Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2902-1 Final 1 1 2024-08-14T07:25:23Z current 2024-08-14T07:25:23Z 2024-08-14T07:25:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-39494: ima: Fix use-after-free on a dentry's dname.name (bsc#1227716). - CVE-2024-41069: ASoC: topology: Fix route memory corruption (bsc#1228644). - CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails (bsc#1227808) - CVE-2024-42145: IB/core: Implement a limit on UMAD receive List (bsc#1228743). - CVE-2024-40994: ptp: fix integer overflow in max_vclocks_store (bsc#1227829). - CVE-2024-41012: filelock: Remove locks reliably when fcntl/close race is detected (bsc#1228247). - CVE-2024-42093: net/dpaa2: Avoid explicit cpumask var allocation on stack (bsc#1228680). - CVE-2024-40989: KVM: arm64: Disassociate vcpus from redistributor region on teardown (bsc#1227823). - CVE-2024-41059: hfsplus: fix uninit-value in copy_name (bsc#1228561). - CVE-2024-40956: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (bsc#1227810). - CVE-2024-41090: tap: add missing verification for short frame (bsc#1228328). - CVE-2024-41011: drm/amdkfd: do not allow mapping the MMIO HDP page with large pages (bsc#1228114). - CVE-2024-39463: 9p: add missing locking around taking dentry fid list (bsc#1227090). - CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init() (bsc#1226574). - CVE-2024-40937: gve: Clear napi->skb before dev_kfree_skb_any() (bsc#1227836). - CVE-2024-35901: net: mana: Fix Rx DMA datasize and skb_over_panic (bsc#1224495). - CVE-2024-42230: powerpc/pseries: Fix scv instruction crash with kexec (bsc#1194869). - CVE-2024-36974: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP (bsc#1226519). - CVE-2024-38555: net/mlx5: Discard command completions in internal error (bsc#1226607). The following non-security bugs were fixed: - NFS: Do not re-read the entire page cache to find the next cookie (bsc#1226662). - NFS: Reduce use of uncached readdir (bsc#1226662). - NFSv4.x: by default serialize open/close operations (bsc#1226226 bsc#1223863). - X.509: Fix the parser of extended key usage for length (bsc#1218820). - btrfs: sysfs: update fs features directory asynchronously (bsc#1226168). - cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801). - jfs: xattr: fix buffer overflow for invalid xattr (bsc#1227383). - kABI: rtas: Workaround false positive due to lost definition (bsc#1227487). - kernel-binary: vdso: Own module_dir - net/dcb: check for detached device before executing callbacks (bsc#1215587). - ocfs2: fix DIO failure due to insufficient transaction credits (bsc#1216834). - powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() (bsc#1227487). - powerpc/rtas: clean up includes (bsc#1227487). - workqueue: Improve scalability of workqueue watchdog touch (bsc#1193454). - workqueue: wq_watchdog_touch is always called with valid CPU (bsc#1193454). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2902,SUSE-SLE-Micro-5.3-2024-2902,SUSE-SLE-Micro-5.4-2024-2902 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ Link for SUSE-SU-2024:2902-1 https://lists.suse.com/pipermail/sle-updates/2024-August/036443.html E-Mail link for SUSE-SU-2024:2902-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1156395 SUSE Bug 1156395 https://bugzilla.suse.com/1190336 SUSE Bug 1190336 https://bugzilla.suse.com/1191958 SUSE Bug 1191958 https://bugzilla.suse.com/1193454 SUSE Bug 1193454 https://bugzilla.suse.com/1193554 SUSE Bug 1193554 https://bugzilla.suse.com/1193787 SUSE Bug 1193787 https://bugzilla.suse.com/1193883 SUSE Bug 1193883 https://bugzilla.suse.com/1194324 SUSE Bug 1194324 https://bugzilla.suse.com/1194826 SUSE Bug 1194826 https://bugzilla.suse.com/1194869 SUSE Bug 1194869 https://bugzilla.suse.com/1195065 SUSE Bug 1195065 https://bugzilla.suse.com/1195254 SUSE Bug 1195254 https://bugzilla.suse.com/1195341 SUSE Bug 1195341 https://bugzilla.suse.com/1195349 SUSE Bug 1195349 https://bugzilla.suse.com/1195357 SUSE Bug 1195357 https://bugzilla.suse.com/1195668 SUSE Bug 1195668 https://bugzilla.suse.com/1195927 SUSE Bug 1195927 https://bugzilla.suse.com/1195957 SUSE Bug 1195957 https://bugzilla.suse.com/1196018 SUSE Bug 1196018 https://bugzilla.suse.com/1196746 SUSE Bug 1196746 https://bugzilla.suse.com/1196823 SUSE Bug 1196823 https://bugzilla.suse.com/1197146 SUSE Bug 1197146 https://bugzilla.suse.com/1197246 SUSE Bug 1197246 https://bugzilla.suse.com/1197762 SUSE Bug 1197762 https://bugzilla.suse.com/1197915 SUSE Bug 1197915 https://bugzilla.suse.com/1198014 SUSE Bug 1198014 https://bugzilla.suse.com/1199295 SUSE Bug 1199295 https://bugzilla.suse.com/1202346 SUSE Bug 1202346 https://bugzilla.suse.com/1202686 SUSE Bug 1202686 https://bugzilla.suse.com/1202767 SUSE Bug 1202767 https://bugzilla.suse.com/1202780 SUSE Bug 1202780 https://bugzilla.suse.com/1209636 SUSE Bug 1209636 https://bugzilla.suse.com/1213123 SUSE Bug 1213123 https://bugzilla.suse.com/1215587 SUSE Bug 1215587 https://bugzilla.suse.com/1216834 SUSE Bug 1216834 https://bugzilla.suse.com/1218820 SUSE Bug 1218820 https://bugzilla.suse.com/1220185 SUSE Bug 1220185 https://bugzilla.suse.com/1220186 SUSE Bug 1220186 https://bugzilla.suse.com/1222728 SUSE Bug 1222728 https://bugzilla.suse.com/1222809 SUSE Bug 1222809 https://bugzilla.suse.com/1222810 SUSE Bug 1222810 https://bugzilla.suse.com/1223635 SUSE Bug 1223635 https://bugzilla.suse.com/1223863 SUSE Bug 1223863 https://bugzilla.suse.com/1224495 SUSE Bug 1224495 https://bugzilla.suse.com/1224671 SUSE Bug 1224671 https://bugzilla.suse.com/1225573 SUSE Bug 1225573 https://bugzilla.suse.com/1226168 SUSE Bug 1226168 https://bugzilla.suse.com/1226226 SUSE Bug 1226226 https://bugzilla.suse.com/1226519 SUSE Bug 1226519 https://bugzilla.suse.com/1226537 SUSE Bug 1226537 https://bugzilla.suse.com/1226539 SUSE Bug 1226539 https://bugzilla.suse.com/1226550 SUSE Bug 1226550 https://bugzilla.suse.com/1226553 SUSE Bug 1226553 https://bugzilla.suse.com/1226554 SUSE Bug 1226554 https://bugzilla.suse.com/1226556 SUSE Bug 1226556 https://bugzilla.suse.com/1226557 SUSE Bug 1226557 https://bugzilla.suse.com/1226558 SUSE Bug 1226558 https://bugzilla.suse.com/1226559 SUSE Bug 1226559 https://bugzilla.suse.com/1226561 SUSE Bug 1226561 https://bugzilla.suse.com/1226562 SUSE Bug 1226562 https://bugzilla.suse.com/1226563 SUSE Bug 1226563 https://bugzilla.suse.com/1226564 SUSE Bug 1226564 https://bugzilla.suse.com/1226567 SUSE Bug 1226567 https://bugzilla.suse.com/1226569 SUSE Bug 1226569 https://bugzilla.suse.com/1226572 SUSE Bug 1226572 https://bugzilla.suse.com/1226574 SUSE Bug 1226574 https://bugzilla.suse.com/1226575 SUSE Bug 1226575 https://bugzilla.suse.com/1226576 SUSE Bug 1226576 https://bugzilla.suse.com/1226577 SUSE Bug 1226577 https://bugzilla.suse.com/1226580 SUSE Bug 1226580 https://bugzilla.suse.com/1226583 SUSE Bug 1226583 https://bugzilla.suse.com/1226585 SUSE Bug 1226585 https://bugzilla.suse.com/1226587 SUSE Bug 1226587 https://bugzilla.suse.com/1226601 SUSE Bug 1226601 https://bugzilla.suse.com/1226602 SUSE Bug 1226602 https://bugzilla.suse.com/1226603 SUSE Bug 1226603 https://bugzilla.suse.com/1226607 SUSE Bug 1226607 https://bugzilla.suse.com/1226614 SUSE Bug 1226614 https://bugzilla.suse.com/1226617 SUSE Bug 1226617 https://bugzilla.suse.com/1226618 SUSE Bug 1226618 https://bugzilla.suse.com/1226619 SUSE Bug 1226619 https://bugzilla.suse.com/1226621 SUSE Bug 1226621 https://bugzilla.suse.com/1226624 SUSE Bug 1226624 https://bugzilla.suse.com/1226626 SUSE Bug 1226626 https://bugzilla.suse.com/1226628 SUSE Bug 1226628 https://bugzilla.suse.com/1226629 SUSE Bug 1226629 https://bugzilla.suse.com/1226643 SUSE Bug 1226643 https://bugzilla.suse.com/1226644 SUSE Bug 1226644 https://bugzilla.suse.com/1226645 SUSE Bug 1226645 https://bugzilla.suse.com/1226650 SUSE Bug 1226650 https://bugzilla.suse.com/1226653 SUSE Bug 1226653 https://bugzilla.suse.com/1226662 SUSE Bug 1226662 https://bugzilla.suse.com/1226669 SUSE Bug 1226669 https://bugzilla.suse.com/1226670 SUSE Bug 1226670 https://bugzilla.suse.com/1226672 SUSE Bug 1226672 https://bugzilla.suse.com/1226673 SUSE Bug 1226673 https://bugzilla.suse.com/1226674 SUSE Bug 1226674 https://bugzilla.suse.com/1226675 SUSE Bug 1226675 https://bugzilla.suse.com/1226679 SUSE Bug 1226679 https://bugzilla.suse.com/1226683 SUSE Bug 1226683 https://bugzilla.suse.com/1226685 SUSE Bug 1226685 https://bugzilla.suse.com/1226686 SUSE Bug 1226686 https://bugzilla.suse.com/1226690 SUSE Bug 1226690 https://bugzilla.suse.com/1226691 SUSE Bug 1226691 https://bugzilla.suse.com/1226692 SUSE Bug 1226692 https://bugzilla.suse.com/1226696 SUSE Bug 1226696 https://bugzilla.suse.com/1226697 SUSE Bug 1226697 https://bugzilla.suse.com/1226698 SUSE Bug 1226698 https://bugzilla.suse.com/1226699 SUSE Bug 1226699 https://bugzilla.suse.com/1226701 SUSE Bug 1226701 https://bugzilla.suse.com/1226702 SUSE Bug 1226702 https://bugzilla.suse.com/1226703 SUSE Bug 1226703 https://bugzilla.suse.com/1226705 SUSE Bug 1226705 https://bugzilla.suse.com/1226708 SUSE Bug 1226708 https://bugzilla.suse.com/1226709 SUSE Bug 1226709 https://bugzilla.suse.com/1226710 SUSE Bug 1226710 https://bugzilla.suse.com/1226711 SUSE Bug 1226711 https://bugzilla.suse.com/1226712 SUSE Bug 1226712 https://bugzilla.suse.com/1226713 SUSE Bug 1226713 https://bugzilla.suse.com/1226715 SUSE Bug 1226715 https://bugzilla.suse.com/1226716 SUSE Bug 1226716 https://bugzilla.suse.com/1226719 SUSE Bug 1226719 https://bugzilla.suse.com/1226720 SUSE Bug 1226720 https://bugzilla.suse.com/1226721 SUSE Bug 1226721 https://bugzilla.suse.com/1226732 SUSE Bug 1226732 https://bugzilla.suse.com/1226762 SUSE Bug 1226762 https://bugzilla.suse.com/1227090 SUSE Bug 1227090 https://bugzilla.suse.com/1227383 SUSE Bug 1227383 https://bugzilla.suse.com/1227487 SUSE Bug 1227487 https://bugzilla.suse.com/1227549 SUSE Bug 1227549 https://bugzilla.suse.com/1227716 SUSE Bug 1227716 https://bugzilla.suse.com/1227750 SUSE Bug 1227750 https://bugzilla.suse.com/1227764 SUSE Bug 1227764 https://bugzilla.suse.com/1227808 SUSE Bug 1227808 https://bugzilla.suse.com/1227810 SUSE Bug 1227810 https://bugzilla.suse.com/1227823 SUSE Bug 1227823 https://bugzilla.suse.com/1227829 SUSE Bug 1227829 https://bugzilla.suse.com/1227836 SUSE Bug 1227836 https://bugzilla.suse.com/1227917 SUSE Bug 1227917 https://bugzilla.suse.com/1227920 SUSE Bug 1227920 https://bugzilla.suse.com/1227921 SUSE Bug 1227921 https://bugzilla.suse.com/1227922 SUSE Bug 1227922 https://bugzilla.suse.com/1227923 SUSE Bug 1227923 https://bugzilla.suse.com/1227924 SUSE Bug 1227924 https://bugzilla.suse.com/1227925 SUSE Bug 1227925 https://bugzilla.suse.com/1227928 SUSE Bug 1227928 https://bugzilla.suse.com/1227931 SUSE Bug 1227931 https://bugzilla.suse.com/1227932 SUSE Bug 1227932 https://bugzilla.suse.com/1227933 SUSE Bug 1227933 https://bugzilla.suse.com/1227935 SUSE Bug 1227935 https://bugzilla.suse.com/1227938 SUSE Bug 1227938 https://bugzilla.suse.com/1227941 SUSE Bug 1227941 https://bugzilla.suse.com/1227942 SUSE Bug 1227942 https://bugzilla.suse.com/1227944 SUSE Bug 1227944 https://bugzilla.suse.com/1227945 SUSE Bug 1227945 https://bugzilla.suse.com/1227948 SUSE Bug 1227948 https://bugzilla.suse.com/1227949 SUSE Bug 1227949 https://bugzilla.suse.com/1227952 SUSE Bug 1227952 https://bugzilla.suse.com/1227953 SUSE Bug 1227953 https://bugzilla.suse.com/1227954 SUSE Bug 1227954 https://bugzilla.suse.com/1227956 SUSE Bug 1227956 https://bugzilla.suse.com/1227963 SUSE Bug 1227963 https://bugzilla.suse.com/1227964 SUSE Bug 1227964 https://bugzilla.suse.com/1227965 SUSE Bug 1227965 https://bugzilla.suse.com/1227968 SUSE Bug 1227968 https://bugzilla.suse.com/1227969 SUSE Bug 1227969 https://bugzilla.suse.com/1227970 SUSE Bug 1227970 https://bugzilla.suse.com/1227971 SUSE Bug 1227971 https://bugzilla.suse.com/1227972 SUSE Bug 1227972 https://bugzilla.suse.com/1227975 SUSE Bug 1227975 https://bugzilla.suse.com/1227976 SUSE Bug 1227976 https://bugzilla.suse.com/1227981 SUSE Bug 1227981 https://bugzilla.suse.com/1227982 SUSE Bug 1227982 https://bugzilla.suse.com/1227985 SUSE Bug 1227985 https://bugzilla.suse.com/1227986 SUSE Bug 1227986 https://bugzilla.suse.com/1227987 SUSE Bug 1227987 https://bugzilla.suse.com/1227988 SUSE Bug 1227988 https://bugzilla.suse.com/1227989 SUSE Bug 1227989 https://bugzilla.suse.com/1227990 SUSE Bug 1227990 https://bugzilla.suse.com/1227991 SUSE Bug 1227991 https://bugzilla.suse.com/1227993 SUSE Bug 1227993 https://bugzilla.suse.com/1227995 SUSE Bug 1227995 https://bugzilla.suse.com/1227996 SUSE Bug 1227996 https://bugzilla.suse.com/1227997 SUSE Bug 1227997 https://bugzilla.suse.com/1228000 SUSE Bug 1228000 https://bugzilla.suse.com/1228002 SUSE Bug 1228002 https://bugzilla.suse.com/1228004 SUSE Bug 1228004 https://bugzilla.suse.com/1228005 SUSE Bug 1228005 https://bugzilla.suse.com/1228006 SUSE Bug 1228006 https://bugzilla.suse.com/1228007 SUSE Bug 1228007 https://bugzilla.suse.com/1228008 SUSE Bug 1228008 https://bugzilla.suse.com/1228009 SUSE Bug 1228009 https://bugzilla.suse.com/1228010 SUSE Bug 1228010 https://bugzilla.suse.com/1228013 SUSE Bug 1228013 https://bugzilla.suse.com/1228014 SUSE Bug 1228014 https://bugzilla.suse.com/1228015 SUSE Bug 1228015 https://bugzilla.suse.com/1228019 SUSE Bug 1228019 https://bugzilla.suse.com/1228025 SUSE Bug 1228025 https://bugzilla.suse.com/1228028 SUSE Bug 1228028 https://bugzilla.suse.com/1228035 SUSE Bug 1228035 https://bugzilla.suse.com/1228037 SUSE Bug 1228037 https://bugzilla.suse.com/1228038 SUSE Bug 1228038 https://bugzilla.suse.com/1228039 SUSE Bug 1228039 https://bugzilla.suse.com/1228040 SUSE Bug 1228040 https://bugzilla.suse.com/1228045 SUSE Bug 1228045 https://bugzilla.suse.com/1228054 SUSE Bug 1228054 https://bugzilla.suse.com/1228055 SUSE Bug 1228055 https://bugzilla.suse.com/1228056 SUSE Bug 1228056 https://bugzilla.suse.com/1228060 SUSE Bug 1228060 https://bugzilla.suse.com/1228061 SUSE Bug 1228061 https://bugzilla.suse.com/1228062 SUSE Bug 1228062 https://bugzilla.suse.com/1228063 SUSE Bug 1228063 https://bugzilla.suse.com/1228064 SUSE Bug 1228064 https://bugzilla.suse.com/1228066 SUSE Bug 1228066 https://bugzilla.suse.com/1228114 SUSE Bug 1228114 https://bugzilla.suse.com/1228247 SUSE Bug 1228247 https://bugzilla.suse.com/1228328 SUSE Bug 1228328 https://bugzilla.suse.com/1228561 SUSE Bug 1228561 https://bugzilla.suse.com/1228644 SUSE Bug 1228644 https://bugzilla.suse.com/1228680 SUSE Bug 1228680 https://bugzilla.suse.com/1228743 SUSE Bug 1228743 https://bugzilla.suse.com/1228801 SUSE Bug 1228801 https://www.suse.com/security/cve/CVE-2021-4439/ SUSE CVE CVE-2021-4439 page https://www.suse.com/security/cve/CVE-2021-47534/ SUSE CVE CVE-2021-47534 page https://www.suse.com/security/cve/CVE-2021-47576/ SUSE CVE CVE-2021-47576 page https://www.suse.com/security/cve/CVE-2021-47578/ SUSE CVE CVE-2021-47578 page https://www.suse.com/security/cve/CVE-2021-47580/ SUSE CVE CVE-2021-47580 page https://www.suse.com/security/cve/CVE-2021-47582/ SUSE CVE CVE-2021-47582 page https://www.suse.com/security/cve/CVE-2021-47583/ SUSE CVE CVE-2021-47583 page https://www.suse.com/security/cve/CVE-2021-47584/ SUSE CVE CVE-2021-47584 page https://www.suse.com/security/cve/CVE-2021-47585/ SUSE CVE CVE-2021-47585 page https://www.suse.com/security/cve/CVE-2021-47586/ SUSE CVE CVE-2021-47586 page https://www.suse.com/security/cve/CVE-2021-47587/ SUSE CVE CVE-2021-47587 page https://www.suse.com/security/cve/CVE-2021-47589/ SUSE CVE CVE-2021-47589 page https://www.suse.com/security/cve/CVE-2021-47592/ SUSE CVE CVE-2021-47592 page https://www.suse.com/security/cve/CVE-2021-47596/ SUSE CVE CVE-2021-47596 page https://www.suse.com/security/cve/CVE-2021-47597/ SUSE CVE CVE-2021-47597 page https://www.suse.com/security/cve/CVE-2021-47598/ SUSE CVE CVE-2021-47598 page https://www.suse.com/security/cve/CVE-2021-47600/ SUSE CVE CVE-2021-47600 page https://www.suse.com/security/cve/CVE-2021-47601/ SUSE CVE CVE-2021-47601 page https://www.suse.com/security/cve/CVE-2021-47602/ SUSE CVE CVE-2021-47602 page https://www.suse.com/security/cve/CVE-2021-47603/ SUSE CVE CVE-2021-47603 page https://www.suse.com/security/cve/CVE-2021-47607/ SUSE CVE CVE-2021-47607 page https://www.suse.com/security/cve/CVE-2021-47608/ SUSE CVE CVE-2021-47608 page https://www.suse.com/security/cve/CVE-2021-47609/ SUSE CVE CVE-2021-47609 page https://www.suse.com/security/cve/CVE-2021-47611/ SUSE CVE CVE-2021-47611 page https://www.suse.com/security/cve/CVE-2021-47612/ SUSE CVE CVE-2021-47612 page https://www.suse.com/security/cve/CVE-2021-47614/ SUSE CVE CVE-2021-47614 page https://www.suse.com/security/cve/CVE-2021-47615/ SUSE CVE CVE-2021-47615 page https://www.suse.com/security/cve/CVE-2021-47616/ SUSE CVE CVE-2021-47616 page https://www.suse.com/security/cve/CVE-2021-47617/ SUSE CVE CVE-2021-47617 page https://www.suse.com/security/cve/CVE-2021-47618/ SUSE CVE CVE-2021-47618 page https://www.suse.com/security/cve/CVE-2021-47619/ SUSE CVE CVE-2021-47619 page https://www.suse.com/security/cve/CVE-2021-47620/ SUSE CVE CVE-2021-47620 page https://www.suse.com/security/cve/CVE-2021-47622/ SUSE CVE CVE-2021-47622 page https://www.suse.com/security/cve/CVE-2021-47624/ SUSE CVE CVE-2021-47624 page https://www.suse.com/security/cve/CVE-2022-48711/ SUSE CVE CVE-2022-48711 page https://www.suse.com/security/cve/CVE-2022-48712/ SUSE CVE CVE-2022-48712 page https://www.suse.com/security/cve/CVE-2022-48713/ SUSE CVE CVE-2022-48713 page https://www.suse.com/security/cve/CVE-2022-48715/ SUSE CVE CVE-2022-48715 page https://www.suse.com/security/cve/CVE-2022-48717/ SUSE CVE CVE-2022-48717 page https://www.suse.com/security/cve/CVE-2022-48720/ SUSE CVE CVE-2022-48720 page https://www.suse.com/security/cve/CVE-2022-48721/ SUSE CVE CVE-2022-48721 page https://www.suse.com/security/cve/CVE-2022-48722/ SUSE CVE CVE-2022-48722 page https://www.suse.com/security/cve/CVE-2022-48723/ SUSE CVE CVE-2022-48723 page https://www.suse.com/security/cve/CVE-2022-48724/ SUSE CVE CVE-2022-48724 page https://www.suse.com/security/cve/CVE-2022-48725/ SUSE CVE CVE-2022-48725 page https://www.suse.com/security/cve/CVE-2022-48726/ SUSE CVE CVE-2022-48726 page https://www.suse.com/security/cve/CVE-2022-48727/ SUSE CVE CVE-2022-48727 page https://www.suse.com/security/cve/CVE-2022-48728/ SUSE CVE CVE-2022-48728 page https://www.suse.com/security/cve/CVE-2022-48729/ SUSE CVE CVE-2022-48729 page https://www.suse.com/security/cve/CVE-2022-48730/ SUSE CVE CVE-2022-48730 page https://www.suse.com/security/cve/CVE-2022-48732/ SUSE CVE CVE-2022-48732 page https://www.suse.com/security/cve/CVE-2022-48734/ SUSE CVE CVE-2022-48734 page https://www.suse.com/security/cve/CVE-2022-48735/ SUSE CVE CVE-2022-48735 page https://www.suse.com/security/cve/CVE-2022-48736/ SUSE CVE CVE-2022-48736 page https://www.suse.com/security/cve/CVE-2022-48737/ SUSE CVE CVE-2022-48737 page https://www.suse.com/security/cve/CVE-2022-48738/ SUSE CVE CVE-2022-48738 page https://www.suse.com/security/cve/CVE-2022-48739/ SUSE CVE CVE-2022-48739 page https://www.suse.com/security/cve/CVE-2022-48740/ SUSE CVE CVE-2022-48740 page https://www.suse.com/security/cve/CVE-2022-48743/ SUSE CVE CVE-2022-48743 page https://www.suse.com/security/cve/CVE-2022-48744/ SUSE CVE CVE-2022-48744 page https://www.suse.com/security/cve/CVE-2022-48745/ SUSE CVE CVE-2022-48745 page https://www.suse.com/security/cve/CVE-2022-48746/ SUSE CVE CVE-2022-48746 page https://www.suse.com/security/cve/CVE-2022-48747/ SUSE CVE CVE-2022-48747 page https://www.suse.com/security/cve/CVE-2022-48749/ SUSE CVE CVE-2022-48749 page https://www.suse.com/security/cve/CVE-2022-48751/ SUSE CVE CVE-2022-48751 page https://www.suse.com/security/cve/CVE-2022-48752/ SUSE CVE CVE-2022-48752 page https://www.suse.com/security/cve/CVE-2022-48754/ SUSE CVE CVE-2022-48754 page https://www.suse.com/security/cve/CVE-2022-48756/ SUSE CVE CVE-2022-48756 page https://www.suse.com/security/cve/CVE-2022-48758/ SUSE CVE CVE-2022-48758 page https://www.suse.com/security/cve/CVE-2022-48759/ SUSE CVE CVE-2022-48759 page https://www.suse.com/security/cve/CVE-2022-48760/ SUSE CVE CVE-2022-48760 page https://www.suse.com/security/cve/CVE-2022-48761/ SUSE CVE CVE-2022-48761 