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950 Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153 Call trace: dump_backtrace+0x0/0x340 show_stack+0x18/0x24 dump_stack_lvl+0x9c/0xbc print_address_description.constprop.0+0x74/0x2b0 kasan_report+0x1d8/0x1f0 kasan_check_range+0xf8/0x1a0 memcpy+0x84/0xf4 ubifs_tnc_end_commit+0xa5c/0x1950 do_commit+0x4e0/0x1340 ubifs_bg_thread+0x234/0x2e0 kthread+0x36c/0x410 ret_from_fork+0x10/0x20 Allocated by task 401: kasan_save_stack+0x38/0x70 __kasan_kmalloc+0x8c/0xd0 __kmalloc+0x34c/0x5bc tnc_insert+0x140/0x16a4 ubifs_tnc_add+0x370/0x52c ubifs_jnl_write_data+0x5d8/0x870 do_writepage+0x36c/0x510 ubifs_writepage+0x190/0x4dc __writepage+0x58/0x154 write_cache_pages+0x394/0x830 do_writepages+0x1f0/0x5b0 filemap_fdatawrite_wbc+0x170/0x25c file_write_and_wait_range+0x140/0x190 ubifs_fsync+0xe8/0x290 vfs_fsync_range+0xc0/0x1e4 do_fsync+0x40/0x90 __arm64_sys_fsync+0x34/0x50 invoke_syscall.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8 Freed by task 403: kasan_save_stack+0x38/0x70 kasan_set_track+0x28/0x40 kasan_set_free_info+0x28/0x4c __kasan_slab_free+0xd4/0x13c kfree+0xc4/0x3a0 tnc_delete+0x3f4/0xe40 ubifs_tnc_remove_range+0x368/0x73c ubifs_tnc_remove_ino+0x29c/0x2e0 ubifs_jnl_delete_inode+0x150/0x260 ubifs_evict_inode+0x1d4/0x2e4 evict+0x1c8/0x450 iput+0x2a0/0x3c4 do_unlinkat+0x2cc/0x490 __arm64_sys_unlinkat+0x90/0x100 invoke_syscall.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8 The offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free when a node becomes root in TNC but still has a `cparent` to an already freed node. More specifically, consider the following TNC: zroot / / zp1 / / zn Inserting a new node `zn_new` with a key smaller then `zn` will trigger a split in `tnc_insert()` if `zp1` is full: zroot / \ / \ zp1 zp2 / \ / \ zn_new zn `zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still points to `zp1`. Now, consider a removal of all the nodes _except_ `zn`. Just when `tnc_delete()` is about to delete `zroot` and `zp2`: zroot \ \ zp2 \ \ zn `zroot` and `zp2` get freed and the tree collapses: zn `zn` now becomes the new `zroot`. `get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and `write_index()` will check its `znode->cparent` that wrongly points to the already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called with `znode->cparent->zbranch[znode->iip].hash` that triggers the use-after-free! Fix this by explicitly setting `znode->cparent` to `NULL` in `get_znodes_to_commit()` for the root node. The search for the dirty nodes ---truncated--- CVE-2024-53171 important In the Linux kernel, the following vulnerability has been resolved: ubi: fastmap: Fix duplicate slab cache names while attaching Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when DEBUG_VM=y"), the duplicate slab cache names can be detected and a kernel WARNING is thrown out. In UBI fast attaching process, alloc_ai() could be invoked twice with the same slab cache name 'ubi_aeb_slab_cache', which will trigger following warning messages: kmem_cache of name 'ubi_aeb_slab_cache' already exists WARNING: CPU: 0 PID: 7519 at mm/slab_common.c:107 __kmem_cache_create_args+0x100/0x5f0 Modules linked in: ubi(+) nandsim [last unloaded: nandsim] CPU: 0 UID: 0 PID: 7519 Comm: modprobe Tainted: G 6.12.0-rc2 RIP: 0010:__kmem_cache_create_args+0x100/0x5f0 Call Trace: __kmem_cache_create_args+0x100/0x5f0 alloc_ai+0x295/0x3f0 [ubi] ubi_attach+0x3c3/0xcc0 [ubi] ubi_attach_mtd_dev+0x17cf/0x3fa0 [ubi] ubi_init+0x3fb/0x800 [ubi] do_init_module+0x265/0x7d0 __x64_sys_finit_module+0x7a/0xc0 The problem could be easily reproduced by loading UBI device by fastmap with CONFIG_DEBUG_VM=y. Fix it by using different slab names for alloc_ai() callers. CVE-2024-53172 moderate In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open() Yang Erkun reports that when two threads are opening files at the same time, and are forced to abort before a reply is seen, then the call to nfs_release_seqid() in nfs4_opendata_free() can result in a use-after-free of the pointer to the defunct rpc task of the other thread. The fix is to ensure that if the RPC call is aborted before the call to nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid() in nfs4_open_release() before the rpc_task is freed. CVE-2024-53173 important In the Linux kernel, the following vulnerability has been resolved: SUNRPC: make sure cache entry active before cache_show The function `c_show` was called with protection from RCU. This only ensures that `cp` will not be freed. Therefore, the reference count for `cp` can drop to zero, which will trigger a refcount use-after-free warning when `cache_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `cp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 822 at lib/refcount.c:25 refcount_warn_saturate+0xb1/0x120 CPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb1/0x120 Call Trace: <TASK> c_show+0x2fc/0x380 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2024-53174 moderate In the Linux kernel, the following vulnerability has been resolved: ipc: fix memleak if msg_init_ns failed in create_ipc_ns Percpu memory allocation may failed during create_ipc_ns however this fail is not handled properly since ipc sysctls and mq sysctls is not released properly. Fix this by release these two resource when failure. Here is the kmemleak stack when percpu failed: unreferenced object 0xffff88819de2a600 (size 512): comm "shmem_2nstest", pid 120711, jiffies 4300542254 hex dump (first 32 bytes): 60 aa 9d 84 ff ff ff ff fc 18 48 b2 84 88 ff ff `.........H..... 04 00 00 00 a4 01 00 00 20 e4 56 81 ff ff ff ff ........ .V..... backtrace (crc be7cba35): [<ffffffff81b43f83>] __kmalloc_node_track_caller_noprof+0x333/0x420 [<ffffffff81a52e56>] kmemdup_noprof+0x26/0x50 [<ffffffff821b2f37>] setup_mq_sysctls+0x57/0x1d0 [<ffffffff821b29cc>] copy_ipcs+0x29c/0x3b0 [<ffffffff815d6a10>] create_new_namespaces+0x1d0/0x920 [<ffffffff815d7449>] copy_namespaces+0x2e9/0x3e0 [<ffffffff815458f3>] copy_process+0x29f3/0x7ff0 [<ffffffff8154b080>] kernel_clone+0xc0/0x650 [<ffffffff8154b6b1>] __do_sys_clone+0xa1/0xe0 [<ffffffff843df8ff>] do_syscall_64+0xbf/0x1c0 [<ffffffff846000b0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 CVE-2024-53175 moderate In the Linux kernel, the following vulnerability has been resolved: smb: During unmount, ensure all cached dir instances drop their dentry The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs: BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] VFS: Busy inodes after unmount of cifs (cifs) ------------[ cut here ]------------ kernel BUG at fs/super.c:661! This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including: - Receiving a lease break from the server - Server reconnection triggers invalidate_all_cached_dirs(), which removes all the cfids from the list - The laundromat thread decides to expire an old cfid. To solve these problems, dropping the dentry is done in queued work done in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal. The final cleanup work for cleaning up a cfid is performed via work queued in the serverclose_wq workqueue; this is done separate from dropping the dentries so that close_all_cached_dirs() doesn't block on any server operations. Both of these queued works expect to invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing. While we're here, add proper locking to close_all_cached_dirs(), and locking around the freeing of cfid->dentry. CVE-2024-53176 moderate In the Linux kernel, the following vulnerability has been resolved: smb: prevent use-after-free due to open_cached_dir error paths If open_cached_dir() encounters an error parsing the lease from the server, the error handling may race with receiving a lease break, resulting in open_cached_dir() freeing the cfid while the queued work is pending. Update open_cached_dir() to drop refs rather than directly freeing the cfid. Have cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs() clear has_lease immediately while still holding cfids->cfid_list_lock, and then use this to also simplify the reference counting in cfids_laundromat_worker() and invalidate_all_cached_dirs(). Fixes this KASAN splat (which manually injects an error and lease break in open_cached_dir()): ================================================================== BUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0 Read of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65 CPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Workqueue: cifsiod smb2_cached_lease_break Call Trace: <TASK> dump_stack_lvl+0x77/0xb0 print_report+0xce/0x660 kasan_report+0xd3/0x110 smb2_cached_lease_break+0x27/0xb0 process_one_work+0x50a/0xc50 worker_thread+0x2ba/0x530 kthread+0x17c/0x1c0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 open_cached_dir+0xa7d/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x51/0x70 kfree+0x174/0x520 open_cached_dir+0x97f/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x33/0x60 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x32/0x100 __queue_work+0x5c9/0x870 queue_work_on+0x82/0x90 open_cached_dir+0x1369/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff88811cc24c00 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000) CVE-2024-53177 important In the Linux kernel, the following vulnerability has been resolved: smb: Don't leak cfid when reconnect races with open_cached_dir open_cached_dir() may either race with the tcon reconnection even before compound_send_recv() or directly trigger a reconnection via SMB2_open_init() or SMB_query_info_init(). The reconnection process invokes invalidate_all_cached_dirs() via cifs_mark_open_files_invalid(), which removes all cfids from the cfids->entries list but doesn't drop a ref if has_lease isn't true. This results in the currently-being-constructed cfid not being on the list, but still having a refcount of 2. It leaks if returned from open_cached_dir(). Fix this by setting cfid->has_lease when the ref is actually taken; the cfid will not be used by other threads until it has a valid time. Addresses these kmemleaks: unreferenced object 0xffff8881090c4000 (size 1024): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 32 bytes): 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........"....... 00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E"......O..... backtrace (crc 6f58c20f): [<ffffffff8b895a1e>] __kmalloc_cache_noprof+0x2be/0x350 [<ffffffff8bda06e3>] open_cached_dir+0x993/0x1fb0 [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50 [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0 [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200 [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0 [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e unreferenced object 0xffff8881044fdcf8 (size 8): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 8 bytes): 00 cc cc cc cc cc cc cc ........ backtrace (crc 10c106a9): [<ffffffff8b89a3d3>] __kmalloc_node_track_caller_noprof+0x363/0x480 [<ffffffff8b7d7256>] kstrdup+0x36/0x60 [<ffffffff8bda0700>] open_cached_dir+0x9b0/0x1fb0 [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50 [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0 [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200 [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0 [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e And addresses these BUG splats when unmounting the SMB filesystem: BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] WARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100 Modules linked in: CPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:umount_check+0xd0/0x100 Code: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41 RSP: 0018:ffff88811cc27978 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40 RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3 R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08 R13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0 FS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0 Call Trace: <TASK> d_walk+0x6a/0x530 shrink_dcache_for_umount+0x6a/0x200 generic_shutdown_super+0x52/0x2a0 kill_anon_super+0x22/0x40 cifs_kill_sb+0x159/0x1e0 deactivate_locked_super+0x66/0xe0 cleanup_mnt+0x140/0x210 task_work_run+0xfb/0x170 syscall_exit_to_user_mode+0x29f/0x2b0 do_syscall_64+0xa1/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f23bfb93ae7 Code: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 ---truncated--- CVE-2024-53178 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free of signing key Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING. CVE-2024-53179 important In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Add sanity NULL check for the default mmap fault handler A driver might allow the mmap access before initializing its runtime->dma_area properly. Add a proper NULL check before passing to virt_to_page() for avoiding a panic. CVE-2024-53180 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix NULL ptr deref in crypto_aead_setkey() Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4. Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02. Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well. mount.cifs //srv/share /mnt -o vers=3.02,seal,... BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130 Read of size 8 at addr 0000000000000020 by task mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? crypto_aead_setkey+0x2c/0x130 kasan_report+0xda/0x110 ? crypto_aead_setkey+0x2c/0x130 crypto_aead_setkey+0x2c/0x130 crypt_message+0x258/0xec0 [cifs] ? __asan_memset+0x23/0x50 ? __pfx_crypt_message+0x10/0x10 [cifs] ? mark_lock+0xb0/0x6a0 ? hlock_class+0x32/0xb0 ? mark_lock+0xb0/0x6a0 smb3_init_transform_rq+0x352/0x3f0 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 smb_send_rqst+0x144/0x230 [cifs] ? __pfx_smb_send_rqst+0x10/0x10 [cifs] ? hlock_class+0x32/0xb0 ? smb2_setup_request+0x225/0x3a0 [cifs] ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs] compound_send_recv+0x59b/0x1140 [cifs] ? __pfx_compound_send_recv+0x10/0x10 [cifs] ? __create_object+0x5e/0x90 ? hlock_class+0x32/0xb0 ? do_raw_spin_unlock+0x9a/0xf0 cifs_send_recv+0x23/0x30 [cifs] SMB2_tcon+0x3ec/0xb30 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_trylock+0xc6/0x120 ? lock_acquire+0x3f/0x90 ? _get_xid+0x16/0xd0 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs] cifs_get_smb_ses+0xcdd/0x10a0 [cifs] ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs] ? cifs_get_tcp_session+0xaa0/0xca0 [cifs] cifs_mount_get_session+0x8a/0x210 [cifs] dfs_mount_share+0x1b0/0x11d0 [cifs] ? __pfx___lock_acquire+0x10/0x10 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? lock_release+0x203/0x5d0 cifs_mount+0xb3/0x3d0 [cifs] ? do_raw_spin_trylock+0xc6/0x120 ? __pfx_cifs_mount+0x10/0x10 [cifs] ? lock_acquire+0x3f/0x90 ? find_nls+0x16/0xa0 ? smb3_update_mnt_flags+0x372/0x3b0 [cifs] cifs_smb3_do_mount+0x1e2/0xc80 [cifs] ? __pfx_vfs_parse_fs_string+0x10/0x10 ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs] smb3_get_tree+0x1bf/0x330 [cifs] vfs_get_tree+0x4a/0x160 path_mount+0x3c1/0xfb0 ? kasan_quarantine_put+0xc7/0x1d0 ? __pfx_path_mount+0x10/0x10 ? kmem_cache_free+0x118/0x3e0 ? user_path_at+0x74/0xa0 __x64_sys_mount+0x1a6/0x1e0 ? __pfx___x64_sys_mount+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-53185 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: check for overflows in io_pin_pages WARNING: CPU: 0 PID: 5834 at io_uring/memmap.c:144 io_pin_pages+0x149/0x180 io_uring/memmap.c:144 CPU: 0 UID: 0 PID: 5834 Comm: syz-executor825 Not tainted 6.12.0-next-20241118-syzkaller #0 Call Trace: <TASK> __io_uaddr_map+0xfb/0x2d0 io_uring/memmap.c:183 io_rings_map io_uring/io_uring.c:2611 [inline] io_allocate_scq_urings+0x1c0/0x650 io_uring/io_uring.c:3470 io_uring_create+0x5b5/0xc00 io_uring/io_uring.c:3692 io_uring_setup io_uring/io_uring.c:3781 [inline] ... </TASK> io_pin_pages()'s uaddr parameter came directly from the user and can be garbage. Don't just add size to it as it can overflow. CVE-2024-53187 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix crash when unbinding If there is an error during some initialization related to firmware, the function ath12k_dp_cc_cleanup is called to release resources. However this is released again when the device is unbinded (ath12k_pci), and we get: BUG: kernel NULL pointer dereference, address: 0000000000000020 at RIP: 0010:ath12k_dp_cc_cleanup.part.0+0xb6/0x500 [ath12k] Call Trace: ath12k_dp_cc_cleanup ath12k_dp_free ath12k_core_deinit ath12k_pci_remove ... The issue is always reproducible from a VM because the MSI addressing initialization is failing. In order to fix the issue, just set to NULL the released structure in ath12k_dp_cc_cleanup at the end. CVE-2024-53188 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures Syzkaller reported a hung task with uevent_show() on stack trace. That specific issue was addressed by another commit [0], but even with that fix applied (for example, running v6.12-rc5) we face another type of hung task that comes from the same reproducer [1]. By investigating that, we could narrow it to the following path: (a) Syzkaller emulates a Realtek USB WiFi adapter using raw-gadget and dummy_hcd infrastructure. (b) During the probe of rtl8192cu, the driver ends-up performing an efuse read procedure (which is related to EEPROM load IIUC), and here lies the issue: the function read_efuse() calls read_efuse_byte() many times, as loop iterations depending on the efuse size (in our example, 512 in total). This procedure for reading efuse bytes relies in a loop that performs an I/O read up to *10k* times in case of failures. We measured the time of the loop inside read_efuse_byte() alone, and in this reproducer (which involves the dummy_hcd emulation layer), it takes 15 seconds each. As a consequence, we have the driver stuck in its probe routine for big time, exposing a stack trace like below if we attempt to reboot the system, for example: task:kworker/0:3 state:D stack:0 pid:662 tgid:662 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: __schedule+0xe22/0xeb6 schedule_timeout+0xe7/0x132 __wait_for_common+0xb5/0x12e usb_start_wait_urb+0xc5/0x1ef ? usb_alloc_urb+0x95/0xa4 usb_control_msg+0xff/0x184 _usbctrl_vendorreq_sync+0xa0/0x161 _usb_read_sync+0xb3/0xc5 read_efuse_byte+0x13c/0x146 read_efuse+0x351/0x5f0 efuse_read_all_map+0x42/0x52 rtl_efuse_shadow_map_update+0x60/0xef rtl_get_hwinfo+0x5d/0x1c2 rtl92cu_read_eeprom_info+0x10a/0x8d5 ? rtl92c_read_chip_version+0x14f/0x17e rtl_usb_probe+0x323/0x851 usb_probe_interface+0x278/0x34b really_probe+0x202/0x4a4 __driver_probe_device+0x166/0x1b2 driver_probe_device+0x2f/0xd8 [...] We propose hereby to drastically reduce the attempts of doing the I/O reads in case of failures, restricted to USB devices (given that they're inherently slower than PCIe ones). By retrying up to 10 times (instead of 10000), we got reponsiveness in the reproducer, while seems reasonable to believe that there's no sane USB device implementation in the field requiring this amount of retries at every I/O read in order to properly work. Based on that assumption, it'd be good to have it backported to stable but maybe not since driver implementation (the 10k number comes from day 0), perhaps up to 6.x series makes sense. [0] Commit 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race") [1] A note about that: this syzkaller report presents multiple reproducers that differs by the type of emulated USB device. For this specific case, check the entry from 2024/08/08 06:23 in the list of crashes; the C repro is available at https://syzkaller.appspot.com/text?tag=ReproC&x=1521fc83980000. CVE-2024-53190 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix warning when unbinding If there is an error during some initialization related to firmware, the buffers dp->tx_ring[i].tx_status are released. However this is released again when the device is unbinded (ath12k_pci), and we get: WARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80 Call Trace: free_large_kmalloc ath12k_dp_free ath12k_core_deinit ath12k_pci_remove ... The issue is always reproducible from a VM because the MSI addressing initialization is failing. In order to fix the issue, just set the buffers to NULL after releasing in order to avoid the double free. CVE-2024-53191 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: Fix use-after-free of slot->bus on hot remove Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock. Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot firmware"), USB4 v2 and v1 Host Routers are reset on probe of the thunderbolt driver. The reset clears the Presence Detect State and Data Link Layer Link Active bits at the USB4 Host Router's Root Port and thus causes hot removal of the dock. The crash occurs when pciehp is unbound from one of the dock's Downstream Ports: pciehp creates a pci_slot on bind and destroys it on unbind. The pci_slot contains a pointer to the pci_bus below the Downstream Port, but a reference on that pci_bus is never acquired. The pci_bus is destroyed before the pci_slot, so a use-after-free ensues when pci_slot_release() accesses slot->bus. In principle this should not happen because pci_stop_bus_device() unbinds pciehp (and therefore destroys the pci_slot) before the pci_bus is destroyed by pci_remove_bus_device(). However the stacktrace provided by Dennis shows that pciehp is unbound from pci_remove_bus_device() instead of pci_stop_bus_device(). To understand the significance of this, one needs to know that the PCI core uses a two step process to remove a portion of the hierarchy: It first unbinds all drivers in the sub-hierarchy in pci_stop_bus_device() and then actually removes the devices in pci_remove_bus_device(). There is no precaution to prevent driver binding in-between pci_stop_bus_device() and pci_remove_bus_device(). In Dennis' case, it seems removal of the hierarchy by pciehp races with driver binding by pci_bus_add_devices(). pciehp is bound to the Downstream Port after pci_stop_bus_device() has run, so it is unbound by pci_remove_bus_device() instead of pci_stop_bus_device(). Because the pci_bus has already been destroyed at that point, accesses to it result in a use-after-free. One might conclude that driver binding needs to be prevented after pci_stop_bus_device() has run. However it seems risky that pci_slot points to pci_bus without holding a reference. Solely relying on correct ordering of driver unbind versus pci_bus destruction is certainly not defensive programming. If pci_slot has a need to access data in pci_bus, it ought to acquire a reference. Amend pci_create_slot() accordingly. Dennis reports that the crash is not reproducible with this change. Abridged stacktrace: pcieport 0000:00:07.0: PME: Signaling with IRQ 156 pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+ pci_bus 0000:20: dev 00, created physical slot 12 pcieport 0000:00:07.0: pciehp: Slot(12): Card not present ... pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0 Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1 RIP: 0010:dev_driver_string+0x12/0x40 pci_destroy_slot pciehp_remove pcie_port_remove_service device_release_driver_internal bus_remove_device device_del device_unregister remove_iter device_for_each_child pcie_portdrv_remove pci_device_remove device_release_driver_internal bus_remove_device device_del pci_remove_bus_device (recursive invocation) pci_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_ist CVE-2024-53194 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Get rid of userspace_irqchip_in_use Improper use of userspace_irqchip_in_use led to syzbot hitting the following WARN_ON() in kvm_timer_update_irq(): WARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/arch_timer.c:459 kvm_timer_update_irq+0x21c/0x394 Call trace: kvm_timer_update_irq+0x21c/0x394 arch/arm64/kvm/arch_timer.c:459 kvm_timer_vcpu_reset+0x158/0x684 arch/arm64/kvm/arch_timer.c:968 kvm_reset_vcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264 kvm_vcpu_set_target arch/arm64/kvm/arm.c:1553 [inline] kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1573 [inline] kvm_arch_vcpu_ioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695 kvm_vcpu_ioctl+0x4ec/0xf74 virt/kvm/kvm_main.c:4658 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __arm64_sys_ioctl+0x108/0x184 fs/ioctl.c:893 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 The following sequence led to the scenario: - Userspace creates a VM and a vCPU. - The vCPU is initialized with KVM_ARM_VCPU_PMU_V3 during KVM_ARM_VCPU_INIT. - Without any other setup, such as vGIC or vPMU, userspace issues KVM_RUN on the vCPU. Since the vPMU is requested, but not setup, kvm_arm_pmu_v3_enable() fails in kvm_arch_vcpu_run_pid_change(). As a result, KVM_RUN returns after enabling the timer, but before incrementing 'userspace_irqchip_in_use': kvm_arch_vcpu_run_pid_change() ret = kvm_arm_pmu_v3_enable() if (!vcpu->arch.pmu.created) return -EINVAL; if (ret) return ret; [...] if (!irqchip_in_kernel(kvm)) static_branch_inc(&userspace_irqchip_in_use); - Userspace ignores the error and issues KVM_ARM_VCPU_INIT again. Since the timer is already enabled, control moves through the following flow, ultimately hitting the WARN_ON(): kvm_timer_vcpu_reset() if (timer->enabled) kvm_timer_update_irq() if (!userspace_irqchip()) ret = kvm_vgic_inject_irq() ret = vgic_lazy_init() if (unlikely(!vgic_initialized(kvm))) if (kvm->arch.vgic.vgic_model != KVM_DEV_TYPE_ARM_VGIC_V2) return -EBUSY; WARN_ON(ret); Theoretically, since userspace_irqchip_in_use's functionality can be simply replaced by '!irqchip_in_kernel()', get rid of the static key to avoid the mismanagement, which also helps with the syzbot issue. CVE-2024-53195 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Don't retire aborted MMIO instruction Returning an abort to the guest for an unsupported MMIO access is a documented feature of the KVM UAPI. Nevertheless, it's clear that this plumbing has seen limited testing, since userspace can trivially cause a WARN in the MMIO return: WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536 Call trace: kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536 kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133 kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487 __do_sys_ioctl fs/ioctl.c:51 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 The splat is complaining that KVM is advancing PC while an exception is pending, i.e. that KVM is retiring the MMIO instruction despite a pending synchronous external abort. Womp womp. Fix the glaring UAPI bug by skipping over all the MMIO emulation in case there is a pending synchronous exception. Note that while userspace is capable of pending an asynchronous exception (SError, IRQ, or FIQ), it is still safe to retire the MMIO instruction in this case as (1) they are by definition asynchronous, and (2) KVM relies on hardware support for pending/delivering these exceptions instead of the software state machine for advancing PC. CVE-2024-53196 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration. CVE-2024-53197 moderate In the Linux kernel, the following vulnerability has been resolved: xen: Fix the issue of resource not being properly released in xenbus_dev_probe() This patch fixes an issue in the function xenbus_dev_probe(). In the xenbus_dev_probe() function, within the if (err) branch at line 313, the program incorrectly returns err directly without releasing the resources allocated by err = drv->probe(dev, id). As the return value is non-zero, the upper layers assume the processing logic has failed. However, the probe operation was performed earlier without a corresponding remove operation. Since the probe actually allocates resources, failing to perform the remove operation could lead to problems. To fix this issue, we followed the resource release logic of the xenbus_dev_remove() function by adding a new block fail_remove before the fail_put block. After entering the branch if (err) at line 313, the function will use a goto statement to jump to the fail_remove block, ensuring that the previously acquired resources are correctly released, thus preventing the reference count leak. This bug was identified by an experimental static analysis tool developed by our team. The tool specializes in analyzing reference count operations and detecting potential issues where resources are not properly managed. In this case, the tool flagged the missing release operation as a potential problem, which led to the development of this patch. CVE-2024-53198 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null check for pipe_ctx->plane_state in hwss_setup_dpp This commit addresses a null pointer dereference issue in hwss_setup_dpp(). The issue could occur when pipe_ctx->plane_state is null. The fix adds a check to ensure `pipe_ctx->plane_state` is not null before accessing. This prevents a null pointer dereference. CVE-2024-53200 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe This commit addresses a null pointer dereference issue in dcn20_program_pipe(). Previously, commit 8e4ed3cf1642 ("drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe") partially fixed the null pointer dereference issue. However, in dcn20_update_dchubp_dpp(), the variable pipe_ctx is passed in, and plane_state is accessed again through pipe_ctx. Multiple if statements directly call attributes of plane_state, leading to potential null pointer dereference issues. This patch adds necessary null checks to ensure stability. CVE-2024-53201 moderate In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Fix possible resource leak in fw_log_firmware_info() The alg instance should be released under the exception path, otherwise there may be resource leak here. To mitigate this, free the alg instance with crypto_free_shash when kmalloc fails. CVE-2024-53202 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: fix potential array underflow in ucsi_ccg_sync_control() The "command" variable can be controlled by the user via debugfs. The worry is that if con_index is zero then "&uc->ucsi->connector[con_index - 1]" would be an array underflow. CVE-2024-53203 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible deadlocks This fixes possible deadlocks like the following caused by hci_cmd_sync_dequeue causing the destroy function to run: INFO: task kworker/u19:0:143 blocked for more than 120 seconds. Tainted: G W O 6.8.0-2024-03-19-intel-next-iLS-24ww14 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u19:0 state:D stack:0 pid:143 tgid:143 ppid:2 flags:0x00004000 Workqueue: hci0 hci_cmd_sync_work [bluetooth] Call Trace: <TASK> __schedule+0x374/0xaf0 schedule+0x3c/0xf0 schedule_preempt_disabled+0x1c/0x30 __mutex_lock.constprop.0+0x3ef/0x7a0 __mutex_lock_slowpath+0x13/0x20 mutex_lock+0x3c/0x50 mgmt_set_connectable_complete+0xa4/0x150 [bluetooth] ? kfree+0x211/0x2a0 hci_cmd_sync_dequeue+0xae/0x130 [bluetooth] ? __pfx_cmd_complete_rsp+0x10/0x10 [bluetooth] cmd_complete_rsp+0x26/0x80 [bluetooth] mgmt_pending_foreach+0x4d/0x70 [bluetooth] __mgmt_power_off+0x8d/0x180 [bluetooth] ? _raw_spin_unlock_irq+0x23/0x40 hci_dev_close_sync+0x445/0x5b0 [bluetooth] hci_set_powered_sync+0x149/0x250 [bluetooth] set_powered_sync+0x24/0x60 [bluetooth] hci_cmd_sync_work+0x90/0x150 [bluetooth] process_one_work+0x13e/0x300 worker_thread+0x2f7/0x420 ? __pfx_worker_thread+0x10/0x10 kthread+0x107/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x3d/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> CVE-2024-53207 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353 Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54 CPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 q kasan_report+0x143/0x180 mm/kasan/report.c:601 set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd10 kernel/workqueue.c:3389 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193 kmalloc_noprof include/linux/slab.h:681 [inline] kzalloc_noprof include/linux/slab.h:807 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa72/0xc90 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5246: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x149/0x360 mm/slub.c:4598 settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455 hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83gv entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-53208 important In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix receive ring space parameters when XDP is active The MTU setting at the time an XDP multi-buffer is attached determines whether the aggregation ring will be used and the rx_skb_func handler. This is done in bnxt_set_rx_skb_mode(). If the MTU is later changed, the aggregation ring setting may need to be changed and it may become out-of-sync with the settings initially done in bnxt_set_rx_skb_mode(). This may result in random memory corruption and crashes as the HW may DMA data larger than the allocated buffer size, such as: BUG: kernel NULL pointer dereference, address: 00000000000003c0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1 Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021 RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en] Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202 RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380 RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980 R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990 FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en] To address the issue, we now call bnxt_set_rx_skb_mode() within bnxt_change_mtu() to properly set the AGG rings configuration and update rx_skb_func based on the new MTU value. Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on the current MTU. CVE-2024-53209 moderate In the Linux kernel, the following vulnerability has been resolved: s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() Passing MSG_PEEK flag to skb_recv_datagram() increments skb refcount (skb->users) and iucv_sock_recvmsg() does not decrement skb refcount at exit. This results in skb memory leak in skb_queue_purge() and WARN_ON in iucv_sock_destruct() during socket close. To fix this decrease skb refcount by one if MSG_PEEK is set in order to prevent memory leak and WARN_ON. WARNING: CPU: 2 PID: 6292 at net/iucv/af_iucv.c:286 iucv_sock_destruct+0x144/0x1a0 [af_iucv] CPU: 2 PID: 6292 Comm: afiucv_test_msg Kdump: loaded Tainted: G W 6.10.0-rc7 #1 Hardware name: IBM 3931 A01 704 (z/VM 7.3.0) Call Trace: [<001587c682c4aa98>] iucv_sock_destruct+0x148/0x1a0 [af_iucv] [<001587c682c4a9d0>] iucv_sock_destruct+0x80/0x1a0 [af_iucv] [<001587c704117a32>] __sk_destruct+0x52/0x550 [<001587c704104a54>] __sock_release+0xa4/0x230 [<001587c704104c0c>] sock_close+0x2c/0x40 [<001587c702c5f5a8>] __fput+0x2e8/0x970 [<001587c7024148c4>] task_work_run+0x1c4/0x2c0 [<001587c7023b0716>] do_exit+0x996/0x1050 [<001587c7023b13aa>] do_group_exit+0x13a/0x360 [<001587c7023b1626>] __s390x_sys_exit_group+0x56/0x60 [<001587c7022bccca>] do_syscall+0x27a/0x380 [<001587c7049a6a0c>] __do_syscall+0x9c/0x160 [<001587c7049ce8a8>] system_call+0x70/0x98 Last Breaking-Event-Address: [<001587c682c4a9d4>] iucv_sock_destruct+0x84/0x1a0 [af_iucv] CVE-2024-53210 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: Fix double free issue with interrupt buffer allocation In lan78xx_probe(), the buffer `buf` was being freed twice: once implicitly through `usb_free_urb(dev->urb_intr)` with the `URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused a double free issue. To resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to simplify the initialization sequence and removed the redundant `kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring it is correctly managed by `usb_fill_int_urb()` and freed by `usb_free_urb()` as intended. CVE-2024-53213 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Properly hide first-in-list PCIe extended capability There are cases where a PCIe extended capability should be hidden from the user. For example, an unknown capability (i.e., capability with ID greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally chosen to be hidden from the user. Hiding a capability is done by virtualizing and modifying the 'Next Capability Offset' field of the previous capability so it points to the capability after the one that should be hidden. The special case where the first capability in the list should be hidden is handled differently because there is no previous capability that can be modified. In this case, the capability ID and version are zeroed while leaving the next pointer intact. This hides the capability and leaves an anchor for the rest of the capability list. However, today, hiding the first capability in the list is not done properly if the capability is unknown, as struct vfio_pci_core_device->pci_config_map is set to the capability ID during initialization but the capability ID is not properly checked later when used in vfio_config_do_rw(). This leads to the following warning [1] and to an out-of-bounds access to ecap_perms array. Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct read only access instead of the ecap_perms array. Note that this is safe since the above is the only case where cap_id can exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which are already checked before). [1] WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1 (snip) Call Trace: <TASK> ? show_regs+0x69/0x80 ? __warn+0x8d/0x140 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? report_bug+0x18f/0x1a0 ? handle_bug+0x63/0xa0 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core] vfio_pci_rw+0x101/0x1b0 [vfio_pci_core] vfio_pci_core_read+0x1d/0x30 [vfio_pci_core] vfio_device_fops_read+0x27/0x40 [vfio] vfs_read+0xbd/0x340 ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio] ? __rseq_handle_notify_resume+0xa4/0x4b0 __x64_sys_pread64+0x96/0xc0 x64_sys_call+0x1c3d/0x20d0 do_syscall_64+0x4d/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2024-53214 important In the Linux kernel, the following vulnerability has been resolved: svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init() There's issue as follows: RPC: Registered rdma transport module. RPC: Registered rdma backchannel transport module. RPC: Unregistered rdma transport module. RPC: Unregistered rdma backchannel transport module. BUG: unable to handle page fault for address: fffffbfff80c609a PGD 123fee067 P4D 123fee067 PUD 123fea067 PMD 10c624067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI RIP: 0010:percpu_counter_destroy_many+0xf7/0x2a0 Call Trace: <TASK> __die+0x1f/0x70 page_fault_oops+0x2cd/0x860 spurious_kernel_fault+0x36/0x450 do_kern_addr_fault+0xca/0x100 exc_page_fault+0x128/0x150 asm_exc_page_fault+0x26/0x30 percpu_counter_destroy_many+0xf7/0x2a0 mmdrop+0x209/0x350 finish_task_switch.isra.0+0x481/0x840 schedule_tail+0xe/0xd0 ret_from_fork+0x23/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> If register_sysctl() return NULL, then svc_rdma_proc_cleanup() will not destroy the percpu counters which init in svc_rdma_proc_init(). If CONFIG_HOTPLUG_CPU is enabled, residual nodes may be in the 'percpu_counters' list. The above issue may occur once the module is removed. If the CONFIG_HOTPLUG_CPU configuration is not enabled, memory leakage occurs. To solve above issue just destroy all percpu counters when register_sysctl() return NULL. CVE-2024-53215 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: release svc_expkey/svc_export with rcu_work The last reference for `cache_head` can be reduced to zero in `c_show` and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently, `svc_export_put` and `expkey_put` will be invoked, leading to two issues: 1. The `svc_export_put` will directly free ex_uuid. However, `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can trigger a use-after-free issue, shown below. ================================================================== BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd] Read of size 1 at addr ff11000010fdc120 by task cat/870 CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_address_description.constprop.0+0x2c/0x3a0 print_report+0xb9/0x280 kasan_report+0xae/0xe0 svc_export_show+0x362/0x430 [nfsd] c_show+0x161/0x390 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 830: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc_node_track_caller_noprof+0x1bc/0x400 kmemdup_noprof+0x22/0x50 svc_export_parse+0x8a9/0xb80 [nfsd] cache_do_downcall+0x71/0xa0 [sunrpc] cache_write_procfs+0x8e/0xd0 [sunrpc] proc_reg_write+0xe1/0x140 vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 868: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kfree+0xf3/0x3e0 svc_export_put+0x87/0xb0 [nfsd] cache_purge+0x17f/0x1f0 [sunrpc] nfsd_destroy_serv+0x226/0x2d0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e 2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`. However, `svc_export_put`/`expkey_put` will call path_put, which subsequently triggers a sleeping operation due to the following `dput`. ============================= WARNING: suspicious RCU usage 5.10.0-dirty #141 Not tainted ----------------------------- ... Call Trace: dump_stack+0x9a/0xd0 ___might_sleep+0x231/0x240 dput+0x39/0x600 path_put+0x1b/0x30 svc_export_put+0x17/0x80 e_show+0x1c9/0x200 seq_read_iter+0x63f/0x7c0 seq_read+0x226/0x2d0 vfs_read+0x113/0x2c0 ksys_read+0xc9/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Fix these issues by using `rcu_work` to help release `svc_expkey`/`svc_export`. This approach allows for an asynchronous context to invoke `path_put` and also facilitates the freeing of `uuid/exp/key` after an RCU grace period. CVE-2024-53216 moderate In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent NULL dereference in nfsd4_process_cb_update() @ses is initialized to NULL. If __nfsd4_find_backchannel() finds no available backchannel session, setup_callback_client() will try to dereference @ses and segfault. CVE-2024-53217 moderate In the Linux kernel, the following vulnerability has been resolved: zram: fix NULL pointer in comp_algorithm_show() LTP reported a NULL pointer dereference as followed: CPU: 7 UID: 0 PID: 5995 Comm: cat Kdump: loaded Not tainted 6.12.0-rc6+ #3 Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __pi_strcmp+0x24/0x140 lr : zcomp_available_show+0x60/0x100 [zram] sp : ffff800088b93b90 x29: ffff800088b93b90 x28: 0000000000000001 x27: 0000000000400cc0 x26: 0000000000000ffe x25: ffff80007b3e2388 x24: 0000000000000000 x23: ffff80007b3e2390 x22: ffff0004041a9000 x21: ffff80007b3e2900 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff80007b3e2900 x9 : ffff80007b3cb280 x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000040 x4 : 0000000000000000 x3 : 00656c722d6f7a6c x2 : 0000000000000000 x1 : ffff80007b3e2900 x0 : 0000000000000000 Call trace: __pi_strcmp+0x24/0x140 comp_algorithm_show+0x40/0x70 [zram] dev_attr_show+0x28/0x80 sysfs_kf_seq_show+0x90/0x140 kernfs_seq_show+0x34/0x48 seq_read_iter+0x1d4/0x4e8 kernfs_fop_read_iter+0x40/0x58 new_sync_read+0x9c/0x168 vfs_read+0x1a8/0x1f8 ksys_read+0x74/0x108 __arm64_sys_read+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0x138 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x188/0x190 The zram->comp_algs[ZRAM_PRIMARY_COMP] can be NULL in zram_add() if comp_algorithm_set() has not been called. User can access the zram device by sysfs after device_add_disk(), so there is a time window to trigger the NULL pointer dereference. Move it ahead device_add_disk() to make sure when user can access the zram device, it is ready. comp_algorithm_set() is protected by zram->init_lock in other places and no such problem. CVE-2024-53222 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Move events notifier registration to be after device registration Move pkey change work initialization and cleanup from device resources stage to notifier stage, since this is the stage which handles this work events. Fix a race between the device deregistration and pkey change work by moving MLX5_IB_STAGE_DEVICE_NOTIFIER to be after MLX5_IB_STAGE_IB_REG in order to ensure that the notifier is deregistered before the device during cleanup. Which ensures there are no works that are being executed after the device has already unregistered which can cause the panic below. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 630071 Comm: kworker/1:2 Kdump: loaded Tainted: G W OE --------- --- 5.14.0-162.6.1.el9_1.x86_64 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 02/27/2023 Workqueue: events pkey_change_handler [mlx5_ib] RIP: 0010:setup_qp+0x38/0x1f0 [mlx5_ib] Code: ee 41 54 45 31 e4 55 89 f5 53 48 89 fb 48 83 ec 20 8b 77 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 8d 4c 24 16 <4c> 8b 38 49 8b 87 80 0b 00 00 4c 89 ff 48 8b 80 08 05 00 00 8b 40 RSP: 0018:ffffbcc54068be20 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff954054494128 RCX: ffffbcc54068be36 RDX: ffff954004934000 RSI: 0000000000000001 RDI: ffff954054494128 RBP: 0000000000000023 R08: ffff954001be2c20 R09: 0000000000000001 R10: ffff954001be2c20 R11: ffff9540260133c0 R12: 0000000000000000 R13: 0000000000000023 R14: 0000000000000000 R15: ffff9540ffcb0905 FS: 0000000000000000(0000) GS:ffff9540ffc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010625c001 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5_ib_gsi_pkey_change+0x20/0x40 [mlx5_ib] process_one_work+0x1e8/0x3c0 worker_thread+0x50/0x3b0 ? rescuer_thread+0x380/0x380 kthread+0x149/0x170 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x22/0x30 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) mlx5_fwctl(OE) fwctl(OE) ib_uverbs(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlx_compat(OE) psample mlxfw(OE) tls knem(OE) netconsole nfsv3 nfs_acl nfs lockd grace fscache netfs qrtr rfkill sunrpc intel_rapl_msr intel_rapl_common rapl hv_balloon hv_utils i2c_piix4 pcspkr joydev fuse ext4 mbcache jbd2 sr_mod sd_mod cdrom t10_pi sg ata_generic pci_hyperv pci_hyperv_intf hyperv_drm drm_shmem_helper drm_kms_helper hv_storvsc syscopyarea hv_netvsc sysfillrect sysimgblt hid_hyperv fb_sys_fops scsi_transport_fc hyperv_keyboard drm ata_piix crct10dif_pclmul crc32_pclmul crc32c_intel libata ghash_clmulni_intel hv_vmbus serio_raw [last unloaded: ib_core] CR2: 0000000000000000 ---[ end trace f6f8be4eae12f7bc ]--- CVE-2024-53224 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() ib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument. The driver needs to check whether it is a NULL pointer before dereferencing it. CVE-2024-53226 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Fix use-after-free in bfad_im_module_exit() BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20 Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303 Call Trace: <TASK> dump_stack_lvl+0x95/0xe0 print_report+0xcb/0x620 kasan_report+0xbd/0xf0 __lock_acquire+0x2aca/0x3a20 lock_acquire+0x19b/0x520 _raw_spin_lock+0x2b/0x40 attribute_container_unregister+0x30/0x160 fc_release_transport+0x19/0x90 [scsi_transport_fc] bfad_im_module_exit+0x23/0x60 [bfa] bfad_init+0xdb/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated by task 25303: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 fc_attach_transport+0x4f/0x4740 [scsi_transport_fc] bfad_im_module_init+0x17/0x80 [bfa] bfad_init+0x23/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 25303: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x38/0x50 kfree+0x212/0x480 bfad_im_module_init+0x7e/0x80 [bfa] bfad_init+0x23/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Above issue happens as follows: bfad_init error = bfad_im_module_init() fc_release_transport(bfad_im_scsi_transport_template); if (error) goto ext; ext: bfad_im_module_exit(); fc_release_transport(bfad_im_scsi_transport_template); --> Trigger double release Don't call bfad_im_module_exit() if bfad_im_module_init() failed. CVE-2024-53227 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the qp flush warnings in req When the qp is in error state, the status of WQEs in the queue should be set to error. Or else the following will appear. [ 920.617269] WARNING: CPU: 1 PID: 21 at drivers/infiniband/sw/rxe/rxe_comp.c:756 rxe_completer+0x989/0xcc0 [rdma_rxe] [ 920.617744] Modules linked in: rnbd_client(O) rtrs_client(O) rtrs_core(O) rdma_ucm rdma_cm iw_cm ib_cm crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core loop brd null_blk ipv6 [ 920.618516] CPU: 1 PID: 21 Comm: ksoftirqd/1 Tainted: G O 6.1.113-storage+ #65 [ 920.618986] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 920.619396] RIP: 0010:rxe_completer+0x989/0xcc0 [rdma_rxe] [ 920.619658] Code: 0f b6 84 24 3a 02 00 00 41 89 84 24 44 04 00 00 e9 2a f7 ff ff 39 ca bb 03 00 00 00 b8 0e 00 00 00 48 0f 45 d8 e9 15 f7 ff ff <0f> 0b e9 cb f8 ff ff 41 bf f5 ff ff ff e9 08 f8 ff ff 49 8d bc 24 [ 920.620482] RSP: 0018:ffff97b7c00bbc38 EFLAGS: 00010246 [ 920.620817] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000008 [ 920.621183] RDX: ffff960dc396ebc0 RSI: 0000000000005400 RDI: ffff960dc4e2fbac [ 920.621548] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffac406450 [ 920.621884] R10: ffffffffac4060c0 R11: 0000000000000001 R12: ffff960dc4e2f800 [ 920.622254] R13: ffff960dc4e2f928 R14: ffff97b7c029c580 R15: 0000000000000000 [ 920.622609] FS: 0000000000000000(0000) GS:ffff960ef7d00000(0000) knlGS:0000000000000000 [ 920.622979] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 920.623245] CR2: 00007fa056965e90 CR3: 00000001107f1000 CR4: 00000000000006e0 [ 920.623680] Call Trace: [ 920.623815] <TASK> [ 920.623933] ? __warn+0x79/0xc0 [ 920.624116] ? rxe_completer+0x989/0xcc0 [rdma_rxe] [ 920.624356] ? report_bug+0xfb/0x150 [ 920.624594] ? handle_bug+0x3c/0x60 [ 920.624796] ? exc_invalid_op+0x14/0x70 [ 920.624976] ? asm_exc_invalid_op+0x16/0x20 [ 920.625203] ? rxe_completer+0x989/0xcc0 [rdma_rxe] [ 920.625474] ? rxe_completer+0x329/0xcc0 [rdma_rxe] [ 920.625749] rxe_do_task+0x80/0x110 [rdma_rxe] [ 920.626037] rxe_requester+0x625/0xde0 [rdma_rxe] [ 920.626310] ? rxe_cq_post+0xe2/0x180 [rdma_rxe] [ 920.626583] ? do_complete+0x18d/0x220 [rdma_rxe] [ 920.626812] ? rxe_completer+0x1a3/0xcc0 [rdma_rxe] [ 920.627050] rxe_do_task+0x80/0x110 [rdma_rxe] [ 920.627285] tasklet_action_common.constprop.0+0xa4/0x120 [ 920.627522] handle_softirqs+0xc2/0x250 [ 920.627728] ? sort_range+0x20/0x20 [ 920.627942] run_ksoftirqd+0x1f/0x30 [ 920.628158] smpboot_thread_fn+0xc7/0x1b0 [ 920.628334] kthread+0xd6/0x100 [ 920.628504] ? kthread_complete_and_exit+0x20/0x20 [ 920.628709] ret_from_fork+0x1f/0x30 [ 920.628892] </TASK> CVE-2024-53229 moderate In the Linux kernel, the following vulnerability has been resolved: cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost() cpufreq_cpu_get_raw() may return NULL if the cpu is not in policy->cpus cpu mask and it will cause null pointer dereference, so check NULL for cppc_get_cpu_cost(). CVE-2024-53230 moderate In the Linux kernel, the following vulnerability has been resolved: cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() cpufreq_cpu_get_raw() may return NULL if the cpu is not in policy->cpus cpu mask and it will cause null pointer dereference. CVE-2024-53231 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/s390: Implement blocking domain This fixes a crash when surprise hot-unplugging a PCI device. This crash happens because during hot-unplug __iommu_group_set_domain_nofail() attaching the default domain fails when the platform no longer recognizes the device as it has already been removed and we end up with a NULL domain pointer and UAF. This is exactly the case referred to in the second comment in __iommu_device_set_domain() and just as stated there if we can instead attach the blocking domain the UAF is prevented as this can handle the already removed device. Implement the blocking domain to use this handling. With this change, the crash is fixed but we still hit a warning attempting to change DMA ownership on a blocked device. CVE-2024-53232 moderate In the Linux kernel, the following vulnerability has been resolved: unicode: Fix utf8_load() error path utf8_load() requests the symbol "utf8_data_table" and then checks if the requested UTF-8 version is supported. If it's unsupported, it tries to put the data table using symbol_put(). If an unsupported version is requested, symbol_put() fails like this: kernel BUG at kernel/module/main.c:786! RIP: 0010:__symbol_put+0x93/0xb0 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x65/0x80 ? __symbol_put+0x93/0xb0 ? exc_invalid_op+0x51/0x70 ? __symbol_put+0x93/0xb0 ? asm_exc_invalid_op+0x1a/0x20 ? __pfx_cmp_name+0x10/0x10 ? __symbol_put+0x93/0xb0 ? __symbol_put+0x62/0xb0 utf8_load+0xf8/0x150 That happens because symbol_put() expects the unique string that identify the symbol, instead of a pointer to the loaded symbol. Fix that by using such string. CVE-2024-53233 moderate In the Linux kernel, the following vulnerability has been resolved: erofs: handle NONHEAD !delta[1] lclusters gracefully syzbot reported a WARNING in iomap_iter_done: iomap_fiemap+0x73b/0x9b0 fs/iomap/fiemap.c:80 ioctl_fiemap fs/ioctl.c:220 [inline] Generally, NONHEAD lclusters won't have delta[1]==0, except for crafted images and filesystems created by pre-1.0 mkfs versions. Previously, it would immediately bail out if delta[1]==0, which led to inadequate decompressed lengths (thus FIEMAP is impacted). Treat it as delta[1]=1 to work around these legacy mkfs versions. `lclusterbits > 14` is illegal for compact indexes, error out too. CVE-2024-53234 moderate In the Linux kernel, the following vulnerability has been resolved: xsk: Free skb when TX metadata options are invalid When a new skb is allocated for transmitting an xsk descriptor, i.e., for every non-multibuf descriptor or the first frag of a multibuf descriptor, but the descriptor is later found to have invalid options set for the TX metadata, the new skb is never freed. This can leak skbs until the send buffer is full which makes sending more packets impossible. Fix this by freeing the skb in the error path if we are currently dealing with the first frag, i.e., an skb allocated in this iteration of xsk_build_skb. CVE-2024-53236 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix use-after-free in device_for_each_child() Syzbot has reported the following KASAN splat: BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0 Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980 CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x100/0x190 ? device_for_each_child+0x18f/0x1a0 print_report+0x13a/0x4cb ? __virt_addr_valid+0x5e/0x590 ? __phys_addr+0xc6/0x150 ? device_for_each_child+0x18f/0x1a0 kasan_report+0xda/0x110 ? device_for_each_child+0x18f/0x1a0 ? __pfx_dev_memalloc_noio+0x10/0x10 device_for_each_child+0x18f/0x1a0 ? __pfx_device_for_each_child+0x10/0x10 pm_runtime_set_memalloc_noio+0xf2/0x180 netdev_unregister_kobject+0x1ed/0x270 unregister_netdevice_many_notify+0x123c/0x1d80 ? __mutex_trylock_common+0xde/0x250 ? __pfx_unregister_netdevice_many_notify+0x10/0x10 ? trace_contention_end+0xe6/0x140 ? __mutex_lock+0x4e7/0x8f0 ? __pfx_lock_acquire.part.0+0x10/0x10 ? rcu_is_watching+0x12/0xc0 ? unregister_netdev+0x12/0x30 unregister_netdevice_queue+0x30d/0x3f0 ? __pfx_unregister_netdevice_queue+0x10/0x10 ? __pfx_down_write+0x10/0x10 unregister_netdev+0x1c/0x30 bnep_session+0x1fb3/0x2ab0 ? __pfx_bnep_session+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __pfx_woken_wake_function+0x10/0x10 ? __kthread_parkme+0x132/0x200 ? __pfx_bnep_session+0x10/0x10 ? kthread+0x13a/0x370 ? __pfx_bnep_session+0x10/0x10 kthread+0x2b7/0x370 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x48/0x80 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 4974: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 __kmalloc_noprof+0x1d1/0x440 hci_alloc_dev_priv+0x1d/0x2820 __vhci_create_device+0xef/0x7d0 vhci_write+0x2c7/0x480 vfs_write+0x6a0/0xfc0 ksys_write+0x12f/0x260 do_syscall_64+0xc7/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 4979: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x4f/0x70 kfree+0x141/0x490 hci_release_dev+0x4d9/0x600 bt_host_release+0x6a/0xb0 device_release+0xa4/0x240 kobject_put+0x1ec/0x5a0 put_device+0x1f/0x30 vhci_release+0x81/0xf0 __fput+0x3f6/0xb30 task_work_run+0x151/0x250 do_exit+0xa79/0x2c30 do_group_exit+0xd5/0x2a0 get_signal+0x1fcd/0x2210 arch_do_signal_or_restart+0x93/0x780 syscall_exit_to_user_mode+0x140/0x290 do_syscall_64+0xd4/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when an underlying (kobject) reference counter is greater than 1. This means that reparenting (happened when the device is actually freed) is delayed and, during that delay, parent controller device (hciX) may be deleted. Since the latter may create a dangling pointer to freed parent, avoid that scenario by reparenting to NULL explicitly. CVE-2024-53237 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: Release resources at card release The current 6fire code tries to release the resources right after the call of usb6fire_chip_abort(). But at this moment, the card object might be still in use (as we're calling snd_card_free_when_closed()). For avoid potential UAFs, move the release of resources to the card's private_free instead of the manual call of usb6fire_chip_destroy() at the USB disconnect callback. CVE-2024-53239 important In the Linux kernel, the following vulnerability has been resolved: xen/netfront: fix crash when removing device When removing a netfront device directly after a suspend/resume cycle it might happen that the queues have not been setup again, causing a crash during the attempt to stop the queues another time. Fix that by checking the queues are existing before trying to stop them. This is XSA-465 / CVE-2024-53240. CVE-2024-53240 moderate In the Linux kernel, the following vulnerability has been resolved: x86/xen: don't do PV iret hypercall through hypercall page Instead of jumping to the Xen hypercall page for doing the iret hypercall, directly code the required sequence in xen-asm.S. This is done in preparation of no longer using hypercall page at all, as it has shown to cause problems with speculation mitigations. This is part of XSA-466 / CVE-2024-53241. CVE-2024-53241 moderate In the Linux kernel, the following vulnerability has been resolved: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Under certain kernel configurations when building with Clang/LLVM, the compiler does not generate a return or jump as the terminator instruction for ip_vs_protocol_init(), triggering the following objtool warning during build time: vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6() At runtime, this either causes an oops when trying to load the ipvs module or a boot-time panic if ipvs is built-in. This same issue has been reported by the Intel kernel test robot previously. Digging deeper into both LLVM and the kernel code reveals this to be a undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer of 64 chars to store the registered protocol names and leaves it uninitialized after definition. The function calls strnlen() when concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE strnlen() performs an extra step to check whether the last byte of the input char buffer is a null character (commit 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")). This, together with possibly other configurations, cause the following IR to be generated: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 { %1 = alloca [64 x i8], align 16 ... 14: ; preds = %11 %15 = getelementptr inbounds i8, ptr %1, i64 63 %16 = load i8, ptr %15, align 1 %17 = tail call i1 @llvm.is.constant.i8(i8 %16) %18 = icmp eq i8 %16, 0 %19 = select i1 %17, i1 %18, i1 false br i1 %19, label %20, label %23 20: ; preds = %14 %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23 ... 23: ; preds = %14, %11, %20 %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24 ... } The above code calculates the address of the last char in the buffer (value %15) and then loads from it (value %16). Because the buffer is never initialized, the LLVM GVN pass marks value %16 as undefined: %13 = getelementptr inbounds i8, ptr %1, i64 63 br i1 undef, label %14, label %17 This gives later passes (SCCP, in particular) more DCE opportunities by propagating the undef value further, and eventually removes everything after the load on the uninitialized stack location: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 { %1 = alloca [64 x i8], align 16 ... 12: ; preds = %11 %13 = getelementptr inbounds i8, ptr %1, i64 63 unreachable } In this way, the generated native code will just fall through to the next function, as LLVM does not generate any code for the unreachable IR instruction and leaves the function without a terminator. Zero the on-stack buffer to avoid this possible UB. CVE-2024-53680 moderate In the Linux kernel, the following vulnerability has been resolved: ceph: give up on paths longer than PATH_MAX If the full path to be built by ceph_mdsc_build_path() happens to be longer than PATH_MAX, then this function will enter an endless (retry) loop, effectively blocking the whole task. Most of the machine becomes unusable, making this a very simple and effective DoS vulnerability. I cannot imagine why this retry was ever implemented, but it seems rather useless and harmful to me. Let's remove it and fail with ENAMETOOLONG instead. CVE-2024-53685 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: prevent use of deleted inode syzbot reported a WARNING in nilfs_rmdir. [1] Because the inode bitmap is corrupted, an inode with an inode number that should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0", causing an inode duplication during execution. And this causes an underflow of i_nlink in rmdir operations. The inode is used twice by the same task to unmount and remove directories ".nilfs" and "file0", it trigger warning in nilfs_rmdir. Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means that this inode has been deleted, and iput is executed to reclaim it. [1] WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407 ... Call Trace: <TASK> nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342 vfs_rmdir+0x3a3/0x510 fs/namei.c:4394 do_rmdir+0x3b5/0x580 fs/namei.c:4453 __do_sys_rmdir fs/namei.c:4472 [inline] __se_sys_rmdir fs/namei.c:4470 [inline] __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-53690 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: IDLETIMER: Fix for possible ABBA deadlock Deletion of the last rule referencing a given idletimer may happen at the same time as a read of its file in sysfs: | ====================================================== | WARNING: possible circular locking dependency detected | 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted | ------------------------------------------------------ | iptables/3303 is trying to acquire lock: | ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20 | | but task is already holding lock: | ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v] | | which lock already depends on the new lock. A simple reproducer is: | #!