page https://www.suse.com/security/cve/CVE-2022-48763/ SUSE CVE CVE-2022-48763 page https://www.suse.com/security/cve/CVE-2022-48765/ SUSE CVE CVE-2022-48765 page https://www.suse.com/security/cve/CVE-2022-48767/ SUSE CVE CVE-2022-48767 page https://www.suse.com/security/cve/CVE-2022-48768/ SUSE CVE CVE-2022-48768 page https://www.suse.com/security/cve/CVE-2022-48769/ SUSE CVE CVE-2022-48769 page https://www.suse.com/security/cve/CVE-2022-48771/ SUSE CVE CVE-2022-48771 page https://www.suse.com/security/cve/CVE-2022-48773/ SUSE CVE CVE-2022-48773 page https://www.suse.com/security/cve/CVE-2022-48774/ SUSE CVE CVE-2022-48774 page https://www.suse.com/security/cve/CVE-2022-48775/ SUSE CVE CVE-2022-48775 page https://www.suse.com/security/cve/CVE-2022-48776/ SUSE CVE CVE-2022-48776 page https://www.suse.com/security/cve/CVE-2022-48777/ SUSE CVE CVE-2022-48777 page https://www.suse.com/security/cve/CVE-2022-48778/ SUSE CVE CVE-2022-48778 page https://www.suse.com/security/cve/CVE-2022-48780/ SUSE CVE CVE-2022-48780 page https://www.suse.com/security/cve/CVE-2022-48783/ SUSE CVE CVE-2022-48783 page https://www.suse.com/security/cve/CVE-2022-48784/ SUSE CVE CVE-2022-48784 page https://www.suse.com/security/cve/CVE-2022-48786/ SUSE CVE CVE-2022-48786 page https://www.suse.com/security/cve/CVE-2022-48787/ SUSE CVE CVE-2022-48787 page https://www.suse.com/security/cve/CVE-2022-48788/ SUSE CVE CVE-2022-48788 page https://www.suse.com/security/cve/CVE-2022-48789/ SUSE CVE CVE-2022-48789 page https://www.suse.com/security/cve/CVE-2022-48790/ SUSE CVE CVE-2022-48790 page https://www.suse.com/security/cve/CVE-2022-48791/ SUSE CVE CVE-2022-48791 page https://www.suse.com/security/cve/CVE-2022-48792/ SUSE CVE CVE-2022-48792 page https://www.suse.com/security/cve/CVE-2022-48793/ SUSE CVE CVE-2022-48793 page https://www.suse.com/security/cve/CVE-2022-48794/ SUSE CVE CVE-2022-48794 page https://www.suse.com/security/cve/CVE-2022-48796/ SUSE CVE CVE-2022-48796 page https://www.suse.com/security/cve/CVE-2022-48797/ SUSE CVE CVE-2022-48797 page https://www.suse.com/security/cve/CVE-2022-48798/ SUSE CVE CVE-2022-48798 page https://www.suse.com/security/cve/CVE-2022-48799/ SUSE CVE CVE-2022-48799 page https://www.suse.com/security/cve/CVE-2022-48800/ SUSE CVE CVE-2022-48800 page https://www.suse.com/security/cve/CVE-2022-48801/ SUSE CVE CVE-2022-48801 page https://www.suse.com/security/cve/CVE-2022-48802/ SUSE CVE CVE-2022-48802 page https://www.suse.com/security/cve/CVE-2022-48803/ SUSE CVE CVE-2022-48803 page https://www.suse.com/security/cve/CVE-2022-48804/ SUSE CVE CVE-2022-48804 page https://www.suse.com/security/cve/CVE-2022-48805/ SUSE CVE CVE-2022-48805 page https://www.suse.com/security/cve/CVE-2022-48806/ SUSE CVE CVE-2022-48806 page https://www.suse.com/security/cve/CVE-2022-48807/ SUSE CVE CVE-2022-48807 page https://www.suse.com/security/cve/CVE-2022-48811/ SUSE CVE CVE-2022-48811 page https://www.suse.com/security/cve/CVE-2022-48812/ SUSE CVE CVE-2022-48812 page https://www.suse.com/security/cve/CVE-2022-48813/ SUSE CVE CVE-2022-48813 page https://www.suse.com/security/cve/CVE-2022-48814/ SUSE CVE CVE-2022-48814 page https://www.suse.com/security/cve/CVE-2022-48815/ SUSE CVE CVE-2022-48815 page https://www.suse.com/security/cve/CVE-2022-48816/ SUSE CVE CVE-2022-48816 page https://www.suse.com/security/cve/CVE-2022-48817/ SUSE CVE CVE-2022-48817 page https://www.suse.com/security/cve/CVE-2022-48818/ SUSE CVE CVE-2022-48818 page https://www.suse.com/security/cve/CVE-2022-48820/ SUSE CVE CVE-2022-48820 page https://www.suse.com/security/cve/CVE-2022-48821/ SUSE CVE CVE-2022-48821 page https://www.suse.com/security/cve/CVE-2022-48822/ SUSE CVE CVE-2022-48822 page https://www.suse.com/security/cve/CVE-2022-48823/ SUSE CVE CVE-2022-48823 page https://www.suse.com/security/cve/CVE-2022-48824/ SUSE CVE CVE-2022-48824 page https://www.suse.com/security/cve/CVE-2022-48825/ SUSE CVE CVE-2022-48825 page https://www.suse.com/security/cve/CVE-2022-48826/ SUSE CVE CVE-2022-48826 page https://www.suse.com/security/cve/CVE-2022-48827/ SUSE CVE CVE-2022-48827 page https://www.suse.com/security/cve/CVE-2022-48828/ SUSE CVE CVE-2022-48828 page https://www.suse.com/security/cve/CVE-2022-48829/ SUSE CVE CVE-2022-48829 page https://www.suse.com/security/cve/CVE-2022-48830/ SUSE CVE CVE-2022-48830 page https://www.suse.com/security/cve/CVE-2022-48831/ SUSE CVE CVE-2022-48831 page https://www.suse.com/security/cve/CVE-2022-48834/ SUSE CVE CVE-2022-48834 page https://www.suse.com/security/cve/CVE-2022-48835/ SUSE CVE CVE-2022-48835 page https://www.suse.com/security/cve/CVE-2022-48836/ SUSE CVE CVE-2022-48836 page https://www.suse.com/security/cve/CVE-2022-48837/ SUSE CVE CVE-2022-48837 page https://www.suse.com/security/cve/CVE-2022-48838/ SUSE CVE CVE-2022-48838 page https://www.suse.com/security/cve/CVE-2022-48839/ SUSE CVE CVE-2022-48839 page https://www.suse.com/security/cve/CVE-2022-48840/ SUSE CVE CVE-2022-48840 page https://www.suse.com/security/cve/CVE-2022-48841/ SUSE CVE CVE-2022-48841 page https://www.suse.com/security/cve/CVE-2022-48842/ SUSE CVE CVE-2022-48842 page https://www.suse.com/security/cve/CVE-2022-48843/ SUSE CVE CVE-2022-48843 page https://www.suse.com/security/cve/CVE-2022-48847/ SUSE CVE CVE-2022-48847 page https://www.suse.com/security/cve/CVE-2022-48849/ SUSE CVE CVE-2022-48849 page https://www.suse.com/security/cve/CVE-2022-48851/ SUSE CVE CVE-2022-48851 page https://www.suse.com/security/cve/CVE-2022-48853/ SUSE CVE CVE-2022-48853 page https://www.suse.com/security/cve/CVE-2022-48856/ SUSE CVE CVE-2022-48856 page https://www.suse.com/security/cve/CVE-2022-48857/ SUSE CVE CVE-2022-48857 page https://www.suse.com/security/cve/CVE-2022-48858/ SUSE CVE CVE-2022-48858 page https://www.suse.com/security/cve/CVE-2022-48859/ SUSE CVE CVE-2022-48859 page https://www.suse.com/security/cve/CVE-2022-48860/ SUSE CVE CVE-2022-48860 page https://www.suse.com/security/cve/CVE-2022-48861/ SUSE CVE CVE-2022-48861 page https://www.suse.com/security/cve/CVE-2022-48862/ SUSE CVE CVE-2022-48862 page https://www.suse.com/security/cve/CVE-2022-48863/ SUSE CVE CVE-2022-48863 page https://www.suse.com/security/cve/CVE-2022-48866/ SUSE CVE CVE-2022-48866 page https://www.suse.com/security/cve/CVE-2023-52762/ SUSE CVE CVE-2023-52762 page https://www.suse.com/security/cve/CVE-2023-52766/ SUSE CVE CVE-2023-52766 page https://www.suse.com/security/cve/CVE-2023-52800/ SUSE CVE CVE-2023-52800 page https://www.suse.com/security/cve/CVE-2023-52885/ SUSE CVE CVE-2023-52885 page https://www.suse.com/security/cve/CVE-2023-52886/ SUSE CVE CVE-2023-52886 page https://www.suse.com/security/cve/CVE-2024-26583/ SUSE CVE CVE-2024-26583 page https://www.suse.com/security/cve/CVE-2024-26584/ SUSE CVE CVE-2024-26584 page https://www.suse.com/security/cve/CVE-2024-26800/ SUSE CVE CVE-2024-26800 page https://www.suse.com/security/cve/CVE-2024-26813/ SUSE CVE CVE-2024-26813 page https://www.suse.com/security/cve/CVE-2024-26814/ SUSE CVE CVE-2024-26814 page https://www.suse.com/security/cve/CVE-2024-26976/ SUSE CVE CVE-2024-26976 page https://www.suse.com/security/cve/CVE-2024-35878/ SUSE CVE CVE-2024-35878 page https://www.suse.com/security/cve/CVE-2024-35901/ SUSE CVE CVE-2024-35901 page https://www.suse.com/security/cve/CVE-2024-36974/ SUSE CVE CVE-2024-36974 page https://www.suse.com/security/cve/CVE-2024-38555/ SUSE CVE CVE-2024-38555 page https://www.suse.com/security/cve/CVE-2024-39463/ SUSE CVE CVE-2024-39463 page https://www.suse.com/security/cve/CVE-2024-39494/ SUSE CVE CVE-2024-39494 page https://www.suse.com/security/cve/CVE-2024-40902/ SUSE CVE CVE-2024-40902 page https://www.suse.com/security/cve/CVE-2024-40937/ SUSE CVE CVE-2024-40937 page https://www.suse.com/security/cve/CVE-2024-40954/ SUSE CVE CVE-2024-40954 page https://www.suse.com/security/cve/CVE-2024-40956/ SUSE CVE CVE-2024-40956 page https://www.suse.com/security/cve/CVE-2024-40989/ SUSE CVE CVE-2024-40989 page https://www.suse.com/security/cve/CVE-2024-40994/ SUSE CVE CVE-2024-40994 page https://www.suse.com/security/cve/CVE-2024-41011/ SUSE CVE CVE-2024-41011 page https://www.suse.com/security/cve/CVE-2024-41012/ SUSE CVE CVE-2024-41012 page https://www.suse.com/security/cve/CVE-2024-41059/ SUSE CVE CVE-2024-41059 page https://www.suse.com/security/cve/CVE-2024-41069/ SUSE CVE CVE-2024-41069 page https://www.suse.com/security/cve/CVE-2024-41090/ SUSE CVE CVE-2024-41090 page https://www.suse.com/security/cve/CVE-2024-42093/ SUSE CVE CVE-2024-42093 page https://www.suse.com/security/cve/CVE-2024-42145/ SUSE CVE CVE-2024-42145 page https://www.suse.com/security/cve/CVE-2024-42230/ SUSE CVE CVE-2024-42230 page SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 cluster-md-kmp-rt-5.14.21-150400.15.88.1 dlm-kmp-rt-5.14.21-150400.15.88.1 gfs2-kmp-rt-5.14.21-150400.15.88.1 kernel-devel-rt-5.14.21-150400.15.88.1 kernel-rt-5.14.21-150400.15.88.1 kernel-rt-devel-5.14.21-150400.15.88.1 kernel-rt-extra-5.14.21-150400.15.88.1 kernel-rt-livepatch-5.14.21-150400.15.88.1 kernel-rt-livepatch-devel-5.14.21-150400.15.88.1 kernel-rt-optional-5.14.21-150400.15.88.1 kernel-rt_debug-5.14.21-150400.15.88.1 kernel-rt_debug-devel-5.14.21-150400.15.88.1 kernel-rt_debug-livepatch-devel-5.14.21-150400.15.88.1 kernel-source-rt-5.14.21-150400.15.88.1 kernel-syms-rt-5.14.21-150400.15.88.1 kselftests-kmp-rt-5.14.21-150400.15.88.1 ocfs2-kmp-rt-5.14.21-150400.15.88.1 reiserfs-kmp-rt-5.14.21-150400.15.88.1 kernel-rt-5.14.21-150400.15.88.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-source-rt-5.14.21-150400.15.88.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-rt-5.14.21-150400.15.88.1 as a component of SUSE Linux Enterprise Micro 5.4 kernel-source-rt-5.14.21-150400.15.88.1 as a component of SUSE Linux Enterprise Micro 5.4 In the Linux kernel, the following vulnerability has been resolved: isdn: cpai: check ctr->cnr to avoid array index out of bound The cmtp_add_connection() would add a cmtp session to a controller and run a kernel thread to process cmtp. __module_get(THIS_MODULE); session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d", session->num); During this process, the kernel thread would call detach_capi_ctr() to detach a register controller. if the controller was not attached yet, detach_capi_ctr() would trigger an array-index-out-bounds bug. [ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in drivers/isdn/capi/kcapi.c:483:21 [ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]' [ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted 5.15.0-rc2+ #8 [ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 [ 46.870107][ T6479] Call Trace: [ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d [ 46.870974][ T6479] ubsan_epilogue+0x5/0x40 [ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48 [ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0 [ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0 [ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60 [ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120 [ 46.874256][ T6479] kthread+0x147/0x170 [ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40 [ 46.875248][ T6479] ret_from_fork+0x1f/0x30 [ 46.875773][ T6479] CVE-2021-4439 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-4439.html CVE-2021-4439 https://bugzilla.suse.com/1226670 SUSE Bug 1226670 In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Add missing drm_crtc_commit_put Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before a commit") introduced a global state for the HVS, with each FIFO storing the current CRTC commit so that we can properly synchronize commits. However, the refcounting was off and we thus ended up leaking the drm_crtc_commit structure every commit. Add a drm_crtc_commit_put to prevent the leakage. CVE-2021-47534 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47534.html CVE-2021-47534 https://bugzilla.suse.com/1230903 SUSE Bug 1230903 In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() In resp_mode_select() sanity check the block descriptor len to avoid UAF. BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 Read of size 1 at addr ffff888026670f50 by task scsicmd/15032 CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Call Trace: <TASK> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113 CVE-2021-47576 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47576.html CVE-2021-47576 https://bugzilla.suse.com/1226537 SUSE Bug 1226537 In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Don't call kcalloc() if size arg is zero If the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR. Because of that, for a following NULL pointer check to work on the returned pointer, kcalloc() must not be called with the size arg equal to zero. Return early without error before the kcalloc() call if size arg is zero. BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789 CPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x3b/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline] do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline] resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102 sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline] scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930 sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-47578 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47578.html CVE-2021-47578 https://bugzilla.suse.com/1226539 SUSE Bug 1226539 In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix type in min_t to avoid stack OOB Change min_t() to use type "u32" instead of type "int" to avoid stack out of bounds. With min_t() type "int" the values get sign extended and the larger value gets used causing stack out of bounds. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707 CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x23/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline] resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-47580 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47580.html CVE-2021-47580 https://bugzilla.suse.com/1226550 SUSE Bug 1226550 https://bugzilla.suse.com/1227611 SUSE Bug 1227611 In the Linux kernel, the following vulnerability has been resolved: USB: core: Make do_proc_control() and do_proc_bulk() killable The USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke usb_start_wait_urb(), which contains an uninterruptible wait with a user-specified timeout value. If timeout value is very large and the device being accessed does not respond in a reasonable amount of time, the kernel will complain about "Task X blocked for more than N seconds", as found in testing by syzbot: INFO: task syz-executor.0:8700 blocked for more than 143 seconds. Not tainted 5.14.0-rc7-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4681 [inline] __schedule+0xc07/0x11f0 kernel/sched/core.c:5938 schedule+0x14b/0x210 kernel/sched/core.c:6017 schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857 do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85 __wait_for_common kernel/sched/completion.c:106 [inline] wait_for_common kernel/sched/completion.c:117 [inline] wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157 usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63 do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236 proc_bulk drivers/usb/core/devio.c:1273 [inline] usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline] usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713 ... To fix this problem, this patch replaces usbfs's calls to usb_control_msg() and usb_bulk_msg() with special-purpose code that does essentially the same thing (as recommended in the comment for usb_start_wait_urb()), except that it always uses a killable wait and it uses GFP_KERNEL rather than GFP_NOIO. CVE-2021-47582 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47582.html CVE-2021-47582 https://bugzilla.suse.com/1226559 SUSE Bug 1226559 In the Linux kernel, the following vulnerability has been resolved: media: mxl111sf: change mutex_init() location Syzbot reported, that mxl111sf_ctrl_msg() uses uninitialized mutex. The problem was in wrong mutex_init() location. Previous mutex_init(&state->msg_lock) call was in ->init() function, but dvb_usbv2_init() has this order of calls: dvb_usbv2_init() dvb_usbv2_adapter_init() dvb_usbv2_adapter_frontend_init() props->frontend_attach() props->init() Since mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach() internally we need to initialize state->msg_lock before frontend_attach(). To achieve it, ->probe() call added to all mxl111sf_* devices, which will simply initiaize mutex. CVE-2021-47583 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47583.html CVE-2021-47583 https://bugzilla.suse.com/1226563 SUSE Bug 1226563 In the Linux kernel, the following vulnerability has been resolved: iocost: Fix divide-by-zero on donation from low hweight cgroup The donation calculation logic assumes that the donor has non-zero after-donation hweight, so the lowest active hweight a donating cgroup can have is 2 so that it can donate 1 while keeping the other 1 for itself. Earlier, we only donated from cgroups with sizable surpluses so this condition was always true. However, with the precise donation algorithm implemented, f1de2439ec43 ("blk-iocost: revamp donation amount determination") made the donation amount calculation exact enabling even low hweight cgroups to donate. This means that in rare occasions, a cgroup with active hweight of 1 can enter donation calculation triggering the following warning and then a divide-by-zero oops. WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867] ... RIP: 0010:transfer_surpluses.cold+0x0/0x53 Code: 92 ff 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0 4 ... Call Trace: <IRQ> ioc_timer_fn+0x1043/0x1390 call_timer_fn+0xa1/0x2c0 __run_timers.part.0+0x1ec/0x2e0 run_timer_softirq+0x35/0x70 ... iocg: invalid donation weights in /a/b: active=1 donating=1 after=0 Fix it by excluding cgroups w/ active hweight < 2 from donating. Excluding these extreme low hweight donations shouldn't affect work conservation in any meaningful way. CVE-2021-47584 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47584.html CVE-2021-47584 https://bugzilla.suse.com/1226564 SUSE Bug 1226564 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak in __add_inode_ref() Line 1169 (#3) allocates a memory chunk for victim_name by kmalloc(), but when the function returns in line 1184 (#4) victim_name allocated by line 1169 (#3) is not freed, which will lead to a memory leak. There is a similar snippet of code in this function as allocating a memory chunk for victim_name in line 1104 (#1) as well as releasing the memory in line 1116 (#2). We should kfree() victim_name when the return value of backref_in_log() is less than zero and before the function returns in line 1184 (#4). 1057 static inline int __add_inode_ref(struct btrfs_trans_handle *trans, 1058 struct btrfs_root *root, 1059 struct btrfs_path *path, 1060 struct btrfs_root *log_root, 1061 struct btrfs_inode *dir, 1062 struct btrfs_inode *inode, 1063 u64 inode_objectid, u64 parent_objectid, 1064 u64 ref_index, char *name, int namelen, 1065 int *search_done) 1066 { 1104 victim_name = kmalloc(victim_name_len, GFP_NOFS); // #1: kmalloc (victim_name-1) 1105 if (!victim_name) 1106 return -ENOMEM; 1112 ret = backref_in_log(log_root, &search_key, 1113 parent_objectid, victim_name, 1114 victim_name_len); 1115 if (ret < 0) { 1116 kfree(victim_name); // #2: kfree (victim_name-1) 1117 return ret; 1118 } else if (!ret) { 1169 victim_name = kmalloc(victim_name_len, GFP_NOFS); // #3: kmalloc (victim_name-2) 1170 if (!victim_name) 1171 return -ENOMEM; 1180 ret = backref_in_log(log_root, &search_key, 1181 parent_objectid, victim_name, 1182 victim_name_len); 1183 if (ret < 0) { 1184 return ret; // #4: missing kfree (victim_name-2) 1185 } else if (!ret) { 1241 return 0; 1242 } CVE-2021-47585 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47585.html CVE-2021-47585 https://bugzilla.suse.com/1226556 SUSE Bug 1226556 In the Linux kernel, the following vulnerability has been resolved: net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup KASAN reports an out-of-bounds read in rk_gmac_setup on the line: while (ops->regs[i]) { This happens for most platforms since the regs flexible array member is empty, so the memory after the ops structure is being read here. It seems that mostly this happens to contain zero anyway, so we get lucky and everything still works. To avoid adding redundant data to nearly all the ops structures, add a new flag to indicate whether the regs field is valid and avoid this loop when it is not. CVE-2021-47586 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47586.html CVE-2021-47586 https://bugzilla.suse.com/1226561 SUSE Bug 1226561 In the Linux kernel, the following vulnerability has been resolved: net: systemport: Add global locking for descriptor lifecycle The descriptor list is a shared resource across all of the transmit queues, and the locking mechanism used today only protects concurrency across a given transmit queue between the transmit and reclaiming. This creates an opportunity for the SYSTEMPORT hardware to work on corrupted descriptors if we have multiple producers at once which is the case when using multiple transmit queues. This was particularly noticeable when using multiple flows/transmit queues and it showed up in interesting ways in that UDP packets would get a correct UDP header checksum being calculated over an incorrect packet length. Similarly TCP packets would get an equally correct checksum computed by the hardware over an incorrect packet length. The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges when the driver produces a new descriptor anytime it writes to the WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to re-organize its descriptors and it is possible that concurrent TX queues eventually break this internal allocation scheme to the point where the length/status part of the descriptor gets used for an incorrect data buffer. The fix is to impose a global serialization for all TX queues in the short section where we are writing to the WRITE_PORT_{HI,LO} registers which solves the corruption even with multiple concurrent TX queues being used. CVE-2021-47587 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47587.html CVE-2021-47587 https://bugzilla.suse.com/1226567 SUSE Bug 1226567 In the Linux kernel, the following vulnerability has been resolved: igbvf: fix double free in `igbvf_probe` In `igbvf_probe`, if register_netdev() fails, the program will go to label err_hw_init, and then to label err_ioremap. In free_netdev() which is just below label err_ioremap, there is `list_for_each_entry_safe` and `netif_napi_del` which aims to delete all entries in `dev->napi_list`. The program has added an entry `adapter->rx_ring->napi` which is added by `netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has been freed below label err_hw_init. So this a UAF. In terms of how to patch the problem, we can refer to igbvf_remove() and delete the entry before `adapter->rx_ring`. The KASAN logs are as follows: [ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450 [ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 [ 35.128360] [ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 35.131749] Call Trace: [ 35.132199] dump_stack_lvl+0x59/0x7b [ 35.132865] print_address_description+0x7c/0x3b0 [ 35.133707] ? free_netdev+0x1fd/0x450 [ 35.134378] __kasan_report+0x160/0x1c0 [ 35.135063] ? free_netdev+0x1fd/0x450 [ 35.135738] kasan_report+0x4b/0x70 [ 35.136367] free_netdev+0x1fd/0x450 [ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf] [ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf] [ 35.138751] local_pci_probe+0x13c/0x1f0 [ 35.139461] pci_device_probe+0x37e/0x6c0 [ 35.165526] [ 35.165806] Allocated by task 366: [ 35.166414] ____kasan_kmalloc+0xc4/0xf0 [ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf] [ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf] [ 35.168866] local_pci_probe+0x13c/0x1f0 [ 35.169565] pci_device_probe+0x37e/0x6c0 [ 35.179713] [ 35.179993] Freed by task 366: [ 35.180539] kasan_set_track+0x4c/0x80 [ 35.181211] kasan_set_free_info+0x1f/0x40 [ 35.181942] ____kasan_slab_free+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf] [ 35.184040] local_pci_probe+0x13c/0x1f0 CVE-2021-47589 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47589.html CVE-2021-47589 https://bugzilla.suse.com/1226557 SUSE Bug 1226557 In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix tc flower deletion for VLAN priority Rx steering To replicate the issue:- 1) Add 1 flower filter for VLAN Priority based frame steering:- $ IFDEVNAME=eth0 $ tc qdisc add dev $IFDEVNAME ingress $ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ flower vlan_prio 0 hw_tc 0 2) Get the 'pref' id $ tc filter show dev $IFDEVNAME ingress 3) Delete a specific tc flower record (say pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151 From dmesg, we will observe kernel NULL pointer ooops [ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 197.171367] #PF: supervisor read access in kernel mode [ 197.171367] #PF: error_code(0x0000) - not-present page [ 197.171367] PGD 0 P4D 0 [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI <snip> [ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac] <snip> [ 197.171367] Call Trace: [ 197.171367] <TASK> [ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac] [ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac] [ 197.171367] tc_setup_cb_destroy+0xb3/0x180 [ 197.171367] fl_hw_destroy_filter+0x94/0xc0 [cls_flower] The above issue is due to previous incorrect implementation of tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule() to get struct flow_rule *rule which is no longer valid for tc filter delete operation. struct flow_rule *rule = flow_cls_offload_flow_rule(cls); struct flow_dissector *dissector = rule->match.dissector; So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(), this patch introduces stmmac_rfs_entry as driver-side flow_cls_offload record for 'RX frame steering' tc flower, currently used for VLAN priority. The implementation has taken consideration for future extension to include other type RX frame steering such as EtherType based. v2: - Clean up overly extensive backtrace and rewrite git message to better explain the kernel NULL pointer issue. CVE-2021-47592 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47592.html CVE-2021-47592 https://bugzilla.suse.com/1226572 SUSE Bug 1226572 In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg Currently, the hns3_remove function firstly uninstall client instance, and then uninstall acceletion engine device. The netdevice is freed in client instance uninstall process, but acceletion engine device uninstall process still use it to trace runtime information. This causes a use after free problem. So fixes it by check the instance register state to avoid use after free. CVE-2021-47596 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47596.html CVE-2021-47596 https://bugzilla.suse.com/1226558 SUSE Bug 1226558 In the Linux kernel, the following vulnerability has been resolved: inet_diag: fix kernel-infoleak for UDP sockets KMSAN reported a kernel-infoleak [1], that can exploited by unpriv users. After analysis it turned out UDP was not initializing r->idiag_expires. Other users of inet_sk_diag_fill() might make the same mistake in the future, so fix this in inet_sk_diag_fill(). [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670 instrument_copy_to_user include/linux/instrumented.h:121 [inline] copyout lib/iov_iter.c:156 [inline] _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670 copy_to_iter include/linux/uio.h:155 [inline] simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533 skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline] netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974 sock_recvmsg_nosec net/socket.c:944 [inline] sock_recvmsg net/socket.c:962 [inline] sock_read_iter+0x5a9/0x630 net/socket.c:1035 call_read_iter include/linux/fs.h:2156 [inline] new_sync_read fs/read_write.c:400 [inline] vfs_read+0x1631/0x1980 fs/read_write.c:481 ksys_read+0x28c/0x520 fs/read_write.c:619 __do_sys_read fs/read_write.c:629 [inline] __se_sys_read fs/read_write.c:627 [inline] __x64_sys_read+0xdb/0x120 fs/read_write.c:627 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245 __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370 netlink_dump_start include/linux/netlink.h:254 [inline] inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343 sock_diag_rcv_msg+0x24a/0x620 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] sock_write_iter+0x594/0x690 net/socket.c:1057 do_iter_readv_writev+0xa7f/0xc70 do_iter_write+0x52c/0x1500 fs/read_write.c:851 vfs_writev fs/read_write.c:924 [inline] do_writev+0x63f/0xe30 fs/read_write.c:967 __do_sys_writev fs/read_write.c:1040 [inline] __se_sys_writev fs/read_write.c:1037 [inline] __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Bytes 68-71 of 312 are uninitialized Memory access of size 312 starts at ffff88812ab54000 Data copied to user address 0000000020001440 CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 CVE-2021-47597 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47597.html CVE-2021-47597 https://bugzilla.suse.com/1226553 SUSE Bug 1226553 In the Linux kernel, the following vulnerability has been resolved: sch_cake: do not call cake_destroy() from cake_init() qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that. syzbot was able to trigger use after free: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline] WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Modules linked in: CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline] RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 Call Trace: <TASK> tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810 tcf_block_put_ext net/sched/cls_api.c:1381 [inline] tcf_block_put_ext net/sched/cls_api.c:1376 [inline] tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f1bb06badb9 Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f. RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688 R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 </TASK> CVE-2021-47598 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47598.html CVE-2021-47598 https://bugzilla.suse.com/1226574 SUSE Bug 1226574 https://bugzilla.suse.com/1227471 SUSE Bug 1227471 In the Linux kernel, the following vulnerability has been resolved: dm btree remove: fix use after free in rebalance_children() Move dm_tm_unlock() after dm_tm_dec(). CVE-2021-47600 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47600.html CVE-2021-47600 https://bugzilla.suse.com/1226575 SUSE Bug 1226575 https://bugzilla.suse.com/1227472 SUSE Bug 1227472 In the Linux kernel, the following vulnerability has been resolved: tee: amdtee: fix an IS_ERR() vs NULL bug The __get_free_pages() function does not return error pointers it returns NULL so fix this condition to avoid a NULL dereference. CVE-2021-47601 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47601.html CVE-2021-47601 https://bugzilla.suse.com/1226576 SUSE Bug 1226576 In the Linux kernel, the following vulnerability has been resolved: mac80211: track only QoS data frames for admission control For admission control, obviously all of that only works for QoS data frames, otherwise we cannot even access the QoS field in the header. Syzbot reported (see below) an uninitialized value here due to a status of a non-QoS nullfunc packet, which isn't even long enough to contain the QoS header. Fix this to only do anything for QoS data packets. CVE-2021-47602 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47602.html CVE-2021-47602 https://bugzilla.suse.com/1226554 SUSE Bug 1226554 In the Linux kernel, the following vulnerability has been resolved: audit: improve robustness of the audit queue handling If the audit daemon were ever to get stuck in a stopped state the kernel's kauditd_thread() could get blocked attempting to send audit records to the userspace audit daemon. With the kernel thread blocked it is possible that the audit queue could grow unbounded as certain audit record generating events must be exempt from the queue limits else the system enter a deadlock state. This patch resolves this problem by lowering the kernel thread's socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks the kauditd_send_queue() function to better manage the various audit queues when connection problems occur between the kernel and the audit daemon. With this patch, the backlog may temporarily grow beyond the defined limits when the audit daemon is stopped and the system is under heavy audit pressure, but kauditd_thread() will continue to make progress and drain the queues as it would for other connection problems. For example, with the audit daemon put into a stopped state and the system configured to audit every syscall it was still possible to shutdown the system without a kernel panic, deadlock, etc.; granted, the system was slow to shutdown but that is to be expected given the extreme pressure of recording every syscall. The timeout value of HZ/10 was chosen primarily through experimentation and this developer's "gut feeling". There is likely no one perfect value, but as this scenario is limited in scope (root privileges would be needed to send SIGSTOP to the audit daemon), it is likely not worth exposing this as a tunable at present. This can always be done at a later date if it proves necessary. CVE-2021-47603 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47603.html CVE-2021-47603 https://bugzilla.suse.com/1226577 SUSE Bug 1226577 In the Linux kernel, the following vulnerability has been resolved: bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg The implementation of BPF_CMPXCHG on a high level has the following parameters: .-[old-val] .-[new-val] BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG) `-[mem-loc] `-[old-val] Given a BPF insn can only have two registers (dst, src), the R0 is fixed and used as an auxilliary register for input (old value) as well as output (returning old value from memory location). While the verifier performs a number of safety checks, it misses to reject unprivileged programs where R0 contains a pointer as old value. Through brute-forcing it takes about ~16sec on my machine to leak a kernel pointer with BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the guessed address into the map slot as a scalar, and using the map value pointer as R0 while SRC_REG has a canary value to detect a matching address. Fix it by checking R0 for pointers, and reject if that's the case for unprivileged programs. CVE-2021-47607 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47607.html CVE-2021-47607 https://bugzilla.suse.com/1226580 SUSE Bug 1226580 In the Linux kernel, the following vulnerability has been resolved: bpf: Fix kernel address leakage in atomic fetch The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since this would allow for unprivileged users to leak kernel pointers. For example, an atomic fetch/and with -1 on a stack destination which holds a spilled pointer will migrate the spilled register type into a scalar, which can then be exported out of the program (since scalar != pointer) by dumping it into a map value. The original implementation of XADD was preventing this situation by using a double call to check_mem_access() one with BPF_READ and a subsequent one with BPF_WRITE, in both cases passing -1 as a placeholder value instead of register as per XADD semantics since it didn't contain a value fetch. The BPF_READ also included a check in check_stack_read_fixed_off() which rejects the program if the stack slot is of __is_pointer_value() if dst_regno < 0. The latter is to distinguish whether we're dealing with a regular stack spill/ fill or some arithmetical operation which is disallowed on non-scalars, see also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged users") for more context on check_mem_access() and its handling of placeholder value -1. One minimally intrusive option to fix the leak is for the BPF_FETCH case to initially check the BPF_READ case via check_mem_access() with -1 as register, followed by the actual load case with non-negative load_reg to propagate stack bounds to registers. CVE-2021-47608 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47608.html CVE-2021-47608 https://bugzilla.suse.com/1226569 SUSE Bug 1226569 In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Fix string overflow in SCPI genpd driver Without the bound checks for scpi_pd->name, it could result in the buffer overflow when copying the SCPI device name from the corresponding device tree node as the name string is set at maximum size of 30. Let us fix it by using devm_kasprintf so that the string buffer is allocated dynamically. CVE-2021-47609 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47609.html CVE-2021-47609 https://bugzilla.suse.com/1226562 SUSE Bug 1226562 In the Linux kernel, the following vulnerability has been resolved: mac80211: validate extended element ID is present Before attempting to parse an extended element, verify that the extended element ID is present. CVE-2021-47611 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47611.html CVE-2021-47611 https://bugzilla.suse.com/1226583 SUSE Bug 1226583 In the Linux kernel, the following vulnerability has been resolved: nfc: fix segfault in nfc_genl_dump_devices_done When kmalloc in nfc_genl_dump_devices() fails then nfc_genl_dump_devices_done() segfaults as below KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:klist_iter_exit+0x26/0x80 Call Trace: <TASK> class_dev_iter_exit+0x15/0x20 nfc_genl_dump_devices_done+0x3b/0x50 genl_lock_done+0x84/0xd0 netlink_sock_destruct+0x8f/0x270 __sk_destruct+0x64/0x3b0 sk_destruct+0xa8/0xd0 __sk_free+0x2e8/0x3d0 sk_free+0x51/0x90 netlink_sock_destruct_work+0x1c/0x20 process_one_work+0x411/0x710 worker_thread+0x6fd/0xa80 CVE-2021-47612 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47612.html CVE-2021-47612 https://bugzilla.suse.com/1226585 SUSE Bug 1226585 In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix a user-after-free in add_pble_prm When irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE info list. Add the chunk entry to the PBLE info list only after successful setting of the SD in irdma_hmc_sd_one. CVE-2021-47614 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47614.html CVE-2021-47614 https://bugzilla.suse.com/1226601 SUSE Bug 1226601 ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2021-47615 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47615.html CVE-2021-47615 https://bugzilla.suse.com/1226602 SUSE Bug 1226602 In the Linux kernel, the following vulnerability has been resolved: RDMA: Fix use-after-free in rxe_queue_cleanup On error handling path in rxe_qp_from_init() qp->sq.queue is freed and then rxe_create_qp() will drop last reference to this object. qp clean up function will try to free this queue one time and it causes UAF bug. Fix it by zeroing queue pointer after freeing queue in rxe_qp_from_init(). CVE-2021-47616 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47616.html CVE-2021-47616 https://bugzilla.suse.com/1226603 SUSE Bug 1226603 In the Linux kernel, the following vulnerability has been resolved: PCI: pciehp: Fix infinite loop in IRQ handler upon power fault The Power Fault Detected bit in the Slot Status register differs from all other hotplug events in that it is sticky: It can only be cleared after turning off slot power. Per PCIe r5.0, sec. 6.7.1.8: If a power controller detects a main power fault on the hot-plug slot, it must automatically set its internal main power fault latch [...]