/bin/bash | | while true; do | iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | done & | while true; do | cat /sys/class/xt_idletimer/timers/testme >/dev/null | done Avoid this by freeing list_mutex right after deleting the element from the list, then continuing with the teardown. CVE-2024-54683 moderate xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. CVE-2024-55549 important In the Linux kernel, the following vulnerability has been resolved: net: renesas: rswitch: avoid use-after-put for a device tree node The device tree node saved in the rswitch_device structure is used at several driver locations. So passing this node to of_node_put() after the first use is wrong. Move of_node_put() for this node to exit paths. CVE-2024-55639 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Play nice with protected guests in complete_hypercall_exit() Use is_64_bit_hypercall() instead of is_64_bit_mode() to detect a 64-bit hypercall when completing said hypercall. For guests with protected state, e.g. SEV-ES and SEV-SNP, KVM must assume the hypercall was made in 64-bit mode as the vCPU state needed to detect 64-bit mode is unavailable. Hacking the sev_smoke_test selftest to generate a KVM_HC_MAP_GPA_RANGE hypercall via VMGEXIT trips the WARN: ------------[ cut here ]------------ WARNING: CPU: 273 PID: 326626 at arch/x86/kvm/x86.h:180 complete_hypercall_exit+0x44/0xe0 [kvm] Modules linked in: kvm_amd kvm ... [last unloaded: kvm] CPU: 273 UID: 0 PID: 326626 Comm: sev_smoke_test Not tainted 6.12.0-smp--392e932fa0f3-feat #470 Hardware name: Google Astoria/astoria, BIOS 0.20240617.0-0 06/17/2024 RIP: 0010:complete_hypercall_exit+0x44/0xe0 [kvm] Call Trace: <TASK> kvm_arch_vcpu_ioctl_run+0x2400/0x2720 [kvm] kvm_vcpu_ioctl+0x54f/0x630 [kvm] __se_sys_ioctl+0x6b/0xc0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- CVE-2024-55881 moderate In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is fully initialized, we can hit the panic below: hv_utils: Registering HyperV Utility Driver hv_vmbus: registering driver hv_utils ... BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1 RIP: 0010:hv_pkt_iter_first+0x12/0xd0 Call Trace: ... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 </IRQ> <TASK> asm_sysvec_hyperv_stimer0 ... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_read This can happen because the KVP/VSS channel callback can be invoked even before the channel is fully opened: 1) as soon as hv_kvp_init() -> hvutil_transport_init() creates /dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and register itself to the driver by writing a message KVP_OP_REGISTER1 to the file (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and reading the file for the driver's response, which is handled by hvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done(). 2) the problem with kvp_register_done() is that it can cause the channel callback to be called even before the channel is fully opened, and when the channel callback is starting to run, util_probe()-> vmbus_open() may have not initialized the ringbuffer yet, so the callback can hit the panic of NULL pointer dereference. To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in __vmbus_open(), just before the first hv_ringbuffer_init(), and then we unload and reload the driver hv_utils, and run the daemon manually within the 10 seconds. Fix the panic by reordering the steps in util_probe() so the char dev entry used by the KVP or VSS daemon is not created until after vmbus_open() has completed. This reordering prevents the race condition from happening. CVE-2024-55916 moderate libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. CVE-2024-56171 important In the Linux kernel, the following vulnerability has been resolved: drm/modes: Avoid divide by zero harder in drm_mode_vrefresh() drm_mode_vrefresh() is trying to avoid divide by zero by checking whether htotal or vtotal are zero. But we may still end up with a div-by-zero of vtotal*htotal*... CVE-2024-56369 moderate In the Linux kernel, the following vulnerability has been resolved: net: tun: fix tun_napi_alloc_frags() syzbot reported the following crash [1] Issue came with the blamed commit. Instead of going through all the iov components, we keep using the first one and end up with a malformed skb. [1] kernel BUG at net/core/skbuff.c:2849 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848 Code: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90004cbef30 EFLAGS: 00010293 RAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00 RDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000 RBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c R10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50 R13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80 FS: 00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284 tipc_aead_decrypt net/tipc/crypto.c:894 [inline] tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844 tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109 tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668 __netif_receive_skb_list_ptype net/core/dev.c:5720 [inline] __netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762 __netif_receive_skb_list net/core/dev.c:5814 [inline] netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905 gro_normal_list include/net/gro.h:515 [inline] napi_complete_done+0x2b5/0x870 net/core/dev.c:6256 napi_complete include/linux/netdevice.h:567 [inline] tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057 do_iter_readv_writev+0x600/0x880 vfs_writev+0x376/0xba0 fs/read_write.c:1050 do_writev+0x1b6/0x360 fs/read_write.c:1096 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-56372 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. This patch also splits the code to the disconnect and the free phases; the former is called immediately at the USB disconnect callback while the latter is called from the card destructor. CVE-2024-56531 low In the Linux kernel, the following vulnerability has been resolved: ALSA: us122l: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. The loop of us122l->mmap_count check is dropped as well. The check is useless for the asynchronous operation with *_when_closed(). CVE-2024-56532 low In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. CVE-2024-56533 low In the Linux kernel, the following vulnerability has been resolved: wifi: cw1200: Fix potential NULL dereference A recent refactoring was identified by static analysis to cause a potential NULL dereference, fix this! CVE-2024-56536 moderate In the Linux kernel, the following vulnerability has been resolved: drm: zynqmp_kms: Unplug DRM device before removal Prevent userspace accesses to the DRM device from causing use-after-frees by unplugging the device before we remove it. This causes any further userspace accesses to result in an error without further calls into this driver's internals. CVE-2024-56538 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Replace one-element array with a flexible-array member in `struct mwifiex_ie_types_wildcard_ssid_params` to fix the following warning on a MT8173 Chromebook (mt8173-elm-hana): [ 356.775250] ------------[ cut here ]------------ [ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1) [ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex] The "(size 6)" above is exactly the length of the SSID of the network this device was connected to. The source of the warning looks like: ssid_len = user_scan_in->ssid_list[i].ssid_len; [...] memcpy(wildcard_ssid_tlv->ssid, user_scan_in->ssid_list[i].ssid, ssid_len); There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this struct, but it already didn't account for the size of the one-element array, so it doesn't need to be changed. CVE-2024-56539 important In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Skip Rx TID cleanup for self peer During peer create, dp setup for the peer is done where Rx TID is updated for all the TIDs. Peer object for self peer will not go through dp setup. When core halts, dp cleanup is done for all the peers. While cleanup, rx_tid::ab is accessed which causes below stack trace for self peer. WARNING: CPU: 6 PID: 12297 at drivers/net/wireless/ath/ath12k/dp_rx.c:851 Call Trace: __warn+0x7b/0x1a0 ath12k_dp_rx_frags_cleanup+0xd2/0xe0 [ath12k] report_bug+0x10b/0x200 handle_bug+0x3f/0x70 exc_invalid_op+0x13/0x60 asm_exc_invalid_op+0x16/0x20 ath12k_dp_rx_frags_cleanup+0xd2/0xe0 [ath12k] ath12k_dp_rx_frags_cleanup+0xca/0xe0 [ath12k] ath12k_dp_rx_peer_tid_cleanup+0x39/0xa0 [ath12k] ath12k_mac_peer_cleanup_all+0x61/0x100 [ath12k] ath12k_core_halt+0x3b/0x100 [ath12k] ath12k_core_reset+0x494/0x4c0 [ath12k] sta object in peer will be updated when remote peer is created. Hence use peer::sta to detect the self peer and skip the cleanup. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 CVE-2024-56543 moderate In the Linux kernel, the following vulnerability has been resolved: drivers: soc: xilinx: add the missing kfree in xlnx_add_cb_for_suspend() If we fail to allocate memory for cb_data by kmalloc, the memory allocation for eve_data is never freed, add the missing kfree() in the error handling path. CVE-2024-56546 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't query the device logical block size multiple times Devices block sizes may change. One of these cases is a loop device by using ioctl LOOP_SET_BLOCK_SIZE. While this may cause other issues like IO being rejected, in the case of hfsplus, it will allocate a block by using that size and potentially write out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the latter function reads a different io_size. Using a new min_io_size initally set to sb_min_blocksize works for the purposes of the original fix, since it will be set to the max between HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not initialized. Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024 and 4096. The produced KASAN report before the fix looks like this: [ 419.944641] ================================================================== [ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a [ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678 [ 419.947612] [ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84 [ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 419.950035] Call Trace: [ 419.950384] <TASK> [ 419.950676] dump_stack_lvl+0x57/0x78 [ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.951830] print_report+0x14c/0x49e [ 419.952361] ? __virt_addr_valid+0x267/0x278 [ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d [ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.954231] kasan_report+0x89/0xb0 [ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.955367] hfsplus_read_wrapper+0x659/0xa0a [ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10 [ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9 [ 419.957214] ? _raw_spin_unlock+0x1a/0x2e [ 419.957772] hfsplus_fill_super+0x348/0x1590 [ 419.958355] ? hlock_class+0x4c/0x109 [ 419.958867] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.959499] ? __pfx_string+0x10/0x10 [ 419.960006] ? lock_acquire+0x3e2/0x454 [ 419.960532] ? bdev_name.constprop.0+0xce/0x243 [ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10 [ 419.961799] ? pointer+0x3f0/0x62f [ 419.962277] ? __pfx_pointer+0x10/0x10 [ 419.962761] ? vsnprintf+0x6c4/0xfba [ 419.963178] ? __pfx_vsnprintf+0x10/0x10 [ 419.963621] ? setup_bdev_super+0x376/0x3b3 [ 419.964029] ? snprintf+0x9d/0xd2 [ 419.964344] ? __pfx_snprintf+0x10/0x10 [ 419.964675] ? lock_acquired+0x45c/0x5e9 [ 419.965016] ? set_blocksize+0x139/0x1c1 [ 419.965381] ? sb_set_blocksize+0x6d/0xae [ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.966179] mount_bdev+0x12f/0x1bf [ 419.966512] ? __pfx_mount_bdev+0x10/0x10 [ 419.966886] ? vfs_parse_fs_string+0xce/0x111 [ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10 [ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10 [ 419.968073] legacy_get_tree+0x104/0x178 [ 419.968414] vfs_get_tree+0x86/0x296 [ 419.968751] path_mount+0xba3/0xd0b [ 419.969157] ? __pfx_path_mount+0x10/0x10 [ 419.969594] ? kmem_cache_free+0x1e2/0x260 [ 419.970311] do_mount+0x99/0xe0 [ 419.970630] ? __pfx_do_mount+0x10/0x10 [ 419.971008] __do_sys_mount+0x199/0x1c9 [ 419.971397] do_syscall_64+0xd0/0x135 [ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 419.972233] RIP: 0033:0x7c3cb812972e [ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48 [ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e [ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: ---truncated--- CVE-2024-56548 important In the Linux kernel, the following vulnerability has been resolved: cachefiles: Fix NULL pointer dereference in object->file At present, the object->file has the NULL pointer dereference problem in ondemand-mode. The root cause is that the allocated fd and object->file lifetime are inconsistent, and the user-space invocation to anon_fd uses object->file. Following is the process that triggers the issue: [write fd] [umount] cachefiles_ondemand_fd_write_iter fscache_cookie_state_machine cachefiles_withdraw_cookie if (!file) return -ENOBUFS cachefiles_clean_up_object cachefiles_unmark_inode_in_use fput(object->file) object->file = NULL // file NULL pointer dereference! __cachefiles_write(..., file, ...) Fix this issue by add an additional reference count to the object->file before write/llseek, and decrement after it finished. CVE-2024-56549 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix usage slab after free [ +0.000021] BUG: KASAN: slab-use-after-free in drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000027] Read of size 8 at addr ffff8881b8605f88 by task amd_pci_unplug/2147 [ +0.000023] CPU: 6 PID: 2147 Comm: amd_pci_unplug Not tainted 6.10.0+ #1 [ +0.000016] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000016] Call Trace: [ +0.000008] <TASK> [ +0.000009] dump_stack_lvl+0x76/0xa0 [ +0.000017] print_report+0xce/0x5f0 [ +0.000017] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000019] ? srso_return_thunk+0x5/0x5f [ +0.000015] ? kasan_complete_mode_report_info+0x72/0x200 [ +0.000016] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000019] kasan_report+0xbe/0x110 [ +0.000015] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000023] __asan_report_load8_noabort+0x14/0x30 [ +0.000014] drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000020] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? __kasan_check_write+0x14/0x30 [ +0.000016] ? __pfx_drm_sched_entity_flush+0x10/0x10 [gpu_sched] [ +0.000020] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? __kasan_check_write+0x14/0x30 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? enable_work+0x124/0x220 [ +0.000015] ? __pfx_enable_work+0x10/0x10 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? free_large_kmalloc+0x85/0xf0 [ +0.000016] drm_sched_entity_destroy+0x18/0x30 [gpu_sched] [ +0.000020] amdgpu_vce_sw_fini+0x55/0x170 [amdgpu] [ +0.000735] ? __kasan_check_read+0x11/0x20 [ +0.000016] vce_v4_0_sw_fini+0x80/0x110 [amdgpu] [ +0.000726] amdgpu_device_fini_sw+0x331/0xfc0 [amdgpu] [ +0.000679] ? mutex_unlock+0x80/0xe0 [ +0.000017] ? __pfx_amdgpu_device_fini_sw+0x10/0x10 [amdgpu] [ +0.000662] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? __kasan_check_write+0x14/0x30 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? mutex_unlock+0x80/0xe0 [ +0.000016] amdgpu_driver_release_kms+0x16/0x80 [amdgpu] [ +0.000663] drm_minor_release+0xc9/0x140 [drm] [ +0.000081] drm_release+0x1fd/0x390 [drm] [ +0.000082] __fput+0x36c/0xad0 [ +0.000018] __fput_sync+0x3c/0x50 [ +0.000014] __x64_sys_close+0x7d/0xe0 [ +0.000014] x64_sys_call+0x1bc6/0x2680 [ +0.000014] do_syscall_64+0x70/0x130 [ +0.000014] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? irqentry_exit_to_user_mode+0x60/0x190 [ +0.000015] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? irqentry_exit+0x43/0x50 [ +0.000012] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? exc_page_fault+0x7c/0x110 [ +0.000015] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000014] RIP: 0033:0x7ffff7b14f67 [ +0.000013] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff [ +0.000026] RSP: 002b:00007fffffffe378 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ +0.000019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffff7b14f67 [ +0.000014] RDX: 0000000000000000 RSI: 00007ffff7f6f47a RDI: 0000000000000003 [ +0.000014] RBP: 00007fffffffe3a0 R08: 0000555555569890 R09: 0000000000000000 [ +0.000014] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffffffe5c8 [ +0.000013] R13: 00005555555552a9 R14: 0000555555557d48 R15: 00007ffff7ffd040 [ +0.000020] </TASK> [ +0.000016] Allocated by task 383 on cpu 7 at 26.880319s: [ +0.000014] kasan_save_stack+0x28/0x60 [ +0.000008] kasan_save_track+0x18/0x70 [ +0.000007] kasan_save_alloc_info+0x38/0x60 [ +0.000007] __kasan_kmalloc+0xc1/0xd0 [ +0.000007] kmalloc_trace_noprof+0x180/0x380 [ +0.000007] drm_sched_init+0x411/0xec0 [gpu_sched] [ +0.000012] amdgpu_device_init+0x695f/0xa610 [amdgpu] [ +0.000658] amdgpu_driver_load_kms+0x1a/0x120 [amdgpu] [ +0.000662] amdgpu_pci_p ---truncated--- CVE-2024-56551 moderate In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer The AD7923 was updated to support devices with 8 channels, but the size of tx_buf and ring_xfer was not increased accordingly, leading to a potential buffer overflow in ad7923_update_scan_mode(). CVE-2024-56557 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: make sure exp active before svc_export_show The function `e_show` was called with protection from RCU. This only ensures that `exp` will not be freed. Therefore, the reference count for `exp` can drop to zero, which will trigger a refcount use-after-free warning when `exp_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `exp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 819 at lib/refcount.c:25 refcount_warn_saturate+0xb1/0x120 CPU: 3 UID: 0 PID: 819 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb1/0x120 ... Call Trace: <TASK> e_show+0x20b/0x230 [nfsd] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2024-56558 moderate In the Linux kernel, the following vulnerability has been resolved: i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs() if (dev->boardinfo && dev->boardinfo->init_dyn_addr) ^^^ here check "init_dyn_addr" i3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, ...) ^^^^ free "dyn_addr" Fix copy/paste error "dyn_addr" by replacing it with "init_dyn_addr". CVE-2024-56562 moderate In the Linux kernel, the following vulnerability has been resolved: mm/slub: Avoid list corruption when removing a slab from the full list Boot with slub_debug=UFPZ. If allocated object failed in alloc_consistency_checks, all objects of the slab will be marked as used, and then the slab will be removed from the partial list. When an object belonging to the slab got freed later, the remove_full() function is called. Because the slab is neither on the partial list nor on the full list, it eventually lead to a list corruption (actually a list poison being detected). So we need to mark and isolate the slab page with metadata corruption, do not put it back in circulation. Because the debug caches avoid all the fastpaths, reusing the frozen bit to mark slab page with metadata corruption seems to be fine. [ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100) [ 4277.387023] ------------[ cut here ]------------ [ 4277.387880] kernel BUG at lib/list_debug.c:56! [ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1 [ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs] [ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91 [ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082 [ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000 [ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff [ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0 [ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910 [ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0 [ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000 [ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0 [ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4277.410000] PKRU: 55555554 [ 4277.410645] Call Trace: [ 4277.411234] <TASK> [ 4277.411777] ? die+0x32/0x80 [ 4277.412439] ? do_trap+0xd6/0x100 [ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.414158] ? do_error_trap+0x6a/0x90 [ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.415915] ? exc_invalid_op+0x4c/0x60 [ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.417675] ? asm_exc_invalid_op+0x16/0x20 [ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.420410] free_to_partial_list+0x515/0x5e0 [ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs] [ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs] [ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs] [ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs] [ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs] [ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs] [ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs] [ 4277.428567] xfs_inactive+0x22d/0x290 [xfs] [ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs] [ 4277.430479] process_one_work+0x171/0x340 [ 4277.431227] worker_thread+0x277/0x390 [ 4277.431962] ? __pfx_worker_thread+0x10/0x10 [ 4277.432752] kthread+0xf0/0x120 [ 4277.433382] ? __pfx_kthread+0x10/0x10 [ 4277.434134] ret_from_fork+0x2d/0x50 [ 4277.434837] ? __pfx_kthread+0x10/0x10 [ 4277.435566] ret_from_fork_asm+0x1b/0x30 [ 4277.436280] </TASK> CVE-2024-56566 moderate In the Linux kernel, the following vulnerability has been resolved: ad7780: fix division by zero in ad7780_write_raw() In the ad7780_write_raw() , val2 can be zero, which might lead to a division by zero error in DIV_ROUND_CLOSEST(). The ad7780_write_raw() is based on iio_info's write_raw. While val is explicitly declared that can be zero (in read mode), val2 is not specified to be non-zero. CVE-2024-56567 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Defer probe of clients after smmu device bound Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called. Following is how the race occurs: T1:Smmu device probe T2: Client device probe really_probe() arm_smmu_device_probe() iommu_device_register() really_probe() platform_dma_configure() of_dma_configure() of_dma_configure_id() of_iommu_configure() iommu_probe_device() iommu_init_device() arm_smmu_probe_device() arm_smmu_get_by_fwnode() driver_find_device_by_fwnode() driver_find_device() next_device() klist_next() /* null ptr assigned to smmu */ /* null ptr dereference while smmu->streamid_mask */ driver_bound() klist_add_tail() When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes. Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver. [will: Add comment] CVE-2024-56568 moderate In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix regression with module command in stack_trace_filter When executing the following command: # echo "write*:mod:ext3" > /sys/kernel/tracing/stack_trace_filter The current mod command causes a null pointer dereference. While commit 0f17976568b3f ("ftrace: Fix regression with module command in stack_trace_filter") has addressed part of the issue, it left a corner case unhandled, which still results in a kernel crash. CVE-2024-56569 moderate In the Linux kernel, the following vulnerability has been resolved: ovl: Filter invalid inodes with missing lookup function Add a check to the ovl_dentry_weird() function to prevent the processing of directory inodes that lack the lookup function. This is important because such inodes can cause errors in overlayfs when passed to the lowerstack. CVE-2024-56570 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-56571 moderate In the Linux kernel, the following vulnerability has been resolved: media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal() The buffer in the loop should be released under the exception path, otherwise there may be a memory leak here. To mitigate this, free the buffer when allegro_alloc_buffer fails. CVE-2024-56572 moderate In the Linux kernel, the following vulnerability has been resolved: efi/libstub: Free correct pointer on failure cmdline_ptr is an out parameter, which is not allocated by the function itself, and likely points into the caller's stack. cmdline refers to the pool allocation that should be freed when cleaning up after a failure, so pass this instead to free_pool(). CVE-2024-56573 moderate In the Linux kernel, the following vulnerability has been resolved: media: ts2020: fix null-ptr-deref in ts2020_probe() KASAN reported a null-ptr-deref issue when executing the following command: # echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009) RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020] RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809 RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010 RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6 R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790 R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001 FS: 00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ts2020_probe+0xad/0xe10 [ts2020] i2c_device_probe+0x421/0xb40 really_probe+0x266/0x850 ... The cause of the problem is that when using sysfs to dynamically register an i2c device, there is no platform data, but the probe process of ts2020 needs to use platform data, resulting in a null pointer being accessed. Solve this problem by adding checks to platform data. CVE-2024-56574 moderate In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Ensure power suppliers be suspended before detach them The power suppliers are always requested to suspend asynchronously, dev_pm_domain_detach() requires the caller to ensure proper synchronization of this function with power management callbacks. otherwise the detach may led to kernel panic, like below: [ 1457.107934] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040 [ 1457.116777] Mem abort info: [ 1457.119589] ESR = 0x0000000096000004 [ 1457.123358] EC = 0x25: DABT (current EL), IL = 32 bits [ 1457.128692] SET = 0, FnV = 0 [ 1457.131764] EA = 0, S1PTW = 0 [ 1457.134920] FSC = 0x04: level 0 translation fault [ 1457.139812] Data abort info: [ 1457.142707] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1457.148196] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1457.153256] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1457.158563] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001138b6000 [ 1457.165000] [0000000000000040] pgd=0000000000000000, p4d=0000000000000000 [ 1457.171792] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 1457.178045] Modules linked in: v4l2_jpeg wave6_vpu_ctrl(-) [last unloaded: mxc_jpeg_encdec] [ 1457.186383] CPU: 0 PID: 51938 Comm: kworker/0:3 Not tainted 6.6.36-gd23d64eea511 #66 [ 1457.194112] Hardware name: NXP i.MX95 19X19 board (DT) [ 1457.199236] Workqueue: pm pm_runtime_work [ 1457.203247] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1457.210188] pc : genpd_runtime_suspend+0x20/0x290 [ 1457.214886] lr : __rpm_callback+0x48/0x1d8 [ 1457.218968] sp : ffff80008250bc50 [ 1457.222270] x29: ffff80008250bc50 x28: 0000000000000000 x27: 0000000000000000 [ 1457.229394] x26: 0000000000000000 x25: 0000000000000008 x24: 00000000000f4240 [ 1457.236518] x23: 0000000000000000 x22: ffff00008590f0e4 x21: 0000000000000008 [ 1457.243642] x20: ffff80008099c434 x19: ffff00008590f000 x18: ffffffffffffffff [ 1457.250766] x17: 5300326563697665 x16: 645f676e696c6f6f x15: 63343a6d726f6674 [ 1457.257890] x14: 0000000000000004 x13: 00000000000003a4 x12: 0000000000000002 [ 1457.265014] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff80008250bbb0 [ 1457.272138] x8 : ffff000092937200 x7 : ffff0003fdf6af80 x6 : 0000000000000000 [ 1457.279262] x5 : 00000000410fd050 x4 : 0000000000200000 x3 : 0000000000000000 [ 1457.286386] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008590f000 [ 1457.293510] Call trace: [ 1457.295946] genpd_runtime_suspend+0x20/0x290 [ 1457.300296] __rpm_callback+0x48/0x1d8 [ 1457.304038] rpm_callback+0x6c/0x78 [ 1457.307515] rpm_suspend+0x10c/0x570 [ 1457.311077] pm_runtime_work+0xc4/0xc8 [ 1457.314813] process_one_work+0x138/0x248 [ 1457.318816] worker_thread+0x320/0x438 [ 1457.322552] kthread+0x110/0x114 [ 1457.325767] ret_from_fork+0x10/0x20 CVE-2024-56575 moderate In the Linux kernel, the following vulnerability has been resolved: media: i2c: tc358743: Fix crash in the probe error path when using polling If an error occurs in the probe() function, we should remove the polling timer that was alarmed earlier, otherwise the timer is called with arguments that are already freed, which results in a crash. ------------[ cut here ]------------ WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268 Modules linked in: CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226 Hardware name: Diasom DS-RK3568-SOM-EVB (DT) pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __run_timers+0x244/0x268 lr : __run_timers+0x1d4/0x268 sp : ffffff80eff2baf0 x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00 x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00 x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000 x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000 x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009 x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480 x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240 x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0 Call trace: __run_timers+0x244/0x268 timer_expire_remote+0x50/0x68 tmigr_handle_remote+0x388/0x39c run_timer_softirq+0x38/0x44 handle_softirqs+0x138/0x298 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x24/0x4c do_softirq_own_stack+0x1c/0x2c irq_exit_rcu+0x9c/0xcc el1_interrupt+0x48/0xc0 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x7c/0x80 default_idle_call+0x34/0x68 do_idle+0x23c/0x294 cpu_startup_entry+0x38/0x3c secondary_start_kernel+0x128/0x160 __secondary_switched+0xb8/0xbc ---[ end trace 0000000000000000 ]--- CVE-2024-56576 moderate In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix null-ptr-deref during unload module The workqueue should be destroyed in mtk_jpeg_core.c since commit 09aea13ecf6f ("media: mtk-jpeg: refactor some variables"), otherwise the below calltrace can be easily triggered. [ 677.862514] Unable to handle kernel paging request at virtual address dfff800000000023 [ 677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] ... [ 677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G O 6.8.12-mtk+gfa1a78e5d24b+ #17 ... [ 677.882838] pc : destroy_workqueue+0x3c/0x770 [ 677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw] [ 677.884314] sp : ffff80008ad974f0 [ 677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070 [ 677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690 [ 677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000 [ 677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0 [ 677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10 [ 677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d [ 677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90 [ 677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001 [ 677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000 [ 677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118 [ 677.893977] Call trace: [ 677.894297] destroy_workqueue+0x3c/0x770 [ 677.894826] mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw] [ 677.895677] devm_action_release+0x50/0x90 [ 677.896211] release_nodes+0xe8/0x170 [ 677.896688] devres_release_all+0xf8/0x178 [ 677.897219] device_unbind_cleanup+0x24/0x170 [ 677.897785] device_release_driver_internal+0x35c/0x480 [ 677.898461] device_release_driver+0x20/0x38 ... [ 677.912665] ---[ end trace 0000000000000000 ]--- CVE-2024-56577 moderate In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Set video drvdata before register video device The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and led to oops. CVE-2024-56578 moderate In the Linux kernel, the following vulnerability has been resolved: media: amphion: Set video drvdata before register video device The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and led to oops. CVE-2024-56579 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free in btrfs_encoded_read_endio() Shinichiro reported the following use-after free that sometimes is happening in our CI system when running fstests' btrfs/284 on a TCMU runner device: BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780 Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219 CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: <TASK> dump_stack_lvl+0x6e/0xa0 ? lock_release+0x708/0x780 print_report+0x174/0x505 ? lock_release+0x708/0x780 ? __virt_addr_valid+0x224/0x410 ? lock_release+0x708/0x780 kasan_report+0xda/0x1b0 ? lock_release+0x708/0x780 ? __wake_up+0x44/0x60 lock_release+0x708/0x780 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? lock_is_held_type+0x9a/0x110 _raw_spin_unlock_irqrestore+0x1f/0x60 __wake_up+0x44/0x60 btrfs_encoded_read_endio+0x14b/0x190 [btrfs] btrfs_check_read_bio+0x8d9/0x1360 [btrfs] ? lock_release+0x1b0/0x780 ? trace_lock_acquire+0x12f/0x1a0 ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs] ? process_one_work+0x7e3/0x1460 ? lock_acquire+0x31/0xc0 ? process_one_work+0x7e3/0x1460 process_one_work+0x85c/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5e6/0xfc0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2c3/0x3a0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x4f/0x70 kfree+0x143/0x490 btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff888106a83f00 which belongs to the cache kmalloc-rnd-07-96 of size 96 The buggy address is located 24 bytes inside of freed 96-byte region [ffff888106a83f00, ffff888106a83f60) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004 raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Further analyzing the trace and ---truncated--- CVE-2024-56582 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/tctx: work around xa_store() allocation error issue syzbot triggered the following WARN_ON: WARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51 which is the WARN_ON_ONCE(!xa_empty(&tctx->xa)); sanity check in __io_uring_free() when a io_uring_task is going through its final put. The syzbot test case includes injecting memory allocation failures, and it very much looks like xa_store() can fail one of its memory allocations and end up with ->head being non-NULL even though no entries exist in the xarray. Until this issue gets sorted out, work around it by attempting to iterate entries in our xarray, and WARN_ON_ONCE() if one is found. CVE-2024-56584 moderate In the Linux kernel, the following vulnerability has been resolved: leds: class: Protect brightness_show() with led_cdev->led_access mutex There is NULL pointer issue observed if from Process A where hid device being added which results in adding a led_cdev addition and later a another call to access of led_cdev attribute from Process B can result in NULL pointer issue. Use mutex led_cdev->led_access to protect access to led->cdev and its attribute inside brightness_show() and max_brightness_show() and also update the comment for mutex that it should be used to protect the led class device fields. Process A Process B kthread+0x114 worker_thread+0x244 process_scheduled_works+0x248 uhid_device_add_worker+0x24 hid_add_device+0x120 device_add+0x268 bus_probe_device+0x94 device_initial_probe+0x14 __device_attach+0xfc bus_for_each_drv+0x10c __device_attach_driver+0x14c driver_probe_device+0x3c __driver_probe_device+0xa0 really_probe+0x190 hid_device_probe+0x130 ps_probe+0x990 ps_led_register+0x94 devm_led_classdev_register_ext+0x58 led_classdev_register_ext+0x1f8 device_create_with_groups+0x48 device_create_groups_vargs+0xc8 device_add+0x244 kobject_uevent+0x14 kobject_uevent_env[jt]+0x224 mutex_unlock[jt]+0xc4 __mutex_unlock_slowpath+0xd4 wake_up_q+0x70 try_to_wake_up[jt]+0x48c preempt_schedule_common+0x28 __schedule+0x628 __switch_to+0x174 el0t_64_sync+0x1a8/0x1ac el0t_64_sync_handler+0x68/0xbc el0_svc+0x38/0x68 do_el0_svc+0x1c/0x28 el0_svc_common+0x80/0xe0 invoke_syscall+0x58/0x114 __arm64_sys_read+0x1c/0x2c ksys_read+0x78/0xe8 vfs_read+0x1e0/0x2c8 kernfs_fop_read_iter+0x68/0x1b4 seq_read_iter+0x158/0x4ec kernfs_seq_show+0x44/0x54 sysfs_kf_seq_show+0xb4/0x130 dev_attr_show+0x38/0x74 brightness_show+0x20/0x4c dualshock4_led_get_brightness+0xc/0x74 [ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 [ 3313.874301][ T4013] Mem abort info: [ 3313.874303][ T4013] ESR = 0x0000000096000006 [ 3313.874305][ T4013] EC = 0x25: DABT (current EL), IL = 32 bits [ 3313.874307][ T4013] SET = 0, FnV = 0 [ 3313.874309][ T4013] EA = 0, S1PTW = 0 [ 3313.874311][ T4013] FSC = 0x06: level 2 translation fault [ 3313.874313][ T4013] Data abort info: [ 3313.874314][ T4013] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 [ 3313.874316][ T4013] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 3313.874318][ T4013] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000 .. [ 3313.874332][ T4013] Dumping ftrace buffer: [ 3313.874334][ T4013] (ftrace buffer empty) .. .. [ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader [ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74 [ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60 [ 3313.874656][ T4013] sp : ffffffc0b910bbd0 .. .. [ 3313.874685][ T4013] Call trace: [ 3313.874687][ T4013] dualshock4_led_get_brightness+0xc/0x74 [ 3313.874690][ T4013] brightness_show+0x20/0x4c [ 3313.874692][ T4013] dev_attr_show+0x38/0x74 [ 3313.874696][ T4013] sysfs_kf_seq_show+0xb4/0x130 [ 3313.874700][ T4013] kernfs_seq_show+0x44/0x54 [ 3313.874703][ T4013] seq_read_iter+0x158/0x4ec [ 3313.874705][ T4013] kernfs_fop_read_iter+0x68/0x1b4 [ 3313.874708][ T4013] vfs_read+0x1e0/0x2c8 [ 3313.874711][ T4013] ksys_read+0x78/0xe8 [ 3313.874714][ T4013] __arm64_sys_read+0x1c/0x2c [ 3313.874718][ T4013] invoke_syscall+0x58/0x114 [ 3313.874721][ T4013] el0_svc_common+0x80/0xe0 [ 3313.874724][ T4013] do_el0_svc+0x1c/0x28 [ 3313.874727][ T4013] el0_svc+0x38/0x68 [ 3313.874730][ T4013] el0t_64_sync_handler+0x68/0xbc [ 3313.874732][ T4013] el0t_64_sync+0x1a8/0x1ac CVE-2024-56587 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Create all dump files during debugfs initialization For the current debugfs of hisi_sas, after user triggers dump, the driver allocate memory space to save the register information and create debugfs files to display the saved information. In this process, the debugfs files created after each dump. Therefore, when the dump is triggered while the driver is unbind, the following hang occurs: [67840.853907] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 [67840.862947] Mem abort info: [67840.865855] ESR = 0x0000000096000004 [67840.869713] EC = 0x25: DABT (current EL), IL = 32 bits [67840.875125] SET = 0, FnV = 0 [67840.878291] EA = 0, S1PTW = 0 [67840.881545] FSC = 0x04: level 0 translation fault [67840.886528] Data abort info: [67840.889524] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [67840.895117] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [67840.900284] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [67840.905709] user pgtable: 4k pages, 48-bit VAs, pgdp=0000002803a1f000 [67840.912263] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000 [67840.919177] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [67840.996435] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [67841.003628] pc : down_write+0x30/0x98 [67841.007546] lr : start_creating.part.0+0x60/0x198 [67841.012495] sp : ffff8000b979ba20 [67841.016046] x29: ffff8000b979ba20 x28: 0000000000000010 x27: 0000000000024b40 [67841.023412] x26: 0000000000000012 x25: ffff20202b355ae8 x24: ffff20202b35a8c8 [67841.030779] x23: ffffa36877928208 x22: ffffa368b4972240 x21: ffff8000b979bb18 [67841.038147] x20: ffff00281dc1e3c0 x19: fffffffffffffffe x18: 0000000000000020 [67841.045515] x17: 0000000000000000 x16: ffffa368b128a530 x15: ffffffffffffffff [67841.052888] x14: ffff8000b979bc18 x13: ffffffffffffffff x12: ffff8000b979bb18 [67841.060263] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa368b1289b18 [67841.067640] x8 : 0000000000000012 x7 : 0000000000000000 x6 : 00000000000003a9 [67841.075014] x5 : 0000000000000000 x4 : ffff002818c5cb00 x3 : 0000000000000001 [67841.082388] x2 : 0000000000000000 x1 : ffff002818c5cb00 x0 : 00000000000000a0 [67841.089759] Call trace: [67841.092456] down_write+0x30/0x98 [67841.096017] start_creating.part.0+0x60/0x198 [67841.100613] debugfs_create_dir+0x48/0x1f8 [67841.104950] debugfs_create_files_v3_hw+0x88/0x348 [hisi_sas_v3_hw] [67841.111447] debugfs_snapshot_regs_v3_hw+0x708/0x798 [hisi_sas_v3_hw] [67841.118111] debugfs_trigger_dump_v3_hw_write+0x9c/0x120 [hisi_sas_v3_hw] [67841.125115] full_proxy_write+0x68/0xc8 [67841.129175] vfs_write+0xd8/0x3f0 [67841.132708] ksys_write+0x70/0x108 [67841.136317] __arm64_sys_write+0x24/0x38 [67841.140440] invoke_syscall+0x50/0x128 [67841.144385] el0_svc_common.constprop.0+0xc8/0xf0 [67841.149273] do_el0_svc+0x24/0x38 [67841.152773] el0_svc+0x38/0xd8 [67841.156009] el0t_64_sync_handler+0xc0/0xc8 [67841.160361] el0t_64_sync+0x1a4/0x1a8 [67841.164189] Code: b9000882 d2800002 d2800023 f9800011 (c85ffc05) [67841.170443] ---[ end trace 0000000000000000 ]--- To fix this issue, create all directories and files during debugfs initialization. In this way, the driver only needs to allocate memory space to save information each time the user triggers dumping. CVE-2024-56588 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Add cond_resched() for no forced preemption model For no forced preemption model kernel, in the scenario where the expander is connected to 12 high performance SAS SSDs, the following call trace may occur: [ 214.409199][ C240] watchdog: BUG: soft lockup - CPU#240 stuck for 22s! [irq/149-hisi_sa:3211] [ 214.568533][ C240] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) [ 214.575224][ C240] pc : fput_many+0x8c/0xdc [ 214.579480][ C240] lr : fput+0x1c/0xf0 [ 214.583302][ C240] sp : ffff80002de2b900 [ 214.587298][ C240] x29: ffff80002de2b900 x28: ffff1082aa412000 [ 214.593291][ C240] x27: ffff3062a0348c08 x26: ffff80003a9f6000 [ 214.599284][ C240] x25: ffff1062bbac5c40 x24: 0000000000001000 [ 214.605277][ C240] x23: 000000000000000a x22: 0000000000000001 [ 214.611270][ C240] x21: 0000000000001000 x20: 0000000000000000 [ 214.617262][ C240] x19: ffff3062a41ae580 x18: 0000000000010000 [ 214.623255][ C240] x17: 0000000000000001 x16: ffffdb3a6efe5fc0 [ 214.629248][ C240] x15: ffffffffffffffff x14: 0000000003ffffff [ 214.635241][ C240] x13: 000000000000ffff x12: 000000000000029c [ 214.641234][ C240] x11: 0000000000000006 x10: ffff80003a9f7fd0 [ 214.647226][ C240] x9 : ffffdb3a6f0482fc x8 : 0000000000000001 [ 214.653219][ C240] x7 : 0000000000000002 x6 : 0000000000000080 [ 214.659212][ C240] x5 : ffff55480ee9b000 x4 : fffffde7f94c6554 [ 214.665205][ C240] x3 : 0000000000000002 x2 : 0000000000000020 [ 214.671198][ C240] x1 : 0000000000000021 x0 : ffff3062a41ae5b8 [ 214.677191][ C240] Call trace: [ 214.680320][ C240] fput_many+0x8c/0xdc [ 214.684230][ C240] fput+0x1c/0xf0 [ 214.687707][ C240] aio_complete_rw+0xd8/0x1fc [ 214.692225][ C240] blkdev_bio_end_io+0x98/0x140 [ 214.696917][ C240] bio_endio+0x160/0x1bc [ 214.701001][ C240] blk_update_request+0x1c8/0x3bc [ 214.705867][ C240] scsi_end_request+0x3c/0x1f0 [ 214.710471][ C240] scsi_io_completion+0x7c/0x1a0 [ 214.715249][ C240] scsi_finish_command+0x104/0x140 [ 214.720200][ C240] scsi_softirq_done+0x90/0x180 [ 214.724892][ C240] blk_mq_complete_request+0x5c/0x70 [ 214.730016][ C240] scsi_mq_done+0x48/0xac [ 214.734194][ C240] sas_scsi_task_done+0xbc/0x16c [libsas] [ 214.739758][ C240] slot_complete_v3_hw+0x260/0x760 [hisi_sas_v3_hw] [ 214.746185][ C240] cq_thread_v3_hw+0xbc/0x190 [hisi_sas_v3_hw] [ 214.752179][ C240] irq_thread_fn+0x34/0xa4 [ 214.756435][ C240] irq_thread+0xc4/0x130 [ 214.760520][ C240] kthread+0x108/0x13c [ 214.764430][ C240] ret_from_fork+0x10/0x18 This is because in the hisi_sas driver, both the hardware interrupt handler and the interrupt thread are executed on the same CPU. In the performance test scenario, function irq_wait_for_interrupt() will always return 0 if lots of interrupts occurs and the CPU will be continuously consumed. As a result, the CPU cannot run the watchdog thread. When the watchdog time exceeds the specified time, call trace occurs. To fix it, add cond_resched() to execute the watchdog thread. CVE-2024-56589 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet This fixes not checking if skb really contains an ACL header otherwise the code may attempt to access some uninitilized/invalid memory past the valid skb->data. CVE-2024-56590 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Call free_htab_elem() after htab_unlock_bucket() For htab of maps, when the map is removed from the htab, it may hold the last reference of the map. bpf_map_fd_put_ptr() will invoke bpf_map_free_id() to free the id of the removed map element. However, bpf_map_fd_put_ptr() is invoked while holding a bucket lock (raw_spin_lock_t), and bpf_map_free_id() attempts to acquire map_idr_lock (spinlock_t), triggering the following lockdep warning: ============================= [ BUG: Invalid wait context ] 6.11.0-rc4+ #49 Not tainted ----------------------------- test_maps/4881 is trying to lock: ffffffff84884578 (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.0+0x21/0x70 other info that might help us debug this: context-{5:5} 2 locks held by test_maps/4881: #0: ffffffff846caf60 (rcu_read_lock){....}-{1:3}, at: bpf_fd_htab_map_update_elem+0xf9/0x270 #1: ffff888149ced148 (&htab->lockdep_key#2){....}-{2:2}, at: htab_map_update_elem+0x178/0xa80 stack backtrace: CPU: 0 UID: 0 PID: 4881 Comm: test_maps Not tainted 6.11.0-rc4+ #49 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ... Call Trace: <TASK> dump_stack_lvl+0x6e/0xb0 dump_stack+0x10/0x20 __lock_acquire+0x73e/0x36c0 lock_acquire+0x182/0x450 _raw_spin_lock_irqsave+0x43/0x70 bpf_map_free_id.part.0+0x21/0x70 bpf_map_put+0xcf/0x110 bpf_map_fd_put_ptr+0x9a/0xb0 free_htab_elem+0x69/0xe0 htab_map_update_elem+0x50f/0xa80 bpf_fd_htab_map_update_elem+0x131/0x270 htab_map_update_elem+0x50f/0xa80 bpf_fd_htab_map_update_elem+0x131/0x270 bpf_map_update_value+0x266/0x380 __sys_bpf+0x21bb/0x36b0 __x64_sys_bpf+0x45/0x60 x64_sys_call+0x1b2a/0x20d0 do_syscall_64+0x5d/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e One way to fix the lockdep warning is using raw_spinlock_t for map_idr_lock as well. However, bpf_map_alloc_id() invokes idr_alloc_cyclic() after acquiring map_idr_lock, it will trigger a similar lockdep warning because the slab's lock (s->cpu_slab->lock) is still a spinlock. Instead of changing map_idr_lock's type, fix the issue by invoking htab_put_fd_value() after htab_unlock_bucket(). However, only deferring the invocation of htab_put_fd_value() is not enough, because the old map pointers in htab of maps can not be saved during batched deletion. Therefore, also defer the invocation of free_htab_elem(), so these to-be-freed elements could be linked together similar to lru map. There are four callers for ->map_fd_put_ptr: (1) alloc_htab_elem() (through htab_put_fd_value()) It invokes ->map_fd_put_ptr() under a raw_spinlock_t. The invocation of htab_put_fd_value() can not simply move after htab_unlock_bucket(), because the old element has already been stashed in htab->extra_elems. It may be reused immediately after htab_unlock_bucket() and the invocation of htab_put_fd_value() after htab_unlock_bucket() may release the newly-added element incorrectly. Therefore, saving the map pointer of the old element for htab of maps before unlocking the bucket and releasing the map_ptr after unlock. Beside the map pointer in the old element, should do the same thing for the special fields in the old element as well. (2) free_htab_elem() (through htab_put_fd_value()) Its caller includes __htab_map_lookup_and_delete_elem(), htab_map_delete_elem() and __htab_map_lookup_and_delete_batch(). For htab_map_delete_elem(), simply invoke free_htab_elem() after htab_unlock_bucket(). For __htab_map_lookup_and_delete_batch(), just like lru map, linking the to-be-freed element into node_to_free list and invoking free_htab_elem() for these element after unlock. It is safe to reuse batch_flink as the link for node_to_free, because these elements have been removed from the hash llist. Because htab of maps doesn't support lookup_and_delete operation, __htab_map_lookup_and_delete_elem() doesn't have the problem, so kept it as ---truncated--- CVE-2024-56592 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw() This patch fixes a NULL pointer dereference bug in brcmfmac that occurs when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs are sent from the pkt queue. The problem is the number of entries in the pre-allocated sgtable, it is nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. Given the default [rt]xglom_size=32 it's actually 35 which is too small. Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB is added for each original SKB if tailroom isn't enough to hold tail_pad. At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return NULL and this causes the oops. The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle the worst-case. Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 additional bytes of memory. CVE-2024-56593 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: set the right AMDGPU sg segment limitation The driver needs to set the correct max_segment_size; otherwise debug_dma_map_sg() will complain about the over-mapping of the AMDGPU sg length as following: WARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+0x2dc/0x370 [ 364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched drm_buddy drm_ttm_helper ttm(OE) drm_suballoc_helper drm_display_helper drm_kms_helper i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc amd_atl intel_rapl_msr intel_rapl_common sunrpc sch_fq_codel snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd binfmt_misc snd_hda_codec snd_pci_acp6x snd_hda_core snd_acp_config snd_hwdep snd_soc_acpi kvm_amd snd_pcm kvm snd_seq_midi snd_seq_midi_event crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_rawmidi sha256_ssse3 sha1_ssse3 aesni_intel snd_seq nls_iso8859_1 crypto_simd snd_seq_device cryptd snd_timer rapl input_leds snd [ 364.049532] ipmi_devintf wmi_bmof ccp serio_raw k10temp sp5100_tco soundcore ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii [ 364.049576] CPU: 6 PID: 1964 Comm: rocminfo Tainted: G OE 6.10.0-custom #492 [ 364.049579] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 [ 364.049582] RIP: 0010:debug_dma_map_sg+0x2dc/0x370 [ 364.049585] Code: 89 4d b8 e8 36 b1 86 00 8b 4d b8 48 8b 55 b0 44 8b 45 a8 4c 8b 4d a0 48 89 c6 48 c7 c7 00 4b 74 bc 4c 89 4d b8 e8 b4 73 f3 ff <0f> 0b 4c 8b 4d b8 8b 15 c8 2c b8 01 85 d2 0f 85 ee fd ff ff 8b 05 [ 364.049588] RSP: 0018:ffff9ca600b57ac0 EFLAGS: 00010286 [ 364.049590] RAX: 0000000000000000 RBX: ffff88b7c132b0c8 RCX: 0000000000000027 [ 364.049592] RDX: ffff88bb0f521688 RSI: 0000000000000001 RDI: ffff88bb0f521680 [ 364.049594] RBP: ffff9ca600b57b20 R08: 000000000000006f R09: ffff9ca600b57930 [ 364.049596] R10: ffff9ca600b57928 R11: ffffffffbcb46328 R12: 0000000000000000 [ 364.049597] R13: 0000000000000001 R14: ffff88b7c19c0700 R15: ffff88b7c9059800 [ 364.049599] FS: 00007fb2d3516e80(0000) GS:ffff88bb0f500000(0000) knlGS:0000000000000000 [ 364.049601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 364.049603] CR2: 000055610bd03598 CR3: 00000001049f6000 CR4: 0000000000350ef0 [ 364.049605] Call Trace: [ 364.049607] <TASK> [ 364.049609] ? show_regs+0x6d/0x80 [ 364.049614] ? __warn+0x8c/0x140 [ 364.049618] ? debug_dma_map_sg+0x2dc/0x370 [ 364.049621] ? report_bug+0x193/0x1a0 [ 364.049627] ? handle_bug+0x46/0x80 [ 364.049631] ? exc_invalid_op+0x1d/0x80 [ 364.049635] ? asm_exc_invalid_op+0x1f/0x30 [ 364.049642] ? debug_dma_map_sg+0x2dc/0x370 [ 364.049647] __dma_map_sg_attrs+0x90/0xe0 [ 364.049651] dma_map_sgtable+0x25/0x40 [ 364.049654] amdgpu_bo_move+0x59a/0x850 [amdgpu] [ 364.049935] ? srso_return_thunk+0x5/0x5f [ 364.049939] ? amdgpu_ttm_tt_populate+0x5d/0xc0 [amdgpu] [ 364.050095] ttm_bo_handle_move_mem+0xc3/0x180 [ttm] [ 364.050103] ttm_bo_validate+0xc1/0x160 [ttm] [ 364.050108] ? amdgpu_ttm_tt_get_user_pages+0xe5/0x1b0 [amdgpu] [ 364.050263] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0xa12/0xc90 [amdgpu] [ 364.050473] kfd_ioctl_alloc_memory_of_gpu+0x16b/0x3b0 [amdgpu] [ 364.050680] kfd_ioctl+0x3c2/0x530 [amdgpu] [ 364.050866] ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu] [ 364.05105 ---truncated--- CVE-2024-56594 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out. CVE-2024-56595 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in jfs_readdir The stbl might contain some invalid values. Added a check to return error code in that case. CVE-2024-56596 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix shift-out-of-bounds in dbSplit When dmt_budmin is less than zero, it causes errors in the later stages. Added a check to return an error beforehand in dbAllocCtl itself. CVE-2024-56597 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: array-index-out-of-bounds fix in dtReadFirst The value of stbl can be sometimes out of bounds due to a bad filesystem. Added a check with appopriate return of error code in that case. CVE-2024-56598 important In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: avoid NULL pointer error during sdio remove When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen: Call trace: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c This is because during 'rmmod ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON. After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen. Call trace: ath10k_sdio_remove ->ath10k_core_unregister ...... ->ath10k_core_stop ->ath10k_hif_stop ->ath10k_sdio_irq_disable ->ath10k_hif_power_down ->del_timer_sync(&ar_sdio->sleep_timer) ->ath10k_core_destroy ->ath10k_mac_destroy ->ieee80211_free_hw ->wiphy_free ...... ->wiphy_dev_release ->destroy_workqueue Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error path order in ath10k_sdio_probe(). No work will be queued on sdio workqueue between it is destroyed and ath10k_core_destroy() is called. Based on the call_stack above, the reason is: Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and ath10k_sdio_irq_disable() will queue work on sdio workqueue. Sleep timer will be deleted before ath10k_core_destroy() in ath10k_hif_power_down(). ath10k_sdio_irq_disable() only be called in ath10k_hif_stop(). ath10k_core_unregister() will call ath10k_hif_power_down() to stop hif bus, so ath10k_sdio_hif_tx_sg() won't be called anymore. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189 CVE-2024-56599 moderate Use of Hardware Page Aggregation (HPA) and Stage-1 and/or Stage-2 translation on Cortex-A77, Cortex-A78, Cortex-A78C, Cortex-A78AE, Cortex-A710, Cortex-X1, Cortex-X1C, Cortex-X2, Cortex-X3, Cortex-X4, Cortex-X925, Neoverse V1, Neoverse V2, Neoverse V3, Neoverse V3AE, Neoverse N2 may permit bypass of Stage-2 translation and/or GPT protection. CVE-2024-5660 moderate In the Linux kernel, the following vulnerability has been resolved: net: inet6: do not leave a dangling sk pointer in inet6_create() sock_init_data() attaches the allocated sk pointer to the provided sock object. If inet6_create() fails later, the sk object is released, but the sock object retains the dangling sk pointer, which may cause use-after-free later. Clear the sock sk pointer on error. CVE-2024-56600 important In the Linux kernel, the following vulnerability has been resolved: net: inet: do not leave a dangling sk pointer in inet_create() sock_init_data() attaches the allocated sk object to the provided sock object. If inet_create() fails later, the sk object is freed, but the sock object retains the dangling pointer, which may create use-after-free later. Clear the sk pointer in the sock object on error. CVE-2024-56601 important In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() sock_init_data() attaches the allocated sk object to the provided sock object. If ieee802154_create() fails later, the allocated sk object is freed, but the dangling pointer remains in the provided sock object, which may allow use-after-free. Clear the sk pointer in the sock object on error. CVE-2024-56602 important In the Linux kernel, the following vulnerability has been resolved: net: af_can: do not leave a dangling sk pointer in can_create() On error can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause use-after-free later. CVE-2024-56603 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() bt_sock_alloc() attaches allocated sk object to the provided sock object. If rfcomm_dlc_alloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause use-after-free. Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc(). CVE-2024-56604 important In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code. CVE-2024-56605 important In the Linux kernel, the following vulnerability has been resolved: af_packet: avoid erroring out after sock_init_data() in packet_create() After sock_init_data() the allocated sk object is attached to the provided sock object. On error, packet_create() frees the sk object leaving the dangling pointer in the sock object on return. Some other code may try to use this pointer and cause use-after-free. CVE-2024-56606 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask() When I try to manually set bitrates: iw wlan0 set bitrates legacy-2.4 1 I get sleeping from invalid context error, see below. Fix that by switching to use recently introduced ieee80211_iterate_stations_mtx(). Do note that WCN6855 firmware is still crashing, I'm not sure if that firmware even supports bitrate WMI commands and should we consider disabling ath12k_mac_op_set_bitrate_mask() for WCN6855? But that's for another patch. BUG: sleeping function called from invalid context at drivers/net/wireless/ath/ath12k/wmi.c:420 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 2236, name: iw preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 3 locks held by iw/2236: #0: ffffffffabc6f1d8 (cb_lock){++++}-{3:3}, at: genl_rcv+0x14/0x40 #1: ffff888138410810 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_pre_doit+0x54d/0x800 [cfg80211] #2: ffffffffab2cfaa0 (rcu_read_lock){....