. The main power fault latch is cleared when software turns off power to the hot-plug slot. The stickiness used to cause interrupt storms and infinite loops which were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable software notification on empty slots"). Unfortunately in 2020 the infinite loop issue was inadvertently reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race"): The hardirq handler pciehp_isr() clears the PFD bit until pciehp's power_fault_detected flag is set. That happens in the IRQ thread pciehp_ist(), which never learns of the event because the hardirq handler is stuck in an infinite loop. Fix by setting the power_fault_detected flag already in the hardirq handler. CVE-2021-47617 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47617.html CVE-2021-47617 https://bugzilla.suse.com/1226614 SUSE Bug 1226614 In the Linux kernel, the following vulnerability has been resolved: ARM: 9170/1: fix panic when kasan and kprobe are enabled arm32 uses software to simulate the instruction replaced by kprobe. some instructions may be simulated by constructing assembly functions. therefore, before executing instruction simulation, it is necessary to construct assembly function execution environment in C language through binding registers. after kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing kernel panic. the kprobe emulate instruction function is distributed in three files: actions-common.c actions-arm.c actions-thumb.c, so disable KASAN when compiling these files. for example, use kprobe insert on cap_capable+20 after kasan enabled, the cap_capable assembly code is as follows: <cap_capable>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c add r0, r0, #108 ; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [pc, #144] ; ebfc7bf8 bl c03aa4b4 <__asan_load4> e595706c ldr r7, [r5, #108] ; 0x6c e2859014 add r9, r5, #20 ...... The emulate_ldr assembly code after enabling kasan is as follows: c06f1384 <emulate_ldr>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c add r8, r2, #60 ; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 <__asan_load4> e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f and sl, r5, #15 0a000001 beq c06f13bc <emulate_ldr+0x38> e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 <__asan_load4> e084010a add r0, r4, sl, lsl #2 ebf3545a bl c03c6530 <__asan_load4> e2890010 add r0, r9, #16 ebf35458 bl c03c6530 <__asan_load4> e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 1a000014 bne c06f1430 <emulate_ldr+0xac> e1a06000 mov r6, r0 e2840040 add r0, r4, #64 ; 0x40 ...... when running in emulate_ldr to simulate the ldr instruction, panic occurred, and the log is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, *pmd=00000000 Internal error: Oops: 206 [#1] SMP ARM PC is at cap_capable+0x14/0xb0 LR is at emulate_ldr+0x50/0xc0 psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 32c5387d Table: 2d546400 DAC: 55555555 Process bash (pid: 1643, stack limit = 0xecd60190) (cap_capable) from (kprobe_handler+0x218/0x340) (kprobe_handler) from (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) (do_undefinstr) from (__und_svc_finish+0x0/0x30) (__und_svc_finish) from (cap_capable+0x18/0xb0) (cap_capable) from (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) from (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) from (copy_process.constprop.5+0x16b4/0x25c8) (copy_process.constprop.5) from (_do_fork+0xe8/0x55c) (_do_fork) from (SyS_clone+0x1c/0x24) (SyS_clone) from (__sys_trace_return+0x0/0x10) Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7) CVE-2021-47618 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47618.html CVE-2021-47618 https://bugzilla.suse.com/1226644 SUSE Bug 1226644 In the Linux kernel, the following vulnerability has been resolved: i40e: Fix queues reservation for XDP When XDP was configured on a system with large number of CPUs and X722 NIC there was a call trace with NULL pointer dereference. i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12 i40e 0000:87:00.0: setup of MAIN VSI failed BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e] Call Trace: ? i40e_reconfig_rss_queues+0x130/0x130 [i40e] dev_xdp_install+0x61/0xe0 dev_xdp_attach+0x18a/0x4c0 dev_change_xdp_fd+0x1e6/0x220 do_setlink+0x616/0x1030 ? ahci_port_stop+0x80/0x80 ? ata_qc_issue+0x107/0x1e0 ? lock_timer_base+0x61/0x80 ? __mod_timer+0x202/0x380 rtnl_setlink+0xe5/0x170 ? bpf_lsm_binder_transaction+0x10/0x10 ? security_capable+0x36/0x50 rtnetlink_rcv_msg+0x121/0x350 ? rtnl_calcit.isra.0+0x100/0x100 netlink_rcv_skb+0x50/0xf0 netlink_unicast+0x1d3/0x2a0 netlink_sendmsg+0x22a/0x440 sock_sendmsg+0x5e/0x60 __sys_sendto+0xf0/0x160 ? __sys_getsockname+0x7e/0xc0 ? _copy_from_user+0x3c/0x80 ? __sys_setsockopt+0xc8/0x1a0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f83fa7a39e0 This was caused by PF queue pile fragmentation due to flow director VSI queue being placed right after main VSI. Because of this main VSI was not able to resize its queue allocation for XDP resulting in no queues allocated for main VSI when XDP was turned on. Fix this by always allocating last queue in PF queue pile for a flow director VSI. CVE-2021-47619 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47619.html CVE-2021-47619 https://bugzilla.suse.com/1226645 SUSE Bug 1226645 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: refactor malicious adv data check Check for out-of-bound read was being performed at the end of while num_reports loop, and would fill journal with false positives. Added check to beginning of loop processing so that it doesn't get checked after ptr has been advanced. CVE-2021-47620 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47620.html CVE-2021-47620 https://bugzilla.suse.com/1226669 SUSE Bug 1226669 In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: Fix a deadlock in the error handler The following deadlock has been observed on a test setup: - All tags allocated - The SCSI error handler calls ufshcd_eh_host_reset_handler() - ufshcd_eh_host_reset_handler() queues work that calls ufshcd_err_handler() - ufshcd_err_handler() locks up as follows: Workqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt Call trace: __switch_to+0x298/0x5d8 __schedule+0x6cc/0xa94 schedule+0x12c/0x298 blk_mq_get_tag+0x210/0x480 __blk_mq_alloc_request+0x1c8/0x284 blk_get_request+0x74/0x134 ufshcd_exec_dev_cmd+0x68/0x640 ufshcd_verify_dev_init+0x68/0x35c ufshcd_probe_hba+0x12c/0x1cb8 ufshcd_host_reset_and_restore+0x88/0x254 ufshcd_reset_and_restore+0xd0/0x354 ufshcd_err_handler+0x408/0xc58 process_one_work+0x24c/0x66c worker_thread+0x3e8/0xa4c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 Fix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved request. CVE-2021-47622 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47622.html CVE-2021-47622 https://bugzilla.suse.com/1227917 SUSE Bug 1227917 In the Linux kernel, the following vulnerability has been resolved: net/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change The refcount leak issues take place in an error handling path. When the 3rd argument buf doesn't match with "offline", "online" or "remove", the function simply returns -EINVAL and forgets to decrease the reference count of a rpc_xprt object and a rpc_xprt_switch object increased by rpc_sysfs_xprt_kobj_get_xprt() and rpc_sysfs_xprt_kobj_get_xprt_switch(), causing reference count leaks of both unused objects. Fix this issue by jumping to the error handling path labelled with out_put when buf matches none of "offline", "online" or "remove". CVE-2021-47624 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2021-47624.html CVE-2021-47624 https://bugzilla.suse.com/1227920 SUSE Bug 1227920 In the Linux kernel, the following vulnerability has been resolved: tipc: improve size validations for received domain records The function tipc_mon_rcv() allows a node to receive and process domain_record structs from peer nodes to track their views of the network topology. This patch verifies that the number of members in a received domain record does not exceed the limit defined by MAX_MON_DOMAIN, something that may otherwise lead to a stack overflow. tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where we are reading a 32 bit message data length field into a uint16. To avert any risk of bit overflow, we add an extra sanity check for this in that function. We cannot see that happen with the current code, but future designers being unaware of this risk, may introduce it by allowing delivery of very large (> 64k) sk buffers from the bearer layer. This potential problem was identified by Eric Dumazet. This fixes CVE-2022-0435 CVE-2022-48711 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48711.html CVE-2022-48711 https://bugzilla.suse.com/1226672 SUSE Bug 1226672 https://bugzilla.suse.com/1227473 SUSE Bug 1227473 In the Linux kernel, the following vulnerability has been resolved: ext4: fix error handling in ext4_fc_record_modified_inode() Current code does not fully takes care of krealloc() error case, which could lead to silent memory corruption or a kernel bug. This patch fixes that. Also it cleans up some duplicated error handling logic from various functions in fast_commit.c file. CVE-2022-48712 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48712.html CVE-2022-48712 https://bugzilla.suse.com/1226673 SUSE Bug 1226673 In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/pt: Fix crash with stop filters in single-range mode Add a check for !buf->single before calling pt_buffer_region_size in a place where a missing check can cause a kernel crash. Fixes a bug introduced by commit 670638477aed ("perf/x86/intel/pt: Opportunistically use single range output mode"), which added a support for PT single-range output mode. Since that commit if a PT stop filter range is hit while tracing, the kernel will crash because of a null pointer dereference in pt_handle_status due to calling pt_buffer_region_size without a ToPA configured. The commit which introduced single-range mode guarded almost all uses of the ToPA buffer variables with checks of the buf->single variable, but missed the case where tracing was stopped by the PT hardware, which happens when execution hits a configured stop filter. Tested that hitting a stop filter while PT recording successfully records a trace with this patch but crashes without this patch. CVE-2022-48713 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48713.html CVE-2022-48713 https://bugzilla.suse.com/1227549 SUSE Bug 1227549 In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe Running tests with a debug kernel shows that bnx2fc_recv_frame() is modifying the per_cpu lport stats counters in a non-mpsafe way. Just boot a debug kernel and run the bnx2fc driver with the hardware enabled. [ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_ [ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] [ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G B [ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 [ 1391.699183] Call Trace: [ 1391.699188] dump_stack_lvl+0x57/0x7d [ 1391.699198] check_preemption_disabled+0xc8/0xd0 [ 1391.699205] bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] [ 1391.699215] ? do_raw_spin_trylock+0xb5/0x180 [ 1391.699221] ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc] [ 1391.699229] ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc] [ 1391.699240] bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc] [ 1391.699250] ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc] [ 1391.699258] kthread+0x364/0x420 [ 1391.699263] ? _raw_spin_unlock_irq+0x24/0x50 [ 1391.699268] ? set_kthread_struct+0x100/0x100 [ 1391.699273] ret_from_fork+0x22/0x30 Restore the old get_cpu/put_cpu code with some modifications to reduce the size of the critical section. CVE-2022-48715 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48715.html CVE-2022-48715 https://bugzilla.suse.com/1226621 SUSE Bug 1226621 In the Linux kernel, the following vulnerability has been resolved: ASoC: max9759: fix underflow in speaker_gain_control_put() Check for negative values of "priv->gain" to prevent an out of bounds access. The concern is that these might come from the user via: -> snd_ctl_elem_write_user() -> snd_ctl_elem_write() -> kctl->put() CVE-2022-48717 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48717.html CVE-2022-48717 https://bugzilla.suse.com/1226679 SUSE Bug 1226679 In the Linux kernel, the following vulnerability has been resolved: net: macsec: Fix offload support for NETDEV_UNREGISTER event Current macsec netdev notify handler handles NETDEV_UNREGISTER event by releasing relevant SW resources only, this causes resources leak in case of macsec HW offload, as the underlay driver was not notified to clean it's macsec offload resources. Fix by calling the underlay driver to clean it's relevant resources by moving offload handling from macsec_dellink() to macsec_common_dellink() when handling NETDEV_UNREGISTER event. CVE-2022-48720 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48720.html CVE-2022-48720 https://bugzilla.suse.com/1226683 SUSE Bug 1226683 In the Linux kernel, the following vulnerability has been resolved: net/smc: Forward wakeup to smc socket waitqueue after fallback When we replace TCP with SMC and a fallback occurs, there may be some socket waitqueue entries remaining in smc socket->wq, such as eppoll_entries inserted by userspace applications. After the fallback, data flows over TCP/IP and only clcsocket->wq will be woken up. Applications can't be notified by the entries which were inserted in smc socket->wq before fallback. So we need a mechanism to wake up smc socket->wq at the same time if some entries remaining in it. The current workaround is to transfer the entries from smc socket->wq to clcsock->wq during the fallback. But this may cause a crash like this: general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E 5.16.0+ #107 RIP: 0010:__wake_up_common+0x65/0x170 Call Trace: <IRQ> __wake_up_common_lock+0x7a/0xc0 sock_def_readable+0x3c/0x70 tcp_data_queue+0x4a7/0xc40 tcp_rcv_established+0x32f/0x660 ? sk_filter_trim_cap+0xcb/0x2e0 tcp_v4_do_rcv+0x10b/0x260 tcp_v4_rcv+0xd2a/0xde0 ip_protocol_deliver_rcu+0x3b/0x1d0 ip_local_deliver_finish+0x54/0x60 ip_local_deliver+0x6a/0x110 ? tcp_v4_early_demux+0xa2/0x140 ? tcp_v4_early_demux+0x10d/0x140 ip_sublist_rcv_finish+0x49/0x60 ip_sublist_rcv+0x19d/0x230 ip_list_rcv+0x13e/0x170 __netif_receive_skb_list_core+0x1c2/0x240 netif_receive_skb_list_internal+0x1e6/0x320 napi_complete_done+0x11d/0x190 mlx5e_napi_poll+0x163/0x6b0 [mlx5_core] __napi_poll+0x3c/0x1b0 net_rx_action+0x27c/0x300 __do_softirq+0x114/0x2d2 irq_exit_rcu+0xb4/0xe0 common_interrupt+0xba/0xe0 </IRQ> <TASK> The crash is caused by privately transferring waitqueue entries from smc socket->wq to clcsock->wq. The owners of these entries, such as epoll, have no idea that the entries have been transferred to a different socket wait queue and still use original waitqueue spinlock (smc socket->wq.wait.lock) to make the entries operation exclusive, but it doesn't work. The operations to the entries, such as removing from the waitqueue (now is clcsock->wq after fallback), may cause a crash when clcsock waitqueue is being iterated over at the moment. This patch tries to fix this by no longer transferring wait queue entries privately, but introducing own implementations of clcsock's callback functions in fallback situation. The callback functions will forward the wakeup to smc socket->wq if clcsock->wq is actually woken up and smc socket->wq has remaining entries. CVE-2022-48721 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48721.html CVE-2022-48721 https://bugzilla.suse.com/1226685 SUSE Bug 1226685 In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: ca8210: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. We then leak the skb structure. Free the skb structure upon error before returning. CVE-2022-48722 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48722.html CVE-2022-48722 https://bugzilla.suse.com/1226619 SUSE Bug 1226619 In the Linux kernel, the following vulnerability has been resolved: spi: uniphier: fix reference count leak in uniphier_spi_probe() The issue happens in several error paths in uniphier_spi_probe(). When either dma_get_slave_caps() or devm_spi_register_master() returns an error code, the function forgets to decrease the refcount of both `dma_rx` and `dma_tx` objects, which may lead to refcount leaks. Fix it by decrementing the reference count of specific objects in those error paths. CVE-2022-48723 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48723.html CVE-2022-48723 https://bugzilla.suse.com/1226617 SUSE Bug 1226617 In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() After commit e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated"). For tear down scenario, fn is only freed after fail to allocate ir_domain, though it also should be freed in case dmar_enable_qi returns error. Besides free fn, irq_domain and ir_msi_domain need to be removed as well if intel_setup_irq_remapping fails to enable queued invalidation. Improve the rewinding path by add out_free_ir_domain and out_free_fwnode lables per Baolu's suggestion. CVE-2022-48724 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48724.html CVE-2022-48724 https://bugzilla.suse.com/1226624 SUSE Bug 1226624 In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix refcounting leak in siw_create_qp() The atomic_inc() needs to be paired with an atomic_dec() on the error path. CVE-2022-48725 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48725.html CVE-2022-48725 https://bugzilla.suse.com/1226618 SUSE Bug 1226618 In the Linux kernel, the following vulnerability has been resolved: RDMA/ucma: Protect mc during concurrent multicast leaves Partially revert the commit mentioned in the Fixes line to make sure that allocation and erasing multicast struct are locked. BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529 CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614 ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xae0 fs/read_write.c:588 ksys_write+0x1ee/0x250 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Currently the xarray search can touch a concurrently freeing mc as the xa_for_each() is not surrounded by any lock. Rather than hold the lock for a full scan hold it only for the effected items, which is usually an empty list. CVE-2022-48726 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48726.html CVE-2022-48726 https://bugzilla.suse.com/1226686 SUSE Bug 1226686 https://bugzilla.suse.com/1227552 SUSE Bug 1227552 In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Avoid consuming a stale esr value when SError occur When any exception other than an IRQ occurs, the CPU updates the ESR_EL2 register with the exception syndrome. An SError may also become pending, and will be synchronised by KVM. KVM notes the exception type, and whether an SError was synchronised in exit_code. When an exception other than an IRQ occurs, fixup_guest_exit() updates vcpu->arch.fault.esr_el2 from the hardware register. When an SError was synchronised, the vcpu esr value is used to determine if the exception was due to an HVC. If so, ELR_EL2 is moved back one instruction. This is so that KVM can process the SError first, and re-execute the HVC if the guest survives the SError. But if an IRQ synchronises an SError, the vcpu's esr value is stale. If the previous non-IRQ exception was an HVC, KVM will corrupt ELR_EL2, causing an unrelated guest instruction to be executed twice. Check ARM_EXCEPTION_CODE() before messing with ELR_EL2, IRQs don't update this register so don't need to check. CVE-2022-48727 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48727.html CVE-2022-48727 https://bugzilla.suse.com/1226690 SUSE Bug 1226690 In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix AIP early init panic An early failure in hfi1_ipoib_setup_rn() can lead to the following panic: BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0 PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI Workqueue: events work_for_cpu_fn RIP: 0010:try_to_grab_pending+0x2b/0x140 Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 <f0> 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046 RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000 RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0 RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690 FS: 0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: __cancel_work_timer+0x42/0x190 ? dev_printk_emit+0x4e/0x70 iowait_cancel_work+0x15/0x30 [hfi1] hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1] ? dev_err+0x6c/0x90 hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1] hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1] rdma_init_netdev+0x5a/0x80 [ib_core] ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1] ipoib_intf_init+0x6c/0x350 [ib_ipoib] ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib] ipoib_add_one+0xbe/0x300 [ib_ipoib] add_client_context+0x12c/0x1a0 [ib_core] enable_device_and_get+0xdc/0x1d0 [ib_core] ib_register_device+0x572/0x6b0 [ib_core] rvt_register_device+0x11b/0x220 [rdmavt] hfi1_register_ib_device+0x6b4/0x770 [hfi1] do_init_one.isra.20+0x3e3/0x680 [hfi1] local_pci_probe+0x41/0x90 work_for_cpu_fn+0x16/0x20 process_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 worker_thread+0x1cf/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x1f/0x40 The panic happens in hfi1_ipoib_txreq_deinit() because there is a NULL deref when hfi1_ipoib_netdev_dtor() is called in this error case. hfi1_ipoib_txreq_init() and hfi1_ipoib_rxq_init() are self unwinding so fix by adjusting the error paths accordingly. Other changes: - hfi1_ipoib_free_rdma_netdev() is deleted including the free_netdev() since the netdev core code deletes calls free_netdev() - The switch to the accelerated entrances is moved to the success path. CVE-2022-48728 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48728.html CVE-2022-48728 https://bugzilla.suse.com/1226691 SUSE Bug 1226691 In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix panic with larger ipoib send_queue_size When the ipoib send_queue_size is increased from the default the following panic happens: RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1] Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 <c7> 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0 Call Trace: <TASK> hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1] hfi1_ipoib_dev_stop+0x18/0x80 [hfi1] ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib] ipoib_stop+0x48/0xc0 [ib_ipoib] __dev_close_many+0x9e/0x110 __dev_change_flags+0xd9/0x210 dev_change_flags+0x21/0x60 do_setlink+0x31c/0x10f0 ? __nla_validate_parse+0x12d/0x1a0 ? __nla_parse+0x21/0x30 ? inet6_validate_link_af+0x5e/0xf0 ? cpumask_next+0x1f/0x20 ? __snmp6_fill_stats64.isra.53+0xbb/0x140 ? __nla_validate_parse+0x47/0x1a0 __rtnl_newlink+0x530/0x910 ? pskb_expand_head+0x73/0x300 ? __kmalloc_node_track_caller+0x109/0x280 ? __nla_put+0xc/0x20 ? cpumask_next_and+0x20/0x30 ? update_sd_lb_stats.constprop.144+0xd3/0x820 ? _raw_spin_unlock_irqrestore+0x25/0x37 ? __wake_up_common_lock+0x87/0xc0 ? kmem_cache_alloc_trace+0x3d/0x3d0 rtnl_newlink+0x43/0x60 The issue happens when the shift that should have been a function of the txq item size mistakenly used the ring size. Fix by using the item size. CVE-2022-48729 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48729.html CVE-2022-48729 https://bugzilla.suse.com/1226710 SUSE Bug 1226710 In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix potential spectre v1 gadget It appears like nr could be a Spectre v1 gadget as it's supplied by a user and used as an array index. Prevent the contents of kernel memory from being leaked to userspace via speculative execution by using array_index_nospec. [sumits: added fixes and cc: stable tags] CVE-2022-48730 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48730.html CVE-2022-48730 https://bugzilla.suse.com/1226713 SUSE Bug 1226713 In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix off by one in BIOS boundary checking Bounds checking when parsing init scripts embedded in the BIOS reject access to the last byte. This causes driver initialization to fail on Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working console. This is probably only seen on OpenFirmware machines like PowerPC Macs because the BIOS image provided by OF is only the used parts of the ROM, not a power-of-two blocks read from PCI directly so PCs always have empty bytes at the end that are never accessed. CVE-2022-48732 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48732.html CVE-2022-48732 https://bugzilla.suse.com/1226716 SUSE Bug 1226716 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between quota disable and qgroup rescan worker Quota disable ioctl starts a transaction before waiting for the qgroup rescan worker completes. However, this wait can be infinite and results in deadlock because of circular dependency among the quota disable ioctl, the qgroup rescan worker and the other task with transaction such as block group relocation task. The deadlock happens with the steps following: 1) Task A calls ioctl to disable quota. It starts a transaction and waits for qgroup rescan worker completes. 2) Task B such as block group relocation task starts a transaction and joins to the transaction that task A started. Then task B commits to the transaction. In this commit, task B waits for a commit by task A. 3) Task C as the qgroup rescan worker starts its job and starts a transaction. In this transaction start, task C waits for completion of the transaction that task A started and task B committed. This deadlock was found with fstests test case btrfs/115 and a zoned null_blk device. The test case enables and disables quota, and the block group reclaim was triggered during the quota disable by chance. The deadlock was also observed by running quota enable and disable in parallel with 'btrfs balance' command on regular null_blk devices. An example report of the deadlock: [372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds. [372.479944] Not tainted 5.16.0-rc8 #7 [372.485067] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2 flags:0x00004000 [372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs] [372.510782] Call Trace: [372.514092] <TASK> [372.521684] __schedule+0xb56/0x4850 [372.530104] ? io_schedule_timeout+0x190/0x190 [372.538842] ? lockdep_hardirqs_on+0x7e/0x100 [372.547092] ? _raw_spin_unlock_irqrestore+0x3e/0x60 [372.555591] schedule+0xe0/0x270 [372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs] [372.570506] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs] [372.578875] ? free_unref_page+0x3f2/0x650 [372.585484] ? finish_wait+0x270/0x270 [372.591594] ? release_extent_buffer+0x224/0x420 [btrfs] [372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs] [372.607157] ? lock_release+0x3a9/0x6d0 [372.613054] ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs] [372.620960] ? do_raw_spin_lock+0x11e/0x250 [372.627137] ? rwlock_bug.part.0+0x90/0x90 [372.633215] ? lock_is_held_type+0xe4/0x140 [372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs] [372.646268] process_one_work+0x7e9/0x1320 [372.652321] ? lock_release+0x6d0/0x6d0 [372.658081] ? pwq_dec_nr_in_flight+0x230/0x230 [372.664513] ? rwlock_bug.part.0+0x90/0x90 [372.670529] worker_thread+0x59e/0xf90 [372.676172] ? process_one_work+0x1320/0x1320 [372.682440] kthread+0x3b9/0x490 [372.687550] ? _raw_spin_unlock_irq+0x24/0x50 [372.693811] ? set_kthread_struct+0x100/0x100 [372.700052] ret_from_fork+0x22/0x30 [372.705517] </TASK> [372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds. [372.729827] Not tainted 5.16.0-rc8 #7 [372.745907] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2 flags:0x00004000 [372.787776] Call Trace: [372.801652] <TASK> [372.812961] __schedule+0xb56/0x4850 [372.830011] ? io_schedule_timeout+0x190/0x190 [372.852547] ? lockdep_hardirqs_on+0x7e/0x100 [372.871761] ? _raw_spin_unlock_irqrestore+0x3e/0x60 [372.886792] schedule+0xe0/0x270 [372.901685] wait_current_trans+0x22c/0x310 [btrfs] [372.919743] ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs] [372.938923] ? finish_wait+0x270/0x270 [372.959085] ? join_transaction+0xc7 ---truncated--- CVE-2022-48734 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48734.html CVE-2022-48734 https://bugzilla.suse.com/1226626 SUSE Bug 1226626 In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix UAF of leds class devs at unbinding The LED class devices that are created by HD-audio codec drivers are registered via devm_led_classdev_register() and associated with the HD-audio codec device. Unfortunately, it turned out that the devres release doesn't work for this case; namely, since the codec resource release happens before the devm call chain, it triggers a NULL dereference or a UAF for a stale set_brightness_delay callback. For fixing the bug, this patch changes the LED class device register and unregister in a manual manner without devres, keeping the instances in hda_gen_spec. CVE-2022-48735 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48735.html CVE-2022-48735 https://bugzilla.suse.com/1226719 SUSE Bug 1226719 https://bugzilla.suse.com/1227438 SUSE Bug 1227438 ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2022-48736 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48736.html CVE-2022-48736 https://bugzilla.suse.com/1226721 SUSE Bug 1226721 ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2022-48737 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48737.html CVE-2022-48737 https://bugzilla.suse.com/1226762 SUSE Bug 1226762 In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() We don't currently validate that the values being set are within the range we advertised to userspace as being valid, do so and reject any values that are out of range. CVE-2022-48738 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48738.html CVE-2022-48738 https://bugzilla.suse.com/1226674 SUSE Bug 1226674 In the Linux kernel, the following vulnerability has been resolved: ASoC: hdmi-codec: Fix OOB memory accesses Correct size of iec_status array by changing it to the size of status array of the struct snd_aes_iec958. This fixes out-of-bounds slab read accesses made by memcpy() of the hdmi-codec driver. This problem is reported by KASAN. CVE-2022-48739 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48739.html CVE-2022-48739 https://bugzilla.suse.com/1226675 SUSE Bug 1226675 In the Linux kernel, the following vulnerability has been resolved: selinux: fix double free of cond_list on error paths On error path from cond_read_list() and duplicate_policydb_cond_list() the cond_list_destroy() gets called a second time in caller functions, resulting in NULL pointer deref. Fix this by resetting the cond_list_len to 0 in cond_list_destroy(), making subsequent calls a noop. Also consistently reset the cond_list pointer to NULL after freeing. [PM: fix line lengths in the description] CVE-2022-48740 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48740.html CVE-2022-48740 https://bugzilla.suse.com/1226699 SUSE Bug 1226699 In the Linux kernel, the following vulnerability has been resolved: net: amd-xgbe: Fix skb data length underflow There will be BUG_ON() triggered in include/linux/skbuff.h leading to intermittent kernel panic, when the skb length underflow is detected. Fix this by dropping the packet if such length underflows are seen because of inconsistencies in the hardware descriptors. CVE-2022-48743 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48743.html CVE-2022-48743 https://bugzilla.suse.com/1226705 SUSE Bug 1226705 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid field-overflowing memcpy() In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use flexible arrays instead of zero-element arrays (which look like they are always overflowing) and split the cross-field memcpy() into two halves that can be appropriately bounds-checked by the compiler. We were doing: #define ETH_HLEN 14 #define VLAN_HLEN 4 ... #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN) ... struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi); ... struct mlx5_wqe_eth_seg *eseg = &wqe->eth; struct mlx5_wqe_data_seg *dseg = wqe->data; ... memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE); target is wqe->eth.inline_hdr.start (which the compiler sees as being 2 bytes in size), but copying 18, intending to write across start (really vlan_tci, 2 bytes). The remaining 16 bytes get written into wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr (8 bytes). struct mlx5e_tx_wqe { struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */ struct mlx5_wqe_eth_seg eth; /* 16 16 */ struct mlx5_wqe_data_seg data[]; /* 32 0 */ /* size: 32, cachelines: 1, members: 3 */ /* last cacheline: 32 bytes */ }; struct mlx5_wqe_eth_seg { u8 swp_outer_l4_offset; /* 0 1 */ u8 swp_outer_l3_offset; /* 1 1 */ u8 swp_inner_l4_offset; /* 2 1 */ u8 swp_inner_l3_offset; /* 3 1 */ u8 cs_flags; /* 4 1 */ u8 swp_flags; /* 5 1 */ __be16 mss; /* 6 2 */ __be32 flow_table_metadata; /* 8 4 */ union { struct { __be16 sz; /* 12 2 */ u8 start[2]; /* 14 2 */ } inline_hdr; /* 12 4 */ struct { __be16 type; /* 12 2 */ __be16 vlan_tci; /* 14 2 */ } insert; /* 12 4 */ __be32 trailer; /* 12 4 */ }; /* 12 4 */ /* size: 16, cachelines: 1, members: 9 */ /* last cacheline: 16 bytes */ }; struct mlx5_wqe_data_seg { __be32 byte_count; /* 0 4 */ __be32 lkey; /* 4 4 */ __be64 addr; /* 8 8 */ /* size: 16, cachelines: 1, members: 3 */ /* last cacheline: 16 bytes */ }; So, split the memcpy() so the compiler can reason about the buffer sizes. "pahole" shows no size nor member offset changes to struct mlx5e_tx_wqe nor struct mlx5e_umr_wqe. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations). CVE-2022-48744 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48744.html CVE-2022-48744 https://bugzilla.suse.com/1226696 SUSE Bug 1226696 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Use del_timer_sync in fw reset flow of halting poll Substitute del_timer() with del_timer_sync() in fw reset polling deactivation flow, in order to prevent a race condition which occurs when del_timer() is called and timer is deactivated while another process is handling the timer interrupt. A situation that led to the following call trace: RIP: 0010:run_timer_softirq+0x137/0x420 <IRQ> recalibrate_cpu_khz+0x10/0x10 ktime_get+0x3e/0xa0 ? sched_clock_cpu+0xb/0xc0 __do_softirq+0xf5/0x2ea irq_exit_rcu+0xc1/0xf0 sysvec_apic_timer_interrupt+0x9e/0xc0 asm_sysvec_apic_timer_interrupt+0x12/0x20 </IRQ> CVE-2022-48745 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48745.html CVE-2022-48745 https://bugzilla.suse.com/1226702 SUSE Bug 1226702 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix handling of wrong devices during bond netevent Current implementation of bond netevent handler only check if the handled netdev is VF representor and it missing a check if the VF representor is on the same phys device of the bond handling the netevent. Fix by adding the missing check and optimizing the check if the netdev is VF representor so it will not access uninitialized private data and crashes. BUG: kernel NULL pointer dereference, address: 000000000000036c PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI Workqueue: eth3bond0 bond_mii_monitor [bonding] RIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core] RSP: 0018:ffff88812d69fd60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000 RDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880 RBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008 R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10 R13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core] mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core] mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core] raw_notifier_call_chain+0x41/0x60 call_netdevice_notifiers_info+0x34/0x80 netdev_lower_state_changed+0x4e/0xa0 bond_mii_monitor+0x56b/0x640 [bonding] process_one_work+0x1b9/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x124/0x150 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 CVE-2022-48746 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48746.html CVE-2022-48746 https://bugzilla.suse.com/1226703 SUSE Bug 1226703 In the Linux kernel, the following vulnerability has been resolved: block: Fix wrong offset in bio_truncate() bio_truncate() clears the buffer outside of last block of bdev, however current bio_truncate() is using the wrong offset of page. So it can return the uninitialized data. This happened when both of truncated/corrupted FS and userspace (via bdev) are trying to read the last of bdev. CVE-2022-48747 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48747.html CVE-2022-48747 https://bugzilla.suse.com/1226643 SUSE Bug 1226643 In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc The function performs a check on the "ctx" input parameter, however, it is used before the check. Initialize the "base" variable after the sanity check to avoid a possible NULL pointer dereference. Addresses-Coverity-ID: 1493866 ("Null pointer dereference") CVE-2022-48749 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48749.html CVE-2022-48749 https://bugzilla.suse.com/1226650 SUSE Bug 1226650 In the Linux kernel, the following vulnerability has been resolved: net/smc: Transitional solution for clcsock race issue We encountered a crash in smc_setsockopt() and it is caused by accessing smc->clcsock after clcsock was released. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53 RIP: 0010:smc_setsockopt+0x59/0x280 [smc] Call Trace: <TASK> __sys_setsockopt+0xfc/0x190 __x64_sys_setsockopt+0x20/0x30 do_syscall_64+0x34/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f16ba83918e </TASK> This patch tries to fix it by holding clcsock_release_lock and checking whether clcsock has already been released before access. In case that a crash of the same reason happens in smc_getsockopt() or smc_switch_to_fallback(), this patch also checkes smc->clcsock in them too. And the caller of smc_switch_to_fallback() will identify whether fallback succeeds according to the return value. CVE-2022-48751 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48751.html CVE-2022-48751 https://bugzilla.suse.com/1226653 SUSE Bug 1226653 In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel triggered below warning: [ 172.851380] ------------[ cut here ]------------ [ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280 [ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse [ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2 [ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180 [ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598) [ 172.851465] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 48004884 XER: 20040000 [ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1 [ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004 [ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000 [ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68 [ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000 [ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0 [ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003 [ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600 [ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8 [ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280 [ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280 [ 172.851565] Call Trace: [ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable) [ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60 [ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660 [ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0 [ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140 [ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40 [ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380 [ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268 The warning indicates that MSR_EE being set(interrupt enabled) when there was an overflown PMC detected. This could happen in power_pmu_disable since it runs under interrupt soft disable condition ( local_irq_save ) and not with interrupts hard disabled. commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") intended to clear PMI pending bit in Paca when disabling the PMU. It could happen that PMC gets overflown while code is in power_pmu_disable callback function. Hence add a check to see if PMI pending bit is set in Paca before clearing it via clear_pmi_pending. CVE-2022-48752 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48752.html CVE-2022-48752 https://bugzilla.suse.com/1226709 SUSE Bug 1226709 In the Linux kernel, the following vulnerability has been resolved: phylib: fix potential use-after-free Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call to phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call says that the phydev might go away with put_device(). Fix potential use-after-free by calling phy_device_reset() before put_device(). CVE-2022-48754 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48754.html CVE-2022-48754 https://bugzilla.suse.com/1226692 SUSE Bug 1226692 In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable The function performs a check on the "phy" input parameter, however, it is used before the check. Initialize the "dev" variable after the sanity check to avoid a possible NULL pointer dereference. Addresses-Coverity-ID: 1493860 ("Null pointer dereference") CVE-2022-48756 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48756.html CVE-2022-48756 https://bugzilla.suse.com/1226698 SUSE Bug 1226698 In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() The bnx2fc_destroy() functions are removing the interface before calling destroy_work. This results multiple WARNings from sysfs_remove_group() as the controller rport device attributes are removed too early. Replace the fcoe_port's destroy_work queue. It's not needed. The problem is easily reproducible with the following steps. Example: $ dmesg -w & $ systemctl enable --now fcoe $ fipvlan -s -c ens2f1 $ fcoeadm -d ens2f1.802 [ 583.464488] host2: libfc: Link down on port (7500a1) [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!! [ 583.490468] ------------[ cut here ]------------ [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0' [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80 [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ... [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1 [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc] [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80 [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ... [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282 [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000 [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0 [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00 [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400 [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004 [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000 [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0 [ 584.454888] Call Trace: [ 584.466108] device_del+0xb2/0x3e0 [ 584.481701] device_unregister+0x13/0x60 [ 584.501306] bsg_unregister_queue+0x5b/0x80 [ 584.522029] bsg_remove_queue+0x1c/0x40 [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc] [ 584.573823] process_one_work+0x1e3/0x3b0 [ 584.592396] worker_thread+0x50/0x3b0 [ 584.609256] ? rescuer_thread+0x370/0x370 [ 584.628877] kthread+0x149/0x170 [ 584.643673] ? set_kthread_struct+0x40/0x40 [ 584.662909] ret_from_fork+0x22/0x30 [ 584.680002] ---[ end trace 53575ecefa942ece ]--- CVE-2022-48758 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48758.html CVE-2022-48758 https://bugzilla.suse.com/1226708 SUSE Bug 1226708 In the Linux kernel, the following vulnerability has been resolved: rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev struct rpmsg_ctrldev contains a struct cdev. The current code frees the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the cdev is a managed object, therefore its release is not predictable and the rpmsg_ctrldev could be freed before the cdev is entirely released, as in the backtrace below. [ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c [ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0 [ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v [ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26 [ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT) [ 93.730055] Workqueue: events kobject_delayed_cleanup [ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) [ 93.740216] pc : debug_print_object+0x13c/0x1b0 [ 93.744890] lr : debug_print_object+0x13c/0x1b0 [ 93.749555] sp : ffffffacf5bc7940 [ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 [ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000 [ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 [ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 [ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 [ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 [ 93.785814] x17: 0000000000000000 x16: dfffffd000000000 [ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c [ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000 [ 93.802244] x11: 0000000000000001 x10: 0000000000000000 [ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 [ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000 [ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000 [ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001 [ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 [ 93.835104] Call trace: [ 93.837644] debug_print_object+0x13c/0x1b0 [ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0 [ 93.846987] debug_check_no_obj_freed+0x18/0x20 [ 93.851669] slab_free_freelist_hook+0xbc/0x1e4 [ 93.856346] kfree+0xfc/0x2f4 [ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8 [ 93.864445] device_release+0x84/0x168 [ 93.868310] kobject_cleanup+0x12c/0x298 [ 93.872356] kobject_delayed_cleanup+0x10/0x18 [ 93.876948] process_one_work+0x578/0x92c [ 93.881086] worker_thread+0x804/0xcf8 [ 93.884963] kthread+0x2a8/0x314 [ 93.888303] ret_from_fork+0x10/0x18 The cdev_device_add/del() API was created to address this issue (see commit '233ed09d7fda ("chardev: add helper function to register char devs with a struct device")'), use it instead of cdev add/del(). CVE-2022-48759 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48759.html CVE-2022-48759 https://bugzilla.suse.com/1226711 SUSE Bug 1226711 In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix hang in usb_kill_urb by adding memory barriers The syzbot fuzzer has identified a bug in which processes hang waiting for usb_kill_urb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received. The reason is memory-access ordering on SMP systems. In outline form, usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on different CPUs perform the following actions: CPU 0 CPU 1 ---------------------------- --------------------------------- usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->reject); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is: write urb->reject, then read urb->use_count; whereas the overall pattern of accesses on CPU 1 is: write urb->use_count, then read urb->reject. This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->use_count while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usb_kill_urb(). The same pattern of accesses occurs in usb_poison_urb() and the failure pathway of usb_hcd_submit_urb(). The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomic_inc() and atomic_dec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smp_mb__after_atomic() memory barrier in the various routines to obtain the desired effect. This patch adds the necessary memory barriers. CVE-2022-48760 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48760.html CVE-2022-48760 https://bugzilla.suse.com/1226712 SUSE Bug 1226712 In the Linux kernel, the following vulnerability has been resolved: usb: xhci-plat: fix crash when suspend if remote wake enable Crashed at i.mx8qm platform when suspend if enable remote wakeup Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12 Hardware name: Freescale i.MX8QM MEK (DT) Workqueue: events_unbound async_run_entry_fn pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8 lr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8 sp : ffff80001394bbf0 x29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578 x26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000 x23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001 x20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0 x8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453 x5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620 Call trace: xhci_disable_hub_port_wake.isra.62+0x60/0xf8 xhci_suspend+0x58/0x510 xhci_plat_suspend+0x50/0x78 platform_pm_suspend+0x2c/0x78 dpm_run_callback.isra.25+0x50/0xe8 __device_suspend+0x108/0x3c0 The basic flow: 1. run time suspend call xhci_suspend, xhci parent devices gate the clock. 2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend 3. xhci_suspend call xhci_disable_hub_port_wake, which access register, but clock already gated by run time suspend. This problem was hidden by power domain driver, which call run time resume before it. But the below commit remove it and make this issue happen. commit c1df456d0f06e ("PM: domains: Don't runtime resume devices at genpd_prepare()") This patch call run time resume before suspend to make sure clock is on before access register. Testeb-by: Abel Vesa <abel.vesa@nxp.com> CVE-2022-48761 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48761.html CVE-2022-48761 https://bugzilla.suse.com/1226701 SUSE Bug 1226701 In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Forcibly leave nested virt when SMM state is toggled Forcibly leave nested virtualization operation if userspace toggles SMM state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace forces the vCPU out of SMM while it's post-VMXON and then injects an SMI, vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both vmxon=false and smm.vmxon=false, but all other nVMX state allocated. Don't attempt to gracefully handle the transition as (a) most transitions are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't sufficient information to handle all transitions, e.g. SVM wants access to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede KVM_SET_NESTED_STATE during state restore as the latter disallows putting the vCPU into L2 if SMM is active, and disallows tagging the vCPU as being post-VMXON in SMM if SMM is not active. Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU in an architecturally impossible state. WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Modules linked in: CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00 Call Trace: <TASK> kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123 kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline] kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460 kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline] kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline] kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250 kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273 __fput+0x286/0x9f0 fs/file_table.c:311 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0xb29/0x2a30 kernel/exit.c:806 do_group_exit+0xd2/0x2f0 kernel/exit.c:935 get_signal+0x4b0/0x28c0 kernel/signal.c:2862 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae </TASK> CVE-2022-48763 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48763.html CVE-2022-48763 https://bugzilla.suse.com/1226628 SUSE Bug 1226628 In the Linux kernel, the following vulnerability has been resolved: KVM: LAPIC: Also cancel preemption timer during SET_LAPIC The below warning is splatting during guest reboot. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5 RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] Call Trace: <TASK> kvm_vcpu_ioctl+0x279/0x710 [kvm] __x64_sys_ioctl+0x83/0xb0 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd39797350b This can be triggered by not exposing tsc-deadline mode and doing a reboot in the guest. The lapic_shutdown() function which is called in sys_reboot path will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode switch between tsc-deadline and oneshot/periodic, which can result in preemption timer be cancelled in apic_update_lvtt(). However, We can't depend on this when not exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption timer. Qemu will synchronise states around reset, let's cancel preemption timer under KVM_SET_LAPIC. CVE-2022-48765 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48765.html CVE-2022-48765 https://bugzilla.suse.com/1226697 SUSE Bug 1226697 In the Linux kernel, the following vulnerability has been resolved: ceph: properly put ceph_string reference after async create attempt The reference acquired by try_prep_async_create is currently leaked. Ensure we put it. CVE-2022-48767 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48767.html CVE-2022-48767 https://bugzilla.suse.com/1226715 SUSE Bug 1226715 In the Linux kernel, the following vulnerability has been resolved: tracing/histogram: Fix a potential memory leak for kstrdup() kfree() is missing on an error path to free the memory allocated by kstrdup(): p = param = kstrdup(data->params[i], GFP_KERNEL); So it is better to free it via kfree(p). CVE-2022-48768 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48768.html CVE-2022-48768 https://bugzilla.suse.com/1226720 SUSE Bug 1226720 In the Linux kernel, the following vulnerability has been resolved: efi: runtime: avoid EFIv2 runtime services on Apple x86 machines Aditya reports [0] that his recent MacbookPro crashes in the firmware when using the variable services at runtime. The culprit appears to be a call to QueryVariableInfo(), which we did not use to call on Apple x86 machines in the past as they only upgraded from EFI v1.10 to EFI v2.40 firmware fairly recently, and QueryVariableInfo() (along with UpdateCapsule() et al) was added in EFI v2.00. The only runtime service introduced in EFI v2.00 that we actually use in Linux is QueryVariableInfo(), as the capsule based ones are optional, generally not used at runtime (all the LVFS/fwupd firmware update infrastructure uses helper EFI programs that invoke capsule update at boot time, not runtime), and not implemented by Apple machines in the first place. QueryVariableInfo() is used to 'safely' set variables, i.e., only when there is enough space. This prevents machines with buggy firmwares from corrupting their NVRAMs when they run out of space. Given that Apple machines have been using EFI v1.10 services only for the longest time (the EFI v2.0 spec was released in 2006, and Linux support for the newly introduced runtime services was added in 2011, but the MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only), let's avoid the EFI v2.0 ones on all Apple x86 machines. [0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/ CVE-2022-48769 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48769.html CVE-2022-48769 https://bugzilla.suse.com/1226629 SUSE Bug 1226629 In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix stale file descriptors on failed usercopy A failing usercopy of the fence_rep object will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios. Fix this by deferring the call to fd_install() until after the usercopy has succeeded. CVE-2022-48771 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48771.html CVE-2022-48771 https://bugzilla.suse.com/1226732 SUSE Bug 1226732 In the Linux kernel, the following vulnerability has been resolved: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create If there are failures then we must not leave the non-NULL pointers with the error value, otherwise `rpcrdma_ep_destroy` gets confused and tries free them, resulting in an Oops. CVE-2022-48773 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48773.html CVE-2022-48773 https://bugzilla.suse.com/1227921 SUSE Bug 1227921 In the Linux kernel, the following vulnerability has been resolved: dmaengine: ptdma: Fix the error handling path in pt_core_init() In order to free resources correctly in the error handling path of pt_core_init(), 2 goto's have to be switched. Otherwise, some resources will leak and we will try to release things that have not been allocated yet. Also move a dev_err() to a place where it is more meaningful. CVE-2022-48774 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48774.html CVE-2022-48774 https://bugzilla.suse.com/1227923 SUSE Bug 1227923 In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add(): If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix memory leak by calling kobject_put(). CVE-2022-48775 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48775.html CVE-2022-48775 https://bugzilla.suse.com/1227924 SUSE Bug 1227924 In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: qcom: Fix missing free for pparts in cleanup Mtdpart doesn't free pparts when a cleanup function is declared. Add missing free for pparts in cleanup function for smem to fix the leak. CVE-2022-48776 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48776.html CVE-2022-48776 https://bugzilla.suse.com/1227925 SUSE Bug 1227925 In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: qcom: Fix kernel panic on skipped partition In the event of a skipped partition (case when the entry name is empty) the kernel panics in the cleanup function as the name entry is NULL. Rework the parser logic by first checking the real partition number and then allocate the space and set the data for the valid partitions. The logic was also fundamentally wrong as with a skipped partition, the parts number returned was incorrect by not decreasing it for the skipped partitions. CVE-2022-48777 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48777.html CVE-2022-48777 https://bugzilla.suse.com/1227922 SUSE Bug 1227922 In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: gpmi: don't leak PM reference in error path If gpmi_nfc_apply_timings() fails, the PM runtime usage counter must be dropped. CVE-2022-48778 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48778.html CVE-2022-48778 https://bugzilla.suse.com/1227935 SUSE Bug 1227935 In the Linux kernel, the following vulnerability has been resolved: net/smc: Avoid overwriting the copies of clcsock callback functions The callback functions of clcsock will be saved and replaced during the fallback. But if the fallback happens more than once, then the copies of these callback functions will be overwritten incorrectly, resulting in a loop call issue: clcsk->sk_error_report |- smc_fback_error_report() <------------------------------| |- smc_fback_forward_wakeup() | (loop) |- clcsock_callback() (incorrectly overwritten) | |- smc->clcsk_error_report() ------------------| So this patch fixes the issue by saving these function pointers only once in the fallback and avoiding overwriting. CVE-2022-48780 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48780.html CVE-2022-48780 https://bugzilla.suse.com/1227995 SUSE Bug 1227995 In the Linux kernel, the following vulnerability has been resolved: net: dsa: lantiq_gswip: fix use after free in gswip_remove() of_node_put(priv->ds->slave_mii_bus->dev.of_node) should be done before mdiobus_free(priv->ds->slave_mii_bus). CVE-2022-48783 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48783.html CVE-2022-48783 https://bugzilla.suse.com/1227949 SUSE Bug 1227949 In the Linux kernel, the following vulnerability has been resolved: cfg80211: fix race in netlink owner interface destruction My previous fix here to fix the deadlock left a race where the exact same deadlock (see the original commit referenced below) can still happen if cfg80211_destroy_ifaces() already runs while nl80211_netlink_notify() is still marking some interfaces as nl_owner_dead. The race happens because we have two loops here - first we dev_close() all the netdevs, and then we destroy them. If we also have two netdevs (first one need only be a wdev though) then we can find one during the first iteration, close it, and go to the second iteration -- but then find two, and try to destroy also the one we didn't close yet. Fix this by only iterating once. CVE-2022-48784 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48784.html CVE-2022-48784 https://bugzilla.suse.com/1227938 SUSE Bug 1227938 In the Linux kernel, the following vulnerability has been resolved: vsock: remove vsock from connected table when connect is interrupted by a signal vsock_connect() expects that the socket could already be in the TCP_ESTABLISHED state when the connecting task