}-{1:2}, at: ieee80211_iterate_stations_atomic+0x2f/0x200 [mac80211] CPU: 3 UID: 0 PID: 2236 Comm: iw Not tainted 6.11.0-rc7-wt-ath+ #1772 Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 Call Trace: <TASK> dump_stack_lvl+0xa4/0xe0 dump_stack+0x10/0x20 __might_resched+0x363/0x5a0 ? __alloc_skb+0x165/0x340 __might_sleep+0xad/0x160 ath12k_wmi_cmd_send+0xb1/0x3d0 [ath12k] ? ath12k_wmi_init_wcn7850+0xa40/0xa40 [ath12k] ? __netdev_alloc_skb+0x45/0x7b0 ? __asan_memset+0x39/0x40 ? ath12k_wmi_alloc_skb+0xf0/0x150 [ath12k] ? reacquire_held_locks+0x4d0/0x4d0 ath12k_wmi_set_peer_param+0x340/0x5b0 [ath12k] ath12k_mac_disable_peer_fixed_rate+0xa3/0x110 [ath12k] ? ath12k_mac_vdev_stop+0x4f0/0x4f0 [ath12k] ieee80211_iterate_stations_atomic+0xd4/0x200 [mac80211] ath12k_mac_op_set_bitrate_mask+0x5d2/0x1080 [ath12k] ? ath12k_mac_vif_chan+0x320/0x320 [ath12k] drv_set_bitrate_mask+0x267/0x470 [mac80211] ieee80211_set_bitrate_mask+0x4cc/0x8a0 [mac80211] ? __this_cpu_preempt_check+0x13/0x20 nl80211_set_tx_bitrate_mask+0x2bc/0x530 [cfg80211] ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211] ? trace_contention_end+0xef/0x140 ? rtnl_unlock+0x9/0x10 ? nl80211_pre_doit+0x557/0x800 [cfg80211] genl_family_rcv_msg_doit+0x1f0/0x2e0 ? genl_family_rcv_msg_attrs_parse.isra.0+0x250/0x250 ? ns_capable+0x57/0xd0 genl_family_rcv_msg+0x34c/0x600 ? genl_family_rcv_msg_dumpit+0x310/0x310 ? __lock_acquire+0xc62/0x1de0 ? he_set_mcs_mask.isra.0+0x8d0/0x8d0 [cfg80211] ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211] ? cfg80211_external_auth_request+0x690/0x690 [cfg80211] genl_rcv_msg+0xa0/0x130 netlink_rcv_skb+0x14c/0x400 ? genl_family_rcv_msg+0x600/0x600 ? netlink_ack+0xd70/0xd70 ? rwsem_optimistic_spin+0x4f0/0x4f0 ? genl_rcv+0x14/0x40 ? down_read_killable+0x580/0x580 ? netlink_deliver_tap+0x13e/0x350 ? __this_cpu_preempt_check+0x13/0x20 genl_rcv+0x23/0x40 netlink_unicast+0x45e/0x790 ? netlink_attachskb+0x7f0/0x7f0 netlink_sendmsg+0x7eb/0xdb0 ? netlink_unicast+0x790/0x790 ? __this_cpu_preempt_check+0x13/0x20 ? selinux_socket_sendmsg+0x31/0x40 ? netlink_unicast+0x790/0x790 __sock_sendmsg+0xc9/0x160 ____sys_sendmsg+0x620/0x990 ? kernel_sendmsg+0x30/0x30 ? __copy_msghdr+0x410/0x410 ? __kasan_check_read+0x11/0x20 ? mark_lock+0xe6/0x1470 ___sys_sendmsg+0xe9/0x170 ? copy_msghdr_from_user+0x120/0x120 ? __lock_acquire+0xc62/0x1de0 ? do_fault_around+0x2c6/0x4e0 ? do_user_addr_fault+0x8c1/0xde0 ? reacquire_held_locks+0x220/0x4d0 ? do_user_addr_fault+0x8c1/0xde0 ? __kasan_check_read+0x11/0x20 ? __fdget+0x4e/0x1d0 ? sockfd_lookup_light+0x1a/0x170 __sys_sendmsg+0xd2/0x180 ? __sys_sendmsg_sock+0x20/0x20 ? reacquire_held_locks+0x4d0/0x4d0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_sendmsg+0x72/0xb0 ? lockdep_hardirqs_on+0x7d/0x100 x64_sys_call+0x894/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_ ---truncated--- CVE-2024-56607 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' An issue was identified in the dcn21_link_encoder_create function where an out-of-bounds access could occur when the hpd_source index was used to reference the link_enc_hpd_regs array. This array has a fixed size and the index was not being checked against the array's bounds before accessing it. This fix adds a conditional check to ensure that the hpd_source index is within the valid range of the link_enc_hpd_regs array. If the index is out of bounds, the function now returns NULL to prevent undefined behavior. References: [ 65.920507] ------------[ cut here ]------------ [ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29 [ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]' [ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13 [ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020 [ 65.920527] Call Trace: [ 65.920529] <TASK> [ 65.920532] dump_stack_lvl+0x48/0x70 [ 65.920541] dump_stack+0x10/0x20 [ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0 [ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu] [ 65.921009] link_create+0x6d3/0xed0 [amdgpu] [ 65.921355] create_links+0x18a/0x4e0 [amdgpu] [ 65.921679] dc_create+0x360/0x720 [amdgpu] [ 65.921999] ? dmi_matches+0xa0/0x220 [ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu] [ 65.922342] ? console_unlock+0x77/0x120 [ 65.922348] ? dev_printk_emit+0x86/0xb0 [ 65.922354] dm_hw_init+0x15/0x40 [amdgpu] [ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu] [ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu] [ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu] [ 65.923087] local_pci_probe+0x4b/0xb0 [ 65.923087] pci_device_probe+0xc8/0x280 [ 65.923087] really_probe+0x187/0x300 [ 65.923087] __driver_probe_device+0x85/0x130 [ 65.923087] driver_probe_device+0x24/0x110 [ 65.923087] __driver_attach+0xac/0x1d0 [ 65.923087] ? __pfx___driver_attach+0x10/0x10 [ 65.923087] bus_for_each_dev+0x7d/0xd0 [ 65.923087] driver_attach+0x1e/0x30 [ 65.923087] bus_add_driver+0xf2/0x200 [ 65.923087] driver_register+0x64/0x130 [ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu] [ 65.923087] __pci_register_driver+0x61/0x70 [ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu] [ 65.923087] do_one_initcall+0x49/0x310 [ 65.923087] ? kmalloc_trace+0x136/0x360 [ 65.923087] do_init_module+0x6a/0x270 [ 65.923087] load_module+0x1fce/0x23a0 [ 65.923087] init_module_from_file+0x9c/0xe0 [ 65.923087] ? init_module_from_file+0x9c/0xe0 [ 65.923087] idempotent_init_module+0x179/0x230 [ 65.923087] __x64_sys_finit_module+0x5d/0xa0 [ 65.923087] do_syscall_64+0x76/0x120 [ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ 65.923087] RIP: 0033:0x7f2d80f1e88d [ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48 [ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d [ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f [ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002 [ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480 [ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0 [ 65.923087] </TASK> [ 65.923927] ---[ end trace ]--- CVE-2024-56608 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb When removing kernel modules by: rmmod rtw88_8723cs rtw88_8703b rtw88_8723x rtw88_sdio rtw88_core Driver uses skb_queue_purge() to purge TX skb, but not report tx status causing "Have pending ack frames!" warning. Use ieee80211_purge_tx_queue() to correct this. Since ieee80211_purge_tx_queue() doesn't take locks, to prevent racing between TX work and purge TX queue, flush and destroy TX work in advance. wlan0: deauthenticating from aa:f5:fd:60:4c:a8 by local choice (Reason: 3=DEAUTH_LEAVING) ------------[ cut here ]------------ Have pending ack frames! WARNING: CPU: 3 PID: 9232 at net/mac80211/main.c:1691 ieee80211_free_ack_frame+0x5c/0x90 [mac80211] CPU: 3 PID: 9232 Comm: rmmod Tainted: G C 6.10.1-200.fc40.aarch64 #1 Hardware name: pine64 Pine64 PinePhone Braveheart (1.1)/Pine64 PinePhone Braveheart (1.1), BIOS 2024.01 01/01/2024 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ieee80211_free_ack_frame+0x5c/0x90 [mac80211] lr : ieee80211_free_ack_frame+0x5c/0x90 [mac80211] sp : ffff80008c1b37b0 x29: ffff80008c1b37b0 x28: ffff000003be8000 x27: 0000000000000000 x26: 0000000000000000 x25: ffff000003dc14b8 x24: ffff80008c1b37d0 x23: ffff000000ff9f80 x22: 0000000000000000 x21: 000000007fffffff x20: ffff80007c7e93d8 x19: ffff00006e66f400 x18: 0000000000000000 x17: ffff7ffffd2b3000 x16: ffff800083fc0000 x15: 0000000000000000 x14: 0000000000000000 x13: 2173656d61726620 x12: 6b636120676e6964 x11: 0000000000000000 x10: 000000000000005d x9 : ffff8000802af2b0 x8 : ffff80008c1b3430 x7 : 0000000000000001 x6 : 0000000000000001 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000003be8000 Call trace: ieee80211_free_ack_frame+0x5c/0x90 [mac80211] idr_for_each+0x74/0x110 ieee80211_free_hw+0x44/0xe8 [mac80211] rtw_sdio_remove+0x9c/0xc0 [rtw88_sdio] sdio_bus_remove+0x44/0x180 device_remove+0x54/0x90 device_release_driver_internal+0x1d4/0x238 driver_detach+0x54/0xc0 bus_remove_driver+0x78/0x108 driver_unregister+0x38/0x78 sdio_unregister_driver+0x2c/0x40 rtw_8723cs_driver_exit+0x18/0x1000 [rtw88_8723cs] __do_sys_delete_module.isra.0+0x190/0x338 __arm64_sys_delete_module+0x1c/0x30 invoke_syscall+0x74/0x100 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x158 el0t_64_sync_handler+0x120/0x138 el0t_64_sync+0x194/0x198 ---[ end trace 0000000000000000 ]--- CVE-2024-56609 moderate In the Linux kernel, the following vulnerability has been resolved: kcsan: Turn report_filterlist_lock into a raw_spinlock Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see splats like: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 10002, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 156674 | hardirqs last enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240 | hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0 | softirqs last enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60 | softirqs last disabled at (0): [<0000000000000000>] 0x0 | Preemption disabled at: | [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90 | CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 | Call Trace: | <IRQ> | dump_stack_lvl+0x7e/0xc0 | dump_stack+0x1d/0x30 | __might_resched+0x1a2/0x270 | rt_spin_lock+0x68/0x170 | kcsan_skip_report_debugfs+0x43/0xe0 | print_report+0xb5/0x590 | kcsan_report_known_origin+0x1b1/0x1d0 | kcsan_setup_watchpoint+0x348/0x650 | __tsan_unaligned_write1+0x16d/0x1d0 | hrtimer_interrupt+0x3d6/0x430 | __sysvec_apic_timer_interrupt+0xe8/0x3a0 | sysvec_apic_timer_interrupt+0x97/0xc0 | </IRQ> On a detected data race, KCSAN's reporting logic checks if it should filter the report. That list is protected by the report_filterlist_lock *non-raw* spinlock which may sleep on RT kernels. Since KCSAN may report data races in any context, convert it to a raw_spinlock. This requires being careful about when to allocate memory for the filter list itself which can be done via KCSAN's debugfs interface. Concurrent modification of the filter list via debugfs should be rare: the chosen strategy is to optimistically pre-allocate memory before the critical section and discard if unused. CVE-2024-56610 moderate In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM We currently assume that there is at least one VMA in a MM, which isn't true. So we might end up having find_vma() return NULL, to then de-reference NULL. So properly handle find_vma() returning NULL. This fixes the report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline] RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194 Code: ... RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000 RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044 RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1 R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003 R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8 FS: 00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709 __do_sys_migrate_pages mm/mempolicy.c:1727 [inline] __se_sys_migrate_pages mm/mempolicy.c:1723 [inline] __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [akpm@linux-foundation.org: add unlikely()] CVE-2024-56611 moderate In the Linux kernel, the following vulnerability has been resolved: xsk: fix OOB map writes when deleting elements Jordy says: " In the xsk_map_delete_elem function an unsigned integer (map->max_entries) is compared with a user-controlled signed integer (k). Due to implicit type conversion, a large unsigned value for map->max_entries can bypass the intended bounds check: if (k >= map->max_entries) return -EINVAL; This allows k to hold a negative value (between -2147483648 and -2), which is then used as an array index in m->xsk_map[k], which results in an out-of-bounds access. spin_lock_bh(&m->lock); map_entry = &m->xsk_map[k]; // Out-of-bounds map_entry old_xs = unrcu_pointer(xchg(map_entry, NULL)); // Oob write if (old_xs) xsk_map_sock_delete(old_xs, map_entry); spin_unlock_bh(&m->lock); The xchg operation can then be used to cause an out-of-bounds write. Moreover, the invalid map_entry passed to xsk_map_sock_delete can lead to further memory corruption. " It indeed results in following splat: [76612.897343] BUG: unable to handle page fault for address: ffffc8fc2e461108 [76612.904330] #PF: supervisor write access in kernel mode [76612.909639] #PF: error_code(0x0002) - not-present page [76612.914855] PGD 0 P4D 0 [76612.917431] Oops: Oops: 0002 [#1] PREEMPT SMP [76612.921859] CPU: 11 UID: 0 PID: 10318 Comm: a.out Not tainted 6.12.0-rc1+ #470 [76612.929189] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [76612.939781] RIP: 0010:xsk_map_delete_elem+0x2d/0x60 [76612.944738] Code: 00 00 41 54 55 53 48 63 2e 3b 6f 24 73 38 4c 8d a7 f8 00 00 00 48 89 fb 4c 89 e7 e8 2d bf 05 00 48 8d b4 eb 00 01 00 00 31 ff <48> 87 3e 48 85 ff 74 05 e8 16 ff ff ff 4c 89 e7 e8 3e bc 05 00 31 [76612.963774] RSP: 0018:ffffc9002e407df8 EFLAGS: 00010246 [76612.969079] RAX: 0000000000000000 RBX: ffffc9002e461000 RCX: 0000000000000000 [76612.976323] RDX: 0000000000000001 RSI: ffffc8fc2e461108 RDI: 0000000000000000 [76612.983569] RBP: ffffffff80000001 R08: 0000000000000000 R09: 0000000000000007 [76612.990812] R10: ffffc9002e407e18 R11: ffff888108a38858 R12: ffffc9002e4610f8 [76612.998060] R13: ffff888108a38858 R14: 00007ffd1ae0ac78 R15: ffffc9002e4610c0 [76613.005303] FS: 00007f80b6f59740(0000) GS:ffff8897e0ec0000(0000) knlGS:0000000000000000 [76613.013517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [76613.019349] CR2: ffffc8fc2e461108 CR3: 000000011e3ef001 CR4: 00000000007726f0 [76613.026595] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [76613.033841] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [76613.041086] PKRU: 55555554 [76613.043842] Call Trace: [76613.046331] <TASK> [76613.048468] ? __die+0x20/0x60 [76613.051581] ? page_fault_oops+0x15a/0x450 [76613.055747] ? search_extable+0x22/0x30 [76613.059649] ? search_bpf_extables+0x5f/0x80 [76613.063988] ? exc_page_fault+0xa9/0x140 [76613.067975] ? asm_exc_page_fault+0x22/0x30 [76613.072229] ? xsk_map_delete_elem+0x2d/0x60 [76613.076573] ? xsk_map_delete_elem+0x23/0x60 [76613.080914] __sys_bpf+0x19b7/0x23c0 [76613.084555] __x64_sys_bpf+0x1a/0x20 [76613.088194] do_syscall_64+0x37/0xb0 [76613.091832] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [76613.096962] RIP: 0033:0x7f80b6d1e88d [76613.100592] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48 [76613.119631] RSP: 002b:00007ffd1ae0ac68 EFLAGS: 00000206 ORIG_RAX: 0000000000000141 [76613.131330] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f80b6d1e88d [76613.142632] RDX: 0000000000000098 RSI: 00007ffd1ae0ad20 RDI: 0000000000000003 [76613.153967] RBP: 00007ffd1ae0adc0 R08: 0000000000000000 R09: 0000000000000000 [76613.166030] R10: 00007f80b6f77040 R11: 0000000000000206 R12: 00007ffd1ae0aed8 [76613.177130] R13: 000055ddf42ce1e9 R14: 000055ddf42d0d98 R15: 00 ---truncated--- CVE-2024-56614 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: fix OOB devmap writes when deleting elements Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the OOB writes. Fix is simple as changing the type from int to u32, however, when compared to XSKMAP case, one more thing needs to be addressed. When map is released from system via dev_map_free(), we iterate through all of the entries and an iterator variable is also an int, which implies OOB accesses. Again, change it to be u32. Example splat below: [ 160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000 [ 160.731662] #PF: supervisor read access in kernel mode [ 160.736876] #PF: error_code(0x0000) - not-present page [ 160.742095] PGD 0 P4D 0 [ 160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP [ 160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487 [ 160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 160.767642] Workqueue: events_unbound bpf_map_free_deferred [ 160.773308] RIP: 0010:dev_map_free+0x77/0x170 [ 160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff [ 160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202 [ 160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024 [ 160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000 [ 160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001 [ 160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122 [ 160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000 [ 160.838310] FS: 0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000 [ 160.846528] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0 [ 160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 160.874092] PKRU: 55555554 [ 160.876847] Call Trace: [ 160.879338] <TASK> [ 160.881477] ? __die+0x20/0x60 [ 160.884586] ? page_fault_oops+0x15a/0x450 [ 160.888746] ? search_extable+0x22/0x30 [ 160.892647] ? search_bpf_extables+0x5f/0x80 [ 160.896988] ? exc_page_fault+0xa9/0x140 [ 160.900973] ? asm_exc_page_fault+0x22/0x30 [ 160.905232] ? dev_map_free+0x77/0x170 [ 160.909043] ? dev_map_free+0x58/0x170 [ 160.912857] bpf_map_free_deferred+0x51/0x90 [ 160.917196] process_one_work+0x142/0x370 [ 160.921272] worker_thread+0x29e/0x3b0 [ 160.925082] ? rescuer_thread+0x4b0/0x4b0 [ 160.929157] kthread+0xd4/0x110 [ 160.932355] ? kthread_park+0x80/0x80 [ 160.936079] ret_from_fork+0x2d/0x50 [ 160.943396] ? kthread_park+0x80/0x80 [ 160.950803] ret_from_fork_asm+0x11/0x20 [ 160.958482] </TASK> CVE-2024-56615 moderate In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Fix MST sideband message body length check Fix the MST sideband message body length check, which must be at least 1 byte accounting for the message body CRC (aka message data CRC) at the end of the message. This fixes a case where an MST branch device returns a header with a correct header CRC (indicating a correctly received body length), with the body length being incorrectly set to 0. This will later lead to a memory corruption in drm_dp_sideband_append_payload() and the following errors in dmesg: UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25 index -1 is out of range for type 'u8 [48]' Call Trace: drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper] memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256) Call Trace: drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper] CVE-2024-56616 moderate In the Linux kernel, the following vulnerability has been resolved: cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU Commit 5944ce092b97 ("arch_topology: Build cacheinfo from primary CPU") adds functionality that architectures can use to optionally allocate and build cacheinfo early during boot. Commit 6539cffa9495 ("cacheinfo: Add arch specific early level initializer") lets secondary CPUs correct (and reallocate memory) cacheinfo data if needed. If the early build functionality is not used and cacheinfo does not need correction, memory for cacheinfo is never allocated. x86 does not use the early build functionality. Consequently, during the cacheinfo CPU hotplug callback, last_level_cache_is_valid() attempts to dereference a NULL pointer: BUG: kernel NULL pointer dereference, address: 0000000000000100 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not present page PGD 0 P4D 0 Oops: 0000 [#1] PREEPMT SMP NOPTI CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1 RIP: 0010: last_level_cache_is_valid+0x95/0xe0a Allocate memory for cacheinfo during the cacheinfo CPU hotplug callback if not done earlier. Moreover, before determining the validity of the last-level cache info, ensure that it has been allocated. Simply checking for non-zero cache_leaves() is not sufficient, as some architectures (e.g., Intel processors) have non-zero cache_leaves() before allocation. Dereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size(). This function iterates over all online CPUs. However, a CPU may have come online recently, but its cacheinfo may not have been allocated yet. While here, remove an unnecessary indentation in allocate_cache_info(). [ bp: Massage. ] CVE-2024-56617 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is enabled. This is because nilfs_last_byte(), which is called by nilfs_find_entry() and others to calculate the number of valid bytes of directory data in a page from i_size and the page index, loses the upper 32 bits of the 64-bit size information due to an inappropriate type of local variable to which the i_size value is assigned. This caused a large byte offset value due to underflow in the end address calculation in the calling nilfs_find_entry(), resulting in memory access that exceeds the folio/page size. Fix this issue by changing the type of the local variable causing the bit loss from "unsigned int" to "u64". The return value of nilfs_last_byte() is also of type "unsigned int", but it is truncated so as not to exceed PAGE_SIZE and no bit loss occurs, so no change is required. CVE-2024-56619 important In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: qcom: Only free platform MSIs when ESI is enabled Otherwise, it will result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Call trace: mutex_lock+0xc/0x54 platform_device_msi_free_irqs_all+0x14/0x20 ufs_qcom_remove+0x34/0x48 [ufs_qcom] platform_remove+0x28/0x44 device_remove+0x4c/0x80 device_release_driver_internal+0xd8/0x178 driver_detach+0x50/0x9c bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom] __arm64_sys_delete_module+0x180/0x260 invoke_syscall+0x44/0x100 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xdc el0t_64_sync_handler+0xc0/0xc4 el0t_64_sync+0x190/0x194 CVE-2024-56620 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: sysfs: Prevent div by zero Prevent a division by 0 when monitoring is not enabled. CVE-2024-56622 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix use after free on unload System crash is observed with stack trace warning of use after free. There are 2 signals to tell dpc_thread to terminate (UNLOADING flag and kthread_stop). On setting the UNLOADING flag when dpc_thread happens to run at the time and sees the flag, this causes dpc_thread to exit and clean up itself. When kthread_stop is called for final cleanup, this causes use after free. Remove UNLOADING signal to terminate dpc_thread. Use the kthread_stop as the main signal to exit dpc_thread. [596663.812935] kernel BUG at mm/slub.c:294! [596663.812950] invalid opcode: 0000 [#1] SMP PTI [596663.812957] CPU: 13 PID: 1475935 Comm: rmmod Kdump: loaded Tainted: G IOE --------- - - 4.18.0-240.el8.x86_64 #1 [596663.812960] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012 [596663.812974] RIP: 0010:__slab_free+0x17d/0x360 ... [596663.813008] Call Trace: [596663.813022] ? __dentry_kill+0x121/0x170 [596663.813030] ? _cond_resched+0x15/0x30 [596663.813034] ? _cond_resched+0x15/0x30 [596663.813039] ? wait_for_completion+0x35/0x190 [596663.813048] ? try_to_wake_up+0x63/0x540 [596663.813055] free_task+0x5a/0x60 [596663.813061] kthread_stop+0xf3/0x100 [596663.813103] qla2x00_remove_one+0x284/0x440 [qla2xxx] CVE-2024-56623 important In the Linux kernel, the following vulnerability has been resolved: can: dev: can_set_termination(): allow sleeping GPIOs In commit 6e86a1543c37 ("can: dev: provide optional GPIO based termination support") GPIO based termination support was added. For no particular reason that patch uses gpiod_set_value() to set the GPIO. This leads to the following warning, if the systems uses a sleeping GPIO, i.e. behind an I2C port expander: | WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c | CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1 823affae360cc91126e4d316d7a614a8bf86236c Replace gpiod_set_value() by gpiod_set_value_cansleep() to allow the use of sleeping GPIOs. CVE-2024-56625 moderate In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix when get product name maybe null pointer Due to incorrect dev->product reporting by certain devices, null pointer dereferences occur when dev->product is empty, leading to potential system crashes. This issue was found on EXCELSIOR DL37-D05 device with Loongson-LS3A6000-7A2000-DL37 motherboard. Kernel logs: [ 56.470885] usb 4-3: new full-speed USB device number 4 using ohci-pci [ 56.671638] usb 4-3: string descriptor 0 read error: -22 [ 56.671644] usb 4-3: New USB device found, idVendor=056a, idProduct=0374, bcdDevice= 1.07 [ 56.671647] usb 4-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 56.678839] hid-generic 0003:056A:0374.0004: hiddev0,hidraw3: USB HID v1.10 Device [HID 056a:0374] on usb-0000:00:05.0-3/input0 [ 56.697719] CPU 2 Unable to handle kernel paging request at virtual address 0000000000000000, era == 90000000066e35c8, ra == ffff800004f98a80 [ 56.697732] Oops[#1]: [ 56.697734] CPU: 2 PID: 2742 Comm: (udev-worker) Tainted: G OE 6.6.0-loong64-desktop #25.00.2000.015 [ 56.697737] Hardware name: Inspur CE520L2/C09901N000000000, BIOS 2.09.00 10/11/2024 [ 56.697739] pc 90000000066e35c8 ra ffff800004f98a80 tp 9000000125478000 sp 900000012547b8a0 [ 56.697741] a0 0000000000000000 a1 ffff800004818b28 a2 0000000000000000 a3 0000000000000000 [ 56.697743] a4 900000012547b8f0 a5 0000000000000000 a6 0000000000000000 a7 0000000000000000 [ 56.697745] t0 ffff800004818b2d t1 0000000000000000 t2 0000000000000003 t3 0000000000000005 [ 56.697747] t4 0000000000000000 t5 0000000000000000 t6 0000000000000000 t7 0000000000000000 [ 56.697748] t8 0000000000000000 u0 0000000000000000 s9 0000000000000000 s0 900000011aa48028 [ 56.697750] s1 0000000000000000 s2 0000000000000000 s3 ffff800004818e80 s4 ffff800004810000 [ 56.697751] s5 90000001000b98d0 s6 ffff800004811f88 s7 ffff800005470440 s8 0000000000000000 [ 56.697753] ra: ffff800004f98a80 wacom_update_name+0xe0/0x300 [wacom] [ 56.697802] ERA: 90000000066e35c8 strstr+0x28/0x120 [ 56.697806] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 56.697816] PRMD: 0000000c (PPLV0 +PIE +PWE) [ 56.697821] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 56.697827] ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) [ 56.697831] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 56.697835] BADV: 0000000000000000 [ 56.697836] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000) [ 56.697838] Modules linked in: wacom(+) bnep bluetooth rfkill qrtr nls_iso8859_1 nls_cp437 snd_hda_codec_conexant snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore input_leds mousedev led_class joydev deepin_netmonitor(OE) fuse nfnetlink dmi_sysfs ip_tables x_tables overlay amdgpu amdxcp drm_exec gpu_sched drm_buddy radeon drm_suballoc_helper i2c_algo_bit drm_ttm_helper r8169 ttm drm_display_helper spi_loongson_pci xhci_pci cec xhci_pci_renesas spi_loongson_core hid_generic realtek gpio_loongson_64bit [ 56.697887] Process (udev-worker) (pid: 2742, threadinfo=00000000aee0d8b4, task=00000000a9eff1f3) [ 56.697890] Stack : 0000000000000000 ffff800004817e00 0000000000000000 0000251c00000000 [ 56.697896] 0000000000000000 00000011fffffffd 0000000000000000 0000000000000000 [ 56.697901] 0000000000000000 1b67a968695184b9 0000000000000000 90000001000b98d0 [ 56.697906] 90000001000bb8d0 900000011aa48028 0000000000000000 ffff800004f9d74c [ 56.697911] 90000001000ba000 ffff800004f9ce58 0000000000000000 ffff800005470440 [ 56.697916] ffff800004811f88 90000001000b98d0 9000000100da2aa8 90000001000bb8d0 [ 56.697921] 0000000000000000 90000001000ba000 900000011aa48028 ffff800004f9d74c [ 56.697926] ffff8000054704e8 90000001000bb8b8 90000001000ba000 0000000000000000 [ 56.697931] 90000001000bb8d0 ---truncated--- CVE-2024-56629 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: free inode when ocfs2_get_init_inode() fails syzbot is reporting busy inodes after unmount, for commit 9c89fe0af826 ("ocfs2: Handle error from dquot_initialize()") forgot to call iput() when new_inode() succeeded and dquot_initialize() failed. CVE-2024-56630 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Fix slab-use-after-free read in sg_release() Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838 __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407 In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is called before releasing the open_rel_lock mutex. The kref_put() call may decrement the reference count of sfp to zero, triggering its cleanup through sg_remove_sfp(). This cleanup includes scheduling deferred work via sg_remove_sfp_usercontext(), which ultimately frees sfp. After kref_put(), sg_release() continues to unlock open_rel_lock and may reference sfp or sdp. If sfp has already been freed, this results in a slab-use-after-free error. Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the open_rel_lock mutex. This ensures: - No references to sfp or sdp occur after the reference count is decremented. - Cleanup functions such as sg_remove_sfp() and sg_remove_sfp_usercontext() can safely execute without impacting the mutex handling in sg_release(). The fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures proper sequencing of resource cleanup and mutex operations, eliminating the risk of use-after-free errors in sg_release(). CVE-2024-56631 important In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix the memleak while create new ctrl failed Now while we create new ctrl failed, we have not free the tagset occupied by admin_q, here try to fix it. CVE-2024-56632 moderate In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging tosend bytes, which is either msg->sg.size or a smaller value apply_bytes. Potential problems with this strategy are as follows: - If the actual sent bytes are smaller than tosend, we need to charge some bytes back, as in line 487, which is okay but seems not clean. - When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may miss uncharging (msg->sg.size - apply_bytes) bytes. [...] 415 tosend = msg->sg.size; 416 if (psock->apply_bytes && psock->apply_bytes < tosend) 417 tosend = psock->apply_bytes; [...] 443 sk_msg_return(sk, msg, tosend); 444 release_sock(sk); 446 origsize = msg->sg.size; 447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress, 448 msg, tosend, flags); 449 sent = origsize - msg->sg.size; [...] 454 lock_sock(sk); 455 if (unlikely(ret < 0)) { 456 int free = sk_msg_free_nocharge(sk, msg); 458 if (!cork) 459 *copied -= free; 460 } [...] 487 if (eval == __SK_REDIRECT) 488 sk_mem_charge(sk, tosend - sent); [...] When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply, the following warning will be reported: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0 Modules linked in: CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events sk_psock_destroy RIP: 0010:inet_sock_destruct+0x190/0x1a0 RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206 RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800 RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900 RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0 R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400 R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100 FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x89/0x130 ? inet_sock_destruct+0x190/0x1a0 ? report_bug+0xfc/0x1e0 ? handle_bug+0x5c/0xa0 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x190/0x1a0 __sk_destruct+0x25/0x220 sk_psock_destroy+0x2b2/0x310 process_scheduled_works+0xa3/0x3e0 worker_thread+0x117/0x240 ? __pfx_worker_thread+0x10/0x10 kthread+0xcf/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- In __SK_REDIRECT, a more concise way is delaying the uncharging after sent bytes are finalized, and uncharge this value. When (ret < 0), we shall invoke sk_msg_free. Same thing happens in case __SK_DROP, when tosend is set to apply_bytes, we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same warning will be reported in selftest. [...] 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); 473 return -EACCES; [...] So instead of sk_msg_free_partial we can do sk_msg_free here. CVE-2024-56633 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: grgpio: Add NULL check in grgpio_probe devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. CVE-2024-56634 moderate In the Linux kernel, the following vulnerability has been resolved: net: avoid potential UAF in default_operstate() syzbot reported an UAF in default_operstate() [1] Issue is a race between device and netns dismantles. After calling __rtnl_unlock() from netdev_run_todo(), we can not assume the netns of each device is still alive. Make sure the device is not in NETREG_UNREGISTERED state, and add an ASSERT_RTNL() before the call to __dev_get_by_index(). We might move this ASSERT_RTNL() in __dev_get_by_index() in the future. [1] BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339 CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 default_operstate net/core/link_watch.c:51 [inline] rfc2863_policy+0x224/0x300 net/core/link_watch.c:67 linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170 netdev_run_todo+0x461/0x1000 net/core/dev.c:10894 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock include/linux/rtnetlink.h:133 [inline] rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2a3cb80809 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008 RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8 </TASK> Allocated by task 5339: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kmalloc_array_noprof include/linux/slab.h:945 [inline] netdev_create_hash net/core/dev.c:11870 [inline] netdev_init+0x10c/0x250 net/core/dev.c:11890 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3314 __do_sys_unshare kernel/fork.c:3385 [inline] __se_sys_unshare kernel/fork.c:3383 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x8 ---truncated--- CVE-2024-56635 moderate In the Linux kernel, the following vulnerability has been resolved: geneve: do not assume mac header is set in geneve_xmit_skb() We should not assume mac header is set in output path. Use skb_eth_hdr() instead of eth_hdr() to fix the issue. sysbot reported the following : WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039 Modules linked in: CPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline] RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline] RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline] RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039 Code: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 <0f> 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff RSP: 0018:ffffc90003b2f870 EFLAGS: 00010283 RAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000 RDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003 RBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000 R13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23 FS: 00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490 dev_direct_xmit include/linux/netdevice.h:3181 [inline] packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285 packet_snd net/packet/af_packet.c:3146 [inline] packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x488/0x4f0 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-56636 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: Hold module reference while requesting a module User space may unload ip_set.ko while it is itself requesting a set type backend module, leading to a kernel crash. The race condition may be provoked by inserting an mdelay() right after the nfnl_unlock() call. CVE-2024-56637 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: incorrect percpu area handling under softirq Softirq can interrupt ongoing packet from process context that is walking over the percpu area that contains inner header offsets. Disable bh and perform three checks before restoring the percpu inner header offsets to validate that the percpu area is valid for this skbuff: 1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff has already been parsed before for inner header fetching to register. 2) Validate that the percpu area refers to this skbuff using the skbuff pointer as a cookie. If there is a cookie mismatch, then this skbuff needs to be parsed again. 3) Finally, validate if the percpu area refers to this tunnel type. Only after these three checks the percpu area is restored to a on-stack copy and bh is enabled again. After inner header fetching, the on-stack copy is stored back to the percpu area. CVE-2024-56638 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: fix LGR and link use-after-free issue We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 __smc_lgr_terminate.part.45+0x2a8/0x370 [smc] smc_lgr_terminate_work+0x28/0x30 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 or refcount_t: underflow; use-after-free. WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140 Workqueue: smc_hs_wq smc_listen_work [smc] Call trace: refcount_warn_saturate+0xf0/0x140 smcr_link_put+0x1cc/0x1d8 [smc] smc_conn_free+0x110/0x1b0 [smc] smc_conn_abort+0x50/0x60 [smc] smc_listen_find_device+0x75c/0x790 [smc] smc_listen_work+0x368/0x8a0 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock. e.g. Calls under socklock | smc_listen_work ------------------------------------------------------- lock_sock(sk) | smc_conn_abort smc_conn_free | \- smc_conn_free \- smcr_link_put | \- smcr_link_put (duplicated) release_sock(sk) So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations. CVE-2024-56640 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: initialize close_work early to avoid warning We encountered a warning that close_work was canceled before initialization. WARNING: CPU: 7 PID: 111103 at kernel/workqueue.c:3047 __flush_work+0x19e/0x1b0 Workqueue: events smc_lgr_terminate_work [smc] RIP: 0010:__flush_work+0x19e/0x1b0 Call Trace: ? __wake_up_common+0x7a/0x190 ? work_busy+0x80/0x80 __cancel_work_timer+0xe3/0x160 smc_close_cancel_work+0x1a/0x70 [smc] smc_close_active_abort+0x207/0x360 [smc] __smc_lgr_terminate.part.38+0xc8/0x180 [smc] process_one_work+0x19e/0x340 worker_thread+0x30/0x370 ? process_one_work+0x340/0x340 kthread+0x117/0x130 ? __kthread_cancel_work+0x50/0x50 ret_from_fork+0x22/0x30 This is because when smc_close_cancel_work is triggered, e.g. the RDMA driver is rmmod and the LGR is terminated, the conn->close_work is flushed before initialization, resulting in WARN_ON(!work->func). __smc_lgr_terminate | smc_connect_{rdma|ism} ------------------------------------------------------------- | smc_conn_create | \- smc_lgr_register_conn for conn in lgr->conns_all | \- smc_conn_kill | \- smc_close_active_abort | \- smc_close_cancel_work | \- cancel_work_sync | \- __flush_work | (close_work) | | smc_close_init | \- INIT_WORK(&close_work) So fix this by initializing close_work before establishing the connection. CVE-2024-56641 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free of kernel socket in cleanup_bearer(). syzkaller reported a use-after-free of UDP kernel socket in cleanup_bearer() without repro. [0][1] When bearer_disable() calls tipc_udp_disable(), cleanup of the UDP kernel socket is deferred by work calling cleanup_bearer(). tipc_exit_net() waits for such works to finish by checking tipc_net(net)->wq_count. However, the work decrements the count too early before releasing the kernel socket, unblocking cleanup_net() and resulting in use-after-free. Let's move the decrement after releasing the socket in cleanup_bearer(). [0]: ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at sk_alloc+0x438/0x608 inet_create+0x4c8/0xcb0 __sock_create+0x350/0x6b8 sock_create_kern+0x58/0x78 udp_sock_create4+0x68/0x398 udp_sock_create+0x88/0xc8 tipc_udp_enable+0x5e8/0x848 __tipc_nl_bearer_enable+0x84c/0xed8 tipc_nl_bearer_enable+0x38/0x60 genl_family_rcv_msg_doit+0x170/0x248 genl_rcv_msg+0x400/0x5b0 netlink_rcv_skb+0x1dc/0x398 genl_rcv+0x44/0x68 netlink_unicast+0x678/0x8b0 netlink_sendmsg+0x5e4/0x898 ____sys_sendmsg+0x500/0x830 [1]: BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline] BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 udp_hashslot include/net/udp.h:85 [inline] udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 sk_common_release+0xaf/0x3f0 net/core/sock.c:3820 inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437 inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489 __sock_release net/socket.c:658 [inline] sock_release+0xa0/0x210 net/socket.c:686 cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 Uninit was created at: slab_free_hook mm/slub.c:2269 [inline] slab_free mm/slub.c:4580 [inline] kmem_cache_free+0x207/0xc40 mm/slub.c:4682 net_free net/core/net_namespace.c:454 [inline] cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: events cleanup_bearer CVE-2024-56642 important In the Linux kernel, the following vulnerability has been resolved: dccp: Fix memory leak in dccp_feat_change_recv If dccp_feat_push_confirm() fails after new value for SP feature was accepted without reconciliation ('entry == NULL' branch), memory allocated for that value with dccp_feat_clone_sp_val() is never freed. Here is the kmemleak stack for this: unreferenced object 0xffff88801d4ab488 (size 8): comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s) hex dump (first 8 bytes): 01 b4 4a 1d 80 88 ff ff ..J..... backtrace: [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128 [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline] [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline] [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416 [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125 [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650 [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688 [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline] [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570 [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111 [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline] [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696 [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735 [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865 [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882 [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline] [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline] [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889 [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1 Clean up the allocated memory in case of dccp_feat_push_confirm() failure and bail out with an error reset code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2024-56643 moderate In the Linux kernel, the following vulnerability has been resolved: net/ipv6: release expired exception dst cached in socket Dst objects get leaked in ip6_negative_advice() when this function is executed for an expired IPv6 route located in the exception table. There are several conditions that must be fulfilled for the leak to occur: * an ICMPv6 packet indicating a change of the MTU for the path is received, resulting in an exception dst being created * a TCP connection that uses the exception dst for routing packets must start timing out so that TCP begins retransmissions * after the exception dst expires, the FIB6 garbage collector must not run before TCP executes ip6_negative_advice() for the expired exception dst When TCP executes ip6_negative_advice() for an exception dst that has expired and if no other socket holds a reference to the exception dst, the refcount of the exception dst is 2, which corresponds to the increment made by dst_init() and the increment made by the TCP socket for which the connection is timing out. The refcount made by the socket is never released. The refcount of the dst is decremented in sk_dst_reset() but that decrement is counteracted by a dst_hold() intentionally placed just before the sk_dst_reset() in ip6_negative_advice(). After ip6_negative_advice() has finished, there is no other object tied to the dst. The socket lost its reference stored in sk_dst_cache and the dst is no longer in the exception table. The exception dst becomes a leaked object. As a result of this dst leak, an unbalanced refcount is reported for the loopback device of a net namespace being destroyed under kernels that do not contain e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"): unregister_netdevice: waiting for lo to become free. Usage count = 2 Fix the dst leak by removing the dst_hold() in ip6_negative_advice(). The patch that introduced the dst_hold() in ip6_negative_advice() was 92f1655aa2b22 ("net: fix __dst_negative_advice() race"). But 92f1655aa2b22 merely refactored the code with regards to the dst refcount so the issue was present even before 92f1655aa2b22. The bug was introduced in 54c1a859efd9f ("ipv6: Don't drop cache route entry unless timer actually expired.") where the expired cached route is deleted and the sk_dst_cache member of the socket is set to NULL by calling dst_negative_advice() but the refcount belonging to the socket is left unbalanced. The IPv4 version - ipv4_negative_advice() - is not affected by this bug. When the TCP connection times out ipv4_negative_advice() merely resets the sk_dst_cache of the socket while decrementing the refcount of the exception dst. CVE-2024-56644 low In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_session_new(): fix skb reference counting Since j1939_session_skb_queue() does an extra skb_get() for each new skb, do the same for the initial one in j1939_session_new() to avoid refcount underflow. [mkl: clean up commit message] CVE-2024-56645 important In the Linux kernel, the following vulnerability has been resolved: net: Fix icmp host relookup triggering ip_rt_bug arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is: WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:ip_rt_bug+0x14/0x20 Call Trace: <IRQ> ip_send_skb+0x14/0x40 __icmp_send+0x42d/0x6a0 ipv4_link_failure+0xe2/0x1d0 arp_error_report+0x3c/0x50 neigh_invalidate+0x8d/0x100 neigh_timer_handler+0x2e1/0x330 call_timer_fn+0x21/0x120 __run_timer_base.part.0+0x1c9/0x270 run_timer_softirq+0x4c/0x80 handle_softirqs+0xac/0x280 irq_exit_rcu+0x62/0x80 sysvec_apic_timer_interrupt+0x77/0x90 The script below reproduces this scenario: ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \ dir out priority 0 ptype main flag localok icmp ip l a veth1 type veth ip a a 192.168.141.111/24 dev veth0 ip l s veth0 up ping 192.168.141.155 -c 1 icmp_route_lookup() create input routes for locally generated packets while xfrm relookup ICMP traffic.Then it will set input route (dst->out = ip_rt_bug) to skb for DESTUNREACH. For ICMP err triggered by locally generated packets, dst->dev of output route is loopback. Generally, xfrm relookup verification is not required on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1). Skip icmp relookup for locally generated packets to fix it. CVE-2024-56647 moderate In the Linux kernel, the following vulnerability has been resolved: net: hsr: avoid potential out-of-bound access in fill_frame_info() syzbot is able to feed a packet with 14 bytes, pretending it is a vlan one. Since fill_frame_info() is relying on skb->mac_len already, extend the check to cover this case. BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline] BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724 fill_frame_info net/hsr/hsr_forward.c:709 [inline] hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724 hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606 __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434 dev_queue_xmit include/linux/netdevice.h:3168 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3146 [inline] packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:726 __sys_sendto+0x594/0x750 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200 x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4091 [inline] slab_alloc_node mm/slub.c:4134 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1323 [inline] alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881 packet_alloc_skb net/packet/af_packet.c:2995 [inline] packet_snd net/packet/af_packet.c:3089 [inline] packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:726 __sys_sendto+0x594/0x750 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200 x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-56648 important In the Linux kernel, the following vulnerability has been resolved: net: enetc: Do not configure preemptible TCs if SIs do not support Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs() to configure preemptible TCs. However, only PF is able to configure preemptible TCs. Because only PF has related registers, while VF does not have these registers. So for VF, its hw->port pointer is NULL. Therefore, VF will access an invalid pointer when accessing a non-existent register, which will cause a crash issue. The simplified log is as follows. root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \ mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1 [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00 [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400 [ 187.511140] Call trace: [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214 [ 187.523374] enetc_vf_setup_tc+0x1c/0x30 [ 187.527306] mqprio_enable_offload+0x144/0x178 [ 187.531766] mqprio_init+0x3ec/0x668 [ 187.535351] qdisc_create+0x15c/0x488 [ 187.539023] tc_modify_qdisc+0x398/0x73c [ 187.542958] rtnetlink_rcv_msg+0x128/0x378 [ 187.547064] netlink_rcv_skb+0x60/0x130 [ 187.550910] rtnetlink_rcv+0x18/0x24 [ 187.554492] netlink_unicast+0x300/0x36c [ 187.558425] netlink_sendmsg+0x1a8/0x420 [ 187.606759] ---[ end trace 0000000000000000 ]--- In addition, some PFs also do not support configuring preemptible TCs, such as eno1 and eno3 on LS1028A. It won't crash like it does for VFs, but we should prevent these PFs from accessing these unimplemented registers. CVE-2024-56649 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: fix LED ID check in led_tg_check() Syzbot has reported the following BUG detected by KASAN: BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70 Read of size 1 at addr ffff8881022da0c8 by task repro/5879 ... Call Trace: <TASK> dump_stack_lvl+0x241/0x360 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? _printk+0xd5/0x120 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x183/0x530 print_report+0x169/0x550 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x45f/0x530 ? __phys_addr+0xba/0x170 ? strlen+0x58/0x70 kasan_report+0x143/0x180 ? strlen+0x58/0x70 strlen+0x58/0x70 kstrdup+0x20/0x80 led_tg_check+0x18b/0x3c0 xt_check_target+0x3bb/0xa40 ? __pfx_xt_check_target+0x10/0x10 ? stack_depot_save_flags+0x6e4/0x830 ? nft_target_init+0x174/0xc30 nft_target_init+0x82d/0xc30 ? __pfx_nft_target_init+0x10/0x10 ? nf_tables_newrule+0x1609/0x2980 ? nf_tables_newrule+0x1609/0x2980 ? rcu_is_watching+0x15/0xb0 ? nf_tables_newrule+0x1609/0x2980 ? nf_tables_newrule+0x1609/0x2980 ? __kmalloc_noprof+0x21a/0x400 nf_tables_newrule+0x1860/0x2980 ? __pfx_nf_tables_newrule+0x10/0x10 ? __nla_parse+0x40/0x60 nfnetlink_rcv+0x14e5/0x2ab0 ? __pfx_validate_chain+0x10/0x10 ? __pfx_nfnetlink_rcv+0x10/0x10 ? __lock_acquire+0x1384/0x2050 ? netlink_deliver_tap+0x2e/0x1b0 ? __pfx_lock_release+0x10/0x10 ? netlink_deliver_tap+0x2e/0x1b0 netlink_unicast+0x7f8/0x990 ? __pfx_netlink_unicast+0x10/0x10 ? __virt_addr_valid+0x183/0x530 ? __check_object_size+0x48e/0x900 netlink_sendmsg+0x8e4/0xcb0 ? __pfx_netlink_sendmsg+0x10/0x10 ? aa_sock_msg_perm+0x91/0x160 ? __pfx_netlink_sendmsg+0x10/0x10 __sock_sendmsg+0x223/0x270 ____sys_sendmsg+0x52a/0x7e0 ? __pfx_____sys_sendmsg+0x10/0x10 __sys_sendmsg+0x292/0x380 ? __pfx___sys_sendmsg+0x10/0x10 ? lockdep_hardirqs_on_prepare+0x43d/0x780 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 ? exc_page_fault+0x590/0x8c0 ? do_syscall_64+0xb6/0x230 do_syscall_64+0xf3/0x230 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> Since an invalid (without '\0' byte at all) byte sequence may be passed from userspace, add an extra check to ensure that such a sequence is rejected as possible ID and so never passed to 'kstrdup()' and further. CVE-2024-56650 important In the Linux kernel, the following vulnerability has been resolved: can: hi311x: hi3110_can_ist(): fix potential use-after-free The commit a22bd630cfff ("can: hi311x: do not report txerr and rxerr during bus-off") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after netif_rx() is a potential use after free, since there is no guarantee that the skb is in the same state. It might be freed or reused. Fix the issue by postponing the netif_rx() call in case of txerr and rxerr reporting. CVE-2024-56651 important In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating The usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is not safe since for the most part entries fetched this way shall be treated as rcu_dereference: Note that the value returned by rcu_dereference() is valid only within the enclosing RCU read-side critical section [1]_. For example, the following is **not** legal:: rcu_read_lock(); p = rcu_dereference(head.next); rcu_read_unlock(); x = p->address; /* BUG!!! */ rcu_read_lock(); y = p->data; /* BUG!!! */ rcu_read_unlock(); CVE-2024-56654 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips The 5760X (P7) chip's HW GRO/LRO interface is very similar to that of the previous generation (5750X or P5). However, the aggregation ID fields in the completion structures on P7 have been redefined from 16 bits to 12 bits. The freed up 4 bits are redefined for part of the metadata such as the VLAN ID. The aggregation ID mask was not modified when adding support for P7 chips. Including the extra 4 bits for the aggregation ID can potentially cause the driver to store or fetch the packet header of GRO/LRO packets in the wrong TPA buffer. It may hit the BUG() condition in __skb_pull() because the SKB contains no valid packet header: kernel BUG at include/linux/skbuff.h:2766! Oops: invalid opcode: 0000 1 PREEMPT SMP NOPTI CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022 RIP: 0010:eth_type_trans+0xda/0x140 Code: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 <0f> 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48 RSP: 0018:ff615003803fcc28 EFLAGS: 00010283 RAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040 RDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000 RBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001 R10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0 R13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000 FS: 0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? die+0x33/0x90 ? do_trap+0xd9/0x100 ? eth_type_trans+0xda/0x140 ? do_error_trap+0x65/0x80 ? eth_type_trans+0xda/0x140 ? exc_invalid_op+0x4e/0x70 ? eth_type_trans+0xda/0x140 ? asm_exc_invalid_op+0x16/0x20 ? eth_type_trans+0xda/0x140 bnxt_tpa_end+0x10b/0x6b0 [bnxt_en] ? bnxt_tpa_start+0x195/0x320 [bnxt_en] bnxt_rx_pkt+0x902/0xd90 [bnxt_en] ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en] ? kmem_cache_free+0x343/0x440 ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en] __bnxt_poll_work+0x193/0x370 [bnxt_en] bnxt_poll_p5+0x9a/0x300 [bnxt_en] ? try_to_wake_up+0x209/0x670 __napi_poll+0x29/0x1b0 Fix it by redefining the aggregation ID mask for P5_PLUS chips to be 12 bits. This will work because the maximum aggregation ID is less than 4096 on all P5_PLUS chips. CVE-2024-56656 moderate In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. See a relevant issue fixed in : ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) </IRQ> <TASK> asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) </TASK> Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated--- CVE-2024-56658 important In the Linux kernel, the following vulnerability has been resolved: net: lapb: increase LAPB_HEADER_LEN It is unclear if net/lapb code is supposed to be ready for 8021q. We can at least avoid crashes like the following : skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc90002ddf638 EFLAGS: 00010282 RAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600 RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 RBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60 R10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140 R13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016 FS: 00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_push+0xe5/0x100 net/core/skbuff.c:2636 nr_header+0x36/0x320 net/netrom/nr_dev.c:69 dev_hard_header include/linux/netdevice.h:3148 [inline] vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83 dev_hard_header include/linux/netdevice.h:3148 [inline] lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257 lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447 lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149 lapb_establish_data_link+0x84/0xd0 lapb_device_event+0x4e0/0x670 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 __dev_notify_flags+0x207/0x400 dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922 devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188 inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003 sock_do_ioctl+0x158/0x460 net/socket.c:1227 sock_ioctl+0x626/0x8e0 net/socket.c:1346 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 CVE-2024-56659 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DR, prevent potential error pointer dereference The dr_domain_add_vport_cap() function generally returns NULL on error but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM and if it's and -ENOMEM then the error pointer is propogated back and eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag(). CVE-2024-56660 moderate In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Fix an issue detected by syzbot with KASAN: BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ core.c:416 [inline] BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459 The issue occurs in cmd_to_func when the call_pkg->nd_reserved2 array is accessed without verifying that call_pkg points to a buffer that is appropriately sized as a struct nd_cmd_pkg. This can lead to out-of-bounds access and undefined behavior if the buffer does not have sufficient space. To address this, a check was added in acpi_nfit_ctl() to ensure that buf is not NULL and that buf_len is less than sizeof(*call_pkg) before accessing it. This ensures safe access to the members of call_pkg, including the nd_reserved2 array. CVE-2024-56662 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one Since the netlink attribute range validation provides inclusive checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one. One crash stack for demonstration: ================================================================== BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 Read of size 6 at addr 001102080000000c by task fuzzer.386/9508 CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 print_report+0xe0/0x750 mm/kasan/report.c:398 kasan_report+0x139/0x170 mm/kasan/report.c:495 kasan_check_range+0x287/0x290 mm/kasan/generic.c:189 memcpy+0x25/0x60 mm/kasan/shadow.c:65 ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline] nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453 genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __do_sys_sendmsg net/socket.c:2591 [inline] __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd Update the policy to ensure correct validation. CVE-2024-56663 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix race between element replace and close() Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of s0 close(s0) sock_map_close() lock_sock(sk) (s0!) sock_map_remove_links(sk) link = sk_psock_link_pop() sock_map_unlink(sk, link) sock_map_delete_from_link // replace map[0] with s1 map_update_elem(map, 0, s1) sock_map_update_elem (s1!) lock_sock(sk) sock_map_update_common psock = sk_psock(sk) spin_lock(&stab->lock) osk = stab->sks[idx] sock_map_add_link(..., &stab->sks[idx]) sock_map_unref(osk, &stab->sks[idx]) psock = sk_psock(osk) sk_psock_put(sk, psock) if (refcount_dec_and_test(&psock)) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) unlock_sock(sk) __sock_map_delete spin_lock(&stab->lock) sk = *psk // s1 replaced s0; sk == s1 if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch sk = xchg(psk, NULL) if (sk) sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle psock = sk_psock(sk) sk_psock_put(sk, psock) if (refcount_dec_and_test()) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) release_sock(sk) Then close(map) enqueues bpf_map_free_deferred, which finally calls sock_map_free(). This results in some refcount_t warnings along with a KASAN splat [1]. Fix __sock_map_delete(), do not allow sock_map_unref() on elements that may have been replaced. [1]: BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330 Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred Call Trace: <TASK> dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 kasan_check_range+0x10f/0x1e0 sock_map_free+0x10e/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1202: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 unix_create1+0x88/0x8a0 unix_create+0xc5/0x180 __sock_create+0x241/0x650 __sys_socketpair+0x1ce/0x420 __x64_sys_socketpair+0x92/0x100 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 46: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 sk_psock_destroy+0x73e/0xa50 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 The bu ---truncated--- CVE-2024-56664 important In the Linux kernel, the following vulnerability has been resolved: bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog Syzbot reported [1] crash that happens for following tracing scenario: - create tracepoint perf event with attr.inherit=1, attach it to the process and set bpf program to it - attached process forks -> chid creates inherited event the new child event shares the parent's bpf program and tp_event (hence prog_array) which is global for tracepoint - exit both process and its child -> release both events - first perf_event_detach_bpf_prog call will release tp_event->prog_array and second perf_event_detach_bpf_prog will crash, because tp_event->prog_array is NULL The fix makes sure the perf_event_detach_bpf_prog checks prog_array is valid before it tries to remove the bpf program from it. [1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad CVE-2024-56665 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix NULL pointer dereference in capture_engine When the intel_context structure contains NULL, it raises a NULL pointer dereference error in drm_info(). (cherry picked from commit 754302a5bc1bd8fd3b7d85c168b0a1af6d4bba4d) CVE-2024-56667 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Considering that in some extreme cases, when u_serial driver is accessed by multiple threads, Thread A is executing the open operation and calling the gs_open, Thread B is executing the disconnect operation and calling the gserial_disconnect function,The port->port_usb pointer will be set to NULL. E.g. Thread A Thread B gs_open() gadget_unbind_driver() gs_start_io() composite_disconnect() gs_start_rx() gserial_disconnect() ... ... spin_unlock(&port->port_lock) status = usb_ep_queue() spin_lock(&port->port_lock) spin_lock(&port->port_lock) port->port_usb = NULL gs_free_requests(port->port_usb->in) spin_unlock(&port->port_lock) Crash This causes thread A to access a null pointer (port->port_usb is null) when calling the gs_free_requests function, causing a crash. If port_usb is NULL, the release request will be skipped as it will be done by gserial_disconnect. So add a null pointer check to gs_start_io before attempting to access the value of the pointer port->port_usb. Call trace: gs_start_io+0x164/0x25c gs_open+0x108/0x13c tty_open+0x314/0x638 chrdev_open+0x1b8/0x258 do_dentry_open+0x2c4/0x700 vfs_open+0x2c/0x3c path_openat+0xa64/0xc60 do_filp_open+0xb8/0x164 do_sys_openat2+0x84/0xf0 __arm64_sys_openat+0x70/0x9c invoke_syscall+0x58/0x114 el0_svc_common+0x80/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x38/0x68 CVE-2024-56670 moderate In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's. CVE-2024-56672 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU protection. But it is possible to attach a non-sleepable BPF program to a uprobe, and non-sleepable BPF programs are freed via normal RCU (see __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal RCU grace period does not imply a tasks-trace-RCU grace period. Fix it by explicitly waiting for a tasks-trace-RCU grace period after removing the attachment of a bpf_prog to a perf_event. CVE-2024-56675 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() During early init CMA_MIN_ALIGNMENT_BYTES can be PAGE_SIZE, since pageblock_order is still zero and it gets initialized later during initmem_init() e.g. setup_arch() -> initmem_init() -> sparse_init() -> set_pageblock_order() One such use case where this causes issue is - early_setup() -> early_init_devtree() -> fadump_reserve_mem() -> fadump_cma_init() This causes CMA memory alignment check to be bypassed in cma_init_reserved_mem(). Then later cma_activate_area() can hit a VM_BUG_ON_PAGE(pfn & ((1 << order) - 1)) if the reserved memory area was not pageblock_order aligned. Fix it by moving the fadump_cma_init() after initmem_init(), where other such cma reservations also gets called. <stack trace> ============== page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10010 flags: 0x13ffff800000000(node=1|zone=0|lastcpupid=0x7ffff) CMA raw: 013ffff800000000 5deadbeef0000100 5deadbeef0000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(pfn & ((1 << order) - 1)) ------------[ cut here ]------------ kernel BUG at mm/page_alloc.c:778! Call Trace: __free_one_page+0x57c/0x7b0 (unreliable) free_pcppages_bulk+0x1a8/0x2c8 free_unref_page_commit+0x3d4/0x4e4 free_unref_page+0x458/0x6d0 init_cma_reserved_pageblock+0x114/0x198 cma_init_reserved_areas+0x270/0x3e0 do_one_initcall+0x80/0x2f8 kernel_init_freeable+0x33c/0x530 kernel_init+0x34/0x26c ret_from_kernel_user_thread+0x14/0x1c CVE-2024-56677 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/mm/fault: Fix kfence page fault reporting copy_from_kernel_nofault() can be called when doing read of /proc/kcore. /proc/kcore can have some unmapped kfence objects which when read via copy_from_kernel_nofault() can cause page faults. Since *_nofault() functions define their own fixup table for handling fault, use that instead of asking kfence to handle such faults. Hence we search the exception tables for the nip which generated the fault. If there is an entry then we let the fixup table handler handle the page fault by returning an error from within ___do_page_fault(). This can be easily triggered if someone tries to do dd from /proc/kcore. eg. dd if=/proc/kcore of=/dev/null bs=1M Some example false negatives: =============================== BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0 Invalid read at 0xc0000000fdff0000: copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 system_call_vectored_common+0x15c/0x2ec BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0 Use-after-free read at 0xc0000000fe050000 (in kfence-#2): copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 system_call_vectored_common+0x15c/0x2ec CVE-2024-56678 moderate In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c Add error pointer check after calling otx2_mbox_get_rsp(). CVE-2024-56679 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: bcm - add error check in the ahash_hmac_init function The ahash_init functions may return fails. The ahash_hmac_init should not return ok when ahash_init returns error. For an example, ahash_init will return -ENOMEM when allocation memory is error. CVE-2024-56681 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vc4: hdmi: Avoid hang with debug registers when suspended Trying to read /sys/kernel/debug/dri/1/hdmi1_regs when the hdmi is disconnected results in a fatal system hang. This is due to the pm suspend code disabling the dvp clock. That is just a gate of the 108MHz clock in DVP_HT_RPI_MISC_CONFIG, which results in accesses hanging AXI bus. Protect against this. CVE-2024-56683 moderate In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix hardware lockup on first Rx endpoint request There is a possibility that a request's callback could be invoked from usb_ep_queue() (call trace below, supplemented with missing calls): req->complete from usb_gadget_giveback_request (drivers/usb/gadget/udc/core.c:999) usb_gadget_giveback_request from musb_g_giveback (drivers/usb/musb/musb_gadget.c:147) musb_g_giveback from rxstate (drivers/usb/musb/musb_gadget.c:784) rxstate from musb_ep_restart (drivers/usb/musb/musb_gadget.c:1169) musb_ep_restart from musb_ep_restart_resume_work (drivers/usb/musb/musb_gadget.c:1176) musb_ep_restart_resume_work from musb_queue_resume_work (drivers/usb/musb/musb_core.c:2279) musb_queue_resume_work from musb_gadget_queue (drivers/usb/musb/musb_gadget.c:1241) musb_gadget_queue from usb_ep_queue (drivers/usb/gadget/udc/core.c:300) According to the docstring of usb_ep_queue(), this should not happen: "Note that @req's ->complete() callback must never be called from within usb_ep_queue() as that can create deadlock situations." In fact, a hardware lockup might occur in the following sequence: 1. The gadget is initialized using musb_gadget_enable(). 2. Meanwhile, a packet arrives, and the RXPKTRDY flag is set, raising an interrupt. 3. If IRQs are enabled, the interrupt is handled, but musb_g_rx() finds an empty queue (next_request() returns NULL). The interrupt flag has already been cleared by the glue layer handler, but the RXPKTRDY flag remains set. 4. The first request is enqueued using usb_ep_queue(), leading to the call of req->complete(), as shown in the call trace above. 5. If the callback enables IRQs and another packet is waiting, step (3) repeats. The request queue is empty because usb_g_giveback() removes the request before invoking the callback. 6. The endpoint remains locked up, as the interrupt triggered by hardware setting the RXPKTRDY flag has been handled, but the flag itself remains set. For this scenario to occur, it is only necessary for IRQs to be enabled at some point during the complete callback. This happens with the USB Ethernet gadget, whose rx_complete() callback calls netif_rx(). If called in the task context, netif_rx() disables the bottom halves (BHs). When the BHs are re-enabled, IRQs are also enabled to allow soft IRQs to be processed. The gadget itself is initialized at module load (or at boot if built-in), but the first request is enqueued when the network interface is brought up, triggering rx_complete() in the task context via ioctl(). If a packet arrives while the interface is down, it can prevent the interface from receiving any further packets from the USB host. The situation is quite complicated with many parties involved. This particular issue can be resolved in several possible ways: 1. Ensure that callbacks never enable IRQs. This would be difficult to enforce, as discovering how netif_rx() interacts with interrupts was already quite challenging and u_ether is not the only function driver. Similar "bugs" could be hidden in other drivers as well. 2. Disable MUSB interrupts in musb_g_giveback() before calling the callback and re-enable them afterwars (by calling musb_{dis,en}able_interrupts(), for example). This would ensure that MUSB interrupts are not handled during the callback, even if IRQs are enabled. In fact, it would allow IRQs to be enabled when releasing the lock. However, this feels like an inelegant hack. 3. Modify the interrupt handler to clear the RXPKTRDY flag if the request queue is empty. While this approach also feels like a hack, it wastes CPU time by attempting to handle incoming packets when the software is not ready to process them. 4. Flush the Rx FIFO instead of calling rxstate() in musb_ep_restart(). This ensures that the hardware can receive packets when there is at least one request in the queue. Once I ---truncated--- CVE-2024-56687 moderate In the Linux kernel, the following vulnerability has been resolved: sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport Since transport->sock has been set to NULL during reset transport, XPRT_SOCK_UPD_TIMEOUT also needs to be cleared. Otherwise, the xs_tcp_set_socket_timeouts() may be triggered in xs_tcp_send_request() to dereference the transport->sock that has been set to NULL. CVE-2024-56688 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY Since commit 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for PADATA_RESET"), the pcrypt encryption and decryption operations return -EAGAIN when the CPU goes online or offline. In alg_test(), a WARN is generated when pcrypt_aead_decrypt() or pcrypt_aead_encrypt() returns -EAGAIN, the unnecessary panic will occur when panic_on_warn set 1. Fix this issue by calling crypto layer directly without parallelization in that case. CVE-2024-56690 moderate In the Linux kernel, the following vulnerability has been resolved: mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device While design wise the idea of converting the driver to use the hierarchy of the IRQ chips is correct, the implementation has (inherited) flaws. This was unveiled when platform_get_irq() had started WARN() on IRQ 0 that is supposed to be a Linux IRQ number (also known as vIRQ). Rework the driver to respect IRQ domain when creating each MFD device separately, as the domain is not the same for all of them. CVE-2024-56691 moderate In the Linux kernel, the following vulnerability has been resolved: brd: defer automatic disk creation until module initialization succeeds My colleague Wupeng found the following problems during fault injection: BUG: unable to handle page fault for address: fffffbfff809d073 PGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:__asan_load8+0x4c/0xa0 ... Call Trace: <TASK> blkdev_put_whole+0x41/0x70 bdev_release+0x1a3/0x250 blkdev_release+0x11/0x20 __fput+0x1d7/0x4a0 task_work_run+0xfc/0x180 syscall_exit_to_user_mode+0x1de/0x1f0 do_syscall_64+0x6b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e loop_init() is calling loop_add() after __register_blkdev() succeeds and is ignoring disk_add() failure from loop_add(), for loop_add() failure is not fatal and successfully created disks are already visible to bdev_open(). brd_init() is currently calling brd_alloc() before __register_blkdev() succeeds and is releasing successfully created disks when brd_init() returns an error. This can cause UAF for the latter two case: case 1: T1: modprobe brd brd_init brd_alloc(0) // success add_disk disk_scan_partitions bdev_file_open_by_dev // alloc file fput // won't free until back to userspace brd_alloc(1) // failed since mem alloc error inject // error path for modprobe will release code segment // back to userspace __fput blkdev_release bdev_release blkdev_put_whole bdev->bd_disk->fops->release // fops is freed now, UAF! case 2: T1: T2: modprobe brd brd_init brd_alloc(0) // success open(/dev/ram0) brd_alloc(1) // fail // error path for modprobe close(/dev/ram0) ... /* UAF! */ bdev->bd_disk->fops->release Fix this problem by following what loop_init() does. Besides, reintroduce brd_devices_mutex to help serialize modifications to brd_list. CVE-2024-56693 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: fix recursive lock when verdict program return SK_PASS When the stream_verdict program returns SK_PASS, it places the received skb into its own receive queue, but a recursive lock eventually occurs, leading to an operating system deadlock. This issue has been present since v6.9. ''' sk_psock_strp_data_ready write_lock_bh(&sk->sk_callback_lock) strp_data_ready strp_read_sock read_sock -> tcp_read_sock strp_recv cb.rcv_msg -> sk_psock_strp_read # now stream_verdict return SK_PASS without peer sock assign __SK_PASS = sk_psock_map_verd(SK_PASS, NULL) sk_psock_verdict_apply sk_psock_skb_ingress_self sk_psock_skb_ingress_enqueue sk_psock_data_ready read_lock_bh(&sk->sk_callback_lock) <= dead lock ''' This topic has been discussed before, but it has not been fixed. Previous discussion: https://lore.kernel.org/all/6684a5864ec86_403d20898@john.notmuch CVE-2024-56694 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Fix looping of queued SG entries The dwc3_request->num_queued_sgs is decremented on completion. If a partially completed request is handled, then the dwc3_request->num_queued_sgs no longer reflects the total number of num_queued_sgs (it would be cleared). Correctly check the number of request SG entries remained to be prepare and queued. Failure to do this may cause null pointer dereference when accessing non-existent SG entry. CVE-2024-56698 moderate In the Linux kernel, the following vulnerability has been resolved: media: wl128x: Fix atomicity violation in fmc_send_cmd() Atomicity violation occurs when the fmc_send_cmd() function is executed simultaneously with the modification of the fmdev->resp_skb value. Consider a scenario where, after passing the validity check within the function, a non-null fmdev->resp_skb variable is assigned a null value. This results in an invalid fmdev->resp_skb variable passing the validity check. As seen in the later part of the function, skb = fmdev->resp_skb; when the invalid fmdev->resp_skb passes the check, a null pointer dereference error may occur at line 478, evt_hdr = (void *)skb->data; To address this issue, it is recommended to include the validity check of fmdev->resp_skb within the locked section of the function. This modification ensures that the value of fmdev->resp_skb does not change during the validation process, thereby maintaining its validity. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. CVE-2024-56700 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix dtl_access_lock to be a rw_semaphore The dtl_access_lock needs to be a rw_sempahore, a sleeping lock, because the code calls kmalloc() while holding it, which can sleep: # echo 1 > /proc/powerpc/vcpudispatch_stats BUG: sleeping function called from invalid context at include/linux/sched/mm.h:337 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 199, name: sh preempt_count: 1, expected: 0 3 locks held by sh/199: #0: c00000000a0743f8 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x324/0x438 #1: c0000000028c7058 (dtl_enable_mutex){+.+.}-{3:3}, at: vcpudispatch_stats_write+0xd4/0x5f4 #2: c0000000028c70b8 (dtl_access_lock){+.+.}-{2:2}, at: vcpudispatch_stats_write+0x220/0x5f4 CPU: 0 PID: 199 Comm: sh Not tainted 6.10.0-rc4 #152 Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries Call Trace: dump_stack_lvl+0x130/0x148 (unreliable) __might_resched+0x174/0x410 kmem_cache_alloc_noprof+0x340/0x3d0 alloc_dtl_buffers+0x124/0x1ac vcpudispatch_stats_write+0x2a8/0x5f4 proc_reg_write+0xf4/0x150 vfs_write+0xfc/0x438 ksys_write+0x88/0x148 system_call_exception+0x1c4/0x5a0 system_call_common+0xf4/0x258 CVE-2024-56701 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Mark raw_tp arguments with PTR_MAYBE_NULL Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0]. Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL checks to be deleted, and accesses to such pointers potentially crashing the kernel. To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special case the dereference and pointer arithmetic to permit it, and allow passing them into helpers/kfuncs; these exceptions are made for raw_tp programs only. Ensure that we don't do this when ref_obj_id > 0, as in that case this is an acquired object and doesn't need such adjustment. The reason we do mask_raw_tp_trusted_reg logic is because other will recheck in places whether the register is a trusted_reg, and then consider our register as untrusted when detecting the presence of the PTR_MAYBE_NULL flag. To allow safe dereference, we enable PROBE_MEM marking when we see loads into trusted pointers with PTR_MAYBE_NULL. While trusted raw_tp arguments can also be passed into helpers or kfuncs where such broken assumption may cause issues, a future patch set will tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can already be passed into helpers and causes similar problems. Thus, they are left alone for now. It is possible that these checks also permit passing non-raw_tp args that are trusted PTR_TO_BTF_ID with null marking. In such a case, allowing dereference when pointer is NULL expands allowed behavior, so won't regress existing programs, and the case of passing these into helpers is the same as above and will be dealt with later. Also update the failure case in tp_btf_nullable selftest to capture the new behavior, as the verifier will no longer cause an error when directly dereference a raw tracepoint argument marked as __nullable. [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb CVE-2024-56702 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix soft lockups in fib6_select_path under high next hop churn Soft lockups have been observed on a cluster of Linux-based edge routers located in a highly dynamic environment. Using the `bird` service, these routers continuously update BGP-advertised routes due to frequently changing nexthop destinations, while also managing significant IPv6 traffic. The lockups occur during the traversal of the multipath circular linked-list in the `fib6_select_path` function, particularly while iterating through the siblings in the list. The issue typically arises when the nodes of the linked list are unexpectedly deleted concurrently on a different core-indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer. Apply RCU primitives in the problematic code sections to resolve the issue. Where necessary, update the references to fib6_siblings to annotate or use the RCU APIs. Include a test script that reproduces the issue. The script periodically updates the routing table while generating a heavy load of outgoing IPv6 traffic through multiple iperf3 clients. It consistently induces infinite soft lockups within a couple of minutes. Kernel log: 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d -- <IRQ stack> -- 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb [exception RIP: fib6_select_path+299] RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287 RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000 RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618 RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200 R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830 R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c 10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c 11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5 12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47 13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0 14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274 15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474 16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615 17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec 18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3 19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9 20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice] 21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice] 22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice] 23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000 24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581 25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9 26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47 27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30 28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f 29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64 30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb CVE-2024-56703 moderate In the Linux kernel, the following vulnerability has been resolved: 9p/xen: fix release of IRQ Kernel logs indicate an IRQ was double-freed. Pass correct device ID during IRQ release. [Dominique: remove confusing variable reset to 0] CVE-2024-56704 moderate In the Linux kernel, the following vulnerability has been resolved: media: atomisp: Add check for rgby_data memory allocation failure In ia_css_3a_statistics_allocate(), there is no check on the allocation result of the rgby_data memory. If rgby_data is not successfully allocated, it may trigger the assert(host_stats->rgby_data) assertion in ia_css_s3a_hmem_decode(). Adding a check to fix this potential issue. CVE-2024-56705 moderate In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dmac_flt.c Add error pointer checks after calling otx2_mbox_get_rsp(). CVE-2024-56707 moderate In the Linux kernel, the following vulnerability has been resolved: EDAC/igen6: Avoid segmentation fault on module unload The segmentation fault happens because: During modprobe: 1. In igen6_probe(), igen6_pvt will be allocated with kzalloc() 2. In igen6_register_mci(), mci->pvt_info will point to &igen6_pvt->imc[mc] During rmmod: 1. In mci_release() in edac_mc.c, it will kfree(mci->pvt_info) 2. In igen6_remove(), it will kfree(igen6_pvt); Fix this issue by setting mci->pvt_info to NULL to avoid the double kfree. CVE-2024-56708 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: check if iowq is killed before queuing task work can be executed after the task has gone through io_uring termination, whether it's the final task_work run or the fallback path. In this case, task work will find ->io_wq being already killed and null'ed, which is a problem if it then tries to forward the request to io_queue_iowq(). Make io_queue_iowq() fail requests in this case. Note that it also checks PF_KTHREAD, because the user can first close a DEFER_TASKRUN ring and shortly after kill the task, in which case ->iowq check would race. CVE-2024-56709 moderate In the Linux kernel, the following vulnerability has been resolved: udmabuf: fix memory leak on last export_udmabuf() error path In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a dma_buf owning the udmabuf has already been created; but the error handling in udmabuf_create() will tear down the udmabuf without doing anything about the containing dma_buf. This leaves a dma_buf in memory that contains a dangling pointer; though that doesn't seem to lead to anything bad except a memory leak. Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we can give it different error handling. Note that the shape of this code changed a lot in commit 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios"); but the memory leak seems to have existed since the introduction of udmabuf. CVE-2024-56712 moderate In the Linux kernel, the following vulnerability has been resolved: ionic: Fix netdev notifier unregister on failure If register_netdev() fails, then the driver leaks the netdev notifier. Fix this by calling ionic_lif_unregister() on register_netdev() failure. This will also call ionic_lif_unregister_phc() if it has already been registered. CVE-2024-56715 moderate In the Linux kernel, the following vulnerability has been resolved: netdevsim: prevent bad user input in nsim_dev_health_break_write() If either a zero count or a large one is provided, kernel can crash. CVE-2024-56716 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: protect link down work from execute after lgr freed link down work may be scheduled before lgr freed but execute after lgr freed, which may result in crash. So it is need to hold a reference before shedule link down work, and put the reference after work executed or canceled. The relevant crash call stack as follows: list_del corruption. prev->next should be ffffb638c9c0fe20, but was 0000000000000000 ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:51! invalid opcode: 0000 [#1] SMP NOPTI CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1 Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014 Workqueue: events smc_link_down_work [smc] RIP: 0010:__list_del_entry_valid.cold+0x31/0x47 RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086 RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000 RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38 R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002 R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0 FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: rwsem_down_write_slowpath+0x17e/0x470 smc_link_down_work+0x3c/0x60 [smc] process_one_work+0x1ac/0x350 worker_thread+0x49/0x2f0 ? rescuer_thread+0x360/0x360 kthread+0x118/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x1f/0x30 CVE-2024-56718 moderate In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix TSO DMA API usage causing oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit(). The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len. This causes problems such as: dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed and with DMA_API_DEBUG enabled: DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). Full details of the crashes can be found at: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/ CVE-2024-56719 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Several fixes to bpf_msg_pop_data Several fixes to bpf_msg_pop_data, 1. In sk_msg_shift_left, we should put_page 2. if (len == 0), return early is better 3. pop the entire sk_msg (last == msg->sg.size) should be supported 4. Fix for the value of variable "a" 5. In sk_msg_shift_left, after shifting, i has already pointed to the next element. Addtional sk_msg_iter_var_next may result in BUG. CVE-2024-56720 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix cpu stuck caused by printings during reset During reset, cmd to destroy resources such as qp, cq, and mr may fail, and error logs will be printed. When a large number of resources are destroyed, there will be lots of printings, and it may lead to a cpu stuck. Delete some unnecessary printings and replace other printing functions in these paths with the ratelimited version. CVE-2024-56722 moderate In the Linux kernel, the following vulnerability has been resolved: mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices While design wise the idea of converting the driver to use the hierarchy of the IRQ chips is correct, the implementation has (inherited) flaws. This was unveiled when platform_get_irq() had started WARN() on IRQ 0 that is supposed to be a Linux IRQ number (also known as vIRQ). Rework the driver to respect IRQ domain when creating each MFD device separately, as the domain is not the same for all of them. CVE-2024-56723 moderate In the Linux kernel, the following vulnerability has been resolved: mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device While design wise the idea of converting the driver to use the hierarchy of the IRQ chips is correct, the implementation has (inherited) flaws. This was unveiled when platform_get_irq() had started WARN() on IRQ 0 that is supposed to be a Linux IRQ number (also known as vIRQ). Rework the driver to respect IRQ domain when creating each MFD device separately, as the domain is not the same for all of them. CVE-2024-56724 moderate In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dcbnl.c Add error pointer check after calling otx2_mbox_get_rsp(). CVE-2024-56725 moderate In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in cn10k.c Add error pointer check after calling otx2_mbox_get_rsp(). CVE-2024-56726 moderate In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c Adding error pointer check after calling otx2_mbox_get_rsp(). CVE-2024-56727 moderate In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c Add error pointer check after calling otx2_mbox_get_rsp(). CVE-2024-56728 moderate In the Linux kernel, the following vulnerability has been resolved: smb: Initialize cfid->tcon before performing network ops Avoid leaking a tcon ref when a lease break races with opening the cached directory. Processing the leak break might take a reference to the tcon in cached_dir_lease_break() and then fail to release the ref in cached_dir_offload_close, since cfid->tcon is still NULL. CVE-2024-56729 moderate In the Linux kernel, the following vulnerability has been resolved: rtc: check if __rtc_read_time was successful in rtc_timer_do_work() If the __rtc_read_time call fails,, the struct rtc_time tm; may contain uninitialized data, or an illegal date/time read from the RTC hardware. When calling rtc_tm_to_ktime later, the result may be a very large value (possibly KTIME_MAX). If there are periodic timers in rtc->timerqueue, they will continually expire, may causing kernel softlockup. CVE-2024-56739 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-56741 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: Fix reset_method_store() memory leak In reset_method_store(), a string is allocated via kstrndup() and assigned to the local "options". options is then used in with strsep() to find spaces: while ((name = strsep(&options, " ")) != NULL) { If there are no remaining spaces, then options is set to NULL by strsep(), so the subsequent kfree(options) doesn't free the memory allocated via kstrndup(). Fix by using a separate tmp_options to iterate with strsep() so options is preserved. CVE-2024-56745 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() When information such as info->screen_base is not ready, calling sh7760fb_free_mem() does not release memory correctly. Call dma_free_coherent() instead. CVE-2024-56746 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() Hook "qedi_ops->common->sb_init = qed_sb_init" does not release the DMA memory sb_virt when it fails. Add dma_free_coherent() to free it. This is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb(). CVE-2024-56747 low In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb() Hook "qed_ops->common->sb_init = qed_sb_init" does not release the DMA memory sb_virt when it fails. Add dma_free_coherent() to free it. This is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb(). CVE-2024-56748 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: release nexthop on device removal The CI is hitting some aperiodic hangup at device removal time in the pmtu.sh self-test: unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6 ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at dst_init+0x84/0x4a0 dst_alloc+0x97/0x150 ip6_dst_alloc+0x23/0x90 ip6_rt_pcpu_alloc+0x1e6/0x520 ip6_pol_route+0x56f/0x840 fib6_rule_lookup+0x334/0x630 ip6_route_output_flags+0x259/0x480 ip6_dst_lookup_tail.constprop.0+0x5c2/0x940 ip6_dst_lookup_flow+0x88/0x190 udp_tunnel6_dst_lookup+0x2a7/0x4c0 vxlan_xmit_one+0xbde/0x4a50 [vxlan] vxlan_xmit+0x9ad/0xf20 [vxlan] dev_hard_start_xmit+0x10e/0x360 __dev_queue_xmit+0xf95/0x18c0 arp_solicit+0x4a2/0xe00 neigh_probe+0xaa/0xf0 While the first suspect is the dst_cache, explicitly tracking the dst owing the last device reference via probes proved such dst is held by the nexthop in the originating fib6_info. Similar to commit f5b51fe804ec ("ipv6: route: purge exception on removal"), we need to explicitly release the originating fib info when disconnecting a to-be-removed device from a live ipv6 dst: move the fib6_info cleanup into ip6_dst_ifdown(). Tested running: ./pmtu.sh cleanup_ipv6_exception in a tight loop for more than 400 iterations with no spat, running an unpatched kernel I observed a splat every ~10 iterations. CVE-2024-56751 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/gr/gf100: Fix missing unlock in gf100_gr_chan_new() When the call to gf100_grctx_generate() fails, unlock gr->fecs.mutex before returning the error. Fixes smatch warning: drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c:480 gf100_gr_chan_new() warn: inconsistent returns '&gr->fecs.mutex'. CVE-2024-56752 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: caam - Fix the pointer passed to caam_qi_shutdown() The type of the last parameter given to devm_add_action_or_reset() is "struct caam_drv_private *", but in caam_qi_shutdown(), it is casted to "struct device *". Pass the correct parameter to devm_add_action_or_reset() so that the resources are released as expected. CVE-2024-56754 moderate In the Linux kernel, the following vulnerability has been resolved: netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING In fscache_create_volume(), there is a missing memory barrier between the bit-clearing operation and the wake-up operation. This may cause a situation where, after a wake-up, the bit-clearing operation hasn't been detected yet, leading to an indefinite wait. The triggering process is as follows: [cookie1] [cookie2] [volume_work] fscache_perform_lookup fscache_create_volume fscache_perform_lookup fscache_create_volume fscache_create_volume_work cachefiles_acquire_volume clear_and_wake_up_bit test_and_set_bit test_and_set_bit goto maybe_wait goto no_wait In the above process, cookie1 and cookie2 has the same volume. When cookie1 enters the -no_wait- process, it will clear the bit and wake up the waiting process. If a barrier is missing, it may cause cookie2 to remain in the -wait- process indefinitely. In commit 3288666c7256 ("fscache: Use clear_and_wake_up_bit() in fscache_create_volume_work()"), barriers were added to similar operations in fscache_create_volume_work(), but fscache_create_volume() was missed. By combining the clear and wake operations into clear_and_wake_up_bit() to fix this issue. CVE-2024-56755 low In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix freeing of the HMB descriptor table The HMB descriptor table is sized to the maximum number of descriptors that could be used for a given device, but __nvme_alloc_host_mem could break out of the loop earlier on memory allocation failure and end up using less descriptors than planned for, which leads to an incorrect size passed to dma_free_coherent. In practice this was not showing up because the number of descriptors tends to be low and the dma coherent allocator always allocates and frees at least a page. CVE-2024-56756 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 </TASK> This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode) Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice. CVE-2024-56758 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. CVE-2024-56759 important In the Linux kernel, the following vulnerability has been resolved: PCI/MSI: Handle lack of irqdomain gracefully Alexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a RISCV platform which does not provide PCI/MSI support: WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32 __pci_enable_msix_range+0x30c/0x596 pci_msi_setup_msi_irqs+0x2c/0x32 pci_alloc_irq_vectors_affinity+0xb8/0xe2 RISCV uses hierarchical interrupt domains and correctly does not implement the legacy fallback. The warning triggers from the legacy fallback stub. That warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent domain is associated with the device or not. There is a check for MSI-X, which has a legacy assumption. But that legacy fallback assumption is only valid when legacy support is enabled, but otherwise the check should simply return -ENOTSUPP. Loongarch tripped over the same problem and blindly enabled legacy support without implementing the legacy fallbacks. There are weak implementations which return an error, so the problem was papered over. Correct pci_msi_domain_supports() to evaluate the legacy mode and add the missing supported check into the MSI enable path to complete it. CVE-2024-56760 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Prevent bad count for tracing_cpumask_write If a large count is provided, it will trigger a warning in bitmap_parse_user. Also check zero for it. CVE-2024-56763 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/vas: Add close() callback in vas_vm_ops struct The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration. The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928 [16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BAD_PAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4 ... [16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasan_save_stack+0x34/0x68 [16386.256163] kasan_save_track+0x34/0x80 [16386.256175] kasan_save_alloc_info+0x58/0x74 [16386.256196] __kasan_slab_alloc+0xb8/0xdc [16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0 [16386.256225] vm_area_alloc+0x44/0x150 [16386.256245] mmap_region+0x214/0x10c4 [16386.256265] do_mmap+0x5fc/0x750 [16386.256277] vm_mmap_pgoff+0x14c/0x24c [16386.256292] ksys_mmap_pgoff+0x20c/0x348 [16386.256303] sys_mmap+0xd0/0x160 ... [16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasan_save_stack+0x34/0x68 [16386.256374] kasan_save_track+0x34/0x80 [16386.256384] kasan_save_free_info+0x64/0x10c [16386.256396] __kasan_slab_free+0x120/0x204 [16386.256415] kmem_cache_free+0x128/0x450 [16386.256428] vm_area_free_rcu_cb+0xa8/0xd8 [16386.256441] rcu_do_batch+0x2c8/0xcf0 [16386.256458] rcu_core+0x378/0x3c4 [16386.256473] handle_softirqs+0x20c/0x60c [16386.256495] do_softirq_own_stack+0x6c/0x88 [16386.256509] do_softirq_own_stack+0x58/0x88 [16386.256521] __irq_exit_rcu+0x1a4/0x20c [16386.256533] irq_exit+0x20/0x38 [16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c ... [16386.256717] Last potentially related work creation: [16386.256729] kasan_save_stack+0x34/0x68 [16386.256741] __kasan_record_aux_stack+0xcc/0x12c [16386.256753] __call_rcu_common.constprop.0+0x94/0xd04 [16386.256766] vm_area_free+0x28/0x3c [16386.256778] remove_vma+0xf4/0x114 [16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870 [16386.256811] __vm_munmap+0xe0/0x1f8 [16386.256821] sys_munmap+0x54/0x6c [16386.256830] system_call_exception+0x1a0/0x4a0 [16386.256841] system_call_vectored_common+0x15c/0x2ec [16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vm_area_struct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718) [16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386 ---truncated--- CVE-2024-56765 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fix double free in atmel_pmecc_create_user() The "user" pointer was converted from being allocated with kzalloc() to being allocated by devm_kzalloc(). Calling kfree(user) will lead to a double free. CVE-2024-56766 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset The at_xdmac_memset_create_desc may return NULL, which will lead to a null pointer dereference. For example, the len input is error, or the atchan->free_descs_list is empty and memory is exhausted. Therefore, add check to avoid this. CVE-2024-56767 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Syzbot reports [1] an uninitialized value issue found by KMSAN in dib3000_read_reg(). Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case that call fails, the buffer may end up with some undefined values. Since no elaborate error handling is expected in dib3000_write_reg(), simply zero out rb buffer to mitigate the problem. [1] Syzkaller report dvb-usb: bulk message failed: -22 (6/0) ===================================================== BUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31 dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline] dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310 dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110 ... Local variable rb created at: dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54 dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 ... CVE-2024-56769 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: netem: account for backlog updates from child qdisc In general, 'qlen' of any classful qdisc should keep track of the number of packets that the qdisc itself and all of its children holds. In case of netem, 'qlen' only accounts for the packets in its internal tfifo. When netem is used with a child qdisc, the child qdisc can use 'qdisc_tree_reduce_backlog' to inform its parent, netem, about created or dropped SKBs. This function updates 'qlen' and the backlog statistics of netem, but netem does not account for changes made by a child qdisc. 'qlen' then indicates the wrong number of packets in the tfifo. If a child qdisc creates new SKBs during enqueue and informs its parent about this, netem's 'qlen' value is increased. When netem dequeues the newly created SKBs from the child, the 'qlen' in netem is not updated. If 'qlen' reaches the configured sch->limit, the enqueue function stops working, even though the tfifo is not full. Reproduce the bug: Ensure that the sender machine has GSO enabled. Configure netem as root qdisc and tbf as its child on the outgoing interface of the machine as follows: $ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100 $ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 client on the machine. Check the qdisc statistics: $ tc -s qdisc show dev <oif> Statistics after 10s of iPerf3 TCP test before the fix (note that netem's backlog > limit, netem stopped accepting packets): qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0) backlog 4294528236b 1155p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0) backlog 0b 0p requeues 0 Statistics after the fix: qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0) backlog 0b 0p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0) backlog 0b 0p requeues 0 tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'. The interface fully stops transferring packets and "locks". In this case, the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at its limit and no more packets are accepted. This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is only decreased when a packet is returned by its dequeue function, and not during enqueuing into the child qdisc. External updates to 'qlen' are thus accounted for and only the behavior of the backlog statistics changes. As in other qdiscs, 'qlen' then keeps track of how many packets are held in netem and all of its children. As before, sch->limit remains as the maximum number of packets in the tfifo. The same applies to netem's backlog statistics. CVE-2024-56770 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: add a sanity check for btrfs root in btrfs_search_slot() Syzbot reports a null-ptr-deref in btrfs_search_slot(). The reproducer is using rescue=ibadroots, and the extent tree root is corrupted thus the extent tree is NULL. When scrub tries to search the extent tree to gather the needed extent info, btrfs_search_slot() doesn't check if the target root is NULL or not, resulting the null-ptr-deref. Add sanity check for btrfs root before using it in btrfs_search_slot(). CVE-2024-56774 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix handling of plane refcount [Why] The mechanism to backup and restore plane states doesn't maintain refcount, which can cause issues if the refcount of the plane changes in between backup and restore operations, such as memory leaks if the refcount was supposed to go down, or double frees / invalid memory accesses if the refcount was supposed to go up. [How] Cache and re-apply current refcount when restoring plane states. CVE-2024-56775 moderate In the Linux kernel, the following vulnerability has been resolved: drm/sti: avoid potential dereference of error pointers The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. CVE-2024-56776 moderate In the Linux kernel, the following vulnerability has been resolved: drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. CVE-2024-56777 moderate In the Linux kernel, the following vulnerability has been resolved: drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. CVE-2024-56778 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur The action force umount(umount -f) will attempt to kill all rpc_task even umount operation may ultimately fail if some files remain open. Consequently, if an action attempts to open a file, it can potentially send two rpc_task to nfs server. NFS CLIENT thread1 thread2 open("file") ... nfs4_do_open _nfs4_do_open _nfs4_open_and_get_state _nfs4_proc_open nfs4_run_open_task /* rpc_task1 */ rpc_run_task rpc_wait_for_completion_task umount -f nfs_umount_begin rpc_killall_tasks rpc_signal_task rpc_task1 been wakeup and return -512 _nfs4_do_open // while loop ... nfs4_run_open_task /* rpc_task2 */ rpc_run_task rpc_wait_for_completion_task While processing an open request, nfsd will first attempt to find or allocate an nfs4_openowner. If it finds an nfs4_openowner that is not marked as NFS4_OO_CONFIRMED, this nfs4_openowner will released. Since two rpc_task can attempt to open the same file simultaneously from the client to server, and because two instances of nfsd can run concurrently, this situation can lead to lots of memory leak. Additionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be triggered. NFS SERVER nfsd1 nfsd2 echo 0 > /proc/fs/nfsd/threads nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // alloc oo1, stateid1 nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // find oo1, without NFS4_OO_CONFIRMED release_openowner unhash_openowner_locked list_del_init(&oo->oo_perclient) // cannot find this oo // from client, LEAK!!! alloc_stateowner // alloc oo2 nfsd4_process_open2 init_open_stateid // associate oo1 // with stateid1, stateid1 LEAK!!! nfs4_get_vfs_file // alloc nfsd_file1 and nfsd_file_mark1 // all LEAK!!! nfsd4_process_open2 ... write_threads ... nfsd_destroy_serv nfsd_shutdown_net nfs4_state_shutdown_net nfs4_state_destroy_net destroy_client __destroy_client // won't find oo1!!! nfsd_shutdown_generic nfsd_file_cache_shutdown kmem_cache_destroy for nfsd_file_slab and nfsd_file_mark_slab // bark since nfsd_file1 // and nfsd_file_mark1 // still alive ======================================================================= BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown() ----------------------------------------------------------------------- Slab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28 flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dum ---truncated--- CVE-2024-56779 moderate In the Linux kernel, the following vulnerability has been resolved: quota: flush quota_release_work upon quota writeback One of the paths quota writeback is called from is: freeze_super() sync_filesystem() ext4_sync_fs() dquot_writeback_dquots() Since we currently don't always flush the quota_release_work queue in this path, we can end up with the following race: 1. dquot are added to releasing_dquots list during regular operations. 2. FS Freeze starts, however, this does not flush the quota_release_work queue. 3. Freeze completes. 4. Kernel eventually tries to flush the workqueue while FS is frozen which hits a WARN_ON since transaction gets started during frozen state: ext4_journal_check_start+0x28/0x110 [ext4] (unreliable) __ext4_journal_start_sb+0x64/0x1c0 [ext4] ext4_release_dquot+0x90/0x1d0 [ext4] quota_release_workfn+0x43c/0x4d0 Which is the following line: WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE); Which ultimately results in generic/390 failing due to dmesg noise. This was detected on powerpc machine 15 cores. To avoid this, make sure to flush the workqueue during dquot_writeback_dquots() so we dont have any pending workitems after freeze. CVE-2024-56780 moderate In the Linux kernel, the following vulnerability has been resolved: soc: imx8m: Probe the SoC driver as platform driver With driver_async_probe=* on kernel command line, the following trace is produced because on i.MX8M Plus hardware because the soc-imx8m.c driver calls of_clk_get_by_name() which returns -EPROBE_DEFER because the clock driver is not yet probed. This was not detected during regular testing without driver_async_probe. Convert the SoC code to platform driver and instantiate a platform device in its current device_initcall() to probe the platform driver. Rework .soc_revision callback to always return valid error code and return SoC revision via parameter. This way, if anything in the .soc_revision callback return -EPROBE_DEFER, it gets propagated to .probe and the .probe will get retried later. " ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1 at drivers/soc/imx/soc-imx8m.c:115 imx8mm_soc_revision+0xdc/0x180 CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-next-20240924-00002-g2062bb554dea #603 Hardware name: DH electronics i.MX8M Plus DHCOM Premium Developer Kit (3) (DT) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : imx8mm_soc_revision+0xdc/0x180 lr : imx8mm_soc_revision+0xd0/0x180 sp : ffff8000821fbcc0 x29: ffff8000821fbce0 x28: 0000000000000000 x27: ffff800081810120 x26: ffff8000818a9970 x25: 0000000000000006 x24: 0000000000824311 x23: ffff8000817f42c8 x22: ffff0000df8be210 x21: fffffffffffffdfb x20: ffff800082780000 x19: 0000000000000001 x18: ffffffffffffffff x17: ffff800081fff418 x16: ffff8000823e1000 x15: ffff0000c03b65e8 x14: ffff0000c00051b0 x13: ffff800082790000 x12: 0000000000000801 x11: ffff80008278ffff x10: ffff80008209d3a6 x9 : ffff80008062e95c x8 : ffff8000821fb9a0 x7 : 0000000000000000 x6 : 00000000000080e3 x5 : ffff0000df8c03d8 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : fffffffffffffdfb x0 : fffffffffffffdfb Call trace: imx8mm_soc_revision+0xdc/0x180 imx8_soc_init+0xb0/0x1e0 do_one_initcall+0x94/0x1a8 kernel_init_freeable+0x240/0x2a8 kernel_init+0x28/0x140 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- SoC: i.MX8MP revision 1.1 " CVE-2024-56787 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: check return value of sock_recvmsg when draining clc data When receiving clc msg, the field length in smc_clc_msg_hdr indicates the length of msg should be received from network and the value should not be fully trusted as it is from the network. Once the value of length exceeds the value of buflen in function smc_clc_wait_msg it may run into deadloop when trying to drain the remaining data exceeding buflen. This patch checks the return value of sock_recvmsg when draining data in case of deadloop in draining. CVE-2024-57791 important In the Linux kernel, the following vulnerability has been resolved: power: supply: gpio-charger: Fix set charge current limits Fix set charge current limits for devices which allow to set the lowest charge current limit to be greater zero. If requested charge current limit is below lowest limit, the index equals current_limit_map_size which leads to accessing memory beyond allocated memory. CVE-2024-57792 important In the Linux kernel, the following vulnerability has been resolved: virt: tdx-guest: Just leak decrypted memory on unrecoverable errors In CoCo VMs it is possible for the untrusted host to cause set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Leak the decrypted memory when set_memory_decrypted() fails, and don't need to print an error since set_memory_decrypted() will call WARN_ONCE(). CVE-2024-57793 important In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Remove the direct link to net_device The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889 This problem also occurred in RXE. The following analyze this problem. In the following Call Traces: " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295 CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: infiniband ib_cache_event_task Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60 __ib_query_port drivers/infiniband/core/device.c:2111 [inline] ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143 ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494 ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> " 1). In the link [1], " infiniband syz2: set down " This means that on 839.350575, the event ib_cache_event_task was sent andi queued in ib_wq. 2). In the link [1], " team0 (unregistering): Port device team_slave_0 removed " It indicates that before 843.251853, the net device should be freed. 3). In the link [1], " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 " This means that on 850.559070, this slab-use-after-free problem occurred. In all, on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq, before 843.251853, the net device veth was freed. on 850.559070, this event was executed, and the mentioned freed net device was called. Thus, the above call trace occurred. [1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000 CVE-2024-57795 moderate In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails. CVE-2024-57798 important In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Skip restore TC rules for vport rep without loaded flag During driver unload, unregister_netdev is called after unloading vport rep. So, the mlx5e_rep_priv is already freed while trying to get rpriv->netdev, or walk rpriv->tc_ht, which results in use-after-free. So add the checking to make sure access the data of vport rep which is still loaded. CVE-2024-57801 moderate In the Linux kernel, the following vulnerability has been resolved: netrom: check buffer length before accessing it Syzkaller reports an uninit value read from ax25cmp when sending raw message through ieee802154 implementation. ===================================================== BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601 nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774 nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299 ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 sock_alloc_send_skb include/net/sock.h:1884 [inline] raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282 ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== This issue occurs because the skb buffer is too small, and it's actual allocation is aligned. This hides an actual issue, which is that nr_route_frame does not validate the buffer size before using it. Fix this issue by checking skb->len before accessing any fields in skb->data. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2024-57802 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs The driver, through the SAS transport, exposes a sysfs interface to enable/disable PHYs in a controller/expander setup. When multiple PHYs are disabled and enabled in rapid succession, the persistent and current config pages related to SAS IO unit/SAS Expander pages could get corrupted. Use separate memory for each config request. CVE-2024-57804 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix for a potential deadlock This fixes a 'possible circular locking dependency detected' warning CPU0 CPU1 ---- ---- lock(&instance->reset_mutex); lock(&shost->scan_mutex); lock(&instance->reset_mutex); lock(&shost->scan_mutex); Fix this by temporarily releasing the reset_mutex. CVE-2024-57807 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: imx6: Fix suspend/resume support on i.MX6QDL The suspend/resume functionality is currently broken on the i.MX6QDL platform, as documented in the NXP errata (ERR005723): https://www.nxp.com/docs/en/errata/IMX6DQCE.pdf This patch addresses the issue by sharing most of the suspend/resume sequences used by other i.MX devices, while avoiding modifications to critical registers that disrupt the PCIe functionality. It targets the same problem as the following downstream commit: https://github.com/nxp-imx/linux-imx/commit/4e92355e1f79d225ea842511fcfd42b343b32995 Unlike the downstream commit, this patch also resets the connected PCIe device if possible. Without this reset, certain drivers, such as ath10k or iwlwifi, will crash on resume. The device reset is also done by the driver on other i.MX platforms, making this patch consistent with existing practices. Upon resuming, the kernel will hang and display an error. Here's an example of the error encountered with the ath10k driver: ath10k_pci 0000:01:00.0: Unable to change power state from D3hot to D0, device inaccessible Unhandled fault: imprecise external abort (0x1406) at 0x0106f944 Without this patch, suspend/resume will fail on i.MX6QDL devices if a PCIe device is connected. [kwilczynski: commit log, added tag for stable releases] CVE-2024-57809 moderate In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1] If dvb->mux is not initialized successfully by vidtv_mux_init() in the vidtv_start_streaming(), it will trigger null pointer dereference about mux in vidtv_mux_stop_thread(). Adjust the timing of streaming initialization and check it before stopping it. [1] KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471 Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8 RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125 RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128 RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188 R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710 FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline] vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252 dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000 dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486 dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3f8/0xb60 fs/file_table.c:450 task_work_run+0x14e/0x250 kernel/task_work.c:239 get_signal+0x1d3/0x2610 kernel/signal.c:2790 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-57834 moderate In the Linux kernel, the following vulnerability has been resolved: s390/entry: Mark IRQ entries to fix stack depot warnings The stack depot filters out everything outside of the top interrupt context as an uninteresting or irrelevant part of the stack traces. This helps with stack trace de-duplication, avoiding an explosion of saved stack traces that share the same IRQ context code path but originate from different randomly interrupted points, eventually exhausting the stack depot. Filtering uses in_irqentry_text() to identify functions within the .irqentry.text and .softirqentry.text sections, which then become the last stack trace entries being saved. While __do_softirq() is placed into the .softirqentry.text section by common code, populating .irqentry.text is architecture-specific. Currently, the .irqentry.text section on s390 is empty, which prevents stack depot filtering and de-duplication and could result in warnings like: Stack depot reached limit capacity WARNING: CPU: 0 PID: 286113 at lib/stackdepot.c:252 depot_alloc_stack+0x39a/0x3c8 with PREEMPT and KASAN enabled. Fix this by moving the IO/EXT interrupt handlers from .kprobes.text into the .irqentry.text section and updating the kprobes blacklist to include the .irqentry.text section. This is done only for asynchronous interrupts and explicitly not for program checks, which are synchronous and where the context beyond the program check is important to preserve. Despite machine checks being somewhat in between, they are extremely rare, and preserving context when possible is also of value. SVCs and Restart Interrupts are not relevant, one being always at the boundary to user space and the other being a one-time thing. IRQ entries filtering is also optionally used in ftrace function graph, where the same logic applies. CVE-2024-57838 moderate In the Linux kernel, the following vulnerability has been resolved: s390/cpum_sf: Handle CPU hotplug remove during sampling CPU hotplug remove handling triggers the following function call sequence: CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() ... CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() The s390 CPUMF sampling CPU hotplug handler invokes: s390_pmu_sf_offline_cpu() +--> cpusf_pmu_setup() +--> setup_pmc_cpu() +--> deallocate_buffers() This function de-allocates all sampling data buffers (SDBs) allocated for that CPU at event initialization. It also clears the PMU_F_RESERVED bit. The CPU is gone and can not be sampled. With the event still being active on the removed CPU, the CPU event hotplug support in kernel performance subsystem triggers the following function calls on the removed CPU: perf_event_exit_cpu() +--> perf_event_exit_cpu_context() +--> __perf_event_exit_context() +--> __perf_remove_from_context() +--> event_sched_out() +--> cpumsf_pmu_del() +--> cpumsf_pmu_stop() +--> hw_perf_event_update() to stop and remove the event. During removal of the event, the sampling device driver tries to read out the remaining samples from the sample data buffers (SDBs). But they have already been freed (and may have been re-assigned). This may lead to a use after free situation in which case the samples are most likely invalid. In the best case the memory has not been reassigned and still contains valid data. Remedy this situation and check if the CPU is still in reserved state (bit PMU_F_RESERVED set). In this case the SDBs have not been released an contain valid data. This is always the case when the event is removed (and no CPU hotplug off occured). If the PMU_F_RESERVED bit is not set, the SDB buffers are gone. CVE-2024-57849 important In the Linux kernel, the following vulnerability has been resolved: jffs2: Prevent rtime decompress memory corruption The rtime decompression routine does not fully check bounds during the entirety of the decompression pass and can corrupt memory outside the decompression buffer if the compressed data is corrupted. This adds the required check to prevent this failure mode. CVE-2024-57850 important In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Remove direct link to net_device Do not manage a per device direct link to net_device. Rely on associated ib_devices net_device management, not doubling the effort locally. A badly managed local link to net_device was causing a 'KASAN: slab-use-after-free' exception during siw_query_port() call. CVE-2024-57857 moderate In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently tagged_addr_ctrl_set() will consume an arbitrary value, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and rejects other values, a partial SETREGSET attempt will randomly succeed or fail depending on the value of the uninitialized value, and the exposure is significantly limited. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing value of the tagged address ctrl will be retained. The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the user_aarch64_view used by a native AArch64 task to manipulate another native AArch64 task. As get_tagged_addr_ctrl() only returns an error value when called for a compat task, tagged_addr_ctrl_get() and tagged_addr_ctrl_set() should never observe an error value from get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that such an error would be unexpected, and error handlnig is not missing in either case. CVE-2024-57874 moderate In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Fix resetting msg rx state after topology removal If the MST topology is removed during the reception of an MST down reply or MST up request sideband message, the drm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be reset from one thread via drm_dp_mst_topology_mgr_set_mst(false), racing with the reading/parsing of the message from another thread via drm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race is possible since the reader/parser doesn't hold any lock while accessing the reception state. This in turn can lead to a memory corruption in the reader/parser as described by commit bd2fccac61b4 ("drm/dp_mst: Fix MST sideband message body length check"). Fix the above by resetting the message reception state if needed before reading/parsing a message. Another solution would be to hold the drm_dp_mst_topology_mgr::lock for the whole duration of the message reception/parsing in drm_dp_mst_handle_down_rep() and drm_dp_mst_handle_up_req(), however this would require a bigger change. Since the fix is also needed for stable, opting for the simpler solution in this patch. CVE-2024-57876 important In the Linux kernel, the following vulnerability has been resolved: mptcp: fix TCP options overflow. Syzbot reported the following splat: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7074 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7f34f4519ad5 Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 </TASK> Eric noted a probable shinfo->nr_frags corruption, which indeed occurs. The root cause is a buggy MPTCP option len computation in some circumstances: the ADD_ADDR option should be mutually exclusive with DSS since the blamed commit. Still, mptcp_established_options_add_addr() tries to set the relevant info in mptcp_out_options, if ---truncated--- CVE-2024-57882 moderate In the Linux kernel, the following vulnerability has been resolved: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() The task sometimes continues looping in throttle_direct_reclaim() because allow_direct_reclaim(pgdat) keeps returning false. #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c #2 [ffff80002cb6f990] schedule at ffff800008abc50c #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550 #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68 #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660 #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98 #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8 #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974 #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4 At this point, the pgdat contains the following two zones: NODE: 4 ZONE: 0 ADDR: ffff00817fffe540 NAME: "DMA32" SIZE: 20480 MIN/LOW/HIGH: 11/28/45 VM_STAT: NR_FREE_PAGES: 359 NR_ZONE_INACTIVE_ANON: 18813 NR_ZONE_ACTIVE_ANON: 0 NR_ZONE_INACTIVE_FILE: 50 NR_ZONE_ACTIVE_FILE: 0 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 NODE: 4 ZONE: 1 ADDR: ffff00817fffec00 NAME: "Normal" SIZE: 8454144 PRESENT: 98304 MIN/LOW/HIGH: 68/166/264 VM_STAT: NR_FREE_PAGES: 146 NR_ZONE_INACTIVE_ANON: 94668 NR_ZONE_ACTIVE_ANON: 3 NR_ZONE_INACTIVE_FILE: 735 NR_ZONE_ACTIVE_FILE: 78 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 In allow_direct_reclaim(), while processing ZONE_DMA32, the sum of inactive/active file-backed pages calculated in zone_reclaimable_pages() based on the result of zone_page_state_snapshot() is zero. Additionally, since this system lacks swap, the calculation of inactive/ active anonymous pages is skipped. crash> p nr_swap_pages nr_swap_pages = $1937 = { counter = 0 } As a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to the processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having free pages significantly exceeding the high watermark. The problem is that the pgdat->kswapd_failures hasn't been incremented. crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures $1935 = 0x0 This is because the node deemed balanced. The node balancing logic in balance_pgdat() evaluates all zones collectively. If one or more zones (e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the entire node is deemed balanced. This causes balance_pgdat() to exit early before incrementing the kswapd_failures, as it considers the overall memory state acceptable, even though some zones (like ZONE_NORMAL) remain under significant pressure. The patch ensures that zone_reclaimable_pages() includes free pages (NR_FREE_PAGES) in its calculation when no other reclaimable pages are available (e.g., file-backed or anonymous pages). This change prevents zones like ZONE_DMA32, which have sufficient free pages, from being mistakenly deemed unreclaimable. By doing so, the patch ensures proper node balancing, avoids masking pressure on other zones like ZONE_NORMAL, and prevents infinite loops in throttle_direct_reclaim() caused by allow_direct_reclaim(pgdat) repeatedly returning false. The kernel hangs due to a task stuck in throttle_direct_reclaim(), caused by a node being incorrectly deemed balanced despite pressure in certain zones, such as ZONE_NORMAL. This issue arises from zone_reclaimable_pages ---truncated--- CVE-2024-57884 moderate In the Linux kernel, the following vulnerability has been resolved: drm: adv7511: Fix use-after-free in adv7533_attach_dsi() The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). CVE-2024-57887 moderate In the Linux kernel, the following vulnerability has been resolved: workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu] ... [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched] ... [ ] Call Trace: [ ] <TASK> ... [ ] ? check_flush_dependency+0xf5/0x110 ... [ ] cancel_delayed_work_sync+0x6e/0x80 [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu] [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu] [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu] [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched] [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu] [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched] [ ] process_one_work+0x217/0x720 ... [ ] </TASK> The intent of the verifcation done in check_flush_depedency is to ensure forward progress during memory reclaim, by flagging cases when either a memory reclaim process, or a memory reclaim work item is flushed from a context not marked as memory reclaim safe. This is correct when flushing, but when called from the cancel(_delayed)_work_sync() paths it is a false positive because work is either already running, or will not be running at all. Therefore cancelling it is safe and we can relax the warning criteria by letting the helper know of the calling context. References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") CVE-2024-57888 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above. CVE-2024-57889 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Prevent integer overflow issue In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 values that come from the user so the multiplication can lead to integer wrapping. Then we pass the result to uverbs_request_next_ptr() which also could potentially wrap. The "cmd.sge_count * sizeof(struct ib_uverbs_sge)" multiplication can also overflow on 32bit systems although it's fine on 64bit systems. This patch does two things. First, I've re-arranged the condition in uverbs_request_next_ptr() so that the use controlled variable "len" is on one side of the comparison by itself without any math. Then I've modified all the callers to use size_mul() for the multiplications. CVE-2024-57890 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm@linux-foundation.org: coding-style cleanups] CVE-2024-57892 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: oss: Fix races at processing SysEx messages OSS sequencer handles the SysEx messages split in 6 bytes packets, and ALSA sequencer OSS layer tries to combine those. It stores the data in the internal buffer and this access is racy as of now, which may lead to the out-of-bounds access. As a temporary band-aid fix, introduce a mutex for serializing the process of the SysEx message packets. CVE-2024-57893 important In the Linux kernel, the following vulnerability has been resolved: btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount During the unmount path, at close_ctree(), we first stop the cleaner kthread, using kthread_stop() which frees the associated task_struct, and then stop and destroy all the work queues. However after we stopped the cleaner we may still have a worker from the delalloc_workers queue running inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(), which in turn tries to wake up the cleaner kthread - which was already destroyed before, resulting in a use-after-free on the task_struct. Syzbot reported this with the following stack traces: BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: btrfs-delalloc btrfs_work_helper Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205 submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615 run_ordered_work fs/btrfs/async-thread.c:288 [inline] btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 2: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4104 [inline] slab_alloc_node mm/slub.c:4153 [inline] kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205 alloc_task_struct_node kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1113 copy_process+0x5d1/0x3d50 kernel/fork.c:2225 kernel_clone+0x223/0x870 kernel/fork.c:2807 kernel_thread+0x1bc/0x240 kernel/fork.c:2869 create_kthread kernel/kthread.c:412 [inline] kthreadd+0x60d/0x810 kernel/kthread.c:767 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 24: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kmem_cache_free+0x195/0x410 mm/slub.c:4700 put_task_struct include/linux/sched/task.h:144 [inline] delayed_put_task_struct+0x125/0x300 kernel/exit.c:227 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:943 ---truncated--- CVE-2024-57896 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Correct the migration DMA map direction The SVM DMA device map direction should be set the same as the DMA unmap setting, otherwise the DMA core will report the following warning. Before finialize this solution, there're some discussion on the DMA mapping type(stream-based or coherent) in this KFD migration case, followed by https://lore.kernel.org/all/04d4ab32 -45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/. As there's no dma_sync_single_for_*() in the DMA buffer accessed that because this migration operation should be sync properly and automatically. Give that there's might not be a performance problem in various cache sync policy of DMA sync. Therefore, in order to simplify the DMA direction setting alignment, let's set the DMA map direction as BIDIRECTIONAL. [ 150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930 [ 150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds [ 150.834310] wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii [ 150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G OE 6.10.0-custom #492 [ 150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 [ 150.834360] RIP: 0010:check_unmap+0x1cc/0x930 [ 150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50 [ 150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086 [ 150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027 [ 150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680 [ 150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850 [ 150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40 [ 150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b [ 150.834377] FS: 00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000 [ 150.834379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0 [ 150.834383] Call Trace: [ 150.834385] <TASK> [ 150.834387] ? show_regs+0x6d/0x80 [ 150.834393] ? __warn+0x8c/0x140 [ 150.834397] ? check_unmap+0x1cc/0x930 [ 150.834400] ? report_bug+0x193/0x1a0 [ 150.834406] ? handle_bug+0x46/0x80 [ 150.834410] ? exc_invalid_op+0x1d/0x80 [ 150.834413] ? asm_exc_invalid_op+0x1f/0x30 [ 150.834420] ? check_unmap+0x1cc/0x930 [ 150.834425] debug_dma_unmap_page+0x86/0x90 [ 150.834431] ? srso_return_thunk+0x5/0x5f [ 150.834435] ---truncated--- CVE-2024-57897 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix mbss changed flags corruption on 32 bit systems On 32-bit systems, the size of an unsigned long is 4 bytes, while a u64 is 8 bytes. Therefore, when using or_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE), the code is incorrectly searching for a bit in a 32-bit variable that is expected to be 64 bits in size, leading to incorrect bit finding. Solution: Ensure that the size of the bits variable is correctly adjusted for each architecture. Call Trace: ? show_regs+0x54/0x58 ? __warn+0x6b/0xd4 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? report_bug+0x113/0x150 ? exc_overflow+0x30/0x30 ? handle_bug+0x27/0x44 ? exc_invalid_op+0x18/0x50 ? handle_exception+0xf6/0xf6 ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? ieee80211_mesh_work+0xff/0x260 [mac80211] ? cfg80211_wiphy_work+0x72/0x98 [cfg80211] ? process_one_work+0xf1/0x1fc ? worker_thread+0x2c0/0x3b4 ? kthread+0xc7/0xf0 ? mod_delayed_work_on+0x4c/0x4c ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork+0x24/0x38 ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork_asm+0xf/0x14 ? entry_INT80_32+0xf0/0xf0 [restore no-op path for no changes] CVE-2024-57899 moderate In the Linux kernel, the following vulnerability has been resolved: ila: serialize calls to nf_register_net_hooks() syzbot found a race in ila_add_mapping() [1] commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempted to fix a similar issue. Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. Add a mutex to make sure at most one thread is calling nf_register_net_hooks(). [1] BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501 CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0xa94/0x1010 net/core/dev.c:7074 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 CVE-2024-57900 moderate In the Linux kernel, the following vulnerability has been resolved: net: restrict SO_REUSEPORT to inet sockets After blamed commit, crypto sockets could accidentally be destroyed from RCU call back, as spotted by zyzbot [1]. Trying to acquire a mutex in RCU callback is not allowed. Restrict SO_REUSEPORT socket option to inet sockets. v1 of this patch supported TCP, UDP and SCTP sockets, but fcnal-test.sh test needed RAW and ICMP support. [1] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1 preempt_count: 100, expected: 0 RCU nest depth: 0, expected: 0 1 lock held by ksoftirqd/1/24: #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline] #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823 Preemption disabled at: [<ffffffff8161c8c8>] softirq_handle_begin kernel/softirq.c:402 [inline] [<ffffffff8161c8c8>] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537 CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 __might_resched+0x5d4/0x780 kernel/sched/core.c:8758 __mutex_lock_common kernel/locking/mutex.c:562 [inline] __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735 crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179 aead_release+0x3d/0x50 crypto/algif_aead.c:489 alg_do_release crypto/af_alg.c:118 [inline] alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502 __sk_destruct+0x58/0x5f0 net/core/sock.c:2260 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 run_ksoftirqd+0xca/0x130 kernel/softirq.c:950 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> CVE-2024-57903 moderate In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91: call input_free_device() on allocated iio_dev Current implementation of at91_ts_register() calls input_free_deivce() on st->ts_input, however, the err label can be reached before the allocated iio_dev is stored to st->ts_input. Thus call input_free_device() on input instead of st->ts_input. CVE-2024-57904 moderate In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-ads8688: fix information leak in triggered buffer The 'buffer' local array is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the array to zero before using it to avoid pushing uninitialized information to userspace. CVE-2024-57906 moderate In the Linux kernel, the following vulnerability has been resolved: iio: adc: rockchip_saradc: fix information leak in triggered buffer The 'data' local struct is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace. CVE-2024-57907 moderate In the Linux kernel, the following vulnerability has been resolved: iio: imu: kmx61: fix information leak in triggered buffer The 'buffer' local array is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the array to zero before using it to avoid pushing uninitialized information to userspace. CVE-2024-57908 moderate In the Linux kernel, the following vulnerability has been resolved: iio: light: vcnl4035: fix information leak in triggered buffer The 'buffer' local array is used to push data to userspace from a triggered buffer, but it does not set an initial value for the single data element, which is an u16 aligned to 8 bytes. That leaves at least 4 bytes uninitialized even after writing an integer value with regmap_read(). Initialize the array to zero before using it to avoid pushing uninitialized information to userspace. CVE-2024-57910 moderate In the Linux kernel, the following vulnerability has been resolved: iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer The 'data' array is allocated via kmalloc() and it is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Use kzalloc for the memory allocation to avoid pushing uninitialized information to userspace. CVE-2024-57911 moderate In the Linux kernel, the following vulnerability has been resolved: iio: pressure: zpa2326: fix information leak in triggered buffer The 'sample' local struct is used to push data to user space from a triggered buffer, but it has a hole between the temperature and the timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp). This hole is never initialized. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace. CVE-2024-57912 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Remove WARN_ON in functionfs_bind This commit addresses an issue related to below kernel panic where panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON in functionsfs_bind, which easily leads to the following scenarios. 1.adb_write in adbd 2. UDC write via configfs ================= ===================== ->usb_ffs_open_thread() ->UDC write ->open_functionfs() ->configfs_write_iter() ->adb_open() ->gadget_dev_desc_UDC_store() ->adb_write() ->usb_gadget_register_driver_owner ->driver_register() ->StartMonitor() ->bus_add_driver() ->adb_read() ->gadget_bind_driver() <times-out without BIND event> ->configfs_composite_bind() ->usb_add_function() ->open_functionfs() ->ffs_func_bind() ->adb_open() ->functionfs_bind() <ffs->state !=FFS_ACTIVE> The adb_open, adb_read, and adb_write operations are invoked from the daemon, but trying to bind the function is a process that is invoked by UDC write through configfs, which opens up the possibility of a race condition between the two paths. In this race scenario, the kernel panic occurs due to the WARN_ON from functionfs_bind when panic_on_warn is enabled. This commit fixes the kernel panic by removing the unnecessary WARN_ON. Kernel panic - not syncing: kernel: panic_on_warn set ... [ 14.542395] Call trace: [ 14.542464] ffs_func_bind+0x1c8/0x14a8 [ 14.542468] usb_add_function+0xcc/0x1f0 [ 14.542473] configfs_composite_bind+0x468/0x588 [ 14.542478] gadget_bind_driver+0x108/0x27c [ 14.542483] really_probe+0x190/0x374 [ 14.542488] __driver_probe_device+0xa0/0x12c [ 14.542492] driver_probe_device+0x3c/0x220 [ 14.542498] __driver_attach+0x11c/0x1fc [ 14.542502] bus_for_each_dev+0x104/0x160 [ 14.542506] driver_attach+0x24/0x34 [ 14.542510] bus_add_driver+0x154/0x270 [ 14.542514] driver_register+0x68/0x104 [ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4 [ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144 [ 14.542526] configfs_write_iter+0xf0/0x138 CVE-2024-57913 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-57915 moderate In the Linux kernel, the following vulnerability has been resolved: misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling Resolve kernel panic caused by improper handling of IRQs while accessing GPIO values. This is done by replacing generic_handle_irq with handle_nested_irq. CVE-2024-57916 moderate In the Linux kernel, the following vulnerability has been resolved: topology: Keep the cpumask unchanged when printing cpumap During fuzz testing, the following warning was discovered: different return values (15 and 11) from vsnprintf("%*pbl ", ...) test:keyward is WARNING in kvasprintf WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130 Call Trace: kvasprintf+0x121/0x130 kasprintf+0xa6/0xe0 bitmap_print_to_buf+0x89/0x100 core_siblings_list_read+0x7e/0xb0 kernfs_file_read_iter+0x15b/0x270 new_sync_read+0x153/0x260 vfs_read+0x215/0x290 ksys_read+0xb9/0x160 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The call trace shows that kvasprintf() reported this warning during the printing of core_siblings_list. kvasprintf() has several steps: (1) First, calculate the length of the resulting formatted string. (2) Allocate a buffer based on the returned length. (3) Then, perform the actual string formatting. (4) Check whether the lengths of the formatted strings returned in steps (1) and (2) are consistent. If the core_cpumask is modified between steps (1) and (3), the lengths obtained in these two steps may not match. Indeed our test includes cpu hotplugging, which should modify core_cpumask while printing. To fix this issue, cache the cpumask into a temporary variable before calling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged during the printing process. CVE-2024-57917 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add check for granularity in dml ceil/floor helpers [Why] Wrapper functions for dcn_bw_ceil2() and dcn_bw_floor2() should check for granularity is non zero to avoid assert and divide-by-zero error in dcn_bw_ functions. [How] Add check for granularity 0. (cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec) CVE-2024-57922 moderate In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err The pointer need to be set to NULL, otherwise KASAN complains about use-after-free. Because in mtk_drm_bind, all private's drm are set as follows. private->all_drm_private[i]->drm = drm; And drm will be released by drm_dev_put in case mtk_drm_kms_init returns failure. However, the shutdown path still accesses the previous allocated memory in drm_atomic_helper_shutdown. [ 84.874820] watchdog: watchdog0: watchdog did not stop! [ 86.512054] ================================================================== [ 86.513162] BUG: KASAN: use-after-free in drm_atomic_helper_shutdown+0x33c/0x378 [ 86.514258] Read of size 8 at addr ffff0000d46fc068 by task shutdown/1 [ 86.515213] [ 86.515455] CPU: 1 UID: 0 PID: 1 Comm: shutdown Not tainted 6.13.0-rc1-mtk+gfa1a78e5d24b-dirty #55 [ 86.516752] Hardware name: Unknown Product/Unknown Product, BIOS 2022.10 10/01/2022 [ 86.517960] Call trace: [ 86.518333] show_stack+0x20/0x38 (C) [ 86.518891] dump_stack_lvl+0x90/0xd0 [ 86.519443] print_report+0xf8/0x5b0 [ 86.519985] kasan_report+0xb4/0x100 [ 86.520526] __asan_report_load8_noabort+0x20/0x30 [ 86.521240] drm_atomic_helper_shutdown+0x33c/0x378 [ 86.521966] mtk_drm_shutdown+0x54/0x80 [ 86.522546] platform_shutdown+0x64/0x90 [ 86.523137] device_shutdown+0x260/0x5b8 [ 86.523728] kernel_restart+0x78/0xf0 [ 86.524282] __do_sys_reboot+0x258/0x2f0 [ 86.524871] __arm64_sys_reboot+0x90/0xd8 [ 86.525473] invoke_syscall+0x74/0x268 [ 86.526041] el0_svc_common.constprop.0+0xb0/0x240 [ 86.526751] do_el0_svc+0x4c/0x70 [ 86.527251] el0_svc+0x4c/0xc0 [ 86.527719] el0t_64_sync_handler+0x144/0x168 [ 86.528367] el0t_64_sync+0x198/0x1a0 [ 86.528920] [ 86.529157] The buggy address belongs to the physical page: [ 86.529972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d46fd4d0 pfn:0x1146fc [ 86.531319] flags: 0xbfffc0000000000(node=0|zone=2|lastcpupid=0xffff) [ 86.532267] raw: 0bfffc0000000000 0000000000000000 dead000000000122 0000000000000000 [ 86.533390] raw: ffff0000d46fd4d0 0000000000000000 00000000ffffffff 0000000000000000 [ 86.534511] page dumped because: kasan: bad access detected [ 86.535323] [ 86.535559] Memory state around the buggy address: [ 86.536265] ffff0000d46fbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.537314] ffff0000d46fbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.538363] >ffff0000d46fc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.544733] ^ [ 86.551057] ffff0000d46fc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.557510] ffff0000d46fc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.563928] ================================================================== [ 86.571093] Disabling lock debugging due to kernel taint [ 86.577642] Unable to handle kernel paging request at virtual address e0e9c0920000000b [ 86.581834] KASAN: maybe wild-memory-access in range [0x0752049000000058-0x075204900000005f] ... CVE-2024-57926 moderate In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in dm_array_cursor_end When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put(). Reproduce steps: 1. initialize a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. wipe the second array block offline dmsteup remove cache cmeta cdata corig mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock 3. try reopen the cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) device-mapper: array: array_block_check failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: get_ablock failed device-mapper: cache metadata: dm_array_cursor_next for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638! Fix by setting the cached block pointer to NULL on errors. In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR> CVE-2024-57929 moderate In the Linux kernel, the following vulnerability has been resolved: selinux: ignore unknown extended permissions When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. CVE-2024-57931 moderate In the Linux kernel, the following vulnerability has been resolved: gve: guard XDP xmit NDO on existence of xdp queues In GVE, dedicated XDP queues only exist when an XDP program is installed and the interface is up. As such, the NDO XDP XMIT callback should return early if either of these conditions are false. In the case of no loaded XDP program, priv->num_xdp_queues=0 which can cause a divide-by-zero error, and in the case of interface down, num_xdp_queues remains untouched to persist XDP queue count for the next interface up, but the TX pointer itself would be NULL. The XDP xmit callback also needs to synchronize with a device transitioning from open to close. This synchronization will happen via the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call, which waits for any RCU critical sections at call-time to complete. CVE-2024-57932 moderate In the Linux kernel, the following vulnerability has been resolved: gve: guard XSK operations on the existence of queues This patch predicates the enabling and disabling of XSK pools on the existence of queues. As it stands, if the interface is down, disabling or enabling XSK pools would result in a crash, as the RX queue pointer would be NULL. XSK pool registration will occur as part of the next interface up. Similarly, xsk_wakeup needs be guarded against queues disappearing while the function is executing, so a check against the GVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the disabling of the bit and the synchronize_net() in gve_turndown. CVE-2024-57933 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix accessing invalid dip_ctx during destroying QP If it fails to modify QP to RTR, dip_ctx will not be attached. And during detroying QP, the invalid dip_ctx pointer will be accessed. CVE-2024-57935 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix max SGEs for the Work Request Gen P7 supports up to 13 SGEs for now. WQE software structure can hold only 6 now. Since the max send sge is reported as 13, the stack can give requests up to 13 SGEs. This is causing traffic failures and system crashes. Use the define for max SGE supported for variable size. This will work for both static and variable WQEs. CVE-2024-57936 moderate In the Linux kernel, the following vulnerability has been resolved: net/sctp: Prevent autoclose integer overflow in sctp_association_init() While by default max_autoclose equals to INT_MAX / HZ, one may set net.sctp.max_autoclose to UINT_MAX. There is code in sctp_association_init() that can consequently trigger overflow. CVE-2024-57938 moderate In the Linux kernel, the following vulnerability has been resolved: exfat: fix the infinite loop in exfat_readdir() If the file system is corrupted so that a cluster is linked to itself in the cluster chain, and there is an unused directory entry in the cluster, 'dentry' will not be incremented, causing condition 'dentry < max_dentries' unable to prevent an infinite loop. This infinite loop causes s_lock not to be released, and other tasks will hang, such as exfat_sync_fs(). This commit stops traversing the cluster chain when there is unused directory entry in the cluster to avoid this infinite loop. CVE-2024-57940 moderate In the Linux kernel, the following vulnerability has been resolved: virtio-blk: don't keep queue frozen during system suspend Commit 4ce6e2db00de ("virtio-blk: Ensure no requests in virtqueues before deleting vqs.") replaces queue quiesce with queue freeze in virtio-blk's PM callbacks. And the motivation is to drain inflight IOs before suspending. block layer's queue freeze looks very handy, but it is also easy to cause deadlock, such as, any attempt to call into bio_queue_enter() may run into deadlock if the queue is frozen in current context. There are all kinds of ->suspend() called in suspend context, so keeping queue frozen in the whole suspend context isn't one good idea. And Marek reported lockdep warning[1] caused by virtio-blk's freeze queue in virtblk_freeze(). [1] https://lore.kernel.org/linux-block/ca16370e-d646-4eee-b9cc-87277c89c43c@samsung.com/ Given the motivation is to drain in-flight IOs, it can be done by calling freeze & unfreeze, meantime restore to previous behavior by keeping queue quiesced during suspend. CVE-2024-57946 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo: fix initial map fill The initial buffer has to be inited to all-ones, but it must restrict it to the size of the first field, not the total field size. After each round in the map search step, the result and the fill map are swapped, so if we have a set where f->bsize of the first element is smaller than m->bsize_max, those one-bits are leaked into future rounds result map. This makes pipapo find an incorrect matching results for sets where first field size is not the largest. Followup patch adds a test case to nft_concat_range.sh selftest script. Thanks to Stefano Brivio for pointing out that we need to zero out the remainder explicitly, only correcting memset() argument isn't enough. CVE-2024-57947 moderate In the Linux kernel, the following vulnerability has been resolved: mac802154: check local interfaces before deleting sdata list syzkaller reported a corrupted list in ieee802154_if_remove. [1] Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 hardware device from the system. CPU0 CPU1 ==== ==== genl_family_rcv_msg_doit ieee802154_unregister_hw ieee802154_del_iface ieee802154_remove_interfaces rdev_del_virtual_intf_deprecated list_del(&sdata->list) ieee802154_if_remove list_del_rcu The net device has been unregistered, since the rcu grace period, unregistration must be run before ieee802154_if_remove. To avoid this issue, add a check for local->interfaces before deleting sdata list. [1] kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_rcu include/linux/rculist.h:157 [inline] ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline] ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:744 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607 ___sys_sendmsg net/socket.c:2661 [inline] __sys_sendmsg+0x292/0x380 net/socket.c:2690 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-57948 moderate In the Linux kernel, the following vulnerability has been resolved: rdma/cxgb4: Prevent potential integer overflow on 32bit The "gl->tot_len" variable is controlled by the user. It comes from process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an integer wrapping bug. Use size_add() to prevent this. CVE-2024-57973 moderate In the Linux kernel, the following vulnerability has been resolved: udp: Deal with race between UDP socket address change and rehash If a UDP socket changes its local address while it's receiving datagrams, as a result of connect(), there is a period during which a lookup operation might fail to find it, after the address is changed but before the secondary hash (port and address) and the four-tuple hash (local and remote ports and addresses) are updated. Secondary hash chains were introduced by commit 30fff9231fad ("udp: bind() optimisation") and, as a result, a rehash operation became needed to make a bound socket reachable again after a connect(). This operation was introduced by commit 719f835853a9 ("udp: add rehash on connect()") which isn't however a complete fix: the socket will be found once the rehashing completes, but not while it's pending. This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a client sending datagrams to it. After the server receives the first datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to the address of the sender, in order to set up a directed flow. Now, if the client, running on a different CPU thread, happens to send a (subsequent) datagram while the server's socket changes its address, but is not rehashed yet, this will result in a failed lookup and a port unreachable error delivered to the client, as apparent from the following reproducer: LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4)) dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in while :; do taskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc & sleep 0.1 || sleep 1 taskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null wait done where the client will eventually get ECONNREFUSED on a write() (typically the second or third one of a given iteration): 2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused This issue was first observed as a seldom failure in Podman's tests checking UDP functionality while using pasta(1) to connect the container's network namespace, which leads us to a reproducer with the lookup error resulting in an ICMP packet on a tap device: LOCAL_ADDR="$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == "global").local')" while :; do ./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc & sleep 0.2 || sleep 1 socat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null wait cmp tmp.in tmp.out done Once this fails: tmp.in tmp.out differ: char 8193, line 29 we can finally have a look at what's going on: $ tshark -r pasta.pcap 1 0.000000 :: ? ff02::16 ICMPv6 110 Multicast Listener Report Message v2 2 0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 3 0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 4 0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 5 0.168827 c6:47:05:8d:dc:04 ? Broadcast ARP 42 Who has 88.198.0.161? Tell 88.198.0.164 6 0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55 7 0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 8 0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable) 9 0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 10 0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 11 0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096 12 0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0 On the third datagram received, the network namespace of the container initiates an ARP lookup to deliver the ICMP message. In another variant of this reproducer, starting the client with: strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru ---truncated--- CVE-2024-57974 moderate In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Fix potential error pointer dereference in detach_pm() The proble is on the first line: if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i])) If jpeg->pd_dev[i] is an error pointer, then passing it to pm_runtime_suspended() will lead to an Oops. The other conditions check for both error pointers and NULL, but it would be more clear to use the IS_ERR_OR_NULL() check for that. CVE-2024-57978 moderate In the Linux kernel, the following vulnerability has been resolved: pps: Fix a use-after-free On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting: pps pps1: removed ------------[ cut here ]------------ kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called. WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150 CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1 Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kobject_put+0x120/0x150 lr : kobject_put+0x120/0x150 sp : ffffffc0803d3ae0 x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001 x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440 x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600 x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20 x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: kobject_put+0x120/0x150 cdev_put+0x20/0x3c __fput+0x2c4/0x2d8 ____fput+0x1c/0x38 task_work_run+0x70/0xfc do_exit+0x2a0/0x924 do_group_exit+0x34/0x90 get_signal+0x7fc/0x8c0 do_signal+0x128/0x13b4 do_notify_resume+0xdc/0x160 el0_svc+0xd4/0xf8 el0t_64_sync_handler+0x140/0x14c el0t_64_sync+0x190/0x194 ---[ end trace 0000000000000000 ]--- ...followed by more symptoms of corruption, with similar stacks: refcount_t: underflow; use-after-free. kernel BUG at lib/list_debug.c:62! Kernel panic - not syncing: Oops - BUG: Fatal exception This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board. In commit d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source."), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device. But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev. pps_core: source serial1 got cdev (251:1) <...> pps pps1: removed pps_core: unregistering pps1 pps_core: deallocating pps1 CVE-2024-57979 moderate In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix double free in error path If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it. Reviewed by: Ricardo Ribalda <ribalda@chromium.org> CVE-2024-57980 moderate In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix NULL pointer dereference on certain command aborts If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment. If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone. This is probably Bug 219532, but no confirmation has been received. The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes. CVE-2024-57981 moderate In the Linux kernel, the following vulnerability has been resolved: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections A report in 2019 by the syzbot fuzzer was found to be connected to two errors in the HID core associated with Resolution Multipliers. One of the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop in hid_apply_multiplier."), but the other has not been fixed. This error arises because hid_apply_multipler() assumes that every Resolution Multiplier control is contained in a Logical Collection, i.e., there's no way the routine can ever set multiplier_collection to NULL. This is in spite of the fact that the function starts with a big comment saying: * "The Resolution Multiplier control must be contained in the same * Logical Collection as the control(s) to which it is to be applied. ... * If no Logical Collection is * defined, the Resolution Multiplier is associated with all * controls in the report." * HID Usage Table, v1.12, Section 4.3.1, p30 * * Thus, search from the current collection upwards until we find a * logical collection... The comment and the code overlook the possibility that none of the collections found may be a Logical Collection. The fix is to set the multiplier_collection pointer to NULL if the collection found isn't a Logical Collection. CVE-2024-57986 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: fix off by one in mt7925_load_clc() This comparison should be >= instead of > to prevent an out of bounds read and write. CVE-2024-57990 moderate In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check syzbot has found a type mismatch between a USB pipe and the transfer endpoint, which is triggered by the hid-thrustmaster driver[1]. There is a number of similar, already fixed issues [2]. In this case as in others, implementing check for endpoint type fixes the issue. [1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470 [2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622 CVE-2024-57993 moderate In the Linux kernel, the following vulnerability has been resolved: ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple() Jakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page() to increase test coverage. syzbot found a splat caused by hard irq blocking in ptr_ring_resize_multiple() [1] As current users of ptr_ring_resize_multiple() do not require hard irqs being masked, replace it to only block BH. Rename helpers to better reflect they are safe against BH only. - ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh() - skb_array_resize_multiple() to skb_array_resize_multiple_bh() [1] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Modules linked in: CPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline] RIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Code: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85 RSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083 RAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843 RBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d R10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040 R13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff FS: 00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa15a0d4b72 CR3: 00000000561b0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tun_ptr_free drivers/net/tun.c:617 [inline] __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline] ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline] tun_queue_resize drivers/net/tun.c:3694 [inline] tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2032 [inline] call_netdevice_notifiers net/core/dev.c:2046 [inline] dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024 do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923 rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201 rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550 CVE-2024-57994 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access. CVE-2024-57996 important In the Linux kernel, the following vulnerability has been resolved: wifi: wcn36xx: fix channel survey memory allocation size KASAN reported a memory allocation issue in wcn->chan_survey due to incorrect size calculation. This commit uses kcalloc to allocate memory for wcn->chan_survey, ensuring proper initialization and preventing the use of uninitialized values when there are no frames on the channel. CVE-2024-57997 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW Power Hypervisor can possibily allocate MMIO window intersecting with Dynamic DMA Window (DDW) range, which is over 32-bit addressing. These MMIO pages needs to be marked as reserved so that IOMMU doesn't map DMA buffers in this range. The current code is not marking these pages correctly which is resulting in LPAR to OOPS while booting. The stack is at below BUG: Unable to handle kernel data access on read at 0xc00800005cd40000 Faulting instruction address: 0xc00000000005cdac Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod Supported: Yes, External CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries Workqueue: events work_for_cpu_fn NIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000 REGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default) MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24228448 XER: 00000001 CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800 GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000 GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000 GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800 GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8 GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800 NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100 LR [c00000000005e830] iommu_init_table+0x80/0x1e0 Call Trace: [c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable) [c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40 [c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230 [c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90 [c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80 [c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net] [c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110 [c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60 [c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620 [c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620 [c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150 [c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18 There are 2 issues in the code 1. The index is "int" while the address is "unsigned long". This results in negative value when setting the bitmap. 2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit address). MMIO address needs to be page shifted as well. CVE-2024-57999 moderate In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled. CVE-2024-58002 moderate In the Linux kernel, the following vulnerability has been resolved: tpm: Change to kvalloc() in eventlog/acpi.c The following failure was reported on HPE ProLiant D320: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 The above transcript shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug by moving from devm_kmalloc() to devm_add_action() and kvmalloc() and devm_add_action(). CVE-2024-58005 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar() In commit 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update inbound map address") set_bar() was modified to support dynamically changing the backing physical address of a BAR that was already configured. This means that set_bar() can be called twice, without ever calling clear_bar() (as calling clear_bar() would clear the BAR's PCI address assigned by the host). This can only be done if the new BAR size/flags does not differ from the existing BAR configuration. Add these missing checks. If we allow set_bar() to set e.g. a new BAR size that differs from the existing BAR size, the new address translation range will be smaller than the BAR size already determined by the host, which would mean that a read past the new BAR size would pass the iATU untranslated, which could allow the host to read memory not belonging to the new struct pci_epf_bar. While at it, add comments which clarifies the support for dynamically changing the physical address of a BAR. (Which was also missing.) CVE-2024-58006 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: socinfo: Avoid out of bounds read of serial number On MSM8916 devices, the serial number exposed in sysfs is constant and does not change across individual devices. It's always: db410c:/sys/devices/soc0$ cat serial_number 2644893864 The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not have support for the serial_num field in the socinfo struct. There is an existing check to avoid exposing the serial number in that case, but it's not correct: When checking the item_size returned by SMEM, we need to make sure the *end* of the serial_num is within bounds, instead of comparing with the *start* offset. The serial_number currently exposed on MSM8916 devices is just an out of bounds read of whatever comes after the socinfo struct in SMEM. Fix this by changing offsetof() to offsetofend(), so that the size of the field is also taken into account. CVE-2024-58007 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc A NULL sock pointer is passed into l2cap_sock_alloc() when it is called from l2cap_sock_new_connection_cb() and the error handling paths should also be aware of it. Seemingly a more elegant solution would be to swap bt_sock_alloc() and l2cap_chan_create() calls since they are not interdependent to that moment but then l2cap_chan_create() adds the soon to be deallocated and still dummy-initialized channel to the global list accessible by many L2CAP paths. The channel would be removed from the list in short period of time but be a bit more straight-forward here and just check for NULL instead of changing the order of function calls. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool. CVE-2024-58009 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Check for adev == NULL Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs. Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer(). CVE-2024-58011 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params Each cpu DAI should associate with a widget. However, the topology might not create the right number of DAI widgets for aggregated amps. And it will cause NULL pointer deference. Check that the DAI widget associated with the CPU DAI is valid to prevent NULL pointer deference due to missing DAI widgets in topologies with aggregated amps. CVE-2024-58012 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961 CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 16026: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 sock_write_iter+0x2d7/0x3f0 net/socket.c:1147 new_sync_write fs/read_write.c:586 [inline] vfs_write+0xaeb/0xd30 fs/read_write.c:679 ksys_write+0x18f/0x2b0 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 16022: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x420 mm/slub.c:4746 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1209 sock_ioctl+0x626/0x8e0 net/socket.c:1328 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-58013 important In the Linux kernel, the following vulnerability has been resolved: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN() instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-58014 important In the Linux kernel, the following vulnerability has been resolved: printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which leads to undefined behavior. To prevent this, cast 1 to u32 before performing the shift, ensuring well-defined behavior. This change explicitly avoids any potential overflow by ensuring that the shift occurs on an unsigned 32-bit integer. CVE-2024-58017 moderate In the Linux kernel, the following vulnerability has been resolved: nvkm: correctly calculate the available space of the GSP cmdq buffer r535_gsp_cmdq_push() waits for the available page in the GSP cmdq buffer when handling a large RPC request. When it sees at least one available page in the cmdq, it quits the waiting with the amount of free buffer pages in the queue. Unfortunately, it always takes the [write pointer, buf_size) as available buffer pages before rolling back and wrongly calculates the size of the data should be copied. Thus, it can overwrite the RPC request that GSP is currently reading, which causes GSP hang due to corrupted RPC request: [ 549.209389] ------------[ cut here ]------------ [ 549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.225678] Modules linked in: nvkm(E+) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) mlx5_ib(E) amd64_edac(E) edac_mce_amd(E) kvm_amd(E) ib_uverbs(E) kvm(E) ib_core(E) acpi_ipmi(E) ipmi_si(E) mxm_wmi(E) ipmi_devintf(E) rapl(E) i2c_piix4(E) wmi_bmof(E) joydev(E) ptdma(E) acpi_cpufreq(E) k10temp(E) pcspkr(E) ipmi_msghandler(E) xfs(E) libcrc32c(E) ast(E) i2c_algo_bit(E) crct10dif_pclmul(E) drm_shmem_helper(E) nvme_tcp(E) crc32_pclmul(E) ahci(E) drm_kms_helper(E) libahci(E) nvme_fabrics(E) crc32c_intel(E) nvme(E) cdc_ether(E) mlx5_core(E) nvme_core(E) usbnet(E) drm(E) libata(E) ccp(E) ghash_clmulni_intel(E) mii(E) t10_pi(E) mlxfw(E) sp5100_tco(E) psample(E) pci_hyperv_intf(E) wmi(E) dm_multipath(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E) [ 549.225752] iscsi_boot_sysfs(E) iscsi_tcp(E) libiscsi_tcp(E) libiscsi(E) scsi_transport_iscsi(E) fuse(E) [last unloaded: gsp_log(E)] [ 549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G E 6.9.0-rc6+ #1 [ 549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022 [ 549.341781] RIP: 0010:r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff <0f> 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c [ 549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246 [ 549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28 [ 549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730 [ 549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70 [ 549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020 [ 549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000 [ 549.406988] FS: 00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000 [ 549.415076] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0 [ 549.427963] PKRU: 55555554 [ 549.430672] Call Trace: [ 549.433126] <TASK> [ 549.435233] ? __warn+0x7f/0x130 [ 549.438473] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.443426] ? report_bug+0x18a/0x1a0 [ 549.447098] ? handle_bug+0x3c/0x70 [ 549.450589] ? exc_invalid_op+0x14/0x70 [ 549.454430] ? asm_exc_invalid_op+0x16/0x20 [ 549.458619] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.463565] r535_gsp_msg_recv+0x46/0x230 [nvkm] [ 549.468257] r535_gsp_rpc_push+0x106/0x160 [nvkm] [ 549.473033] r535_gsp_rpc_rm_ctrl_push+0x40/0x130 [nvkm] [ 549.478422] nvidia_grid_init_vgpu_types+0xbc/0xe0 [nvkm] [ 549.483899] nvidia_grid_init+0xb1/0xd0 [nvkm] [ 549.488420] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.493213] nvkm_device_pci_probe+0x305/0x420 [nvkm] [ 549.498338] local_pci_probe+0x46/ ---truncated--- CVE-2024-58018 moderate In the Linux kernel, the following vulnerability has been resolved: nvkm/gsp: correctly advance the read pointer of GSP message queue A GSP event message consists three parts: message header, RPC header, message body. GSP calculates the number of pages to write from the total size of a GSP message. This behavior can be observed from the movement of the write pointer. However, nvkm takes only the size of RPC header and message body as the message size when advancing the read pointer. When handling a two-page GSP message in the non rollback case, It wrongly takes the message body of the previous message as the message header of the next message. As the "message length" tends to be zero, in the calculation of size needs to be copied (0 - size of (message header)), the size needs to be copied will be "0xffffffxx". It also triggers a kernel panic due to a NULL pointer error. [ 547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00 ........@....... [ 547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ [ 547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ................ [ 547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ [ 547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0 [ 547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0 [ 547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 547.669485] #PF: supervisor read access in kernel mode [ 547.674624] #PF: error_code(0x0000) - not-present page [ 547.679755] PGD 0 P4D 0 [ 547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G E 6.9.0-rc6+ #1 [ 547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022 [ 547.702626] Workqueue: events r535_gsp_msgq_work [nvkm] [ 547.707921] RIP: 0010:r535_gsp_msg_recv+0x87/0x230 [nvkm] [ 547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 <8b> 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05 [ 547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203 [ 547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f [ 547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010 [ 547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0 [ 547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000 [ 547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000 [ 547.772958] FS: 0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000 [ 547.781035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0 [ 547.793896] PKRU: 55555554 [ 547.796600] Call Trace: [ 547.799046] <TASK> [ 547.801152] ? __die+0x20/0x70 [ 547.804211] ? page_fault_oops+0x75/0x170 [ 547.808221] ? print_hex_dump+0x100/0x160 [ 547.812226] ? exc_page_fault+0x64/0x150 [ 547.816152] ? asm_exc_page_fault+0x22/0x30 [ 547.820341] ? r535_gsp_msg_recv+0x87/0x230 [nvkm] [ 547.825184] r535_gsp_msgq_work+0x42/0x50 [nvkm] [ 547.829845] process_one_work+0x196/0x3d0 [ 547.833861] worker_thread+0x2fc/0x410 [ 547.837613] ? __pfx_worker_thread+0x10/0x10 [ 547.841885] kthread+0xdf/0x110 [ 547.845031] ? __pfx_kthread+0x10/0x10 [ 547.848775] ret_from_fork+0x30/0x50 [ 547.852354] ? __pfx_kthread+0x10/0x10 [ 547.856097] ret_from_fork_asm+0x1a/0x30 [ 547.860019] </TASK> [ 547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd ---truncated--- CVE-2024-58019 moderate In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Add NULL check in mt_input_configured devm_kasprintf() can return a NULL pointer on failure,but this returned value in mt_input_configured() is not checked. Add NULL check in mt_input_configured(), to handle kernel NULL pointer dereference error. CVE-2024-58020 moderate In the Linux kernel, the following vulnerability has been resolved: memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() As of_find_node_by_name() release the reference of the argument device node, tegra_emc_find_node_by_ram_code() releases some device nodes while still in use, resulting in possible UAFs. According to the bindings and the in-tree DTS files, the "emc-tables" node is always device's child node with the property "nvidia,use-ram-code", and the "lpddr2" node is a child of the "emc-tables" node. Thus utilize the for_each_child_of_node() macro and of_get_child_by_name() instead of of_find_node_by_name() to simplify the code. This bug was found by an experimental verification tool that I am developing. [krzysztof: applied v1, adjust the commit msg to incorporate v2 parts] CVE-2024-58034 moderate In the Linux kernel, the following vulnerability has been resolved: ipmi: ipmb: Add check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. CVE-2024-58051 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table The function atomctrl_get_smc_sclk_range_table() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve SMU_Info table, it returns NULL which is later dereferenced. Found by Linux Verification Center (linuxtesting.org) with SVACE. In practice this should never happen as this code only gets called on polaris chips and the vbios data table will always be present on those chips. CVE-2024-58052 moderate In the Linux kernel, the following vulnerability has been resolved: staging: media: max96712: fix kernel oops when removing module The following kernel oops is thrown when trying to remove the max96712 module: Unable to handle kernel paging request at virtual address 00007375746174db Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000 [00007375746174db] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2 imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse [last unloaded: imx8_isi] CPU: 0 UID: 0 PID: 754 Comm: rmmod Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17 Tainted: [C]=CRAP Hardware name: NXP i.MX95 19X19 board (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : led_put+0x1c/0x40 lr : v4l2_subdev_put_privacy_led+0x48/0x58 sp : ffff80008699bbb0 x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8 x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000 x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010 x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1 x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473 Call trace: led_put+0x1c/0x40 v4l2_subdev_put_privacy_led+0x48/0x58 v4l2_async_unregister_subdev+0x2c/0x1a4 max96712_remove+0x1c/0x38 [max96712] i2c_device_remove+0x2c/0x9c device_remove+0x4c/0x80 device_release_driver_internal+0x1cc/0x228 driver_detach+0x4c/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 i2c_del_driver+0x54/0x64 max96712_i2c_driver_exit+0x18/0x1d0 [max96712] __arm64_sys_delete_module+0x1a4/0x290 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xd8 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400) ---[ end trace 0000000000000000 ]--- This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata() is called again and the data is overwritten to point to sd, instead of priv. So, in remove(), the wrong pointer is passed to v4l2_async_unregister_subdev(), leading to a crash. CVE-2024-58054 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Don't free command immediately Don't prematurely free the command. Wait for the status completion of the sense status. It can be freed then. Otherwise we will double-free the command. CVE-2024-58055 moderate In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Fix ida_free call while not allocated In the rproc_alloc() function, on error, put_device(&rproc->dev) is called, leading to the call of the rproc_type_release() function. An error can occurs before ida_alloc is called. In such case in rproc_type_release(), the condition (rproc->index >= 0) is true as rproc->index has been initialized to 0. ida_free() is called reporting a warning: [ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164 [ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0 [ 4.188854] ida_free called for id=0 which is not allocated. [ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000 [ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+) [ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442 [ 4.231481] Hardware name: STM32 (Device Tree Support) [ 4.236627] Workqueue: events_unbound deferred_probe_work_func [ 4.242504] Call trace: [ 4.242522] unwind_backtrace from show_stack+0x10/0x14 [ 4.250218] show_stack from dump_stack_lvl+0x50/0x64 [ 4.255274] dump_stack_lvl from __warn+0x80/0x12c [ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188 [ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164 [ 4.270565] ida_free from rproc_type_release+0x38/0x60 [ 4.275832] rproc_type_release from device_release+0x30/0xa0 [ 4.281601] device_release from kobject_put+0xc4/0x294 [ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c [ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4 [ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc] [ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is properly set. CVE-2024-58056 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: convert workqueues to unbound When a workqueue is created with `WQ_UNBOUND`, its work items are served by special worker-pools, whose host workers are not bound to any specific CPU. In the default configuration (i.e. when `queue_delayed_work` and friends do not specify which CPU to run the work item on), `WQ_UNBOUND` allows the work item to be executed on any CPU in the same node of the CPU it was enqueued on. While this solution potentially sacrifices locality, it avoids contention with other processes that might dominate the CPU time of the processor the work item was scheduled on. This is not just a theoretical problem: in a particular scenario misconfigured process was hogging most of the time from CPU0, leaving less than 0.5% of its CPU time to the kworker. The IDPF workqueues that were using the kworker on CPU0 suffered large completion delays as a result, causing performance degradation, timeouts and eventual system crash. * I have also run a manual test to gauge the performance improvement. The test consists of an antagonist process (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This process is run under `taskset 01` to bind it to CPU0, and its priority is changed with `chrt -pQ 9900 10000 ${pid}` and `renice -n -20 ${pid}` after start. Then, the IDPF driver is forced to prefer CPU0 by editing all calls to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0. Finally, `ktraces` for the workqueue events are collected. Without the current patch, the antagonist process can force arbitrary delays between `workqueue_queue_work` and `workqueue_execute_start`, that in my tests were as high as `30ms`. With the current patch applied, the workqueue can be migrated to another unloaded CPU in the same node, and, keeping everything else equal, the maximum delay I could see was `6us`. CVE-2024-58057 moderate In the Linux kernel, the following vulnerability has been resolved: ubifs: skip dumping tnc tree when zroot is null Clearing slab cache will free all znode in memory and make c->zroot.znode = NULL, then dumping tnc tree will access c->zroot.znode which cause null pointer dereference. CVE-2024-58058 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: prohibit deactivating all links In the internal API this calls this is a WARN_ON, but that should remain since internally we want to know about bugs that may cause this. Prevent deactivating all links in the debugfs write directly. CVE-2024-58061 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: fix memory leaks and invalid access at probe error path Deinitialize at reverse order when probe fails. When init_sw_vars fails, rtl_deinit_core should not be called, specially now that it destroys the rtl_wq workqueue. And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be leaked. Remove pci_set_drvdata call as it will already be cleaned up by the core driver code and could lead to memory leaks too. cf. commit 8d450935ae7f ("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory"). CVE-2024-58063 moderate In the Linux kernel, the following vulnerability has been resolved: rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read The nvmem interface supports variable buffer sizes, while the regmap interface operates with fixed-size storage. If an nvmem client uses a buffer size less than 4 bytes, regmap_read will write out of bounds as it expects the buffer to point at an unsigned int. Fix this by using an intermediary unsigned int to hold the value. CVE-2024-58069 moderate In the Linux kernel, the following vulnerability has been resolved: team: prevent adding a device which is already a team device lower Prevent adding a device which is already a team device lower, e.g. adding veth0 if vlan1 was already added and veth0 is a lower of vlan1. This is not useful in practice and can lead to recursive locking: $ ip link add veth0 type veth peer name veth1 $ ip link set veth0 up $ ip link set veth1 up $ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1 $ ip link add team0 type team $ ip link set veth0.1 down $ ip link set veth0.1 master team0 team0: Port device veth0.1 added $ ip link set veth0 down $ ip link set veth0 master team0 ============================================ WARNING: possible recursive locking detected 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted -------------------------------------------- ip/7684 is trying to acquire lock: ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) but task is already holding lock: ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_add_slave (drivers/net/team/team_core.c:1147 drivers/net/team/team_core.c:1977) other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(team->team_lock_key); lock(team->team_lock_key); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by ip/7684: stack backtrace: CPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_deadlock_bug.cold (kernel/locking/lockdep.c:3040) __lock_acquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226) ? netlink_broadcast_filtered (net/netlink/af_netlink.c:1548) lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 2)) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? lock_acquire (kernel/locking/lockdep.c:5822) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) __mutex_lock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? fib_sync_up (net/ipv4/fib_semantics.c:2167) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) notifier_call_chain (kernel/notifier.c:85) call_netdevice_notifiers_info (net/core/dev.c:1996) __dev_notify_flags (net/core/dev.c:8993) ? __dev_change_flags (net/core/dev.c:8975) dev_change_flags (net/core/dev.c:9027) vlan_device_event (net/8021q/vlan.c:85 net/8021q/vlan.c:470) ? br_device_event (net/bridge/br.c:143) notifier_call_chain (kernel/notifier.c:85) call_netdevice_notifiers_info (net/core/dev.c:1996) dev_open (net/core/dev.c:1519 net/core/dev.c:1505) team_add_slave (drivers/net/team/team_core.c:1219 drivers/net/team/team_core.c:1977) ? __pfx_team_add_slave (drivers/net/team/team_core.c:1972) do_set_master (net/core/rtnetlink.c:2917) do_setlink.isra.0 (net/core/rtnetlink.c:3117) CVE-2024-58071 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: remove unused check_buddy_priv Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global list of private data structures. Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match vendor version 2013.02.07") started adding the private data to that list at probe time and added a hook, check_buddy_priv to find the private data from a similar device. However, that function was never used. Besides, though there is a lock for that list, it is never used. And when the probe fails, the private data is never removed from the list. This would cause a second probe to access freed memory. Remove the unused hook, structures and members, which will prevent the potential race condition on the list and its corruption during a second probe when probe fails. CVE-2024-58072 moderate In the Linux kernel, the following vulnerability has been resolved: clk: qcom: gcc-sm6350: Add missing parent_map for two clocks If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate like the following: [ 3.388105] Call trace: [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 [ 3.455886] clk_set_rate+0x38/0x14c Add the parent_map property for two clocks where it's missing and also un-inline the parent_data as well to keep the matching parent_map and parent_data together. CVE-2024-58076 moderate In the Linux kernel, the following vulnerability has been resolved: misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors misc_minor_alloc was allocating id using ida for minor only in case of MISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids using ida_free causing a mismatch and following warn: > > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f > > ida_free called for id=127 which is not allocated. > > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ... > > [<60941eb4>] ida_free+0x3e0/0x41f > > [<605ac993>] misc_minor_free+0x3e/0xbc > > [<605acb82>] misc_deregister+0x171/0x1b3 misc_minor_alloc is changed to allocate id from ida for all minors falling in the range of dynamic/ misc dynamic minors CVE-2024-58078 moderate In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix crash during unbind if gpio unit is in use We used the wrong device for the device managed functions. We used the usb device, when we should be using the interface device. If we unbind the driver from the usb interface, the cleanup functions are never called. In our case, the IRQ is never disabled. If an IRQ is triggered, it will try to access memory sections that are already free, causing an OOPS. We cannot use the function devm_request_threaded_irq here. The devm_* clean functions may be called after the main structure is released by uvc_delete. Luckily this bug has small impact, as it is only affected by devices with gpio units and the user has to unbind the device, a disconnect will not trigger this error. CVE-2024-58079 moderate In the Linux kernel, the following vulnerability has been resolved: clk: qcom: dispcc-sm6350: Add missing parent_map for a clock If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate like the following: [ 3.388105] Call trace: [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 [ 3.455886] clk_set_rate+0x38/0x14c Add the parent_map property for the clock where it's missing and also un-inline the parent_data as well to keep the matching parent_map and parent_data together. CVE-2024-58080 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor. However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race. CVE-2024-58083 moderate In the Linux kernel, the following vulnerability has been resolved: tomoyo: don't emit warning in tomoyo_write_control() syzbot is reporting too large allocation warning at tomoyo_write_control(), for one can write a very very long line without new line character. To fix this warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE, for practically a valid line should be always shorter than 32KB where the "too small to fail" memory-allocation rule applies. One might try to write a valid line that is longer than 32KB, but such request will likely fail with -ENOMEM. Therefore, I feel that separately returning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant. There is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE. CVE-2024-58085 moderate In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Stop active perfmon if it is being destroyed If the active performance monitor (`v3d->active_perfmon`) is being destroyed, stop it first. Currently, the active perfmon is not stopped during destruction, leaving the `v3d->active_perfmon` pointer stale. This can lead to undefined behavior and instability. This patch ensures that the active perfmon is stopped before being destroyed, aligning with the behavior introduced in commit 7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed"). CVE-2024-58086 moderate When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. CVE-2024-8096 moderate A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. CVE-2024-8176 important BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the HID over GATT Profile. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25177. CVE-2024-8805 important A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files. CVE-2024-9407 moderate When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. CVE-2024-9681 moderate When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. CVE-2025-0395 low libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve. CVE-2025-0665 moderate In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Our syzkaller report a following UAF for v6.6: BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726 CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 hlist_add_head include/linux/list.h:1023 [inline] bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230 __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567 ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947 ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182 ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660 ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569 iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91 iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80 ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051 ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220 do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811 __do_sys_ioctl fs/ioctl.c:869 [inline] __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Allocated by task 232719: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:768 [inline] slab_alloc_node mm/slub.c:3492 [inline] kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537 bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869 bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776 bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217 ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242 ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958 __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671 ext4_lookup_entry fs/ext4/namei.c:1774 [inline] ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842 ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839 __lookup_slow+0x257/0x480 fs/namei.c:1696 lookup_slow fs/namei.c:1713 [inline] walk_component+0x454/0x5c0 fs/namei.c:2004 link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331 link_path_walk fs/namei.c:3826 [inline] path_openat+0x1b9/0x520 fs/namei.c:3826 do_filp_open+0x1b7/0x400 fs/namei.c:3857 do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428 do_sys_open fs/open.c:1443 [inline] __do_sys_openat fs/open.c:1459 [inline] __se_sys_openat fs/open.c:1454 [inline] __x64_sys_openat+0x148/0x200 fs/open.c:1454 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_6 ---truncated--- CVE-2025-21631 moderate In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Ensure shadow stack is active before "getting" registers The x86 shadow stack support has its own set of registers. Those registers are XSAVE-managed, but they are "supervisor state components" which means that userspace can not touch them with XSAVE/XRSTOR. It also means that they are not accessible from the existing ptrace ABI for XSAVE state. Thus, there is a new ptrace get/set interface for it. The regset code that ptrace uses provides an ->active() handler in addition to the get/set ones. For shadow stack this ->active() handler verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the thread struct. The ->active() handler is checked from some call sites of the regset get/set handlers, but not the ptrace ones. This was not understood when shadow stack support was put in place. As a result, both the set/get handlers can be called with XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an ssp_active() check to avoid surprising the kernel with shadow stack behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That check just happened to avoid the warning. But the ->get() side wasn't so lucky. It can be called with shadow stacks disabled, triggering the warning in practice, as reported by Christina Schimpe: WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0 [...] Call Trace: <TASK> ? show_regs+0x6e/0x80 ? ssp_get+0x89/0xa0 ? __warn+0x91/0x150 ? ssp_get+0x89/0xa0 ? report_bug+0x19d/0x1b0 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x1d/0x80 ? asm_exc_invalid_op+0x1f/0x30 ? __pfx_ssp_get+0x10/0x10 ? ssp_get+0x89/0xa0 ? ssp_get+0x52/0xa0 __regset_get+0xad/0xf0 copy_regset_to_user+0x52/0xc0 ptrace_regset+0x119/0x140 ptrace_request+0x13c/0x850 ? wait_task_inactive+0x142/0x1d0 ? do_syscall_64+0x6d/0x90 arch_ptrace+0x102/0x300 [...] Ensure that shadow stacks are active in a thread before looking them up in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are set at the same time, the active check ensures that there will be something to find in the XSAVE buffer. [ dhansen: changelog/subject tweaks ] CVE-2025-21632 moderate In the Linux kernel, the following vulnerability has been resolved: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The per-netns structure can be obtained from the table->data using container_of(), then the 'net' one can be retrieved from the listen socket (if available). CVE-2025-21635 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is used. CVE-2025-21636 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: udp_port: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure. CVE-2025-21637 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: auth_enable: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure. CVE-2025-21638 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: rto_min/max: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used. CVE-2025-21639 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is used. CVE-2025-21640 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it Wakeup for IRQ1 should be disabled only in cases where i8042 had actually enabled it, otherwise "wake_depth" for this IRQ will try to drop below zero and there will be an unpleasant WARN() logged: kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug kernel: ------------[ cut here ]------------ kernel: Unbalanced IRQ 1 wake disable kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0 The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and .poweroff handlers. i8042_pm_suspend(), however, is only set as the .suspend handler. Fix the issue by call PMC suspend handler only from the same set of dev_pm_ops handlers as i8042_pm_suspend(), which currently means just the .suspend handler. To reproduce this issue try hibernating (S4) the machine after a fresh boot without putting it into s2idle first. [ij: edited the commit message.] CVE-2025-21645 moderate In the Linux kernel, the following vulnerability has been resolved: afs: Fix the maximum cell name length The kafs filesystem limits the maximum length of a cell to 256 bytes, but a problem occurs if someone actually does that: kafs tries to create a directory under /proc/net/afs/ with the name of the cell, but that fails with a warning: WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:405 because procfs limits the maximum filename length to 255. However, the DNS limits the maximum lookup length and, by extension, the maximum cell name, to 255 less two (length count and trailing NUL). Fix this by limiting the maximum acceptable cellname length to 253. This also allows us to be sure we can create the "/afs/.<cell>/" mountpoint too. Further, split the YFS VL record cell name maximum to be the 256 allowed by the protocol and ignore the record retrieved by YFSVL.GetCellName if it exceeds 253. CVE-2025-21646 moderate In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: add bounds checks to host bulk flow fairness counts Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. To avoid any such logic errors causing out of bounds memory accesses, this commit factors out all accesses to the per-host bulk flow counters to a series of helpers that perform bounds-checking before any increments and decrements. This also has the benefit of improving readability by moving the conditional checks for the flow mode into these helpers, instead of having them spread out throughout the code (which was the cause of the original logic error). As part of this change, the flow quantum calculation is consolidated into a helper function, which means that the dithering applied to the ost load scaling is now applied both in the DRR rotation and when a sparse flow's quantum is first initiated. The only user-visible effect of this is that the maximum packet size that can be sent while a flow stays sparse will now vary with +/- one byte in some cases. This should not make a noticeable difference in practice, and thus it's not worth complicating the code to preserve the old behaviour. CVE-2025-21647 important In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices Currently, HIP08 devices does not register the ptp devices, so the hdev->ptp is NULL. But the tx process would still try to set hardware time stamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash. [ 128.087798] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 ... [ 128.280251] pc : hclge_ptp_set_tx_info+0x2c/0x140 [hclge] [ 128.286600] lr : hclge_ptp_set_tx_info+0x20/0x140 [hclge] [ 128.292938] sp : ffff800059b93140 [ 128.297200] x29: ffff800059b93140 x28: 0000000000003280 [ 128.303455] x27: ffff800020d48280 x26: ffff0cb9dc814080 [ 128.309715] x25: ffff0cb9cde93fa0 x24: 0000000000000001 [ 128.315969] x23: 0000000000000000 x22: 0000000000000194 [ 128.322219] x21: ffff0cd94f986000 x20: 0000000000000000 [ 128.328462] x19: ffff0cb9d2a166c0 x18: 0000000000000000 [ 128.334698] x17: 0000000000000000 x16: ffffcf1fc523ed24 [ 128.340934] x15: 0000ffffd530a518 x14: 0000000000000000 [ 128.347162] x13: ffff0cd6bdb31310 x12: 0000000000000368 [ 128.353388] x11: ffff0cb9cfbc7070 x10: ffff2cf55dd11e02 [ 128.359606] x9 : ffffcf1f85a212b4 x8 : ffff0cd7cf27dab0 [ 128.365831] x7 : 0000000000000a20 x6 : ffff0cd7cf27d000 [ 128.372040] x5 : 0000000000000000 x4 : 000000000000ffff [ 128.378243] x3 : 0000000000000400 x2 : ffffcf1f85a21294 [ 128.384437] x1 : ffff0cb9db520080 x0 : ffff0cb9db500080 [ 128.390626] Call trace: [ 128.393964] hclge_ptp_set_tx_info+0x2c/0x140 [hclge] [ 128.399893] hns3_nic_net_xmit+0x39c/0x4c4 [hns3] [ 128.405468] xmit_one.constprop.0+0xc4/0x200 [ 128.410600] dev_hard_start_xmit+0x54/0xf0 [ 128.415556] sch_direct_xmit+0xe8/0x634 [ 128.420246] __dev_queue_xmit+0x224/0xc70 [ 128.425101] dev_queue_xmit+0x1c/0x40 [ 128.429608] ovs_vport_send+0xac/0x1a0 [openvswitch] [ 128.435409] do_output+0x60/0x17c [openvswitch] [ 128.440770] do_execute_actions+0x898/0x8c4 [openvswitch] [ 128.446993] ovs_execute_actions+0x64/0xf0 [openvswitch] [ 128.453129] ovs_dp_process_packet+0xa0/0x224 [openvswitch] [ 128.459530] ovs_vport_receive+0x7c/0xfc [openvswitch] [ 128.465497] internal_dev_xmit+0x34/0xb0 [openvswitch] [ 128.471460] xmit_one.constprop.0+0xc4/0x200 [ 128.476561] dev_hard_start_xmit+0x54/0xf0 [ 128.481489] __dev_queue_xmit+0x968/0xc70 [ 128.486330] dev_queue_xmit+0x1c/0x40 [ 128.490856] ip_finish_output2+0x250/0x570 [ 128.495810] __ip_finish_output+0x170/0x1e0 [ 128.500832] ip_finish_output+0x3c/0xf0 [ 128.505504] ip_output+0xbc/0x160 [ 128.509654] ip_send_skb+0x58/0xd4 [ 128.513892] udp_send_skb+0x12c/0x354 [ 128.518387] udp_sendmsg+0x7a8/0x9c0 [ 128.522793] inet_sendmsg+0x4c/0x8c [ 128.527116] __sock_sendmsg+0x48/0x80 [ 128.531609] __sys_sendto+0x124/0x164 [ 128.536099] __arm64_sys_sendto+0x30/0x5c [ 128.540935] invoke_syscall+0x50/0x130 [ 128.545508] el0_svc_common.constprop.0+0x10c/0x124 [ 128.551205] do_el0_svc+0x34/0xdc [ 128.555347] el0_svc+0x20/0x30 [ 128.559227] el0_sync_handler+0xb8/0xc0 [ 128.563883] el0_sync+0x160/0x180 CVE-2025-21649 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue The TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs 1024-1279 are in different BAR space addresses. However, hclge_fetch_pf_reg does not distinguish the tqp space information when reading the tqp space information. When the number of TQPs is greater than 1024, access bar space overwriting occurs. The problem of different segments has been considered during the initialization of tqp.io_base. Therefore, tqp.io_base is directly used when the queue is read in hclge_fetch_pf_reg. The error message: Unable to handle kernel paging request at virtual address ffff800037200000 pc : hclge_fetch_pf_reg+0x138/0x250 [hclge] lr : hclge_get_regs+0x84/0x1d0 [hclge] Call trace: hclge_fetch_pf_reg+0x138/0x250 [hclge] hclge_get_regs+0x84/0x1d0 [hclge] hns3_get_regs+0x2c/0x50 [hns3] ethtool_get_regs+0xf4/0x270 dev_ethtool+0x674/0x8a0 dev_ioctl+0x270/0x36c sock_do_ioctl+0x110/0x2a0 sock_ioctl+0x2ac/0x530 __arm64_sys_ioctl+0xa8/0x100 invoke_syscall+0x4c/0x124 el0_svc_common.constprop.0+0x140/0x15c do_el0_svc+0x30/0xd0 el0_svc+0x1c/0x2c el0_sync_handler+0xb0/0xb4 el0_sync+0x168/0x180 CVE-2025-21650 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: don't auto enable misc vector Currently, there is a time window between misc irq enabled and service task inited. If an interrupte is reported at this time, it will cause warning like below: [ 16.324639] Call trace: [ 16.324641] __queue_delayed_work+0xb8/0xe0 [ 16.324643] mod_delayed_work_on+0x78/0xd0 [ 16.324655] hclge_errhand_task_schedule+0x58/0x90 [hclge] [ 16.324662] hclge_misc_irq_handle+0x168/0x240 [hclge] [ 16.324666] __handle_irq_event_percpu+0x64/0x1e0 [ 16.324667] handle_irq_event+0x80/0x170 [ 16.324670] handle_fasteoi_edge_irq+0x110/0x2bc [ 16.324671] __handle_domain_irq+0x84/0xfc [ 16.324673] gic_handle_irq+0x88/0x2c0 [ 16.324674] el1_irq+0xb8/0x140 [ 16.324677] arch_cpu_idle+0x18/0x40 [ 16.324679] default_idle_call+0x5c/0x1bc [ 16.324682] cpuidle_idle_call+0x18c/0x1c4 [ 16.324684] do_idle+0x174/0x17c [ 16.324685] cpu_startup_entry+0x30/0x6c [ 16.324687] secondary_start_kernel+0x1a4/0x280 [ 16.324688] ---[ end trace 6aa0bff672a964aa ]--- So don't auto enable misc vector when request irq.. CVE-2025-21651 moderate In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix use-after-free in ipvlan_get_iflink(). syzbot presented an use-after-free report [0] regarding ipvlan and linkwatch. ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan. If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink(). We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor(). Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further. Let's assume unregistering devices DOWN and use RCU protection in default_operstate() not to race with the device unregistration. [0]: BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944 CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47 Hardware name: linux,dummy-virt (DT) Workqueue: events_unbound linkwatch_event Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380 ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 dev_get_iflink+0x7c/0xd8 net/core/dev.c:674 default_operstate net/core/link_watch.c:45 [inline] rfc2863_policy+0x144/0x360 net/core/link_watch.c:72 linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175 __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239 linkwatch_event+0x64/0xa8 net/core/link_watch.c:282 process_one_work+0x700/0x1398 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391 kthread+0x2b0/0x360 kernel/kthread.c:389 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 9303: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4283 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650 alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209 rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771 __rtnl_newlink net/core/rtnetlink.c:3896 [inline] rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x2ec/0x438 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el ---truncated--- CVE-2025-21652 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute syzbot found that TCA_FLOW_RSHIFT attribute was not validated. Right shitfing a 32bit integer is undefined for large shift values. UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1771 [inline] tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 sfb_classify net/sched/sch_sfb.c:260 [inline] sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 __dev_xmit_skb net/core/dev.c:3889 [inline] __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 geneve_xmit_skb drivers/net/geneve.c:916 [inline] geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434 CVE-2025-21653 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period. Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period. CVE-2025-21655 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur scsi_execute_cmd() function can return both negative (linux codes) and positive (scsi_cmnd result field) error codes. Currently the driver just passes error codes of scsi_execute_cmd() to hwmon core, which is incorrect because hwmon only checks for negative error codes. This leads to hwmon reporting uninitialized data to userspace in case of SCSI errors (for example if the disk drive was disconnected). This patch checks scsi_execute_cmd() output and returns -EIO if it's error code is positive. [groeck: Avoid inline variable declaration for portability] CVE-2025-21656 moderate In the Linux kernel, the following vulnerability has been resolved: netdev: prevent accessing NAPI instances from another namespace The NAPI IDs were not fully exposed to user space prior to the netlink API, so they were never namespaced. The netlink API must ensure that at the very least NAPI instance belongs to the same netns as the owner of the genl sock. napi_by_id() can become static now, but it needs to move because of dev_get_by_napi_id(). CVE-2025-21659 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix variable not being completed when function returns When cmd_alloc_index(), fails cmd_work_handler() needs to complete ent->slotted before returning early. Otherwise the task which issued the command may hang: mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry INFO: task kworker/13:2:4055883 blocked for more than 120 seconds. Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/13:2 D 0 4055883 2 0x00000228 Workqueue: events mlx5e_tx_dim_work [mlx5_core] Call trace: __switch_to+0xe8/0x150 __schedule+0x2a8/0x9b8 schedule+0x2c/0x88 schedule_timeout+0x204/0x478 wait_for_common+0x154/0x250 wait_for_completion+0x28/0x38 cmd_exec+0x7a0/0xa00 [mlx5_core] mlx5_cmd_exec+0x54/0x80 [mlx5_core] mlx5_core_modify_cq+0x6c/0x80 [mlx5_core] mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core] mlx5e_tx_dim_work+0x54/0x68 [mlx5_core] process_one_work+0x1b0/0x448 worker_thread+0x54/0x468 kthread+0x134/0x138 ret_from_fork+0x10/0x18 CVE-2025-21662 moderate In the Linux kernel, the following vulnerability has been resolved: net: stmmac: dwmac-tegra: Read iommu stream id from device tree Nvidia's Tegra MGBE controllers require the IOMMU "Stream ID" (SID) to be written to the MGBE_WRAP_AXI_ASID0_CTRL register. The current driver is hard coded to use MGBE0's SID for all controllers. This causes softirq time outs and kernel panics when using controllers other than MGBE0. Example dmesg errors when an ethernet cable is connected to MGBE1: [ 116.133290] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx [ 121.851283] tegra-mgbe 6910000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue 0 timed out 5690 ms [ 121.851782] tegra-mgbe 6910000.ethernet eth1: Reset adapter. [ 121.892464] tegra-mgbe 6910000.ethernet eth1: Register MEM_TYPE_PAGE_POOL RxQ-0 [ 121.905920] tegra-mgbe 6910000.ethernet eth1: PHY [stmmac-1:00] driver [Aquantia AQR113] (irq=171) [ 121.907356] tegra-mgbe 6910000.ethernet eth1: Enabling Safety Features [ 121.907578] tegra-mgbe 6910000.ethernet eth1: IEEE 1588-2008 Advanced Timestamp supported [ 121.908399] tegra-mgbe 6910000.ethernet eth1: registered PTP clock [ 121.908582] tegra-mgbe 6910000.ethernet eth1: configuring for phy/10gbase-r link mode [ 125.961292] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx [ 181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: [ 181.921404] rcu: 7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337 [ 181.921684] rcu: (detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8) [ 181.921878] Sending NMI from CPU 4 to CPUs 7: [ 181.921886] NMI backtrace for cpu 7 [ 181.922131] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6 [ 181.922390] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024 [ 181.922658] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 181.922847] pc : handle_softirqs+0x98/0x368 [ 181.922978] lr : __do_softirq+0x18/0x20 [ 181.923095] sp : ffff80008003bf50 [ 181.923189] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000 [ 181.923379] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0 [ 181.924486] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70 [ 181.925568] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000 [ 181.926655] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000 [ 181.931455] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d [ 181.938628] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160 [ 181.945804] x8 : ffff8000827b3160 x7 : f9157b241586f343 x6 : eeb6502a01c81c74 [ 181.953068] x5 : a4acfcdd2e8096bb x4 : ffffce78ea277340 x3 : 00000000ffffd1e1 [ 181.960329] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000 [ 181.967591] Call trace: [ 181.970043] handle_softirqs+0x98/0x368 (P) [ 181.974240] __do_softirq+0x18/0x20 [ 181.977743] ____do_softirq+0x14/0x28 [ 181.981415] call_on_irq_stack+0x24/0x30 [ 181.985180] do_softirq_own_stack+0x20/0x30 [ 181.989379] __irq_exit_rcu+0x114/0x140 [ 181.993142] irq_exit_rcu+0x14/0x28 [ 181.996816] el1_interrupt+0x44/0xb8 [ 182.000316] el1h_64_irq_handler+0x14/0x20 [ 182.004343] el1h_64_irq+0x80/0x88 [ 182.007755] cpuidle_enter_state+0xc4/0x4a8 (P) [ 182.012305] cpuidle_enter+0x3c/0x58 [ 182.015980] cpuidle_idle_call+0x128/0x1c0 [ 182.020005] do_idle+0xe0/0xf0 [ 182.023155] cpu_startup_entry+0x3c/0x48 [ 182.026917] secondary_start_kernel+0xdc/0x120 [ 182.031379] __secondary_switched+0x74/0x78 [ 212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/. [ 212.985935] rcu: blocking rcu_node structures (internal RCU debug): [ 212.992758] Sending NMI from CPU 0 to CPUs 7: [ 212.998539] NMI backtrace for cpu 7 [ 213.004304] CPU: 7 UID: 0 PI ---truncated--- CVE-2025-21663 moderate In the Linux kernel, the following vulnerability has been resolved: dm thin: make get_first_thin use rcu-safe list first function The documentation in rculist.h explains the absence of list_empty_rcu() and cautions programmers against relying on a list_empty() -> list_first() sequence in RCU safe code. This is because each of these functions performs its own READ_ONCE() of the list head. This can lead to a situation where the list_empty() sees a valid list entry, but the subsequent list_first() sees a different view of list head state after a modification. In the case of dm-thin, this author had a production box crash from a GP fault in the process_deferred_bios path. This function saw a valid list head in get_first_thin() but when it subsequently dereferenced that and turned it into a thin_c, it got the inside of the struct pool, since the list was now empty and referring to itself. The kernel on which this occurred printed both a warning about a refcount_t being saturated, and a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, prior to the fault itself. When the resulting kdump was examined, it was possible to see another thread patiently waiting in thin_dtr's synchronize_rcu. The thin_dtr call managed to pull the thin_c out of the active thins list (and have it be the last entry in the active_thins list) at just the wrong moment which lead to this crash. Fortunately, the fix here is straight forward. Switch get_first_thin() function to use list_first_or_null_rcu() which performs just a single READ_ONCE() and returns NULL if the list is already empty. This was run against the devicemapper test suite's thin-provisioning suites for delete and suspend and no regressions were observed. CVE-2025-21664 moderate In the Linux kernel, the following vulnerability has been resolved: filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. CVE-2025-21665 moderate In the Linux kernel, the following vulnerability has been resolved: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't. Previous commits should have solved the real problems, but we may have more in the future, so to avoid null-ptr-deref, we can return 0 (no space, no data available) but with a warning. This way the code should continue to run in a nearly consistent state and have a warning that allows us to debug future problems. CVE-2025-21666 moderate In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem. CVE-2025-21667 moderate In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: add missing loop break condition Currently imx8mp_blk_ctrl_remove() will continue the for loop until an out-of-bounds exception occurs. pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_pm_domain_detach+0x8/0x48 lr : imx8mp_blk_ctrl_shutdown+0x58/0x90 sp : ffffffc084f8bbf0 x29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000 x26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028 x23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0 x20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff x17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72 x14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000 x11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8 x8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077 x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: dev_pm_domain_detach+0x8/0x48 platform_shutdown+0x2c/0x48 device_shutdown+0x158/0x268 kernel_restart_prepare+0x40/0x58 kernel_kexec+0x58/0xe8 __do_sys_reboot+0x198/0x258 __arm64_sys_reboot+0x2c/0x40 invoke_syscall+0x5c/0x138 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xc8 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x190/0x198 Code: 8128c2d0 ffffffc0 aa1e03e9 d503201f CVE-2025-21668 moderate In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: discard packets if the transport changes If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport. A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find `vsk->transport` at NULL, leading to a NULL pointer dereference. CVE-2025-21669 moderate In the Linux kernel, the following vulnerability has been resolved: vsock/bpf: return early if transport is not assigned Some of the core functions can only be called if the transport has been assigned. As Michal reported, a socket might have the transport at NULL, for example after a failed connect(), causing the following trace: BUG: kernel NULL pointer dereference, address: 00000000000000a0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+ RIP: 0010:vsock_connectible_has_data+0x1f/0x40 Call Trace: vsock_bpf_recvmsg+0xca/0x5e0 sock_recvmsg+0xb9/0xc0 __sys_recvfrom+0xb3/0x130 __x64_sys_recvfrom+0x20/0x30 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e So we need to check the `vsk->transport` in vsock_bpf_recvmsg(), especially for connected sockets (stream/seqpacket) as we already do in __vsock_connectible_recvmsg(). CVE-2025-21670 moderate In the Linux kernel, the following vulnerability has been resolved: zram: fix potential UAF of zram table If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset an failed and uninitialized device. CVE-2025-21671 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double free of TCP_Server_Info::hostname When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace: <TASK> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __reconnect_target_unlocked+0x3e/0x160 [cifs] ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0xce/0x120 ? __slab_free+0x223/0x3c0 ? do_error_trap+0x65/0x80 ? __slab_free+0x223/0x3c0 ? exc_invalid_op+0x4e/0x70 ? __slab_free+0x223/0x3c0 ? asm_exc_invalid_op+0x16/0x20 ? __slab_free+0x223/0x3c0 ? extract_hostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnect_target_unlocked+0x3e/0x160 [cifs] reconnect_dfs_server+0x145/0x430 [cifs] cifs_handle_standard+0x1ad/0x1d0 [cifs] cifs_demultiplex_thread+0x592/0x730 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 </TASK> CVE-2025-21673 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel Attempt to enable IPsec packet offload in tunnel mode in debug kernel generates the following kernel panic, which is happening due to two issues: 1. In SA add section, the should be _bh() variant when marking SA mode. 2. There is not needed flush_workqueue in SA delete routine. It is not needed as at this stage as it is removed from SADB and the running work will be canceled later in SA free. ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 6.12.0+ #4 Not tainted ----------------------------------------------------- charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire: ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core] and this task is already holding: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30 which would create a new lock dependency: (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3} but this new dependency connects a SOFTIRQ-irq-safe lock: (&x->lock){+.-.}-{3:3} ... which became SOFTIRQ-irq-safe at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_timer_handler+0x91/0xd70 __hrtimer_run_queues+0x1dd/0xa60 hrtimer_run_softirq+0x146/0x2e0 handle_softirqs+0x266/0x860 irq_exit_rcu+0x115/0x1a0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 default_idle+0x13/0x20 default_idle_call+0x67/0xa0 do_idle+0x2da/0x320 cpu_startup_entry+0x50/0x60 start_secondary+0x213/0x2a0 common_startup_64+0x129/0x138 to a SOFTIRQ-irq-unsafe lock: (&xa->xa_lock#24){+.+.}-{3:3} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x1be/0x520 _raw_spin_lock+0x2c/0x40 xa_set_mark+0x70/0x110 mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core] xfrm_dev_state_add+0x3bb/0xd70 xfrm_add_sa+0x2451/0x4a90 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xa->xa_lock#24); local_irq_disable(); lock(&x->lock); lock(&xa->xa_lock#24); <Interrupt> lock(&x->lock); *** DEADLOCK *** 2 locks held by charon/1337: #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90 #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (&x->lock){+.-.}-{3:3} ops: 29 { HARDIRQ-ON-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_alloc_spi+0xc0/0xe60 xfrm_alloc_userspi+0x5f6/0xbc0 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 IN-SOFTIRQ-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_timer_handler+0x91/0xd70 __hrtimer_run_queues+0x1dd/0xa60 ---truncated--- CVE-2025-21674 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clear port select structure when fail to create Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-destroyed and cause kernel crash: mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 1 mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 0 mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00 [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)] CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] sp : ffff800085fafb00 x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000 x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000 x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000 x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350 x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0 x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190 x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000 Call trace: mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core] mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core] mlx5_activate_lag+0x60c/0x6f8 [mlx5_core] mlx5_do_bond_work+0x284/0x5c8 [mlx5_core] process_one_work+0x170/0x3e0 worker_thread+0x2d8/0x3e0 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400) ---[ end trace 0000000000000000 ]--- CVE-2025-21675 moderate In the Linux kernel, the following vulnerability has been resolved: net: fec: handle page_pool_dev_alloc_pages error The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did not handle the case when it returned NULL. There was a WARN_ON(!new_page) but it would still proceed to use the NULL pointer and then crash. This case does seem somewhat rare but when the system is under memory pressure it can happen. One case where I can duplicate this with some frequency is when writing over a smbd share to a SATA HDD attached to an imx6q. Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve the problem for my test case. But it still seems wrong that the fec driver ignores the memory allocation error and can crash. This commit handles the allocation error by dropping the current packet. CVE-2025-21676 moderate In the Linux kernel, the following vulnerability has been resolved: gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] In this example, gtp0 is created in ns2, and the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn ip netns del ns1 Let's link the device to the socket's netns instead. Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns. [0]: ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236) inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1558) udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18) gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423) gtp_create_sockets (drivers/net/gtp.c:1447) gtp_newlink (drivers/net/gtp.c:1507) rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012) rtnetlink_rcv_msg (net/core/rtnetlink.c:6922) netlink_rcv_skb (net/netlink/af_netlink.c:2542) netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347) netlink_sendmsg (net/netlink/af_netlink.c:1891) ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583) ___sys_sendmsg (net/socket.c:2639) __sys_sendmsg (net/socket.c:2669) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn (kernel/panic.c:748) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:285) ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158) ? kfree (mm/slub.c:4613 mm/slub.c:4761) net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467) cleanup_net (net/core/net_namespace.c:664 (discriminator 3)) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391 ---truncated--- CVE-2025-21678 moderate In the Linux kernel, the following vulnerability has been resolved: pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. [ fp: allow to fill the array completely; minor changelog cleanup ] CVE-2025-21680 moderate In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix lockup on tx to unregistering netdev with carrier Commit in a fixes tag attempted to fix the issue in the following sequence of calls: do_output -> ovs_vport_send -> dev_queue_xmit -> __dev_queue_xmit -> netdev_core_pick_tx -> skb_tx_hash When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core forever. But unfortunately, checking just the carrier status is not enough to fix the issue, because some devices may still be in unregistering state while reporting carrier status OK. One example of such device is a net/dummy. It sets carrier ON on start, but it doesn't implement .ndo_stop to set the carrier off. And it makes sense, because dummy doesn't really have a carrier. Therefore, while this device is unregistering, it's still easy to hit the infinite loop in the skb_tx_hash() from the OVS datapath. There might be other drivers that do the same, but dummy by itself is important for the OVS ecosystem, because it is frequently used as a packet sink for tcpdump while debugging OVS deployments. And when the issue is hit, the only way to recover is to reboot. Fix that by also checking if the device is running. The running state is handled by the net core during unregistering, so it covers unregistering case better, and we don't really need to send packets to devices that are not running anyway. While only checking the running state might be enough, the carrier check is preserved. The running and the carrier states seem disjoined throughout the code and different drivers. And other core functions like __dev_direct_xmit() check both before attempting to transmit a packet. So, it seems safer to check both flags in OVS as well. CVE-2025-21681 moderate In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: always recalculate features after XDP clearing, fix null-deref Recalculate features when XDP is detached. Before: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: off [requested on] After: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: on The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly. Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") we only reconfigure the RSS hash table if the "effective" number of Rx rings has changed. If HW-GRO is enabled "effective" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement "pending" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the: if (old_rx_rings != bp->hw_resc.resv_rx_rings && condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with: BUG: kernel NULL pointer dereference, address: 0000000000000168 RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0 bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180 __bnxt_setup_vnic_p5+0x58/0x110 bnxt_init_nic+0xb72/0xf50 __bnxt_open_nic+0x40d/0xab0 bnxt_open_nic+0x2b/0x60 ethtool_set_channels+0x18c/0x1d0 As we try to access a freed ring. The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") it wasn't causing major issues. CVE-2025-21682 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking. This fixes the following lockdep splat: [ 5.349336] ============================= [ 5.353349] [ BUG: Invalid wait context ] [ 5.357361] 6.13.0-rc5+ #69 Tainted: G W [ 5.363031] ----------------------------- [ 5.367045] kworker/u17:1/44 is trying to lock: [ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.380079] other info that might help us debug this: [ 5.385138] context-{5:5} [ 5.387762] 5 locks held by kworker/u17:1/44: [ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) [ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) [ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) [ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) [ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) [ 5.436472] stack backtrace: [ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69 [ 5.448690] Tainted: [W]=WARN [ 5.451656] Hardware name: xlnx,zynqmp (DT) [ 5.455845] Workqueue: events_unbound deferred_probe_work_func [ 5.461699] Call trace: [ 5.464147] show_stack+0x18/0x24 C [ 5.467821] dump_stack_lvl (lib/dump_stack.c:123) [ 5.471501] dump_stack (lib/dump_stack.c:130) [ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176) [ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) [ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) [ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) [ 5.497645] irq_startup (kernel/irq/chip.c:270) [ 5.501143] __setup_irq (kernel/irq/manage.c:1807) [ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208) CVE-2025-21684 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device. CVE-2025-21687 moderate In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Assign job pointer to NULL before signaling the fence In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ execution thread, a new job starts to be executed. This results in a race condition where the IRQ execution thread sets the job pointer to NULL simultaneously as the `run_job()` function assigns a new job to the pointer. This race condition can lead to a NULL pointer dereference if the IRQ execution thread sets the job pointer to NULL after `run_job()` assigns it to the new job. When the new job completes and the GPU emits an interrupt, `v3d_irq()` is triggered, potentially causing a crash. [ 466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 466.318928] Mem abort info: [ 466.321723] ESR = 0x0000000096000005 [ 466.325479] EC = 0x25: DABT (current EL), IL = 32 bits [ 466.330807] SET = 0, FnV = 0 [ 466.333864] EA = 0, S1PTW = 0 [ 466.337010] FSC = 0x05: level 1 translation fault [ 466.341900] Data abort info: [ 466.344783] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 466.350285] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 466.355350] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000 [ 466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6 [ 466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G C 6.13.0-v8+ #18 [ 466.467336] Tainted: [C]=CRAP [ 466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 466.483143] pc : v3d_irq+0x118/0x2e0 [v3d] [ 466.487258] lr : __handle_irq_event_percpu+0x60/0x228 [ 466.492327] sp : ffffffc080003ea0 [ 466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000 [ 466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200 [ 466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000 [ 466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000 [ 466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000 [ 466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0 [ 466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70 [ 466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000 [ 466.567263] Call trace: [ 466.569711] v3d_irq+0x118/0x2e0 [v3d] (P) [ 466. ---truncated--- CVE-2025-21688 moderate In the Linux kernel, the following vulnerability has been resolved: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() This patch addresses a null-ptr-deref in qt2_process_read_urb() due to an incorrect bounds check in the following: if (newport > serial->num_ports) { dev_err(&port->dev, "%s - port change to invalid port: %i\n", __func__, newport); break; } The condition doesn't account for the valid range of the serial->port buffer, which is from 0 to serial->num_ports - 1. When newport is equal to serial->num_ports, the assignment of "port" in the following code is out-of-bounds and NULL: serial_priv->current_port = newport; port = serial->port[serial_priv->current_port]; The fix checks if newport is greater than or equal to serial->num_ports indicating it is out-of-bounds. CVE-2025-21689 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM. CVE-2025-21690 moderate In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dump_stack_lvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 [ 18.864022] ets_class_change+0x3d6/0x3f0 [ 18.864322] tc_ctl_tclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutex_lock+0xa34/0xe70 [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 18.867503] netlink_rcv_skb+0x59/0x110 [ 18.867776] rtnetlink_rcv+0x15/0x30 [ 18.868159] netlink_unicast+0x1c3/0x2b0 [ 18.868440] netlink_sendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___sys_sendmsg+0x88/0xe0 [ 18.869276] ? rseq_ip_fixup+0x198/0x260 [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 [ 18.870547] ? do_syscall_64+0x93/0x150 [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 [ 18.871699] x64_sys_call+0x9e2/0x2670 [ 18.871979] do_syscall_64+0x87/0x150 [ 18.873280] ? do_syscall_64+0x93/0x150 [ 18.874742] ? lock_release+0x7b/0x160 [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 [ 18.879608] ? irqentry_exit+0x77/0xb0 [ 18.879808] ? clear_bhb_loop+0x15/0x70 [ 18.880023] ? clear_bhb_loop+0x15/0x70 [ 18.880223] ? clear_bhb_loop+0x15/0x70 [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]--- CVE-2025-21692 important In the Linux kernel, the following vulnerability has been resolved: mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as some of the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead() (i.e. acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating and freeing resources with compression/decompression paths. Make sure that acomp_ctx.req is NULL when the resources are freed. In the compression/decompression paths, check if acomp_ctx.req is NULL after acquiring the mutex (meaning the CPU was offlined) and retry on the new CPU. The initialization of acomp_ctx.mutex is moved from the CPU hotplug callback to the pool initialization where it belongs (where the mutex is allocated). In addition to adding clarity, this makes sure that CPU hotplug cannot reinitialize a mutex that is already locked by compression/decompression. Previously a fix was attempted by holding cpus_read_lock() [1]. This would have caused a potential deadlock as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). A fix was also attempted using SRCU for synchronization, but Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug notifiers [2]. Alternative fixes that were considered/attempted and could have worked: - Refcounting the per-CPU acomp_ctx. This involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined. - Disabling migration before getting the per-CPU acomp_ctx [3], but that's discouraged and is a much bigger hammer than needed, and could result in subtle performance issues. [1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/ [2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/ [3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/ [yosryahmed@google.com: remove comment] CVE-2025-21693 important In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Ensure job pointer is set to NULL after job completion After a job completes, the corresponding pointer in the device must be set to NULL. Failing to do so triggers a warning when unloading the driver, as it appears the job is still active. To prevent this, assign the job pointer to NULL after completing the job, indicating the job has finished. CVE-2025-21697 moderate In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two. CVE-2025-21699 moderate In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec@gmail.com> CVE-2025-21700 moderate In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: <TASK> ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found. CVE-2025-21701 moderate In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list. CVE-2025-21703 moderate In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications"). A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces. CVE-2025-21704 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: handle fastopen disconnect correctly Syzbot was able to trigger a data stream corruption: WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Modules linked in: CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07 RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293 RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928 R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000 R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000 FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074 mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493 release_sock+0x1aa/0x1f0 net/core/sock.c:3640 inet_wait_for_connect net/ipv4/af_inet.c:609 [inline] __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703 mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755 mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6e86ebfe69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69 RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508 </TASK> The root cause is the bad handling of disconnect() generated internally by the MPTCP protocol in case of connect FASTOPEN errors. Address the issue increasing the socket disconnect counter even on such a case, to allow other threads waiting on the same socket lock to properly error out. CVE-2025-21705 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only set fullmesh for subflow endp With the in-kernel path-manager, it is possible to change the 'fullmesh' flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on 'subflow' endpoints, to recreate more or less subflows using the linked address. Unfortunately, the set_flags() hook was a bit more permissive, and allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not allowed before. That's what syzbot found, triggering the following warning: WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Modules linked in: CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48 RSP: 0018:ffffc9000d307240 EFLAGS: 00010293 RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0 R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5fe8785d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29 RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007 RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000 ---truncated--- CVE-2025-21706 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: enable basic endpoint checking Syzkaller reports [1] encountering a common issue of utilizing a wrong usb endpoint type during URB submitting stage. This, in turn, triggers a warning shown below. For now, enable simple endpoint checking (specifically, bulk and interrupt eps, testing control one is not essential) to mitigate the issue with a view to do other related cosmetic changes later, if they are necessary. [1] Syzkaller report: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv> Modules linked in: CPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Code: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8> RSP: 0018:ffffc9000441f740 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9 RDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 R13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c FS: 00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733 __dev_open+0x2d4/0x4e0 net/core/dev.c:1474 __dev_change_flags+0x561/0x720 net/core/dev.c:8838 dev_change_flags+0x8f/0x160 net/core/dev.c:8910 devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177 inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003 sock_do_ioctl+0x116/0x280 net/socket.c:1222 sock_ioctl+0x22e/0x6c0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc04ef73d49 ... This change has not been tested on real hardware. CVE-2025-21708 moderate In the Linux kernel, the following vulnerability has been resolved: net/rose: prevent integer overflows in rose_setsockopt() In case of possible unpredictably large arguments passed to rose_setsockopt() and multiplied by extra values on top of that, integer overflows may occur. Do the safest minimum and fix these issues by checking the contents of 'opt' and returning -EINVAL if they are too large. Also, switch to unsigned int and remove useless check for negative 'opt' in ROSE_IDLE case. CVE-2025-21711 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP use after free Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are destroying this specific mr. Without this change, we could try to invalidate this mr twice, which in turn could result in queuing a MR work destroy twice, and eventually the second work could execute after the MR was freed due to the first work, causing a user after free and trace below. refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130 Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs] CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib] RIP: 0010:refcount_warn_saturate+0x12b/0x130 Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027 RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0 RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019 R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00 R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0 FS: 0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0x12b/0x130 free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib] process_one_work+0x1cc/0x3c0 worker_thread+0x218/0x3c0 kthread+0xc6/0xf0 ret_from_fork+0x1f/0x30 </TASK> CVE-2025-21714 moderate In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. This is similar to the issue fixed in commit ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove"). This bug is detected by our static analysis tool. CVE-2025-21715 moderate In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix uninit-value in vxlan_vnifilter_dump() KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1]. If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access. Fix this by returning an error in such situations. [1] BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786 netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317 __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432 netlink_dump_start include/linux/netlink.h:340 [inline] rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline] rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882 netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:726 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4110 [inline] slab_alloc_node mm/slub.c:4153 [inline] kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205 kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1323 [inline] netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196 netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:726 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 CVE-2025-21716 moderate In the Linux kernel, the following vulnerability has been resolved: net: rose: fix timer races against user threads Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check and rearm the timers if needed. BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 call_timer_fn+0x187/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430 run_timer_base kernel/time/timer.c:2439 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 </IRQ> CVE-2025-21718 important In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline] lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace: mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P) mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg net/socket.c:1055 [inline] sock_read_iter+0x2d8/0x40c net/socket.c:1125 new_sync_read fs/read_write.c:484 [inline] vfs_read+0x740/0x970 fs/read_write.c:565 ksys_read+0x15c/0x26c fs/read_write.c:708 CVE-2025-21719 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix possible crash when setting up bsg fails If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash: BUG: kernel NULL pointer dereference, address: 000000000000041c Call Trace: <TASK> mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr] mpi3mr_remove+0x6f/0x340 [mpi3mr] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19d/0x220 unbind_store+0xa4/0xb0 kernfs_fop_write_iter+0x11f/0x200 vfs_write+0x1fc/0x3e0 ksys_write+0x67/0xe0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x78/0xe2 CVE-2025-21723 moderate In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type. CVE-2025-21724 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to unset link speed It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48 89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8 e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 <48> f7 74 24 18 48 89 c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24 RSP: 0018:ffffc90001817be0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99 RDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228 RBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac R10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200 R13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58 FS: 00007fe27119e740(0000) GS:ffff888148600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0x159/0x1b0 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? do_error_trap+0x90/0x130 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? exc_divide_error+0x39/0x50 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? asm_exc_divide_error+0x1a/0x20 ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs] ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? seq_read_iter+0x42e/0x790 seq_read_iter+0x19a/0x790 proc_reg_read_iter+0xbe/0x110 ? __pfx_proc_reg_read_iter+0x10/0x10 vfs_read+0x469/0x570 ? do_user_addr_fault+0x398/0x760 ? __pfx_vfs_read+0x10/0x10 ? find_held_lock+0x8a/0xa0 ? __pfx_lock_release+0x10/0x10 ksys_read+0xd3/0x170 ? __pfx_ksys_read+0x10/0x10 ? __rcu_read_unlock+0x50/0x270 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe271288911 Code: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911 RDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003 RBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 R13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000 </TASK> Fix this by setting cifs_server_iface::speed to a sane value (1Gbps) by default when link speed is unset. CVE-2025-21725 moderate In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below: crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining // requests then breaks while (1) { if (!padata) break; ... } padata_do_serial // new request added list_add // sees the new request queue_work(reorder_work) padata_reorder queue_work_on(squeue->work) ... <kworker context> padata_serial_worker // completes new request, // no more outstanding // requests crypto_del_alg // free pd <kworker context> invoke_padata_reorder // UAF of pd To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish. CVE-2025-21726 moderate In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF. As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish. [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/ CVE-2025-21727 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Send signals asynchronously if !preemptible BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`. CVE-2025-21728 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion unset the flag and calls ieee80211_scan_completed() that will free local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019 Workqueue: events cfg80211_conn_work [cfg80211] RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001 RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089 RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960 R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0 Call Trace: <TASK> ? show_regs+0x61/0x73 ? __die_body+0x20/0x73 ? die_addr+0x4f/0x7b ? exc_general_protection+0x191/0x1db ? asm_exc_general_protection+0x27/0x30 ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core] ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core] ? do_raw_spin_lock+0x75/0xdb ? __pfx_do_raw_spin_lock+0x10/0x10 rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core] ? _raw_spin_unlock+0xe/0x24 ? __mutex_lock.constprop.0+0x40c/0x471 ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core] ? __mutex_lock_slowpath+0x13/0x1f ? mutex_lock+0xa2/0xdc ? __pfx_mutex_lock+0x10/0x10 rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core] rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core] ieee80211_scan_cancel+0x468/0x4d0 [mac80211] ieee80211_prep_connection+0x858/0x899 [mac80211] ieee80211_mgd_auth+0xbea/0xdde [mac80211] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211] ? cfg80211_find_elem+0x15/0x29 [cfg80211] ? is_bss+0x1b7/0x1d7 [cfg80211] ieee80211_auth+0x18/0x27 [mac80211] cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211] cfg80211_conn_do_work+0x410/0xb81 [cfg80211] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211] ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? __kasan_check_write+0x14/0x22 ? mutex_lock+0x8e/0xdc ? __pfx_mutex_lock+0x10/0x10 ? __pfx___radix_tree_lookup+0x10/0x10 cfg80211_conn_work+0x245/0x34d [cfg80211] ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211] ? update_cfs_rq_load_avg+0x3bc/0x3d7 ? sched_clock_noinstr+0x9/0x1a ? sched_clock+0x10/0x24 ? sched_clock_cpu+0x7e/0x42e ? newidle_balance+0x796/0x937 ? __pfx_sched_clock_cpu+0x10/0x10 ? __pfx_newidle_balance+0x10/0x10 ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? _raw_spin_unlock+0xe/0x24 ? raw_spin_rq_unlock+0x47/0x54 ? raw_spin_rq_unlock_irq+0x9/0x1f ? finish_task_switch.isra.0+0x347/0x586 ? __schedule+0x27bf/0x2892 ? mutex_unlock+0x80/0xd0 ? do_raw_spin_lock+0x75/0xdb ? __pfx___schedule+0x10/0x10 process_scheduled_works+0x58c/0x821 worker_thread+0x4c7/0x586 ? __kasan_check_read+0x11/0x1f kthread+0x285/0x294 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x6f ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> CVE-2025-21729 moderate In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail. CVE-2025-21731 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error This patch addresses a race condition for an ODP MR that can result in a CQE with an error on the UMR QP. During the __mlx5_ib_dereg_mr() flow, the following sequence of calls occurs: mlx5_revoke_mr() mlx5r_umr_revoke_mr() mlx5r_umr_post_send_wait() At this point, the lkey is freed from the hardware's perspective. However, concurrently, mlx5_ib_invalidate_range() might be triggered by another task attempting to invalidate a range for the same freed lkey. This task will: - Acquire the umem_odp->umem_mutex lock. - Call mlx5r_umr_update_xlt() on the UMR QP. - Since the lkey has already been freed, this can lead to a CQE error, causing the UMR QP to enter an error state [1]. To resolve this race condition, the umem_odp->umem_mutex lock is now also acquired as part of the mlx5_revoke_mr() scope. Upon successful revoke, we set umem_odp->private which points to that MR to NULL, preventing any further invalidation attempts on its lkey. [1] From dmesg: infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2 WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib] Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib] [..] Call Trace: <TASK> mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib] mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib] __mmu_notifier_invalidate_range_start+0x1e1/0x240 zap_page_range_single+0xf1/0x1a0 madvise_vma_behavior+0x677/0x6e0 do_madvise+0x1a2/0x4b0 __x64_sys_madvise+0x25/0x30 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-21732 moderate In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix resetting of tracepoints If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD disabled, but then that option is enabled and timerlat is removed, the tracepoints that were enabled on timerlat registration do not get disabled. If the option is disabled again and timelat is started, then it triggers a warning in the tracepoint code due to registering the tracepoint again without ever disabling it. Do not use the same user space defined options to know to disable the tracepoints when timerlat is removed. Instead, set a global flag when it is enabled and use that flag to know to disable the events. ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo timerlat > /sys/kernel/tracing/current_tracer ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo nop > /sys/kernel/tracing/current_tracer ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo timerlat > /sys/kernel/tracing/current_tracer Triggers: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0 Modules linked in: CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:tracepoint_add_func+0x3b6/0x3f0 Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202 RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410 RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002 R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001 R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008 FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0 Call Trace: <TASK> ? __warn.cold+0xb7/0x14d ? tracepoint_add_func+0x3b6/0x3f0 ? report_bug+0xea/0x170 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? __pfx_trace_sched_migrate_callback+0x10/0x10 ? tracepoint_add_func+0x3b6/0x3f0 ? __pfx_trace_sched_migrate_callback+0x10/0x10 ? __pfx_trace_sched_migrate_callback+0x10/0x10 tracepoint_probe_register+0x78/0xb0 ? __pfx_trace_sched_migrate_callback+0x10/0x10 osnoise_workload_start+0x2b5/0x370 timerlat_tracer_init+0x76/0x1b0 tracing_set_tracer+0x244/0x400 tracing_set_trace_write+0xa0/0xe0 vfs_write+0xfc/0x570 ? do_sys_openat2+0x9c/0xe0 ksys_write+0x72/0xf0 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-21733 moderate In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix copy buffer page size For non-registered buffer, fastrpc driver copies the buffer and pass it to the remote subsystem. There is a problem with current implementation of page size calculation which is not considering the offset in the calculation. This might lead to passing of improper and out-of-bounds page size which could result in memory issue. Calculate page start and page end using the offset adjusted address instead of absolute address. CVE-2025-21734 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Add bounds checking in nci_hci_create_pipe() The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory corruption in the caller, nci_hci_connect_gate(). CVE-2025-21735 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix possible int overflows in nilfs_fiemap() Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result by being prepared to go through potentially maxblocks == INT_MAX blocks, the value in n may experience an overflow caused by left shift of blkbits. While it is extremely unlikely to occur, play it safe and cast right hand expression to wider type to mitigate the issue. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. CVE-2025-21736 moderate In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer. CVE-2025-21738 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation. During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation: Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blk_crypto_profile_destroy_callback+0x28/0x70 devm_action_release+0x1c/0x30 release_nodes+0x6c/0x108 devres_release_all+0x98/0x100 device_unbind_cleanup+0x20/0x70 really_probe+0x218/0x2d0 In other words, the initialisation code flow is: platform-device probe ufshcd_pltfrm_init() ufshcd_alloc_host() scsi_host_alloc() allocation of struct ufs_hba creation of scsi-host devices devm_blk_crypto_profile_init() devm registration of cleanup handler using platform-device and during error handling of ufshcd_pltfrm_init() or during driver removal: ufshcd_dealloc_host() scsi_host_put() put_device(scsi-host) release of struct ufs_hba put_device(platform-device) crypto cleanup handler To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way: * the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after) * a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore * no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup CVE-2025-21739 moderate In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix DPE OoB read Fix an out-of-bounds DPE read, limit the number of processed DPEs to the amount that fits into the fixed-size NDP16 header. CVE-2025-21741 moderate In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: use static NDP16 location in URB Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read. On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format. This, along with NCM-specific minimal URB length check that already exists, will ensure that the fixed-length part of NDP16 plus a set amount of DPEs fit within the URB. Note that this commit alone does not fully address the OoB read. The limit on the amount of DPEs needs to be enforced separately. CVE-2025-21742 moderate In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflow in DPE length check Originally, it was possible for the DPE length check to overflow if wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB read. Move the wDatagramIndex term to the other side of the inequality. An existing condition ensures that wDatagramIndex < urb->actual_length. CVE-2025-21743 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs. The following sequence deletes the interface: brcmf_detach() brcmf_remove_interface() brcmf_del_if() Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches. After brcmf_remove_interface() call the brcmf_proto_detach() function is called providing the following sequence: brcmf_detach() brcmf_proto_detach() brcmf_proto_msgbuf_detach() brcmf_flowring_detach() brcmf_msgbuf_delete_flowring() brcmf_msgbuf_remove_flowring() brcmf_flowring_delete() brcmf_get_ifp() brcmf_txfinalize() Since brcmf_get_ip() can and actually will return NULL in this case the call to brcmf_txfinalize() will result in a NULL pointer dereference inside brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors. This will only happen if a flowring still has an skb. Although the NULL pointer dereference has only been seen when trying to update the tx statistic, all other uses of the ifp pointer have been guarded as well with an early return if ifp is NULL. CVE-2025-21744 moderate In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount leakage blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage. Fix by ending the iterating with class_dev_iter_exit(). CVE-2025-21745 moderate In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock the socket to avoid this issue. CVE-2025-21749 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Check the return value of of_property_read_string_index() Somewhen between 6.10 and 6.11 the driver started to crash on my MacBookPro14,3. The property doesn't exist and 'tmp' remains uninitialized, so we pass a random pointer to devm_kstrdup(). The crash I am getting looks like this: BUG: unable to handle page fault for address: 00007f033c669379 PF: supervisor read access in kernel mode PF: error_code(0x0001) - permissions violation PGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025 Oops: Oops: 0001 [#1] SMP PTI CPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1 Hardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024 RIP: 0010:strlen+0x4/0x30 Code: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc RSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202 RAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001 RDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379 RBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a R10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8 R13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30 FS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x149/0x4c0 ? raw_spin_rq_lock_nested+0xe/0x20 ? sched_balance_newidle+0x22b/0x3c0 ? update_load_avg+0x78/0x770 ? exc_page_fault+0x6f/0x150 ? asm_exc_page_fault+0x26/0x30 ? __pfx_pci_conf1_write+0x10/0x10 ? strlen+0x4/0x30 devm_kstrdup+0x25/0x70 brcmf_of_probe+0x273/0x350 [brcmfmac] CVE-2025-21750 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when attempting to join an aborted transaction When we are trying to join the current transaction and if it's aborted, we read its 'aborted' field after unlocking fs_info->trans_lock and without holding any extra reference count on it. This means that a concurrent task that is aborting the transaction may free the transaction before we read its 'aborted' field, leading to a use-after-free. Fix this by reading the 'aborted' field while holding fs_info->trans_lock since any freeing task must first acquire that lock and set fs_info->running_transaction to NULL before freeing the transaction. This was reported by syzbot and Dmitry with the following stack traces from KASAN: ================================================================== BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128 CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound btrfs_async_reclaim_data_space Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803 btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5315: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572 lookup_open fs/namei.c:3649 [inline] open_last_lookups fs/namei.c:3748 [inline] path_openat+0x1c03/0x3590 fs/namei.c:3984 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_creat fs/open.c:1495 [inline] __se_sys_creat fs/open.c:1489 [inline] __x64_sys_creat+0x123/0x170 fs/open.c:1489 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5336: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 cleanup_transaction fs/btrfs/transaction.c:2063 [inline] btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757 btrfs_balance+0x992/ ---truncated--- CVE-2025-21753 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion failure when splitting ordered extent after transaction abort If while we are doing a direct IO write a transaction abort happens, we mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done at btrfs_destroy_ordered_extents()), and then after that if we enter btrfs_split_ordered_extent() and the ordered extent has bytes left (meaning we have a bio that doesn't cover the whole ordered extent, see details at btrfs_extract_ordered_extent()), we will fail on the following assertion at btrfs_split_ordered_extent(): ASSERT(!(flags & ~BTRFS_ORDERED_TYPE_FLAGS)); because the BTRFS_ORDERED_IOERR flag is set and the definition of BTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the type of write (regular, nocow, prealloc, compressed, direct IO, encoded). Fix this by returning an error from btrfs_extract_ordered_extent() if we find the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will be the error that resulted in the transaction abort or -EIO if no transaction abort happened. This was recently reported by syzbot with the following trace: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 fail_dump lib/fault-inject.c:53 [inline] should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154 should_failslab+0xac/0x100 mm/failslab.c:46 slab_pre_alloc_hook mm/slub.c:4072 [inline] slab_alloc_node mm/slub.c:4148 [inline] __do_kmalloc_node mm/slub.c:4297 [inline] __kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742 reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292 check_system_chunk fs/btrfs/block-group.c:4319 [inline] do_chunk_alloc fs/btrfs/block-group.c:3891 [inline] btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187 find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline] find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579 btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672 btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline] btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321 btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525 iomap_iter+0x697/0xf60 fs/iomap/iter.c:90 __iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702 btrfs_dio_write fs/btrfs/direct-io.c:775 [inline] btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880 btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397 do_iter_readv_writev+0x600/0x880 vfs_writev+0x376/0xba0 fs/read_write.c:1050 do_pwritev fs/read_write.c:1146 [inline] __do_sys_pwritev2 fs/read_write.c:1204 [inline] __se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f1281f85d29 RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29 RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003 R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002 R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328 </TASK> BTRFS error (device loop0 state A): Transaction aborted (error -12) BTRFS: error (device loop0 state A ---truncated--- CVE-2025-21754 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-21755 moderate In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-21756 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: extend RCU protection in igmp6_send() igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection. CVE-2025-21759 moderate In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF. CVE-2025-21760 moderate In the Linux kernel, the following vulnerability has been resolved: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() ovs_vport_cmd_fill_info() can be called without RTNL or RCU. Use RCU protection and dev_net_rcu() to avoid potential UAF. CVE-2025-21761 moderate In the Linux kernel, the following vulnerability has been resolved: arp: use RCU protection in arp_xmit() arp_xmit() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. CVE-2025-21762 moderate In the Linux kernel, the following vulnerability has been resolved: neighbour: use RCU protection in __neigh_notify() __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. CVE-2025-21763 moderate In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF. CVE-2025-21764 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU protection in ip6_default_advmss() ip6_default_advmss() needs rcu protection to make sure the net structure it reads does not disappear. CVE-2025-21765 moderate In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear. CVE-2025-21766 moderate In the Linux kernel, the following vulnerability has been resolved: clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context The following bug report happened with a PREEMPT_RT kernel: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2012, name: kwatchdog preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 get_random_u32+0x4f/0x110 clocksource_verify_choose_cpus+0xab/0x1a0 clocksource_verify_percpu.part.0+0x6b/0x330 clocksource_watchdog_kthread+0x193/0x1a0 It is due to the fact that clocksource_verify_choose_cpus() is invoked with preemption disabled. This function invokes get_random_u32() to obtain random numbers for choosing CPUs. The batched_entropy_32 local lock and/or the base_crng.lock spinlock in driver/char/random.c will be acquired during the call. In PREEMPT_RT kernel, they are both sleeping locks and so cannot be acquired in atomic context. Fix this problem by using migrate_disable() to allow smp_processor_id() to be reliably used without introducing atomic context. preempt_disable() is then called after clocksource_verify_choose_cpus() but before the clocksource measurement is being run to avoid introducing unexpected latency. CVE-2025-21767 moderate In the Linux kernel, the following vulnerability has been resolved: partitions: mac: fix handling of bogus partition table Fix several issues in partition probing: - The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded. - If the partition table claims a silly sector size like 0xfff bytes (which results in partition table entries straddling sector boundaries), bail out instead of accessing out-of-bounds memory. - We must not assume that the partition table contains proper NUL termination - use strnlen() and strncmp() instead of strlen() and strcmp(). CVE-2025-21772 important In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: fix potential NULL pointer dereference on udev->serial The driver assumed that es58x_dev->udev->serial could never be NULL. While this is true on commercially available devices, an attacker could spoof the device identity providing a NULL USB serial number. That would trigger a NULL pointer dereference. Add a check on es58x_dev->udev->serial before accessing it. CVE-2025-21773 moderate In the Linux kernel, the following vulnerability has been resolved: can: ctucanfd: handle skb allocation failure If skb allocation fails, the pointer to struct can_frame is NULL. This is actually handled everywhere inside ctucan_err_interrupt() except for the only place. Add the missed NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool. CVE-2025-21775 moderate In the Linux kernel, the following vulnerability has been resolved: USB: hub: Ignore non-compliant devices with too many configs or interfaces Robert Morris created a test program which can cause usb_hub_to_struct_hub() to dereference a NULL or inappropriate pointer: Oops: general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110 ... Call Trace: <TASK> ? die_addr+0x31/0x80 ? exc_general_protection+0x1b4/0x3c0 ? asm_exc_general_protection+0x26/0x30 ? usb_hub_adjust_deviceremovable+0x78/0x110 hub_probe+0x7c7/0xab0 usb_probe_interface+0x14b/0x350 really_probe+0xd0/0x2d0 ? __pfx___device_attach_driver+0x10/0x10 __driver_probe_device+0x6e/0x110 driver_probe_device+0x1a/0x90 __device_attach_driver+0x7e/0xc0 bus_for_each_drv+0x7f/0xd0 __device_attach+0xaa/0x1a0 bus_probe_device+0x8b/0xa0 device_add+0x62e/0x810 usb_set_configuration+0x65d/0x990 usb_generic_driver_probe+0x4b/0x70 usb_probe_device+0x36/0xd0 The cause of this error is that the device has two interfaces, and the hub driver binds to interface 1 instead of interface 0, which is where usb_hub_to_struct_hub() looks. We can prevent the problem from occurring by refusing to accept hub devices that violate the USB spec by having more than one configuration or interface. CVE-2025-21776 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and only if the local API is emulated/virtualized by KVM, and explicitly reject said hypercalls if the local APIC is emulated in userspace, i.e. don't rely on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID. Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if Hyper-V enlightenments are exposed to the guest without an in-kernel local APIC: dump_stack+0xbe/0xfd __kasan_report.cold+0x34/0x84 kasan_report+0x3a/0x50 __apic_accept_irq+0x3a/0x5c0 kvm_hv_send_ipi.isra.0+0x34e/0x820 kvm_hv_hypercall+0x8d9/0x9d0 kvm_emulate_hypercall+0x506/0x7e0 __vmx_handle_exit+0x283/0xb60 vmx_handle_exit+0x1d/0xd0 vcpu_enter_guest+0x16b0/0x24c0 vcpu_run+0xc0/0x550 kvm_arch_vcpu_ioctl_run+0x170/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscal1_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode can't be modified after vCPUs are created, i.e. if one vCPU has an in-kernel local APIC, then all vCPUs have an in-kernel local APIC. CVE-2025-21779 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() It malicious user provides a small pptable through sysfs and then a bigger pptable, it may cause buffer overflow attack in function smu_sys_set_pp_table(). CVE-2025-21780 important In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix panic during interface removal Reference counting is used to ensure that batadv_hardif_neigh_node and batadv_hard_iface are not freed before/during batadv_v_elp_throughput_metric_update work is finished. But there isn't a guarantee that the hard if will remain associated with a soft interface up until the work is finished. This fixes a crash triggered by reboot that looks like this: Call trace: batadv_v_mesh_free+0xd0/0x4dc [batman_adv] batadv_v_elp_throughput_metric_update+0x1c/0xa4 process_one_work+0x178/0x398 worker_thread+0x2e8/0x4d0 kthread+0xd8/0xdc ret_from_fork+0x10/0x20 (the batadv_v_mesh_free call is misleading, and does not actually happen) I was able to make the issue happen more reliably by changing hardif_neigh->bat_v.metric_work work to be delayed work. This allowed me to track down and confirm the fix. [sven@narfation.org: prevent entering batadv_v_elp_get_throughput without soft_iface] CVE-2025-21781 moderate In the Linux kernel, the following vulnerability has been resolved: orangefs: fix a oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch. CVE-2025-21782 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode() In function psp_init_cap_microcode(), it should bail out when failed to load firmware, otherwise it may cause invalid memory access. CVE-2025-21784 moderate In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). CVE-2025-21785 moderate In the Linux kernel, the following vulnerability has been resolved: vxlan: check vxlan_vnigroup_init() return value vxlan_init() must check vxlan_vnigroup_init() success otherwise a crash happens later, spotted by syzbot. Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167] CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912 Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00 RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18 RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000 R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000 FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942 unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824 unregister_netdevice_many net/core/dev.c:11866 [inline] unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736 register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901 __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981 vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407 rtnl_newlink_create net/core/rtnetlink.c:3795 [inline] __rtnl_newlink net/core/rtnetlink.c:3906 [inline] CVE-2025-21790 moderate In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. CVE-2025-21791 moderate In the Linux kernel, the following vulnerability has been resolved: spi: sn-f-ospi: Fix division by zero When there is no dummy cycle in the spi-nor commands, both dummy bus cycle bytes and width are zero. Because of the cpu's warning when divided by zero, the warning should be avoided. Return just zero to avoid such calculations. CVE-2025-21793 moderate In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel. To fix this, a 0 element was added at the end of the array to break the for loop. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad CVE-2025-21794 moderate In the Linux kernel, the following vulnerability has been resolved: NFSD: fix hang in nfsd4_shutdown_callback If nfs4_client is in courtesy state then there is no point to send the callback. This causes nfsd4_shutdown_callback to hang since cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP notifies NFSD that the connection was dropped. This patch modifies nfsd4_run_cb_work to skip the RPC call if nfs4_client is in courtesy state. CVE-2025-21795 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28 refcount_warn_saturate+0xb5/0x170 Modules linked in: CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted 6.12.0-rc6-00079-g04ae226af01f-dirty #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb5/0x170 Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75 e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb cd 0f b6 1d 8a3 RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380 RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56 R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001 R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0 FS: 0000000000000000(0000) GS:ffff88871ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0xb5/0x170 ? __warn+0xa5/0x140 ? refcount_warn_saturate+0xb5/0x170 ? report_bug+0x1b1/0x1e0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x17/0x40 ? asm_exc_invalid_op+0x1a/0x20 ? tick_nohz_tick_stopped+0x1e/0x40 ? refcount_warn_saturate+0xb5/0x170 ? refcount_warn_saturate+0xb5/0x170 nfs3svc_release_getacl+0xc9/0xe0 svc_process_common+0x5db/0xb60 ? __pfx_svc_process_common+0x10/0x10 ? __rcu_read_unlock+0x69/0xa0 ? __pfx_nfsd_dispatch+0x10/0x10 ? svc_xprt_received+0xa1/0x120 ? xdr_init_decode+0x11d/0x190 svc_process+0x2a7/0x330 svc_handle_xprt+0x69d/0x940 svc_recv+0x180/0x2d0 nfsd+0x168/0x200 ? __pfx_nfsd+0x10/0x10 kthread+0x1a2/0x1e0 ? kthread+0xf4/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... Clear acl_access/acl_default after posix_acl_release is called to prevent UAF from being triggered. CVE-2025-21796 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns negative error value on error. So not NULL check is not sufficient to deteremine if IRQ is valid. Check that IRQ is greater then zero to ensure it is valid. There is no issue at probe time but at runtime user can invoke .set_channels which results in the following call chain. am65_cpsw_set_channels() am65_cpsw_nuss_update_tx_rx_chns() am65_cpsw_nuss_remove_tx_chns() am65_cpsw_nuss_init_tx_chns() At this point if am65_cpsw_nuss_init_tx_chns() fails due to k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a negative value. Then, at subsequent .set_channels with higher channel count we will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns() leading to a kernel warning. The issue is present in the original commit that introduced this driver, although there, am65_cpsw_nuss_update_tx_rx_chns() existed as am65_cpsw_nuss_update_tx_chns(). CVE-2025-21799 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_lock for this. Because in the process flow of pci_disable_sriov(), it will trigger the remove flow of VF, which will also take hnae3_common_lock. To fixes it, introduce a new mutex to protect the unload process. CVE-2025-21802 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region() macro to request a needed resource. A string variable that lives on the stack is then used to store a dynamically computed resource name, which is then passed on as one of the macro arguments. This can lead to undefined behavior. Depending on the current contents of the memory, the manifestations of errors may vary. One possible output may be as follows: $ cat /proc/iomem 30000000-37ffffff : 38000000-3fffffff : Sometimes, garbage may appear after the colon. In very rare cases, if no NULL-terminator is found in memory, the system might crash because the string iterator will overrun which can lead to access of unmapped memory above the stack. Thus, fix this by replacing outbound_name with the name of the previously requested resource. With the changes applied, the output will be as follows: $ cat /proc/iomem 30000000-37ffffff : memory2 38000000-3fffffff : memory3 [kwilczynski: commit log] CVE-2025-21804 moderate In the Linux kernel, the following vulnerability has been resolved: net: let net.core.dev_weight always be non-zero The following problem was encountered during stability test: (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \ returned 1, exceeding its budget of 0. ------------[ cut here ]------------ list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \ next=ffff88905f746e40. WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \ __list_add_valid_or_report+0xf3/0x130 CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+ RIP: 0010:__list_add_valid_or_report+0xf3/0x130 Call Trace: ? __warn+0xcd/0x250 ? __list_add_valid_or_report+0xf3/0x130 enqueue_to_backlog+0x923/0x1070 netif_rx_internal+0x92/0x2b0 __netif_rx+0x15/0x170 loopback_xmit+0x2ef/0x450 dev_hard_start_xmit+0x103/0x490 __dev_queue_xmit+0xeac/0x1950 ip_finish_output2+0x6cc/0x1620 ip_output+0x161/0x270 ip_push_pending_frames+0x155/0x1a0 raw_sendmsg+0xe13/0x1550 __sys_sendto+0x3bf/0x4e0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x5b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e The reproduction command is as follows: sysctl -w net.core.dev_weight=0 ping 127.0.0.1 This is because when the napi's weight is set to 0, process_backlog() may return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this napi to be re-polled in net_rx_action() until __do_softirq() times out. Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can be retriggered in enqueue_to_backlog(), causing this issue. Making the napi's weight always non-zero solves this problem. Triggering this issue requires system-wide admin (setting is not namespaced). CVE-2025-21806 moderate In the Linux kernel, the following vulnerability has been resolved: driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() There are a potential wild pointer dereferences issue regarding APIs class_dev_iter_(init|next|exit)(), as explained by below typical usage: // All members of @iter are wild pointers. struct class_dev_iter iter; // class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...); // Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... }; // Also dereference these wild pointers here. class_dev_iter_exit(&iter); Actually, all callers of these APIs have such usage pattern in kernel tree. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init() and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next(). CVE-2025-21810 moderate In the Linux kernel, the following vulnerability has been resolved: mm/compaction: fix UBSAN shift-out-of-bounds warning syzkaller reported a UBSAN shift-out-of-bounds warning of (1UL << order) in isolate_freepages_block(). The bogus compound_order can be any value because it is union with flags. Add back the MAX_PAGE_ORDER check to fix the warning. CVE-2025-21815 moderate In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd/display: Use HW lock mgr for PSR1" This reverts commit a2b5a9956269 ("drm/amd/display: Use HW lock mgr for PSR1") Because it may cause system hang while connect with two edp panel. CVE-2025-21819 moderate In the Linux kernel, the following vulnerability has been resolved: tty: xilinx_uartps: split sysrq handling lockdep detects the following circular locking dependency: CPU 0 CPU 1 ========================== ============================ cdns_uart_isr() printk() uart_port_lock(port) console_lock() cdns_uart_console_write() if (!port->sysrq) uart_port_lock(port) uart_handle_break() port->sysrq = ... uart_handle_sysrq_char() printk() console_lock() The fixed commit attempts to avoid this situation by only taking the port lock in cdns_uart_console_write if port->sysrq unset. However, if (as shown above) cdns_uart_console_write runs before port->sysrq is set, then it will try to take the port lock anyway. This may result in a deadlock. Fix this by splitting sysrq handling into two parts. We use the prepare helper under the port lock and defer handling until we release the lock. CVE-2025-21820 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: omap: use threaded IRQ for LCD DMA When using touchscreen and framebuffer, Nokia 770 crashes easily with: BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000 Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2 Hardware name: Nokia 770 Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x54/0x5c dump_stack_lvl from __schedule_bug+0x50/0x70 __schedule_bug from __schedule+0x4d4/0x5bc __schedule from schedule+0x34/0xa0 schedule from schedule_preempt_disabled+0xc/0x10 schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4 __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4 clk_prepare_lock from clk_set_rate+0x18/0x154 clk_set_rate from sossi_read_data+0x4c/0x168 sossi_read_data from hwa742_read_reg+0x5c/0x8c hwa742_read_reg from send_frame_handler+0xfc/0x300 send_frame_handler from process_pending_requests+0x74/0xd0 process_pending_requests from lcd_dma_irq_handler+0x50/0x74 lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130 __handle_irq_event_percpu from handle_irq_event+0x28/0x68 handle_irq_event from handle_level_irq+0x9c/0x170 handle_level_irq from generic_handle_domain_irq+0x2c/0x3c generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c generic_handle_arch_irq from call_with_stack+0x1c/0x24 call_with_stack from __irq_svc+0x94/0xa8 Exception stack(0xc5255da0 to 0xc5255de8) 5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248 5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94 5de0: 60000013 ffffffff __irq_svc from clk_prepare_lock+0x4c/0xe4 clk_prepare_lock from clk_get_rate+0x10/0x74 clk_get_rate from uwire_setup_transfer+0x40/0x180 uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664 spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498 __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8 __spi_sync from spi_sync+0x24/0x40 spi_sync from ads7846_halfd_read_state+0x5c/0x1c0 ads7846_halfd_read_state from ads7846_irq+0x58/0x348 ads7846_irq from irq_thread_fn+0x1c/0x78 irq_thread_fn from irq_thread+0x120/0x228 irq_thread from kthread+0xc8/0xe8 kthread from ret_from_fork+0x14/0x28 As a quick fix, switch to a threaded IRQ which provides a stable system. CVE-2025-21821 moderate In the Linux kernel, the following vulnerability has been resolved: batman-adv: Drop unmanaged ELP metric worker The ELP worker needs to calculate new metric values for all neighbors "reachable" over an interface. Some of the used metric sources require locks which might need to sleep. This sleep is incompatible with the RCU list iterator used for the recorded neighbors. The initial approach to work around of this problem was to queue another work item per neighbor and then run this in a new context. Even when this solved the RCU vs might_sleep() conflict, it has a major problems: Nothing was stopping the work item in case it is not needed anymore - for example because one of the related interfaces was removed or the batman-adv module was unloaded - resulting in potential invalid memory accesses. Directly canceling the metric worker also has various problems: * cancel_work_sync for a to-be-deactivated interface is called with rtnl_lock held. But the code in the ELP metric worker also tries to use rtnl_lock() - which will never return in this case. This also means that cancel_work_sync would never return because it is waiting for the worker to finish. * iterating over the neighbor list for the to-be-deactivated interface is currently done using the RCU specific methods. Which means that it is possible to miss items when iterating over it without the associated spinlock - a behaviour which is acceptable for a periodic metric check but not for a cleanup routine (which must "stop" all still running workers) The better approch is to get rid of the per interface neighbor metric worker and handle everything in the interface worker. The original problems are solved by: * creating a list of neighbors which require new metric information inside the RCU protected context, gathering the metric according to the new list outside the RCU protected context * only use rcu_trylock inside metric gathering code to avoid a deadlock when the cancel_delayed_work_sync is called in the interface removal code (which is called with the rtnl_lock held) CVE-2025-21823 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT During the update procedure, when overwrite element in a pre-allocated htab, the freeing of old_element is protected by the bucket lock. The reason why the bucket lock is necessary is that the old_element has already been stashed in htab->extra_elems after alloc_htab_elem() returns. If freeing the old_element after the bucket lock is unlocked, the stashed element may be reused by concurrent update procedure and the freeing of old_element will run concurrently with the reuse of the old_element. However, the invocation of check_and_free_fields() may acquire a spin-lock which violates the lockdep rule because its caller has already held a raw-spin-lock (bucket lock). The following warning will be reported when such race happens: BUG: scheduling while atomic: test_progs/676/0x00000003 3 locks held by test_progs/676: #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830 #1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500 #2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0 Modules linked in: bpf_testmod(O) Preemption disabled at: [<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500 CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11 Tainted: [W]=WARN, [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)... Call Trace: <TASK> dump_stack_lvl+0x57/0x70 dump_stack+0x10/0x20 __schedule_bug+0x120/0x170 __schedule+0x300c/0x4800 schedule_rtlock+0x37/0x60 rtlock_slowlock_locked+0x6d9/0x54c0 rt_spin_lock+0x168/0x230 hrtimer_cancel_wait_running+0xe9/0x1b0 hrtimer_cancel+0x24/0x30 bpf_timer_delete_work+0x1d/0x40 bpf_timer_cancel_and_free+0x5e/0x80 bpf_obj_free_fields+0x262/0x4a0 check_and_free_fields+0x1d0/0x280 htab_map_update_elem+0x7fc/0x1500 bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43 bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e bpf_prog_test_run_syscall+0x322/0x830 __sys_bpf+0x135d/0x3ca0 __x64_sys_bpf+0x75/0xb0 x64_sys_call+0x1b5/0xa10 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ... </TASK> It seems feasible to break the reuse and refill of per-cpu extra_elems into two independent parts: reuse the per-cpu extra_elems with bucket lock being held and refill the old_element as per-cpu extra_elems after the bucket lock is unlocked. However, it will make the concurrent overwrite procedures on the same CPU return unexpected -E2BIG error when the map is full. Therefore, the patch fixes the lock problem by breaking the cancelling of bpf_timer into two steps for PREEMPT_RT: 1) use hrtimer_try_to_cancel() and check its return value 2) if the timer is running, use hrtimer_cancel() through a kworker to cancel it again Considering that the current implementation of hrtimer_cancel() will try to acquire a being held softirq_expiry_lock when the current timer is running, these steps above are reasonable. However, it also has downside. When the timer is running, the cancelling of the timer is delayed when releasing the last map uref. The delay is also fixable (e.g., break the cancelling of bpf timer into two parts: one part in locked scope, another one in unlocked scope), it can be revised later if necessary. It is a bit hard to decide the right fix tag. One reason is that the problem depends on PREEMPT_RT which is enabled in v6.12. Considering the softirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced in v5.15, the bpf_timer commit is used in the fixes tag and an extra depends-on tag is added to state the dependency on PREEMPT_RT. Depends-on: v6.12+ with PREEMPT_RT enabled CVE-2025-21825 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't flush non-uploaded STAs If STA state is pre-moved to AUTHORIZED (such as in IBSS scenarios) and insertion fails, the station is freed. In this case, the driver never knew about the station, so trying to flush it is unexpected and may crash. Check if the sta was uploaded to the driver before and fix this. CVE-2025-21828 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]" The Call Trace is as below: " <TASK> ? show_regs.cold+0x1a/0x1f ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? __warn+0x84/0xd0 ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? report_bug+0x105/0x180 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? __rxe_cleanup+0x124/0x170 [rdma_rxe] rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe] ib_destroy_qp_user+0x118/0x190 [ib_core] rdma_destroy_qp.cold+0x43/0x5e [rdma_cm] rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core] rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server] process_one_work+0x21d/0x3f0 worker_thread+0x4a/0x3c0 ? process_one_work+0x3f0/0x3f0 kthread+0xf0/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> " When too many rdma resources are allocated, rxe needs more time to handle these rdma resources. Sometimes with the current timeout, rxe can not release the rdma resources correctly. Compared with other rdma drivers, a bigger timeout is used. CVE-2025-21829 moderate In the Linux kernel, the following vulnerability has been resolved: landlock: Handle weird files A corrupted filesystem (e.g. bcachefs) might return weird files. Instead of throwing a warning and allowing access to such file, treat them as regular files. CVE-2025-21830 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1 commit 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") sets the policy that all PCIe ports are allowed to use D3. When the system is suspended if the port is not power manageable by the platform and won't be used for wakeup via a PME this sets up the policy for these ports to go into D3hot. This policy generally makes sense from an OSPM perspective but it leads to problems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a specific old BIOS. This manifests as a system hang. On the affected Device + BIOS combination, add a quirk for the root port of the problematic controller to ensure that these root ports are not put into D3hot at suspend. This patch is based on https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com but with the added condition both in the documentation and in the code to apply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only the affected root ports. CVE-2025-21831 moderate In the Linux kernel, the following vulnerability has been resolved: block: don't revert iter for -EIOCBQUEUED blkdev_read_iter() has a few odd checks, like gating the position and count adjustment on whether or not the result is bigger-than-or-equal to zero (where bigger than makes more sense), and not checking the return value of blkdev_direct_IO() before doing an iov_iter_revert(). The latter can lead to attempting to revert with a negative value, which when passed to iov_iter_revert() as an unsigned value will lead to throwing a WARN_ON() because unroll is bigger than MAX_RW_COUNT. Be sane and don't revert for -EIOCBQUEUED, like what is done in other spots. CVE-2025-21832 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths While the MIDI jacks are configured correctly, and the MIDIStreaming endpoint descriptors are filled with the correct information, bNumEmbMIDIJack and bLength are set incorrectly in these descriptors. This does not matter when the numbers of in and out ports are equal, but when they differ the host will receive broken descriptors with uninitialized stack memory leaking into the descriptor for whichever value is smaller. The precise meaning of "in" and "out" in the port counts is not clearly defined and can be confusing. But elsewhere the driver consistently uses this to match the USB meaning of IN and OUT viewed from the host, so that "in" ports send data to the host and "out" ports receive data from it. CVE-2025-21835 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: reallocate buf lists on upgrade IORING_REGISTER_PBUF_RING can reuse an old struct io_buffer_list if it was created for legacy selected buffer and has been emptied. It violates the requirement that most of the field should stay stable after publish. Always reallocate it instead. CVE-2025-21836 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: flush gadget workqueue after device removal device_del() can lead to new work being scheduled in gadget->work workqueue. This is observed, for example, with the dwc3 driver with the following call stack: device_del() gadget_unbind_driver() usb_gadget_disconnect_locked() dwc3_gadget_pullup() dwc3_gadget_soft_disconnect() usb_gadget_set_state() schedule_work(&gadget->work) Move flush_work() after device_del() to ensure the workqueue is cleaned up. CVE-2025-21838 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: Add check for next_buffer in receive_encrypted_standard() Add check for the return value of cifs_buf_get() and cifs_small_buf_get() in receive_encrypted_standard() to prevent null pointer dereference. CVE-2025-21844 moderate In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acc(2) to /sys/power/resume. At the point the where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current->fs. Reorganize the code so that the the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk. This api should stop to exist though. CVE-2025-21846 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() The nullity of sps->cstream should be checked similarly as it is done in sof_set_stream_data_offset() function. Assuming that it is not NULL if sps->stream is NULL is incorrect and can lead to NULL pointer dereference. CVE-2025-21847 moderate In the Linux kernel, the following vulnerability has been resolved: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() Add check for the return value of nfp_app_ctrl_msg_alloc() in nfp_bpf_cmsg_alloc() to prevent null pointer dereference. CVE-2025-21848 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet: Fix crash when a namespace is disabled The namespace percpu counter protects pending I/O, and we can only safely diable the namespace once the counter drop to zero. Otherwise we end up with a crash when running blktests/nvme/058 (eg for loop transport): [ 2352.930426] [ T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI [ 2352.930431] [ T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 2352.930434] [ T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G W 6.13.0-rc6 #232 [ 2352.930438] [ T53909] Tainted: [W]=WARN [ 2352.930440] [ T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [ 2352.930443] [ T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop] [ 2352.930449] [ T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180 as the queue is already torn down when calling submit_bio(); So we need to init the percpu counter in nvmet_ns_enable(), and wait for it to drop to zero in nvmet_ns_disable() to avoid having I/O pending after the namespace has been disabled. CVE-2025-21850 moderate In the Linux kernel, the following vulnerability has been resolved: s390/ism: add release function for struct device According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must be fixed. The current code directly frees the device after calling device_add() without waiting for other kernel parts to release their references. Thus, a reference could still be held to a struct device, e.g., by sysfs, leading to potential use-after-free issues if a proper release function is not set. CVE-2025-21856 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: fix error handling causing NULL dereference tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change(). fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with exts->actions as argument, where it is dereferenced. Example trace: BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1 RIP: 0010:tcf_action_init+0x1f8/0x2c0 Call Trace: tcf_action_init+0x1f8/0x2c0 tcf_exts_validate_ex+0x175/0x190 fl_change+0x537/0x1120 [cls_flower] CVE-2025-21857 moderate In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list. The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed. However, its geneve_dev.next is still linked to the backend UDP socket netns. Then, use-after-free will occur when another geneve dev is created in the netns. Let's call geneve_dellink() instead in geneve_destroy_tunnels(). [0]: BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441 CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 geneve_find_dev drivers/net/geneve.c:1295 [inline] geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 __sys_sendmsg net/socket.c:2654 [inline] __do_sys_sendmsg net/socket.c:2659 [inline] __se_sys_sendmsg net/socket.c:2657 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 Allocated by task 13247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_n ---truncated--- CVE-2025-21858 moderate In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock. Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler. CVE-2025-21859 moderate In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, rem ---truncated--- CVE-2025-21861 moderate In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x119/0x179 lib/dump_stack.c:118 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159 reset_per_cpu_data+0xe6/0x240 [drop_monitor] net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497 genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916 sock_sendmsg_nosec net/socket.c:651 [inline] __sock_sendmsg+0x157/0x190 net/socket.c:663 ____sys_sendmsg+0x712/0x870 net/socket.c:2378 ___sys_sendmsg+0xf8/0x170 net/socket.c:2432 __sys_sendmsg+0xea/0x1b0 net/socket.c:2461 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x62/0xc7 RIP: 0033:0x7f3f9815aee9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768 If drop_monitor is built as a kernel module, syzkaller may have time to send a netlink NET_DM_CMD_START message during the module loading. This will call the net_dm_monitor_start() function that uses a spinlock that has not yet been initialized. To fix this, let's place resource initialization above the registration of a generic netlink family. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-21862 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we santitise it against speculations. CVE-2025-21863 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the pair of netns The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free. The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point. We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions. CVE-2025-21864 moderate In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels. However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl(). Say we have two netns A & B and gtp device B that resides in netns B but whose UDP socket is in netns A. 1. cleanup_net() processes netns A and then B. 2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink(). [ device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called. ] 3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink(). gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue(). Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled. Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp. [0]: list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 RBX: kasan shadow of 0x0 RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 Stack: 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d Call Trace: <TASK> [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl ---truncated--- CVE-2025-21865 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] print_report+0xdc/0x504 [c2437610] [c050475c] kasan_report+0xf8/0x108 [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 [c24376c0] [c004c014] patch_instructions+0x15c/0x16c [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000 GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 NIP [005a1274] 0x5a1274 LR [006a3b3c] 0x6a3b3c --- interrupt: c00 The buggy address belongs to the virtual mapping at [f1000000, f1002000) created by: text_area_cpu_up+0x20/0x190 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 flags: 0x80000000(zone=2) raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 raw: 00000000 page dumped because: kasan: bad access detected Memory state around the buggy address: f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet. Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area. That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault") The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately. CVE-2025-21866 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Disable KASAN report during patching via temporary mm Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13: [ 12.028126] ================================================================== [ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1 [ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3 [ 12.028408] Tainted: [T]=RANDSTRUCT [ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [ 12.028500] Call Trace: [ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable) [ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708 [ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300 [ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370 [ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40 [ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210 [ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590 [ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0 [ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0 [ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40 [ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610 [ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280 [ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8 [ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000 [ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty) [ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000 [ 12.029855] IRQMASK: 0 GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005 GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008 GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000 GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90 GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80 GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8 GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580 [ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030405] --- interrupt: 3000 [ 12.030444] ================================================================== Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU") is inspired from x86 but unlike x86 is doesn't disable KASAN reports during patching. This wasn't a problem at the begining because __patch_mem() is not instrumented. Commit 465cabc97b42 ("powerpc/code-patching: introduce patch_instructions()") use copy_to_kernel_nofault() to copy several instructions at once. But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space. ---truncated--- CVE-2025-21869 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers Other, non DAI copier widgets could have the same stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL pointer in sof_ipc4_prepare_copier_module() and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai() will miscalculate the ALH device count, causing broken audio. The correct fix is to harden the matching logic by making sure that the 1. widget is a DAI widget - so dai = w->private is valid 2. the dai (and thus the copier) is ALH copier CVE-2025-21870 moderate In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix supplicant wait loop OP-TEE supplicant is a user-space daemon and it's possible for it be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client application which can eventually lead to system hang-up waiting for the closure of the client application. Allow the client process waiting in kernel for supplicant response to be killed rather than indefinitely waiting in an unkillable state. Also, a normal uninterruptible wait should not have resulted in the hung-task watchdog getting triggered, but the endless loop would. This fixes issues observed during system reboot/shutdown when supplicant got hung for some reason or gets crashed/killed which lead to client getting hung in an unkillable state. It in turn lead to system being in hung up state requiring hard power off/on to recover. CVE-2025-21871 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: bsg: Fix crash when arpmb command fails If the device doesn't support arpmb we'll crash due to copying user data in bsg_transport_sg_io_fn(). In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not set the job's reply_len. Memory crash backtrace: 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22 4,1308,531166555,-;Call Trace: 4,1309,531166559,-; <TASK> 4,1310,531166565,-; ? show_regs+0x6d/0x80 4,1311,531166575,-; ? die+0x37/0xa0 4,1312,531166583,-; ? do_trap+0xd4/0xf0 4,1313,531166593,-; ? do_error_trap+0x71/0xb0 4,1314,531166601,-; ? usercopy_abort+0x6c/0x80 4,1315,531166610,-; ? exc_invalid_op+0x52/0x80 4,1316,531166622,-; ? usercopy_abort+0x6c/0x80 4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20 4,1318,531166643,-; ? usercopy_abort+0x6c/0x80 4,1319,531166652,-; __check_heap_object+0xe3/0x120 4,1320,531166661,-; check_heap_object+0x185/0x1d0 4,1321,531166670,-; __check_object_size.part.0+0x72/0x150 4,1322,531166679,-; __check_object_size+0x23/0x30 4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0 CVE-2025-21873 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Modules linked in: CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline] RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline] RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283 RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408 RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000 R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0 R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00 FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59 mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486 mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline] mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:733 ____sys_sendmsg+0x53a/0x860 net/socket.c:2573 ___sys_sendmsg net/socket.c:2627 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7e9998cde9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9 RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007 RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088 Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock. The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications. The above statement is incorrect, as without locks another process could concur ---truncated--- CVE-2025-21875 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix suspicious RCU usage Commit <d74169ceb0d2> ("iommu/vt-d: Allocate DMAR fault interrupts locally") moved the call to enable_drhd_fault_handling() to a code path that does not hold any lock while traversing the drhd list. Fix it by ensuring the dmar_global_lock lock is held when traversing the drhd list. Without this fix, the following warning is triggered: ============================= WARNING: suspicious RCU usage 6.14.0-rc3 #55 Not tainted ----------------------------- drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 1 2 locks held by cpuhp/1/23: #0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0 #1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0 stack backtrace: CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55 Call Trace: <TASK> dump_stack_lvl+0xb7/0xd0 lockdep_rcu_suspicious+0x159/0x1f0 ? __pfx_enable_drhd_fault_handling+0x10/0x10 enable_drhd_fault_handling+0x151/0x180 cpuhp_invoke_callback+0x1df/0x990 cpuhp_thread_fun+0x1ea/0x2c0 smpboot_thread_fn+0x1f5/0x2e0 ? __pfx_smpboot_thread_fn+0x10/0x10 kthread+0x12a/0x2d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x4a/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Holding the lock in enable_drhd_fault_handling() triggers a lockdep splat about a possible deadlock between dmar_global_lock and cpu_hotplug_lock. This is avoided by not holding dmar_global_lock when calling iommu_device_register(), which initiates the device probe process. CVE-2025-21876 moderate In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch. Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing. [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:3827 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_resolve_output net/core/neighbour.c:1514 [inline] neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494 neigh_output include/net/neighbour.h:539 [inline] ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819 mld_send_cr net/ipv6/mcast.c:2120 [inline] mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> CVE-2025-21877 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: disable interrupt enable bit before devm_request_irq The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status without being reset. Due to such an i2c module status, the i2c irq handler keeps getting triggered since the i2c irq handler is registered in the kernel booting process after the bmc machine is doing a warm rebooting. The continuous triggering is stopped by the soft lockup watchdog timer. Disable the interrupt enable bit in the i2c module before calling devm_request_irq to fix this issue since the i2c relative status bit is read-only. Here is the soft lockup log. [ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1] [ 28.183351] Modules linked in: [ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1 [ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 28.208128] pc : __do_softirq+0xb0/0x368 [ 28.212055] lr : __do_softirq+0x70/0x368 [ 28.215972] sp : ffffff8035ebca00 [ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780 [ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0 [ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b [ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff [ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000 [ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2 [ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250 [ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434 [ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198 [ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40 [ 28.290611] Call trace: [ 28.293052] __do_softirq+0xb0/0x368 [ 28.296625] __irq_exit_rcu+0xe0/0x100 [ 28.300374] irq_exit+0x14/0x20 [ 28.303513] handle_domain_irq+0x68/0x90 [ 28.307440] gic_handle_irq+0x78/0xb0 [ 28.311098] call_on_irq_stack+0x20/0x38 [ 28.315019] do_interrupt_handler+0x54/0x5c [ 28.319199] el1_interrupt+0x2c/0x4c [ 28.322777] el1h_64_irq_handler+0x14/0x20 [ 28.326872] el1h_64_irq+0x74/0x78 [ 28.330269] __setup_irq+0x454/0x780 [ 28.333841] request_threaded_irq+0xd0/0x1b4 [ 28.338107] devm_request_threaded_irq+0x84/0x100 [ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0 [ 28.346990] platform_probe+0x6c/0xc4 [ 28.350653] really_probe+0xcc/0x45c [ 28.354227] __driver_probe_device+0x8c/0x160 [ 28.358578] driver_probe_device+0x44/0xe0 [ 28.362670] __driver_attach+0x124/0x1d0 [ 28.366589] bus_for_each_dev+0x7c/0xe0 [ 28.370426] driver_attach+0x28/0x30 [ 28.373997] bus_add_driver+0x124/0x240 [ 28.377830] driver_register+0x7c/0x124 [ 28.381662] __platform_driver_register+0x2c/0x34 [ 28.386362] npcm_i2c_init+0x3c/0x5c [ 28.389937] do_one_initcall+0x74/0x230 [ 28.393768] kernel_init_freeable+0x24c/0x2b4 [ 28.398126] kernel_init+0x28/0x130 [ 28.401614] ret_from_fork+0x10/0x20 [ 28.405189] Kernel panic - not syncing: softlockup: hung tasks [ 28.411011] SMP: stopping secondary CPUs [ 28.414933] Kernel Offset: disabled [ 28.418412] CPU features: 0x00000000,00000802 [ 28.427644] Rebooting in 20 seconds.. CVE-2025-21878 moderate In the Linux kernel, the following vulnerability has been resolved: uprobes: Reject the shared zeropage in uprobe_write_opcode() We triggered the following crash in syzkaller tests: BUG: Bad page state in process syz.7.38 pfn:1eff3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3 flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff) raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x32/0x50 bad_page+0x69/0xf0 free_unref_page_prepare+0x401/0x500 free_unref_page+0x6d/0x1b0 uprobe_write_opcode+0x460/0x8e0 install_breakpoint.part.0+0x51/0x80 register_for_each_vma+0x1d9/0x2b0 __uprobe_register+0x245/0x300 bpf_uprobe_multi_link_attach+0x29b/0x4f0 link_create+0x1e2/0x280 __sys_bpf+0x75f/0xac0 __x64_sys_bpf+0x1a/0x30 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1 The following syzkaller test case can be used to reproduce: r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8) write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10) r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0) mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0) r5 = userfaultfd(0x80801) ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20}) r6 = userfaultfd(0x80801) ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140)) ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2}) ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}}) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40) The cause is that zero pfn is set to the PTE without increasing the RSS count in mfill_atomic_pte_zeropage() and the refcount of zero folio does not increase accordingly. Then, the operation on the same pfn is performed in uprobe_write_opcode()->__replace_page() to unconditional decrease the RSS count and old_folio's refcount. Therefore, two bugs are introduced: 1. The RSS count is incorrect, when process exit, the check_mm() report error "Bad rss-count". 2. The reserved folio (zero folio) is freed when folio->refcount is zero, then free_pages_prepare->free_page_is_bad() report error "Bad page state". There is more, the following warning could also theoretically be triggered: __replace_page() -> ... -> folio_remove_rmap_pte() -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio) Considering that uprobe hit on the zero folio is a very rare case, just reject zero old folio immediately after get_user_page_vma_remote(). [ mingo: Cleaned up the changelog ] CVE-2025-21881 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Fix deinitializing VF in error path If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption. Reproducer: devlink dev eswitch set $PF1_PCI mode switchdev ip l s $PF1 up ip l s $PF1 promisc on sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs Trace (minimized): list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330). kernel BUG at lib/list_debug.c:29! RIP: 0010:__list_add_valid_or_report+0xa6/0x100 ice_mbx_init_vf_info+0xa7/0x180 [ice] ice_initialize_vf_entry+0x1fa/0x250 [ice] ice_sriov_configure+0x8d7/0x1520 [ice] ? __percpu_ref_switch_mode+0x1b1/0x5d0 ? __pfx_ice_sriov_configure+0x10/0x10 [ice] Sometimes a KASAN report can be seen instead with a similar stack trace: BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100 VFs are added to this list in ice_mbx_init_vf_info(), but only removed in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is also being called in other places where VFs are being removed (including ice_free_vfs() itself). CVE-2025-21883 moderate In the Linux kernel, the following vulnerability has been resolved: net: better track kernel sockets lifetime While kernel sockets are dismantled during pernet_operations->exit(), their freeing can be delayed by any tx packets still held in qdisc or device queues, due to skb_set_owner_w() prior calls. This then trigger the following warning from ref_tracker_dir_exit() [1] To fix this, make sure that kernel sockets own a reference on net->passive. Add sk_net_refcnt_upgrade() helper, used whenever a kernel socket is converted to a refcounted one. [1] [ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.263918][ T35] sk_alloc+0x2b3/0x370 [ 136.263918][ T35] inet6_create+0x6ce/0x10f0 [ 136.263918][ T35] __sock_create+0x4c0/0xa30 [ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250 [ 136.263918][ T35] igmp6_net_init+0x39/0x390 [ 136.263918][ T35] ops_init+0x31e/0x590 [ 136.263918][ T35] setup_net+0x287/0x9e0 [ 136.263918][ T35] copy_net_ns+0x33f/0x570 [ 136.263918][ T35] create_new_namespaces+0x425/0x7b0 [ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180 [ 136.263918][ T35] ksys_unshare+0x57d/0xa70 [ 136.263918][ T35] __x64_sys_unshare+0x38/0x40 [ 136.263918][ T35] do_syscall_64+0xf3/0x230 [ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 136.263918][ T35] [ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.343488][ T35] sk_alloc+0x2b3/0x370 [ 136.343488][ T35] inet6_create+0x6ce/0x10f0 [ 136.343488][ T35] __sock_create+0x4c0/0xa30 [ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250 [ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0 [ 136.343488][ T35] ops_init+0x31e/0x590 [ 136.343488][ T35] setup_net+0x287/0x9e0 [ 136.343488][ T35] copy_net_ns+0x33f/0x570 [ 136.343488][ T35] create_new_namespaces+0x425/0x7b0 [ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180 [ 136.343488][ T35] ksys_unshare+0x57d/0xa70 [ 136.343488][ T35] __x64_sys_unshare+0x38/0x40 [ 136.343488][ T35] do_syscall_64+0xf3/0x230 [ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-21884 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers While using nvme target with use_srq on, below kernel panic is noticed. [ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514) [ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI .. [ 566.393799] <TASK> [ 566.393807] ? __die_body+0x1a/0x60 [ 566.393823] ? die+0x38/0x60 [ 566.393835] ? do_trap+0xe4/0x110 [ 566.393847] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393867] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393881] ? do_error_trap+0x7c/0x120 [ 566.393890] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393911] ? exc_divide_error+0x34/0x50 [ 566.393923] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393939] ? asm_exc_divide_error+0x16/0x20 [ 566.393966] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393997] bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re] [ 566.394040] bnxt_re_create_srq+0x335/0x3b0 [bnxt_re] [ 566.394057] ? srso_return_thunk+0x5/0x5f [ 566.394068] ? __init_swait_queue_head+0x4a/0x60 [ 566.394090] ib_create_srq_user+0xa7/0x150 [ib_core] [ 566.394147] nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma] [ 566.394174] ? lock_release+0x22c/0x3f0 [ 566.394187] ? srso_return_thunk+0x5/0x5f Page size and shift info is set only for the user space SRQs. Set page size and page shift for kernel space SRQs also. CVE-2025-21885 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP hang on parent deregistration Fix the destroy_unused_implicit_child_mr() to prevent hanging during parent deregistration as of below [1]. Upon entering destroy_unused_implicit_child_mr(), the reference count for the implicit MR parent is incremented using: refcount_inc_not_zero(). A corresponding decrement must be performed if free_implicit_child_mr_work() is not called. The code has been updated to properly manage the reference count that was incremented. [1] INFO: task python3:2157 blocked for more than 120 seconds. Not tainted 6.12.0-rc7+ #1633 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:python3 state:D stack:0 pid:2157 tgid:2157 ppid:1685 flags:0x00000000 Call Trace: <TASK> __schedule+0x420/0xd30 schedule+0x47/0x130 __mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib] ? __pfx_autoremove_wake_function+0x10/0x10 ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 ? kmem_cache_free+0x221/0x400 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f20f21f017b RSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b RDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60 R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890 R13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0 </TASK> CVE-2025-21886 moderate In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK> CVE-2025-21887 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a WARN during dereg_mr for DM type Memory regions (MR) of type DM (device memory) do not have an associated umem. In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not mapped. This results in a WARN [1], as shown below. The issue is resolved by properly accounting for the DM type and ensuring the correct branch is selected in mlx5_free_priv_descs(). [1] WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90 Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00 RSP: 0018:ffffc90001913a10 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x84/0x190 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0xf8/0x1c0 ? handle_bug+0x55/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 dma_unmap_page_attrs+0xe6/0x290 mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib] __mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f537adaf17b Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270 R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190 R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450 </TASK> CVE-2025-21888 moderate In the Linux kernel, the following vulnerability has been resolved: perf/core: Add RCU read lock protection to perf_iterate_ctx() The perf_iterate_ctx() function performs RCU list traversal but currently lacks RCU read lock protection. This causes lockdep warnings when running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y: WARNING: suspicious RCU usage kernel/events/core.c:8168 RCU-list traversed in non-reader section!! Call Trace: lockdep_rcu_suspicious ? perf_event_addr_filters_apply perf_iterate_ctx perf_event_exec begin_new_exec ? load_elf_phdrs load_elf_binary ? lock_acquire ? find_held_lock ? bprm_execve bprm_execve do_execveat_common.isra.0 __x64_sys_execve do_syscall_64 entry_SYSCALL_64_after_hwframe This protection was previously present but was removed in commit bd2756811766 ("perf: Rewrite core context handling"). Add back the necessary rcu_read_lock()/rcu_read_unlock() pair around perf_iterate_ctx() call in perf_event_exec(). [ mingo: Use scoped_guard() as suggested by Peter ] CVE-2025-21889 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: fix checksums set in idpf_rx_rsc() idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header is not set yet. This triggers the following warning for CONFIG_DEBUG_NET=y builds. DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb)) [ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth [ 69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S W 6.14.0-smp-DEV #1697 [ 69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN [ 69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748) [ 69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261687] ? report_bug (lib/bug.c:?) [ 69.261690] ? handle_bug (arch/x86/kernel/traps.c:285) [ 69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309) [ 69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [ 69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf [ 69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf [ 69.261712] __napi_poll (net/core/dev.c:7194) [ 69.261716] net_rx_action (net/core/dev.c:7265) [ 69.261718] ? __qdisc_run (net/sched/sch_generic.c:293) [ 69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288) [ 69.261726] handle_softirqs (kernel/softirq.c:561) CVE-2025-21890 moderate In the Linux kernel, the following vulnerability has been resolved: ipvlan: ensure network headers are in skb linear part syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1] Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers. [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 ipv6_addr_type include/net/ipv6.h:555 [inline] ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline] ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651 ip6_route_output include/net/ip6_route.h:93 [inline] ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476 ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline] ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671 ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223 __netdev_start_xmit include/linux/netdevice.h:5150 [inline] netdev_start_xmit include/linux/netdevice.h:5159 [inline] xmit_one net/core/dev.c:3735 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751 sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343 qdisc_restart net/sched/sch_generic.c:408 [inline] __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416 qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127 net_tx_action+0x78b/0x940 net/core/dev.c:5484 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561 __do_softirq+0x14/0x1a kernel/softirq.c:595 do_softirq+0x9a/0x100 kernel/softirq.c:462 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611 dev_queue_xmit include/linux/netdevice.h:3311 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3132 [inline] packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164 sock_sendmsg_nosec net/socket.c:718 [inline] CVE-2025-21891 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix the recovery flow of the UMR QP This patch addresses an issue in the recovery flow of the UMR QP, ensuring tasks do not get stuck, as highlighted by the call trace [1]. During recovery, before transitioning the QP to the RESET state, the software must wait for all outstanding WRs to complete. Failing to do so can cause the firmware to skip sending some flushed CQEs with errors and simply discard them upon the RESET, as per the IB specification. This race condition can result in lost CQEs and tasks becoming stuck. To resolve this, the patch sends a final WR which serves only as a barrier before moving the QP state to RESET. Once a CQE is received for that final WR, it guarantees that no outstanding WRs remain, making it safe to transition the QP to RESET and subsequently back to RTS, restoring proper functionality. Note: For the barrier WR, we simply reuse the failed and ready WR. Since the QP is in an error state, it will only receive IB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don't care about its status. [1] INFO: task rdma_resource_l:1922 blocked for more than 120 seconds. Tainted: G W 6.12.0-rc7+ #1626 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:rdma_resource_l state:D stack:0 pid:1922 tgid:1922 ppid:1369 flags:0x00004004 Call Trace: <TASK> __schedule+0x420/0xd30 schedule+0x47/0x130 schedule_timeout+0x280/0x300 ? mark_held_locks+0x48/0x80 ? lockdep_hardirqs_on_prepare+0xe5/0x1a0 wait_for_completion+0x75/0x130 mlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib] ? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib] mlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib] __mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? __lock_acquire+0x64e/0x2080 ? mark_held_locks+0x48/0x80 ? find_held_lock+0x2d/0xa0 ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? __fget_files+0xc3/0x1b0 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f99c918b17b RSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX: 00007f99c918b17b RDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09: 000000000000bd7e R10: 00007f99c94c1c70 R11: 0000000000000246 R12: 00007ffc766d0530 R13: 000000000000001c R14: 0000000040246a80 R15: 0000000000000000 </TASK> CVE-2025-21892 moderate In the Linux kernel, the following vulnerability has been resolved: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC Actually ENETC VFs do not support HWTSTAMP_TX_ONESTEP_SYNC because only ENETC PF can access PMa_SINGLE_STEP registers. And there will be a crash if VFs are used to test one-step timestamp, the crash log as follows. [ 129.110909] Unable to handle kernel paging request at virtual address 00000000000080c0 [ 129.287769] Call trace: [ 129.290219] enetc_port_mac_wr+0x30/0xec (P) [ 129.294504] enetc_start_xmit+0xda4/0xe74 [ 129.298525] enetc_xmit+0x70/0xec [ 129.301848] dev_hard_start_xmit+0x98/0x118 CVE-2025-21894 moderate In the Linux kernel, the following vulnerability has been resolved: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list Syskaller triggers a warning due to prev_epc->pmu != next_epc->pmu in perf_event_swap_task_ctx_data(). vmcore shows that two lists have the same perf_event_pmu_context, but not in the same order. The problem is that the order of pmu_ctx_list for the parent is impacted by the time when an event/PMU is added. While the order for a child is impacted by the event order in the pinned_groups and flexible_groups. So the order of pmu_ctx_list in the parent and child may be different. To fix this problem, insert the perf_event_pmu_context to its proper place after iteration of the pmu_ctx_list. The follow testcase can trigger above warning: # perf record -e cycles --call-graph lbr -- taskset -c 3 ./a.out & # perf stat -e cpu-clock,cs -p xxx // xxx is the pid of a.out test.c void main() { int count = 0; pid_t pid; printf("%d running\n", getpid()); sleep(30); printf("running\n"); pid = fork(); if (pid == -1) { printf("fork error\n"); return; } if (pid == 0) { while (1) { count++; } } else { while (1) { count++; } } } The testcase first opens an LBR event, so it will allocate task_ctx_data, and then open tracepoint and software events, so the parent context will have 3 different perf_event_pmu_contexts. On inheritance, child ctx will insert the perf_event_pmu_context in another order and the warning will trigger. [ mingo: Tidied up the changelog. ] CVE-2025-21895 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: limit printed string from FW file There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have. CVE-2025-21905 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: clean up ROC on failure If the firmware fails to start the session protection, then we do call iwl_mvm_roc_finished() here, but that won't do anything at all because IWL_MVM_STATUS_ROC_P2P_RUNNING was never set. Set IWL_MVM_STATUS_ROC_P2P_RUNNING in the failure/stop path. If it started successfully before, it's already set, so that doesn't matter, and if it didn't start it needs to be set to clean up. Not doing so will lead to a WARN_ON() later on a fresh remain- on-channel, since the link is already active when activated as it was never deactivated. CVE-2025-21906 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback Add PF_KCOMPACTD flag and current_is_kcompactd() helper to check for it so nfs_release_folio() can skip calling nfs_wb_folio() from kcompactd. Otherwise NFS can deadlock waiting for kcompactd enduced writeback which recurses back to NFS (which triggers writeback to NFSD via NFS loopback mount on the same host, NFSD blocks waiting for XFS's call to __filemap_get_folio): 6070.550357] INFO: task kcompactd0:58 blocked for more than 4435 seconds. {--- [58] "kcompactd0" [<0>] folio_wait_bit+0xe8/0x200 [<0>] folio_wait_writeback+0x2b/0x80 [<0>] nfs_wb_folio+0x80/0x1b0 [nfs] [<0>] nfs_release_folio+0x68/0x130 [nfs] [<0>] split_huge_page_to_list_to_order+0x362/0x840 [<0>] migrate_pages_batch+0x43d/0xb90 [<0>] migrate_pages_sync+0x9a/0x240 [<0>] migrate_pages+0x93c/0x9f0 [<0>] compact_zone+0x8e2/0x1030 [<0>] compact_node+0xdb/0x120 [<0>] kcompactd+0x121/0x2e0 [<0>] kthread+0xcf/0x100 [<0>] ret_from_fork+0x31/0x40 [<0>] ret_from_fork_asm+0x1a/0x30 ---} [akpm@linux-foundation.org: fix build] CVE-2025-21908 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject cooked mode if it is set along with other flags It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE flags simultaneously on the same monitor interface from the userspace. This causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit set because the monitor interface is in the cooked state and it takes precedence over all other states. When the interface is then being deleted the kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing that bit. Fix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with other flags. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-21909 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: regulatory: improve invalid hints checking Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected. While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 reasons. 1) The way isalpha() works, symbols other than latin lower and upper letters may be used to determine a country/domain. For instance, greek letters will also be considered upper/lower letters and for such characters isalpha() will return true as well. However, ISO-3166-1 alpha2 codes should only hold latin characters. 2) While processing a user regulatory request, between reg_process_hint_user() and regulatory_hint_user() there happens to be a call to queue_regulatory_request() which modifies letters in request->alpha2[] with toupper(). This works fine for latin symbols, less so for weird letter characters from the second part of _ctype[]. Syzbot triggers a warning in is_user_regdom_saved() by first sending over an unexpected non-latin letter that gets malformed by toupper() into a character that ends up failing isalpha() check. Prevent this by enhancing is_an_alpha2() to ensure that incoming symbols are latin letters and nothing else. [1] Syzbot report: ------------[ cut here ]------------ Unexpected user alpha2: A� WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 Modules linked in: CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_power_efficient crda_timeout_work RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline] RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline] RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 ... Call Trace: <TASK> crda_timeout_work+0x27/0x50 net/wireless/reg.c:542 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> CVE-2025-21910 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ] [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted [ 4.239603] ----------------------------- [ 4.239606] kworker/u8:5/76 is trying to lock: [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.239641] other info that might help us debug this: [ 4.239643] context-{5:5} [ 4.239646] 5 locks held by kworker/u8:5/76: [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value. [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c [ 4.254109] #2: ffff00000920c8f8 [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value. [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690 [ 4.264840] #4: [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value. [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690 [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz [ 4.304082] stack backtrace: [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 4.304097] Workqueue: async async_run_entry_fn [ 4.304106] Call trace: [ 4.304110] show_stack+0x14/0x20 (C) [ 4.304122] dump_stack_lvl+0x6c/0x90 [ 4.304131] dump_stack+0x14/0x1c [ 4.304138] __lock_acquire+0xdfc/0x1584 [ 4.426274] lock_acquire+0x1c4/0x33c [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80 [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8 [ 4.444422] __irq_set_trigger+0x5c/0x178 [ 4.448435] __setup_irq+0x2e4/0x690 [ 4.452012] request_threaded_irq+0xc4/0x190 [ 4.456285] devm_request_threaded_irq+0x7c/0xf4 [ 4.459398] ata1: link resume succeeded after 1 retries [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0 [ 4.470660] mmc_start_host+0x50/0xac [ 4.474327] mmc_add_host+0x80/0xe4 [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440 [ 4.482094] renesas_sdhi_probe+0x488/0x6f4 [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78 [ 4.491509] platform_probe+0x64/0xd8 [ 4.495178] really_probe+0xb8/0x2a8 [ 4.498756] __driver_probe_device+0x74/0x118 [ 4.503116] driver_probe_device+0x3c/0x154 [ 4.507303] __device_attach_driver+0xd4/0x160 [ 4.511750] bus_for_each_drv+0x84/0xe0 [ 4.515588] __device_attach_async_helper+0xb0/0xdc [ 4.520470] async_run_entry_fn+0x30/0xd8 [ 4.524481] process_one_work+0x210/0x62c [ 4.528494] worker_thread+0x1ac/0x340 [ 4.532245] kthread+0x10c/0x110 [ 4.535476] ret_from_fork+0x10/0x20 CVE-2025-21912 moderate In the Linux kernel, the following vulnerability has been resolved: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() Xen doesn't offer MSR_FAM10H_MMIO_CONF_BASE to all guests. This results in the following warning: unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0) Call Trace: xen_read_msr+0x1e/0x30 amd_get_mmconfig_range+0x2b/0x80 quirk_amd_mmconfig_area+0x28/0x100 pnp_fixup_device+0x39/0x50 __pnp_add_device+0xf/0x150 pnp_add_device+0x3d/0x100 pnpacpi_add_device_handler+0x1f9/0x280 acpi_ns_get_device_callback+0x104/0x1c0 acpi_ns_walk_namespace+0x1d0/0x260 acpi_get_devices+0x8a/0xb0 pnpacpi_init+0x50/0x80 do_one_initcall+0x46/0x2e0 kernel_init_freeable+0x1da/0x2f0 kernel_init+0x16/0x1b0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 based on quirks for a "PNP0c01" device. Treating MMCFG as disabled is the right course of action, so no change is needed there. This was most likely exposed by fixing the Xen MSR accessors to not be silently-safe. CVE-2025-21913 moderate In the Linux kernel, the following vulnerability has been resolved: slimbus: messaging: Free transaction ID in delayed interrupt scenario In case of interrupt delay for any reason, slim_do_transfer() returns timeout error but the transaction ID (TID) is not freed. This results into invalid memory access inside qcom_slim_ngd_rx_msgq_cb() due to invalid TID. Fix the issue by freeing the TID in slim_do_transfer() before returning timeout error to avoid invalid memory access. Call trace: __memcpy_fromio+0x20/0x190 qcom_slim_ngd_rx_msgq_cb+0x130/0x290 [slim_qcom_ngd_ctrl] vchan_complete+0x2a0/0x4a0 tasklet_action_common+0x274/0x700 tasklet_action+0x28/0x3c _stext+0x188/0x620 run_ksoftirqd+0x34/0x74 smpboot_thread_fn+0x1d8/0x464 kthread+0x178/0x238 ret_from_fork+0x10/0x20 Code: aa0003e8 91000429 f100044a 3940002b (3800150b) ---[ end trace 0fe00bec2b975c99 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt. CVE-2025-21914 moderate In the Linux kernel, the following vulnerability has been resolved: cdx: Fix possible UAF error in driver_override_show() Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs. The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users. Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. CVE-2025-21915 moderate In the Linux kernel, the following vulnerability has been resolved: usb: atm: cxacru: fix a flaw in existing endpoint checks Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")). While using usb_find_common_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient number of endpoints of correct types - one needs to check the endpoint's address as well. Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind, switch the endpoint verification approach to usb_check_XXX_endpoints() instead to fix incomplete ep testing. [1] Syzbot report: usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649 cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline] cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223 usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058 cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377 usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396 really_probe+0x2b9/0xad0 drivers/base/dd.c:658 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800 driver_probe_device+0x50/0x430 drivers/base/dd.c:830 ... CVE-2025-21916 moderate In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc_notify_hotplug() function. Flush the delayed work to avoid its execution when driver resources are unavailable. CVE-2025-21917 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix NULL pointer access Resources should be released only after all threads that utilize them have been destroyed. This commit ensures that resources are not released prematurely by waiting for the associated workqueue to complete before deallocating them. CVE-2025-21918 moderate In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction. The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000 CVE-2025-21922 moderate In the Linux kernel, the following vulnerability has been resolved: HID: hid-steam: Fix use-after-free when detaching device When a hid-steam device is removed it must clean up the client_hdev used for intercepting hidraw access. This can lead to scheduling deferred work to reattach the input device. Though the cleanup cancels the deferred work, this was done before the client_hdev itself is cleaned up, so it gets rescheduled. This patch fixes the ordering to make sure the deferred work is properly canceled. CVE-2025-21923 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error During the initialization of ptp, hclge_ptp_get_cycle might return an error and returned directly without unregister clock and free it. To avoid that, call hclge_ptp_destroy_clock to unregist and free clock if hclge_ptp_get_cycle failed. CVE-2025-21924 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. CVE-2025-21927 moderate In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, `hid_destroy_device()` uses `driver_data` when it calls `hid_ishtp_set_feature()` to power off the sensor, so freeing `driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary variable before calling `hid_destroy_device()`, and then freeing the `driver_data` after the device is destroyed. CVE-2025-21928 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't try to talk to a dead firmware This fixes: bad state = 0 WARNING: CPU: 10 PID: 702 at drivers/net/wireless/inel/iwlwifi/iwl-trans.c:178 iwl_trans_send_cmd+0xba/0xe0 [iwlwifi] Call Trace: <TASK> ? __warn+0xca/0x1c0 ? iwl_trans_send_cmd+0xba/0xe0 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a53ad9a531f8d4] iwl_fw_dbg_clear_monitor_buf+0xd7/0x110 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a53ad9a531f8d4] _iwl_dbgfs_fw_dbg_clear_write+0xe2/0x120 [iwlmvm 0e8adb18cea92d2c341766bcc10b18699290068a] Ask whether the firmware is alive before sending a command. CVE-2025-21930 moderate In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misues when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add "mport->net = NULL;" to avoid a use after free issue. CVE-2025-21934 moderate In the Linux kernel, the following vulnerability has been resolved: rapidio: add check for rio_add_net() in rio_scan_alloc_net() The return value of rio_add_net() should be checked. If it fails, put_device() should be called to free the memory and give up the reference initialized in rio_add_net(). CVE-2025-21935 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() Add check for the return value of mgmt_alloc_skb() in mgmt_device_connected() to prevent null pointer dereference. CVE-2025-21936 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() Add check for the return value of mgmt_alloc_skb() in mgmt_remote_name() to prevent null pointer dereference. CVE-2025-21937 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params Null pointer dereference issue could occur when pipe_ctx->plane_state is null. The fix adds a check to ensure 'pipe_ctx->plane_state' is not null before accessing. This prevents a null pointer dereference. Found by code review. (cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092) CVE-2025-21941 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: aggregator: protect driver attr handlers against module unload Both new_device_store and delete_device_store touch module global resources (e.g. gpio_aggregator_lock). To prevent race conditions with module unload, a reference needs to be held. Add try_module_get() in these handlers. For new_device_store, this eliminates what appears to be the most dangerous scenario: if an id is allocated from gpio_aggregator_idr but platform_device_register has not yet been called or completed, a concurrent module unload could fail to unregister/delete the device, leaving behind a dangling platform device/GPIO forwarder. This can result in various issues. The following simple reproducer demonstrates these problems: #!/bin/bash while :; do # note: whether 'gpiochip0 0' exists or not does not matter. echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device done & while :; do modprobe gpio-aggregator modprobe -r gpio-aggregator done & wait Starting with the following warning, several kinds of warnings will appear and the system may become unstable: ------------[ cut here ]------------ list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120 [...] RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120 [...] Call Trace: <TASK> ? __list_del_entry_valid_or_report+0xa3/0x120 ? __warn.cold+0x93/0xf2 ? __list_del_entry_valid_or_report+0xa3/0x120 ? report_bug+0xe6/0x170 ? __irq_work_queue_local+0x39/0xe0 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? __list_del_entry_valid_or_report+0xa3/0x120 gpiod_remove_lookup_table+0x22/0x60 new_device_store+0x315/0x350 [gpio_aggregator] kernfs_fop_write_iter+0x137/0x1f0 vfs_write+0x262/0x430 ksys_write+0x60/0xd0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> ---[ end trace 0000000000000000 ]--- CVE-2025-21943 moderate In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle Syzkaller reports a NULL pointer dereference issue in input_event(). BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline] BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395 Read of size 8 at addr 0000000000000028 by task syz-executor199/2949 CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 kasan_report+0xd9/0x110 mm/kasan/report.c:602 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] is_event_supported drivers/input/input.c:67 [inline] input_event+0x42/0xa0 drivers/input/input.c:395 input_report_key include/linux/input.h:439 [inline] key_down drivers/hid/hid-appleir.c:159 [inline] appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993 __run_hrtimer kernel/time/hrtimer.c:1739 [inline] __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185 add_timer+0x62/0x90 kernel/time/timer.c:1295 schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98 usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This happens due to the malformed report items sent by the emulated device which results in a report, that has no fields, being added to the report list. Due to this appleir_input_configured() is never called, hidinput_connect() fails which results in the HID_CLAIMED_INPUT flag is not being set. However, it does not make appleir_probe() fail and lets the event callback to be called without the associated input device. Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook early if the driver didn't claim any input_dev for some reason. Moreover, some other hid drivers accessing input_dev in their event callbacks do have similar checks, too. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-21948 moderate In the Linux kernel, the following vulnerability has been resolved: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of information leakage due to uninitialized bytes. CVE-2025-21950 moderate In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback. If the device is not alive during recovery_work, it will try to reset the device using pci_reset_function(). This function internally will take the device_lock() first before resetting the device. By this time, if the lock has already been acquired, then recovery_work will get stalled while waiting for the lock. And if the lock was already acquired by the caller which waits for the recovery_work to be completed, it will lead to deadlock. This is what happened on the X1E80100 CRD device when the device died before shutdown() callback. Driver core calls the driver's shutdown() callback while holding the device_lock() leading to deadlock. And this deadlock scenario can occur on other paths as well, like during the PM suspend() callback, where the driver core would hold the device_lock() before calling driver's suspend() callback. And if the recovery_work was already started, it could lead to deadlock. This is also observed on the X1E80100 CRD. So to fix both issues, use pci_try_reset_function() in recovery_work. This function first checks for the availability of the device_lock() before trying to reset the device. If the lock is available, it will acquire it and reset the device. Otherwise, it will return -EAGAIN. If that happens, recovery_work will fail with the error message "Recovery failed" as not much could be done. CVE-2025-21951 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: cleanup mana struct after debugfs_remove() When on a MANA VM hibernation is triggered, as part of hibernate_snapshot(), mana_gd_suspend() and mana_gd_resume() are called. If during this mana_gd_resume(), a failure occurs with HWC creation, mana_port_debugfs pointer does not get reinitialized and ends up pointing to older, cleaned-up dentry. Further in the hibernation path, as part of power_down(), mana_gd_shutdown() is triggered. This call, unaware of the failures in resume, tries to cleanup the already cleaned up mana_port_debugfs value and hits the following bug: [ 191.359296] mana 7870:00:00.0: Shutdown was called [ 191.359918] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 191.360584] #PF: supervisor write access in kernel mode [ 191.361125] #PF: error_code(0x0002) - not-present page [ 191.361727] PGD 1080ea067 P4D 0 [ 191.362172] Oops: Oops: 0002 [#1] SMP NOPTI [ 191.362606] CPU: 11 UID: 0 PID: 1674 Comm: bash Not tainted 6.14.0-rc5+ #2 [ 191.363292] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 191.364124] RIP: 0010:down_write+0x19/0x50 [ 191.364537] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb e8 de cd ff ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 16 65 48 8b 05 88 24 4c 6a 48 89 43 08 48 8b 5d [ 191.365867] RSP: 0000:ff45fbe0c1c037b8 EFLAGS: 00010246 [ 191.366350] RAX: 0000000000000000 RBX: 0000000000000098 RCX: ffffff8100000000 [ 191.366951] RDX: 0000000000000001 RSI: 0000000000000064 RDI: 0000000000000098 [ 191.367600] RBP: ff45fbe0c1c037c0 R08: 0000000000000000 R09: 0000000000000001 [ 191.368225] R10: ff45fbe0d2b01000 R11: 0000000000000008 R12: 0000000000000000 [ 191.368874] R13: 000000000000000b R14: ff43dc27509d67c0 R15: 0000000000000020 [ 191.369549] FS: 00007dbc5001e740(0000) GS:ff43dc663f380000(0000) knlGS:0000000000000000 [ 191.370213] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 191.370830] CR2: 0000000000000098 CR3: 0000000168e8e002 CR4: 0000000000b73ef0 [ 191.371557] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 191.372192] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 191.372906] Call Trace: [ 191.373262] <TASK> [ 191.373621] ? show_regs+0x64/0x70 [ 191.374040] ? __die+0x24/0x70 [ 191.374468] ? page_fault_oops+0x290/0x5b0 [ 191.374875] ? do_user_addr_fault+0x448/0x800 [ 191.375357] ? exc_page_fault+0x7a/0x160 [ 191.375971] ? asm_exc_page_fault+0x27/0x30 [ 191.376416] ? down_write+0x19/0x50 [ 191.376832] ? down_write+0x12/0x50 [ 191.377232] simple_recursive_removal+0x4a/0x2a0 [ 191.377679] ? __pfx_remove_one+0x10/0x10 [ 191.378088] debugfs_remove+0x44/0x70 [ 191.378530] mana_detach+0x17c/0x4f0 [ 191.378950] ? __flush_work+0x1e2/0x3b0 [ 191.379362] ? __cond_resched+0x1a/0x50 [ 191.379787] mana_remove+0xf2/0x1a0 [ 191.380193] mana_gd_shutdown+0x3b/0x70 [ 191.380642] pci_device_shutdown+0x3a/0x80 [ 191.381063] device_shutdown+0x13e/0x230 [ 191.381480] kernel_power_off+0x35/0x80 [ 191.381890] hibernate+0x3c6/0x470 [ 191.382312] state_store+0xcb/0xd0 [ 191.382734] kobj_attr_store+0x12/0x30 [ 191.383211] sysfs_kf_write+0x3e/0x50 [ 191.383640] kernfs_fop_write_iter+0x140/0x1d0 [ 191.384106] vfs_write+0x271/0x440 [ 191.384521] ksys_write+0x72/0xf0 [ 191.384924] __x64_sys_write+0x19/0x20 [ 191.385313] x64_sys_call+0x2b0/0x20b0 [ 191.385736] do_syscall_64+0x79/0x150 [ 191.386146] ? __mod_memcg_lruvec_state+0xe7/0x240 [ 191.386676] ? __lruvec_stat_mod_folio+0x79/0xb0 [ 191.387124] ? __pfx_lru_add+0x10/0x10 [ 191.387515] ? queued_spin_unlock+0x9/0x10 [ 191.387937] ? do_anonymous_page+0x33c/0xa00 [ 191.388374] ? __handle_mm_fault+0xcf3/0x1210 [ 191.388805] ? __count_memcg_events+0xbe/0x180 [ 191.389235] ? handle_mm_fault+0xae/0x300 [ 19 ---truncated--- CVE-2025-21953 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW] A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6600 XT. It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests. Also fixes the indentation in get_norm_pix_clk. (cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775) CVE-2025-21956 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 A null dereference or oops exception will eventually occur when qla1280.c driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I think its clear from the code that the intention here is sg_dma_len(s) not length of sg_next(s) when printing the debug info. CVE-2025-21957 moderate In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates ip_summed value too if checksum offload is enabled. This is actually duplicate work. When the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed is CHECKSUM_NONE or not. It means that ip_summed should be CHECKSUM_NONE at this moment. But ip_summed may already be updated to CHECKSUM_UNNECESSARY in the XDP-MB-PASS path. So the by skb_checksum_none_assert() WARNS about it. This is duplicate work and updating ip_summed in the bnxt_xdp_build_skb() is not needed. Splat looks like: WARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Modules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_] CPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27 Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Code: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f RSP: 0018:ffff88881ba09928 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000 RDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8 RBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070 R10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080 R13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000 FS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0xcd/0x2f0 ? bnxt_rx_pkt+0x479b/0x7610 ? report_bug+0x326/0x3c0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x16/0x20 ? bnxt_rx_pkt+0x479b/0x7610 ? bnxt_rx_pkt+0x3e41/0x7610 ? __pfx_bnxt_rx_pkt+0x10/0x10 ? napi_complete_done+0x2cf/0x7d0 __bnxt_poll_work+0x4e8/0x1220 ? __pfx___bnxt_poll_work+0x10/0x10 ? __pfx_mark_lock.part.0+0x10/0x10 bnxt_poll_p5+0x36a/0xfa0 ? __pfx_bnxt_poll_p5+0x10/0x10 __napi_poll.constprop.0+0xa0/0x440 net_rx_action+0x899/0xd00 ... Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue. CVE-2025-21960 moderate In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix truesize for mb-xdp-pass case When mb-xdp is set and return is XDP_PASS, packet is converted from xdp_buff to sk_buff with xdp_update_skb_shared_info() in bnxt_xdp_build_skb(). bnxt_xdp_build_skb() passes incorrect truesize argument to xdp_update_skb_shared_info(). The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but the skb_shared_info was wiped by napi_build_skb() before. So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it instead of getting skb_shared_info from xdp_get_shared_info_from_buff(). Splat looks like: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590 Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3 RIP: 0010:skb_try_coalesce+0x504/0x590 Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff <0f> 0b e99 RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287 RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0 RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003 RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900 R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740 R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0x84/0x130 ? skb_try_coalesce+0x504/0x590 ? report_bug+0x18a/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? skb_try_coalesce+0x504/0x590 inet_frag_reasm_finish+0x11f/0x2e0 ip_defrag+0x37a/0x900 ip_local_deliver+0x51/0x120 ip_sublist_rcv_finish+0x64/0x70 ip_sublist_rcv+0x179/0x210 ip_list_rcv+0xf9/0x130 How to reproduce: <Node A> ip link set $interface1 xdp obj xdp_pass.o ip link set $interface1 mtu 9000 up ip a a 10.0.0.1/24 dev $interface1 <Node B> ip link set $interfac2 mtu 9000 up ip a a 10.0.0.2/24 dev $interface2 ping 10.0.0.1 -s 65000 Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue. CVE-2025-21961 moderate In the Linux kernel, the following vulnerability has been resolved: dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Fix memory corruption due to incorrect parameter being passed to bio_init CVE-2025-21966 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128) CVE-2025-21968 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837 CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci1 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline] l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline] l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline] hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5837: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726 hci_event_func net/bluetooth/hci_event.c:7473 [inline] hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 54: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- CVE-2025-21969 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped. Besides, the bridge fdb entry's lastuse is updated in mlx5 bridge event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be ignored in this case because the upper interface for bond is deleted, and the entry will never be aged because lastuse is never updated. To make things worse, as the entry is alive, mlx5 bridge workqueue keeps sending that event, which is then handled by kernel bridge notifier. It causes the following crash when accessing the passed bond netdev which is already destroyed. To fix this issue, remove such checks. LAG state is already checked in commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding bond to bridge"), driver still need to skip offload if LAG becomes invalid state after initialization. Oops: stack segment: 0000 [#1] SMP CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core] RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge] Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7 RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297 RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0 RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60 R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? die+0x38/0x60 ? do_trap+0x10b/0x120 ? do_error_trap+0x64/0xa0 ? exc_stack_segment+0x33/0x50 ? asm_exc_stack_segment+0x22/0x30 ? br_switchdev_event+0x2c/0x110 [bridge] ? sched_balance_newidle.isra.149+0x248/0x390 notifier_call_chain+0x4b/0xa0 atomic_notifier_call_chain+0x16/0x20 mlx5_esw_bridge_update+0xec/0x170 [mlx5_core] mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core] process_scheduled_works+0x81/0x390 worker_thread+0x106/0x250 ? bh_worker+0x110/0x110 kthread+0xb7/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 </TASK> CVE-2025-21970 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal. CVE-2025-21971 moderate In the Linux kernel, the following vulnerability has been resolved: net: mctp: unshare packets when reassembling Ensure that the frag_list used for reassembly isn't shared with other packets. This avoids incorrect reassembly when packets are cloned, and prevents a memory leak due to circular references between fragments and their skb_shared_info. The upcoming MCTP-over-USB driver uses skb_clone which can trigger the problem - other MCTP drivers don't share SKBs. A kunit test is added to reproduce the issue. CVE-2025-21972 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: handle errors in mlx5_chains_create_table() In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns() and mlx5_get_flow_namespace() must be checked to prevent NULL pointer dereferences. If either function fails, the function should log error message with mlx5_core_warn() and return error pointer. CVE-2025-21975 moderate In the Linux kernel, the following vulnerability has been resolved: drm/hyperv: Fix address space leak when Hyper-V DRM device is removed When a Hyper-V DRM device is probed, the driver allocates MMIO space for the vram, and maps it cacheable. If the device removed, or in the error path for device probing, the MMIO space is released but no unmap is done. Consequently the kernel address space for the mapping is leaked. Fix this by adding iounmap() calls in the device removal path, and in the error path during device probing. CVE-2025-21978 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel wiphy_work before freeing wiphy A wiphy_work can be queued from the moment the wiphy is allocated and initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the rdev::wiphy_work is getting queued. If wiphy_free is called before the rdev::wiphy_work had a chance to run, the wiphy memory will be freed, and then when it eventally gets to run it'll use invalid memory. Fix this by canceling the work before freeing the wiphy. CVE-2025-21979 moderate In the Linux kernel, the following vulnerability has been resolved: ice: fix memory leak in aRFS after reset Fix aRFS (accelerated Receive Flow Steering) structures memory leak by adding a checker to verify if aRFS memory is already allocated while configuring VSI. aRFS objects are allocated in two cases: - as part of VSI initialization (at probe), and - as part of reset handling However, VSI reconfiguration executed during reset involves memory allocation one more time, without prior releasing already allocated resources. This led to the memory leak with the following signature: [root@os-delivery ~]# cat /sys/kernel/debug/kmemleak unreferenced object 0xff3c1ca7252e6000 (size 8192): comm "kworker/0:0", pid 8, jiffies 4296833052 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): [<ffffffff991ec485>] __kmalloc_cache_noprof+0x275/0x340 [<ffffffffc0a6e06a>] ice_init_arfs+0x3a/0xe0 [ice] [<ffffffffc09f1027>] ice_vsi_cfg_def+0x607/0x850 [ice] [<ffffffffc09f244b>] ice_vsi_setup+0x5b/0x130 [ice] [<ffffffffc09c2131>] ice_init+0x1c1/0x460 [ice] [<ffffffffc09c64af>] ice_probe+0x2af/0x520 [ice] [<ffffffff994fbcd3>] local_pci_probe+0x43/0xa0 [<ffffffff98f07103>] work_for_cpu_fn+0x13/0x20 [<ffffffff98f0b6d9>] process_one_work+0x179/0x390 [<ffffffff98f0c1e9>] worker_thread+0x239/0x340 [<ffffffff98f14abc>] kthread+0xcc/0x100 [<ffffffff98e45a6d>] ret_from_fork+0x2d/0x50 [<ffffffff98e083ba>] ret_from_fork_asm+0x1a/0x30 ... CVE-2025-21981 moderate In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ] CVE-2025-21991 moderate In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff Add this device to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace. CVE-2025-21992 moderate In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. CVE-2025-21993 moderate In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix fence reference count leak The last_scheduled fence leaks when an entity is being killed and adding the cleanup callback fails. Decrement the reference count of prev when dma_fence_add_callback() fails, ensuring proper balance. [phasta: add git tag info for stable kernel] CVE-2025-21995 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68) CVE-2025-21996 moderate In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug. CVE-2025-22001 moderate In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternative :)). Let's consider below buffers: dest[len + 1]; /* will be NUL terminated */ src[len]; /* may not be NUL terminated */ When doing: strncpy(dest, src, len); dest[len] = '\0'; strncpy() will read up to len bytes from src. On the other hand: strscpy(dest, src, len + 1); will read up to len + 1 bytes from src, that is to say, an out of bound read of one byte will occur on src if it is not NUL terminated. Note that the src[len] byte is never copied, but strscpy() still needs to read it to check whether a truncation occurred or not. This exact pattern happened in ucan. The root cause is that the source is not NUL terminated. Instead of doing a copy in a local buffer, directly NUL terminate it as soon as usb_control_msg() returns. With this, the local firmware_str[] variable can be removed. On top of this do a couple refactors: - ucan_ctl_payload->raw is only used for the firmware string, so rename it to ucan_ctl_payload->fw_str and change its type from u8 to char. - ucan_device_request_in() is only used to retrieve the firmware string, so rename it to ucan_get_fw_str() and refactor it to make it directly handle all the string termination logic. CVE-2025-22003 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. CVE-2025-22007 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it. CVE-2025-22008 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: dummy: force synchronous probing Sometimes I get a NULL pointer dereference at boot time in kobject_get() with the following call stack: anatop_regulator_probe() devm_regulator_register() regulator_register() regulator_resolve_supply() kobject_get() By placing some extra BUG_ON() statements I could verify that this is raised because probing of the 'dummy' regulator driver is not completed ('dummy_regulator_rdev' is still NULL). In the JTAG debugger I can see that dummy_regulator_probe() and anatop_regulator_probe() can be run by different kernel threads (kworker/u4:*). I haven't further investigated whether this can be changed or if there are other possibilities to force synchronization between these two probe routines. On the other hand I don't expect much boot time penalty by probing the 'dummy' regulator synchronously. CVE-2025-22009 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup during bt pages loop Driver runs a for-loop when allocating bt pages and mapping them with buffer pages. When a large buffer (e.g. MR over 100GB) is being allocated, it may require a considerable loop count. This will lead to soft lockup: watchdog: BUG: soft lockup - CPU#27 stuck for 22s! ... Call trace: hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2] hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2] hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2] alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2] hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x118/0x290 watchdog: BUG: soft lockup - CPU#35 stuck for 23s! ... Call trace: hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2] mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2] hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2] alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2] hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x120/0x2bc Add a cond_resched() to fix soft lockup during these loops. In order not to affect the allocation performance of normal-size buffer, set the loop count of a 100GB MR as the threshold to call cond_resched(). CVE-2025-22010 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including: * Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger: https://issues.redhat.com/browse/RHEL-68997 * Host SVE state is discarded *after* modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state. * The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory. Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME state when loading a vCPU such that KVM does not need to save any of the host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is removed and the necessary call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr' should not be used, they are set to NULL; all uses of these will be removed in subsequent patches. Historical problems go back at least as far as v5.17, e.g. erroneous assumptions about TIF_SVE being clear in commit: 8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving") ... and so this eager save+flush probably needs to be backported to ALL stable trees. CVE-2025-22013 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: Fix the potential deadlock When some client process A call pdr_add_lookup() to add the look up for the service and does schedule locator work, later a process B got a new server packet indicating locator is up and call pdr_locator_new_server() which eventually sets pdr->locator_init_complete to true which process A sees and takes list lock and queries domain list but it will timeout due to deadlock as the response will queued to the same qmi->wq and it is ordered workqueue and process B is not able to complete new server request work due to deadlock on list lock. Fix it by removing the unnecessary list iteration as the list iteration is already being done inside locator work, so avoid it here and just call schedule_work() here. Process A Process B process_scheduled_works() pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err("PDR: %s get domain list txn wait failed: %d\n", req->service_name, ret); Timeout error log due to deadlock: " PDR: tms/servreg get domain list txn wait failed: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110 " Thanks to Bjorn and Johan for letting me know that this commit also fixes an audio regression when using the in-kernel pd-mapper as that makes it easier to hit this race. [1] CVE-2025-22014 moderate An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CVE-2025-22868 important SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. CVE-2025-22869 important In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password. CVE-2025-23013 moderate A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache. CVE-2025-2312 moderate In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. CVE-2025-24528 moderate numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. CVE-2025-24855 important libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. CVE-2025-24928 moderate A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. CVE-2025-26465 moderate libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. CVE-2025-27113 moderate Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters. CVE-2025-27144 moderate