wakes up with a signal pending. If this happens the socket will be in the connected table, and it is not removed when the socket state is reset. In this situation it's common for the process to retry connect(), and if the connection is successful the socket will be added to the connected table a second time, corrupting the list. Prevent this by calling vsock_remove_connected() if a signal is received while waiting for a connection. This is harmless if the socket is not in the connected table, and if it is in the table then removing it will prevent list corruption from a double add. Note for backporting: this patch requires d5afa82c977e ("vsock: correct removal of socket from the list"), which is in all current stable trees except 4.9.y. CVE-2022-48786 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48786.html CVE-2022-48786 https://bugzilla.suse.com/1227996 SUSE Bug 1227996 In the Linux kernel, the following vulnerability has been resolved: iwlwifi: fix use-after-free If no firmware was present at all (or, presumably, all of the firmware files failed to parse), we end up unbinding by calling device_release_driver(), which calls remove(), which then in iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However the new code I added will still erroneously access it after it was freed. Set 'failure=false' in this case to avoid the access, all data was already freed anyway. CVE-2022-48787 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48787.html CVE-2022-48787 https://bugzilla.suse.com/1227932 SUSE Bug 1227932 In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: fix possible use-after-free in transport error_recovery work While nvme_rdma_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state. CVE-2022-48788 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48788.html CVE-2022-48788 https://bugzilla.suse.com/1227952 SUSE Bug 1227952 In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix possible use-after-free in transport error_recovery work While nvme_tcp_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state. CVE-2022-48789 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48789.html CVE-2022-48789 https://bugzilla.suse.com/1228000 SUSE Bug 1228000 In the Linux kernel, the following vulnerability has been resolved: nvme: fix a possible use-after-free in controller reset during load Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl readiness for AER submission. This may lead to a use-after-free condition that was observed with nvme-tcp. The race condition may happen in the following scenario: 1. driver executes its reset_ctrl_work 2. -> nvme_stop_ctrl - flushes ctrl async_event_work 3. ctrl sends AEN which is received by the host, which in turn schedules AEN handling 4. teardown admin queue (which releases the queue socket) 5. AEN processed, submits another AER, calling the driver to submit 6. driver attempts to send the cmd ==> use-after-free In order to fix that, add ctrl state check to validate the ctrl is actually able to accept the AER submission. This addresses the above race in controller resets because the driver during teardown should: 1. change ctrl state to RESETTING 2. flush async_event_work (as well as other async work elements) So after 1,2, any other AER command will find the ctrl state to be RESETTING and bail out without submitting the AER. CVE-2022-48790 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48790.html CVE-2022-48790 https://bugzilla.suse.com/1227941 SUSE Bug 1227941 In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared. CVE-2022-48791 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48791.html CVE-2022-48791 https://bugzilla.suse.com/1228002 SUSE Bug 1228002 https://bugzilla.suse.com/1228012 SUSE Bug 1228012 In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion(). In this case, the following are the two steps in handling those I/O completions: - Call complete() to inform the upper layer handler of completion of the I/O. - Release driver resources associated with the sas_task in pm8001_ccb_task_free() call. When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call. Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering. CVE-2022-48792 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48792.html CVE-2022-48792 https://bugzilla.suse.com/1228013 SUSE Bug 1228013 https://bugzilla.suse.com/1228017 SUSE Bug 1228017 In the Linux kernel, the following vulnerability has been resolved: KVM: x86: nSVM: fix potential NULL derefernce on nested migration Turns out that due to review feedback and/or rebases I accidentally moved the call to nested_svm_load_cr3 to be too early, before the NPT is enabled, which is very wrong to do. KVM can't even access guest memory at that point as nested NPT is needed for that, and of course it won't initialize the walk_mmu, which is main issue the patch was addressing. Fix this for real. CVE-2022-48793 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48793.html CVE-2022-48793 https://bugzilla.suse.com/1228019 SUSE Bug 1228019 In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: at86rf230: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. In the Tx case we then leak the skb structure. Free the skb structure upon error before returning when appropriate. As the 'is_tx = 0' cannot be moved in the complete handler because of a possible race between the delay in switching to STATE_RX_AACK_ON and a new interrupt, we introduce an intermediate 'was_tx' boolean just for this purpose. There is no Fixes tag applying here, many changes have been made on this area and the issue kind of always existed. CVE-2022-48794 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48794.html CVE-2022-48794 https://bugzilla.suse.com/1228025 SUSE Bug 1228025 In the Linux kernel, the following vulnerability has been resolved: iommu: Fix potential use-after-free during probe Kasan has reported the following use after free on dev->iommu. when a device probe fails and it is in process of freeing dev->iommu in dev_iommu_free function, a deferred_probe_work_func runs in parallel and tries to access dev->iommu->fwspec in of_iommu_configure path thus causing use after free. BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4 Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153 Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace+0x0/0x33c show_stack+0x18/0x24 dump_stack_lvl+0x16c/0x1e0 print_address_description+0x84/0x39c __kasan_report+0x184/0x308 kasan_report+0x50/0x78 __asan_load8+0xc0/0xc4 of_iommu_configure+0xb4/0x4a4 of_dma_configure_id+0x2fc/0x4d4 platform_dma_configure+0x40/0x5c really_probe+0x1b4/0xb74 driver_probe_device+0x11c/0x228 __device_attach_driver+0x14c/0x304 bus_for_each_drv+0x124/0x1b0 __device_attach+0x25c/0x334 device_initial_probe+0x24/0x34 bus_probe_device+0x78/0x134 deferred_probe_work_func+0x130/0x1a8 process_one_work+0x4c8/0x970 worker_thread+0x5c8/0xaec kthread+0x1f8/0x220 ret_from_fork+0x10/0x18 Allocated by task 1: ____kasan_kmalloc+0xd4/0x114 __kasan_kmalloc+0x10/0x1c kmem_cache_alloc_trace+0xe4/0x3d4 __iommu_probe_device+0x90/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Freed by task 1: kasan_set_track+0x4c/0x84 kasan_set_free_info+0x28/0x4c ____kasan_slab_free+0x120/0x15c __kasan_slab_free+0x18/0x28 slab_free_freelist_hook+0x204/0x2fc kfree+0xfc/0x3a4 __iommu_probe_device+0x284/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Fix this by setting dev->iommu to NULL first and then freeing dev_iommu structure in dev_iommu_free function. CVE-2022-48796 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48796.html CVE-2022-48796 https://bugzilla.suse.com/1228028 SUSE Bug 1228028 In the Linux kernel, the following vulnerability has been resolved: mm: don't try to NUMA-migrate COW pages that have other uses Oded Gabbay reports that enabling NUMA balancing causes corruption with his Gaudi accelerator test load: "All the details are in the bug, but the bottom line is that somehow, this patch causes corruption when the numa balancing feature is enabled AND we don't use process affinity AND we use GUP to pin pages so our accelerator can DMA to/from system memory. Either disabling numa balancing, using process affinity to bind to specific numa-node or reverting this patch causes the bug to disappear" and Oded bisected the issue to commit 09854ba94c6a ("mm: do_wp_page() simplification"). Now, the NUMA balancing shouldn't actually be changing the writability of a page, and as such shouldn't matter for COW. But it appears it does. Suspicious. However, regardless of that, the condition for enabling NUMA faults in change_pte_range() is nonsensical. It uses "page_mapcount(page)" to decide if a COW page should be NUMA-protected or not, and that makes absolutely no sense. The number of mappings a page has is irrelevant: not only does GUP get a reference to a page as in Oded's case, but the other mappings migth be paged out and the only reference to them would be in the page count. Since we should never try to NUMA-balance a page that we can't move anyway due to other references, just fix the code to use 'page_count()'. Oded confirms that that fixes his issue. Now, this does imply that something in NUMA balancing ends up changing page protections (other than the obvious one of making the page inaccessible to get the NUMA faulting information). Otherwise the COW simplification wouldn't matter - since doing the GUP on the page would make sure it's writable. The cause of that permission change would be good to figure out too, since it clearly results in spurious COW events - but fixing the nonsensical test that just happened to work before is obviously the CorrectThing(tm) to do regardless. CVE-2022-48797 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48797.html CVE-2022-48797 https://bugzilla.suse.com/1228035 SUSE Bug 1228035 In the Linux kernel, the following vulnerability has been resolved: s390/cio: verify the driver availability for path_event call If no driver is attached to a device or the driver does not provide the path_event function, an FCES path-event on this device could end up in a kernel-panic. Verify the driver availability before the path_event function call. CVE-2022-48798 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48798.html CVE-2022-48798 https://bugzilla.suse.com/1227945 SUSE Bug 1227945 In the Linux kernel, the following vulnerability has been resolved: perf: Fix list corruption in perf_cgroup_switch() There's list corruption on cgrp_cpuctx_list. This happens on the following path: perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list) cpu_ctx_sched_in ctx_sched_in ctx_pinned_sched_in merge_sched_in perf_cgroup_event_disable: remove the event from the list Use list_for_each_entry_safe() to allow removing an entry during iteration. CVE-2022-48799 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48799.html CVE-2022-48799 https://bugzilla.suse.com/1227953 SUSE Bug 1227953 In the Linux kernel, the following vulnerability has been resolved: mm: vmscan: remove deadlock due to throttling failing to make progress A soft lockup bug in kcompactd was reported in a private bugzilla with the following visible in dmesg; watchdog: BUG: soft lockup - CPU#33 stuck for 26s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 52s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 78s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 104s! [kcompactd0:479] The machine had 256G of RAM with no swap and an earlier failed allocation indicated that node 0 where kcompactd was run was potentially unreclaimable; Node 0 active_anon:29355112kB inactive_anon:2913528kB active_file:0kB inactive_file:0kB unevictable:64kB isolated(anon):0kB isolated(file):0kB mapped:8kB dirty:0kB writeback:0kB shmem:26780kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 23480320kB writeback_tmp:0kB kernel_stack:2272kB pagetables:24500kB all_unreclaimable? yes Vlastimil Babka investigated a crash dump and found that a task migrating pages was trying to drain PCP lists; PID: 52922 TASK: ffff969f820e5000 CPU: 19 COMMAND: "kworker/u128:3" Call Trace: __schedule schedule schedule_timeout wait_for_completion __flush_work __drain_all_pages __alloc_pages_slowpath.constprop.114 __alloc_pages alloc_migration_target migrate_pages migrate_to_node do_migrate_pages cpuset_migrate_mm_workfn process_one_work worker_thread kthread ret_from_fork This failure is specific to CONFIG_PREEMPT=n builds. The root of the problem is that kcompact0 is not rescheduling on a CPU while a task that has isolated a large number of the pages from the LRU is waiting on kcompact0 to reschedule so the pages can be released. While shrink_inactive_list() only loops once around too_many_isolated, reclaim can continue without rescheduling if sc->skipped_deactivate == 1 which could happen if there was no file LRU and the inactive anon list was not low. CVE-2022-48800 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48800.html CVE-2022-48800 https://bugzilla.suse.com/1227954 SUSE Bug 1227954 In the Linux kernel, the following vulnerability has been resolved: iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL If we fail to copy the just created file descriptor to userland, we try to clean up by putting back 'fd' and freeing 'ib'. The code uses put_unused_fd() for the former which is wrong, as the file descriptor was already published by fd_install() which gets called internally by anon_inode_getfd(). This makes the error handling code leaving a half cleaned up file descriptor table around and a partially destructed 'file' object, allowing userland to play use-after-free tricks on us, by abusing the still usable fd and making the code operate on a dangling 'file->private_data' pointer. Instead of leaving the kernel in a partially corrupted state, don't attempt to explicitly clean up and leave this to the process exit path that'll release any still valid fds, including the one created by the previous call to anon_inode_getfd(). Simply return -EFAULT to indicate the error. CVE-2022-48801 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48801.html CVE-2022-48801 https://bugzilla.suse.com/1227956 SUSE Bug 1227956 https://bugzilla.suse.com/1228023 SUSE Bug 1228023 In the Linux kernel, the following vulnerability has been resolved: fs/proc: task_mmu.c: don't read mapcount for migration entry The syzbot reported the below BUG: kernel BUG at include/linux/page-flags.h:785! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline] RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744 Call Trace: page_mapcount include/linux/mm.h:837 [inline] smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466 smaps_pte_entry fs/proc/task_mmu.c:538 [inline] smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601 walk_pmd_range mm/pagewalk.c:128 [inline] walk_pud_range mm/pagewalk.c:205 [inline] walk_p4d_range mm/pagewalk.c:240 [inline] walk_pgd_range mm/pagewalk.c:277 [inline] __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379 walk_page_vma+0x277/0x350 mm/pagewalk.c:530 smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768 smap_gather_stats fs/proc/task_mmu.c:741 [inline] show_smap+0xc6/0x440 fs/proc/task_mmu.c:822 seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272 seq_read+0x3e0/0x5b0 fs/seq_file.c:162 vfs_read+0x1b5/0x600 fs/read_write.c:479 ksys_read+0x12d/0x250 fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The reproducer was trying to read /proc/$PID/smaps when calling MADV_FREE at the mean time. MADV_FREE may split THPs if it is called for partial THP. It may trigger the below race: CPU A CPU B ----- ----- smaps walk: MADV_FREE: page_mapcount() PageCompound() split_huge_page() page = compound_head(page) PageDoubleMap(page) When calling PageDoubleMap() this page is not a tail page of THP anymore so the BUG is triggered. This could be fixed by elevated refcount of the page before calling mapcount, but that would prevent it from counting migration entries, and it seems overkilling because the race just could happen when PMD is split so all PTE entries of tail pages are actually migration entries, and smaps_account() does treat migration entries as mapcount == 1 as Kirill pointed out. Add a new parameter for smaps_account() to tell this entry is migration entry then skip calling page_mapcount(). Don't skip getting mapcount for device private entries since they do track references with mapcount. Pagemap also has the similar issue although it was not reported. Fixed it as well. [shy828301@gmail.com: v4] Link: https://lkml.kernel.org/r/20220203182641.824731-1-shy828301@gmail.com [nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()] Link: https://lkml.kernel.org/r/20220207171049.1102239-1-nathan@kernel.org CVE-2022-48802 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48802.html CVE-2022-48802 https://bugzilla.suse.com/1227942 SUSE Bug 1227942 In the Linux kernel, the following vulnerability has been resolved: phy: ti: Fix missing sentinel for clk_div_table _get_table_maxdiv() tries to access "clk_div_table" array out of bound defined in phy-j721e-wiz.c. Add a sentinel entry to prevent the following global-out-of-bounds error reported by enabling KASAN. [ 9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148 [ 9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38 [ 9.565926] [ 9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360 [ 9.576242] Hardware name: Texas Instruments J721e EVM (DT) [ 9.581832] Workqueue: events_unbound deferred_probe_work_func [ 9.587708] Call trace: [ 9.590174] dump_backtrace+0x20c/0x218 [ 9.594038] show_stack+0x18/0x68 [ 9.597375] dump_stack_lvl+0x9c/0xd8 [ 9.601062] print_address_description.constprop.0+0x78/0x334 [ 9.606830] kasan_report+0x1f0/0x260 [ 9.610517] __asan_load4+0x9c/0xd8 [ 9.614030] _get_maxdiv+0xc0/0x148 [ 9.617540] divider_determine_rate+0x88/0x488 [ 9.622005] divider_round_rate_parent+0xc8/0x124 [ 9.626729] wiz_clk_div_round_rate+0x54/0x68 [ 9.631113] clk_core_determine_round_nolock+0x124/0x158 [ 9.636448] clk_core_round_rate_nolock+0x68/0x138 [ 9.641260] clk_core_set_rate_nolock+0x268/0x3a8 [ 9.645987] clk_set_rate+0x50/0xa8 [ 9.649499] cdns_sierra_phy_init+0x88/0x248 [ 9.653794] phy_init+0x98/0x108 [ 9.657046] cdns_pcie_enable_phy+0xa0/0x170 [ 9.661340] cdns_pcie_init_phy+0x250/0x2b0 [ 9.665546] j721e_pcie_probe+0x4b8/0x798 [ 9.669579] platform_probe+0x8c/0x108 [ 9.673350] really_probe+0x114/0x630 [ 9.677037] __driver_probe_device+0x18c/0x220 [ 9.681505] driver_probe_device+0xac/0x150 [ 9.685712] __device_attach_driver+0xec/0x170 [ 9.690178] bus_for_each_drv+0xf0/0x158 [ 9.694124] __device_attach+0x184/0x210 [ 9.698070] device_initial_probe+0x14/0x20 [ 9.702277] bus_probe_device+0xec/0x100 [ 9.706223] deferred_probe_work_func+0x124/0x180 [ 9.710951] process_one_work+0x4b0/0xbc0 [ 9.714983] worker_thread+0x74/0x5d0 [ 9.718668] kthread+0x214/0x230 [ 9.721919] ret_from_fork+0x10/0x20 [ 9.725520] [ 9.727032] The buggy address belongs to the variable: [ 9.732183] clk_div_table+0x24/0x440 CVE-2022-48803 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48803.html CVE-2022-48803 https://bugzilla.suse.com/1227965 SUSE Bug 1227965 In the Linux kernel, the following vulnerability has been resolved: vt_ioctl: fix array_index_nospec in vt_setactivate array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console should be decreased first and then sanitized with array_index_nospec. Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam. CVE-2022-48804 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48804.html CVE-2022-48804 https://bugzilla.suse.com/1227968 SUSE Bug 1227968 In the Linux kernel, the following vulnerability has been resolved: net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup ax88179_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack. - A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data. I have tested that this can be used by a malicious USB device to send a bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response that contains random kernel heap data. It's probably also possible to get OOB writes from this on a little-endian system somehow - maybe by triggering skb_cow() via IP options processing -, but I haven't tested that. CVE-2022-48805 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48805.html CVE-2022-48805 https://bugzilla.suse.com/1227969 SUSE Bug 1227969 In the Linux kernel, the following vulnerability has been resolved: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") revealed that ee1004_eeprom_read() did not properly limit how many bytes to read at once. In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the length to read as an u8. If count == 256 after taking into account the offset and page boundary, the cast to u8 overflows. And this is common when user space tries to read the entire EEPROM at once. To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows. CVE-2022-48806 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48806.html CVE-2022-48806 https://bugzilla.suse.com/1227948 SUSE Bug 1227948 In the Linux kernel, the following vulnerability has been resolved: ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler Currently, the same handler is called for both a NETDEV_BONDING_INFO LAG unlink notification as for a NETDEV_UNREGISTER call. This is causing a problem though, since the netdev_notifier_info passed has a different structure depending on which event is passed. The problem manifests as a call trace from a BUG: KASAN stack-out-of-bounds error. Fix this by creating a handler specific to NETDEV_UNREGISTER that only is passed valid elements in the netdev_notifier_info struct for the NETDEV_UNREGISTER event. Also included is the removal of an unbalanced dev_put on the peer_netdev and related braces. CVE-2022-48807 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48807.html CVE-2022-48807 https://bugzilla.suse.com/1227970 SUSE Bug 1227970 https://bugzilla.suse.com/1228024 SUSE Bug 1228024 In the Linux kernel, the following vulnerability has been resolved: ibmvnic: don't release napi in __ibmvnic_open() If __ibmvnic_open() encounters an error such as when setting link state, it calls release_resources() which frees the napi structures needlessly. Instead, have __ibmvnic_open() only clean up the work it did so far (i.e. disable napi and irqs) and leave the rest to the callers. If caller of __ibmvnic_open() is ibmvnic_open(), it should release the resources immediately. If the caller is do_reset() or do_hard_reset(), they will release the resources on the next reset. This fixes following crash that occurred when running the drmgr command several times to add/remove a vnic interface: [102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq [102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq [102056] ibmvnic 30000003 env3: Replenished 8 pools Kernel attempted to read user page (10) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000010 Faulting instruction address: 0xc000000000a3c840 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries ... CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1 Workqueue: events_long __ibmvnic_reset [ibmvnic] NIP: c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820 REGS: c0000000548e37e0 TRAP: 0300 Not tainted (5.16.0-rc5-autotest-g6441998e2e37) MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28248484 XER: 00000004 CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0 GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000 ... NIP [c000000000a3c840] napi_enable+0x20/0xc0 LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic] Call Trace: [c0000000548e3a80] [0000000000000006] 0x6 (unreliable) [c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic] [c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic] [c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570 [c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660 [c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0 [c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010 38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020 ---[ end trace 5f8033b08fd27706 ]--- CVE-2022-48811 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48811.html CVE-2022-48811 https://bugzilla.suse.com/1227928 SUSE Bug 1227928 In the Linux kernel, the following vulnerability has been resolved: net: dsa: lantiq_gswip: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The GSWIP switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the GSWIP switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The gswip driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus. CVE-2022-48812 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48812.html CVE-2022-48812 https://bugzilla.suse.com/1227971 SUSE Bug 1227971 In the Linux kernel, the following vulnerability has been resolved: net: dsa: felix: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Felix VSC9959 switch is a PCI device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the felix switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The felix driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc_size() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus. CVE-2022-48813 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48813.html CVE-2022-48813 https://bugzilla.suse.com/1227963 SUSE Bug 1227963 In the Linux kernel, the following vulnerability has been resolved: net: dsa: seville: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Seville VSC9959 switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the seville switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The seville driver has a code structure that could accommodate both the mdiobus_unregister and mdiobus_free calls, but it has an external dependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls devm_mdiobus_alloc_size() on its behalf. So rather than restructuring that, and exporting yet one more symbol mscc_miim_teardown(), let's work with devres and replace of_mdiobus_register with the devres variant. When we use all-devres, we can ensure that devres doesn't free a still-registered bus (it either runs both callbacks, or none). CVE-2022-48814 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48814.html CVE-2022-48814 https://bugzilla.suse.com/1227944 SUSE Bug 1227944 In the Linux kernel, the following vulnerability has been resolved: net: dsa: bcm_sf2: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Starfighter 2 is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the bcm_sf2 switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The bcm_sf2 driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus. CVE-2022-48815 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48815.html CVE-2022-48815 https://bugzilla.suse.com/1227933 SUSE Bug 1227933 In the Linux kernel, the following vulnerability has been resolved: SUNRPC: lock against ->sock changing during sysfs read ->sock can be set to NULL asynchronously unless ->recv_mutex is held. So it is important to hold that mutex. Otherwise a sysfs read can trigger an oops. Commit 17f09d3f619a ("SUNRPC: Check if the xprt is connected before handling sysfs reads") appears to attempt to fix this problem, but it only narrows the race window. CVE-2022-48816 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48816.html CVE-2022-48816 https://bugzilla.suse.com/1228038 SUSE Bug 1228038 In the Linux kernel, the following vulnerability has been resolved: net: dsa: ar9331: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The ar9331 is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the ar9331 switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The ar9331 driver doesn't have a complex code structure for mdiobus removal, so just replace of_mdiobus_register with the devres variant in order to be all-devres and ensure that we don't free a still-registered bus. CVE-2022-48817 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48817.html CVE-2022-48817 https://bugzilla.suse.com/1227931 SUSE Bug 1227931 In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The mv88e6xxx is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the Marvell switch driver on shutdown. systemd-shutdown[1]: Powering off. mv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down fsl-mc dpbp.9: Removing from iommu group 7 fsl-mc dpbp.8: Removing from iommu group 7 ------------[ cut here ]------------ kernel BUG at drivers/net/phy/mdio_bus.c:677! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15 pc : mdiobus_free+0x44/0x50 lr : devm_mdiobus_free+0x10/0x20 Call trace: mdiobus_free+0x44/0x50 devm_mdiobus_free+0x10/0x20 devres_release_all+0xa0/0x100 __device_release_driver+0x190/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x4c/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x94/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_device_remove+0x24/0x40 __fsl_mc_device_remove+0xc/0x20 device_for_each_child+0x58/0xa0 dprc_remove+0x90/0xb0 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_bus_remove+0x80/0x100 fsl_mc_bus_shutdown+0xc/0x1c platform_shutdown+0x20/0x30 device_shutdown+0x154/0x330 kernel_power_off+0x34/0x6c __do_sys_reboot+0x15c/0x250 __arm64_sys_reboot+0x20/0x30 invoke_syscall.constprop.0+0x4c/0xe0 do_el0_svc+0x4c/0x150 el0_svc+0x24/0xb0 el0t_64_sync_handler+0xa8/0xb0 el0t_64_sync+0x178/0x17c So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The Marvell driver already has a good structure for mdiobus removal, so just plug in mdiobus_free and get rid of devres. CVE-2022-48818 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48818.html CVE-2022-48818 https://bugzilla.suse.com/1228039 SUSE Bug 1228039 In the Linux kernel, the following vulnerability has been resolved: phy: stm32: fix a refcount leak in stm32_usbphyc_pll_enable() This error path needs to decrement "usbphyc->n_pll_cons.counter" before returning. CVE-2022-48820 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48820.html CVE-2022-48820 https://bugzilla.suse.com/1227972 SUSE Bug 1227972 In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: avoid double fput() on failed usercopy If the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact, dma_buf_fd() called fd_install() before, i.e. "consumed" one reference, leaving us with none. Calling dma_buf_put() will therefore put a reference we no longer own, leading to a valid file descritor table entry for an already released 'file' object which is a straight use-after-free. Simply avoid calling dma_buf_put() and rely on the process exit code to do the necessary cleanup, if needed, i.e. if the file descriptor is still valid. CVE-2022-48821 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48821.html CVE-2022-48821 https://bugzilla.suse.com/1227976 SUSE Bug 1227976 https://bugzilla.suse.com/1228022 SUSE Bug 1228022 In the Linux kernel, the following vulnerability has been resolved: usb: f_fs: Fix use-after-free for epfile Consider a case where ffs_func_eps_disable is called from ffs_func_disable as part of composition switch and at the same time ffs_epfile_release get called from userspace. ffs_epfile_release will free up the read buffer and call ffs_data_closed which in turn destroys ffs->epfiles and mark it as NULL. While this was happening the driver has already initialized the local epfile in ffs_func_eps_disable which is now freed and waiting to acquire the spinlock. Once spinlock is acquired the driver proceeds with the stale value of epfile and tries to free the already freed read buffer causing use-after-free. Following is the illustration of the race: CPU1 CPU2 ffs_func_eps_disable epfiles (local copy) ffs_epfile_release ffs_data_closed if (last file closed) ffs_data_reset ffs_data_clear ffs_epfiles_destroy spin_lock dereference epfiles Fix this races by taking epfiles local copy & assigning it under spinlock and if epfiles(local) is null then update it in ffs->epfiles then finally destroy it. Extending the scope further from the race, protecting the ep related structures, and concurrent accesses. CVE-2022-48822 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48822.html CVE-2022-48822 https://bugzilla.suse.com/1228040 SUSE Bug 1228040 https://bugzilla.suse.com/1228136 SUSE Bug 1228136 In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix refcount issue when LOGO is received during TMF Hung task call trace was seen during LOGO processing. [ 974.309060] [0000:00:00.0]:[qedf_eh_device_reset:868]: 1:0:2:0: LUN RESET Issued... [ 974.309065] [0000:00:00.0]:[qedf_initiate_tmf:2422]: tm_flags 0x10 sc_cmd 00000000c16b930f op = 0x2a target_id = 0x2 lun=0 [ 974.309178] [0000:00:00.0]:[qedf_initiate_tmf:2431]: portid=016900 tm_flags =LUN RESET [ 974.309222] [0000:00:00.0]:[qedf_initiate_tmf:2438]: orig io_req = 00000000ec78df8f xid = 0x180 ref_cnt = 1. [ 974.309625] host1: rport 016900: Received LOGO request while in state Ready [ 974.309627] host1: rport 016900: Delete port [ 974.309642] host1: rport 016900: work event 3 [ 974.309644] host1: rport 016900: lld callback ev 3 [ 974.313243] [0000:61:00.2]:[qedf_execute_tmf:2383]:1: fcport is uploading, not executing flush. [ 974.313295] [0000:61:00.2]:[qedf_execute_tmf:2400]:1: task mgmt command success... [ 984.031088] INFO: task jbd2/dm-15-8:7645 blocked for more than 120 seconds. [ 984.031136] Not tainted 4.18.0-305.el8.x86_64 #1 [ 984.031166] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 984.031209] jbd2/dm-15-8 D 0 7645 2 0x80004080 [ 984.031212] Call Trace: [ 984.031222] __schedule+0x2c4/0x700 [ 984.031230] ? unfreeze_partials.isra.83+0x16e/0x1a0 [ 984.031233] ? bit_wait_timeout+0x90/0x90 [ 984.031235] schedule+0x38/0xa0 [ 984.031238] io_schedule+0x12/0x40 [ 984.031240] bit_wait_io+0xd/0x50 [ 984.031243] __wait_on_bit+0x6c/0x80 [ 984.031248] ? free_buffer_head+0x21/0x50 [ 984.031251] out_of_line_wait_on_bit+0x91/0xb0 [ 984.031257] ? init_wait_var_entry+0x50/0x50 [ 984.031268] jbd2_journal_commit_transaction+0x112e/0x19f0 [jbd2] [ 984.031280] kjournald2+0xbd/0x270 [jbd2] [ 984.031284] ? finish_wait+0x80/0x80 [ 984.031291] ? commit_timeout+0x10/0x10 [jbd2] [ 984.031294] kthread+0x116/0x130 [ 984.031300] ? kthread_flush_work_fn+0x10/0x10 [ 984.031305] ret_from_fork+0x1f/0x40 There was a ref count issue when LOGO is received during TMF. This leads to one of the I/Os hanging with the driver. Fix the ref count. CVE-2022-48823 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48823.html CVE-2022-48823 https://bugzilla.suse.com/1228045 SUSE Bug 1228045 In the Linux kernel, the following vulnerability has been resolved: scsi: myrs: Fix crash in error case In myrs_detect(), cs->disable_intr is NULL when privdata->hw_init() fails with non-zero. In this case, myrs_cleanup(cs) will call a NULL ptr and crash the kernel. [ 1.105606] myrs 0000:00:03.0: Unknown Initialization Error 5A [ 1.105872] myrs 0000:00:03.0: Failed to initialize Controller [ 1.106082] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1.110774] Call Trace: [ 1.110950] myrs_cleanup+0xe4/0x150 [myrs] [ 1.111135] myrs_probe.cold+0x91/0x56a [myrs] [ 1.111302] ? DAC960_GEM_intr_handler+0x1f0/0x1f0 [myrs] [ 1.111500] local_pci_probe+0x48/0x90 CVE-2022-48824 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48824.html CVE-2022-48824 https://bugzilla.suse.com/1227964 SUSE Bug 1227964 In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Add stag_work to all the vports Call trace seen when creating NPIV ports, only 32 out of 64 show online. stag work was not initialized for vport, hence initialize the stag work. WARNING: CPU: 8 PID: 645 at kernel/workqueue.c:1635 __queue_delayed_work+0x68/0x80 CPU: 8 PID: 645 Comm: kworker/8:1 Kdump: loaded Tainted: G IOE --------- -- 4.18.0-348.el8.x86_64 #1 Hardware name: Dell Inc. PowerEdge MX740c/0177V9, BIOS 2.12.2 07/09/2021 Workqueue: events fc_lport_timeout [libfc] RIP: 0010:__queue_delayed_work+0x68/0x80 Code: 89 b2 88 00 00 00 44 89 82 90 00 00 00 48 01 c8 48 89 42 50 41 81 f8 00 20 00 00 75 1d e9 60 24 07 00 44 89 c7 e9 98 f6 ff ff <0f> 0b eb c5 0f 0b eb a1 0f 0b eb a7 0f 0b eb ac 44 89 c6 e9 40 23 RSP: 0018:ffffae514bc3be40 EFLAGS: 00010006 RAX: ffff8d25d6143750 RBX: 0000000000000202 RCX: 0000000000000002 RDX: ffff8d2e31383748 RSI: ffff8d25c000d600 RDI: ffff8d2e31383788 RBP: ffff8d2e31380de0 R08: 0000000000002000 R09: ffff8d2e31383750 R10: ffffffffc0c957e0 R11: ffff8d2624800000 R12: ffff8d2e31380a58 R13: ffff8d2d915eb000 R14: ffff8d25c499b5c0 R15: ffff8d2e31380e18 FS: 0000000000000000(0000) GS:ffff8d2d1fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055fd0484b8b8 CR3: 00000008ffc10006 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: queue_delayed_work_on+0x36/0x40 qedf_elsct_send+0x57/0x60 [qedf] fc_lport_enter_flogi+0x90/0xc0 [libfc] fc_lport_timeout+0xb7/0x140 [libfc] process_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x35/0x40 ---[ end trace 008f00f722f2c2ff ]-- Initialize stag work for all the vports. CVE-2022-48825 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48825.html CVE-2022-48825 https://bugzilla.suse.com/1228056 SUSE Bug 1228056 In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix deadlock on DSI device attach error DSI device attach to DSI host will be done with host device's lock held. Un-registering host in "device attach" error path (ex: probe retry) will result in deadlock with below call trace and non operational DSI display. Startup Call trace: [ 35.043036] rt_mutex_slowlock.constprop.21+0x184/0x1b8 [ 35.043048] mutex_lock_nested+0x7c/0xc8 [ 35.043060] device_del+0x4c/0x3e8 [ 35.043075] device_unregister+0x20/0x40 [ 35.043082] mipi_dsi_remove_device_fn+0x18/0x28 [ 35.043093] device_for_each_child+0x68/0xb0 [ 35.043105] mipi_dsi_host_unregister+0x40/0x90 [ 35.043115] vc4_dsi_host_attach+0xf0/0x120 [vc4] [ 35.043199] mipi_dsi_attach+0x30/0x48 [ 35.043209] tc358762_probe+0x128/0x164 [tc358762] [ 35.043225] mipi_dsi_drv_probe+0x28/0x38 [ 35.043234] really_probe+0xc0/0x318 [ 35.043244] __driver_probe_device+0x80/0xe8 [ 35.043254] driver_probe_device+0xb8/0x118 [ 35.043263] __device_attach_driver+0x98/0xe8 [ 35.043273] bus_for_each_drv+0x84/0xd8 [ 35.043281] __device_attach+0xf0/0x150 [ 35.043290] device_initial_probe+0x1c/0x28 [ 35.043300] bus_probe_device+0xa4/0xb0 [ 35.043308] deferred_probe_work_func+0xa0/0xe0 [ 35.043318] process_one_work+0x254/0x700 [ 35.043330] worker_thread+0x4c/0x448 [ 35.043339] kthread+0x19c/0x1a8 [ 35.043348] ret_from_fork+0x10/0x20 Shutdown Call trace: [ 365.565417] Call trace: [ 365.565423] __switch_to+0x148/0x200 [ 365.565452] __schedule+0x340/0x9c8 [ 365.565467] schedule+0x48/0x110 [ 365.565479] schedule_timeout+0x3b0/0x448 [ 365.565496] wait_for_completion+0xac/0x138 [ 365.565509] __flush_work+0x218/0x4e0 [ 365.565523] flush_work+0x1c/0x28 [ 365.565536] wait_for_device_probe+0x68/0x158 [ 365.565550] device_shutdown+0x24/0x348 [ 365.565561] kernel_restart_prepare+0x40/0x50 [ 365.565578] kernel_restart+0x20/0x70 [ 365.565591] __do_sys_reboot+0x10c/0x220 [ 365.565605] __arm64_sys_reboot+0x2c/0x38 [ 365.565619] invoke_syscall+0x4c/0x110 [ 365.565634] el0_svc_common.constprop.3+0xfc/0x120 [ 365.565648] do_el0_svc+0x2c/0x90 [ 365.565661] el0_svc+0x4c/0xf0 [ 365.565671] el0t_64_sync_handler+0x90/0xb8 [ 365.565682] el0t_64_sync+0x180/0x184 CVE-2022-48826 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48826.html CVE-2022-48826 https://bugzilla.suse.com/1227975 SUSE Bug 1227975 In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix the behavior of READ near OFFSET_MAX Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to > the RPC read layers") on the client, a read of 0xfff is aligned up > to server rsize of 0x1000. > > As a result, in a test where the server has a file of size > 0x7fffffffffffffff, and the client tries to read from the offset > 0x7ffffffffffff000, the read causes loff_t overflow in the server > and it returns an NFS code of EINVAL to the client. The client as > a result indefinitely retries the request. The Linux NFS client does not handle NFS?ERR_INVAL, even though all NFS specifications permit servers to return that status code for a READ. Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed and return a short result. Set the EOF flag in the result to prevent the client from retrying the READ request. This behavior appears to be consistent with Solaris NFS servers. Note that NFSv3 and NFSv4 use u64 offset values on the wire. These must be converted to loff_t internally before use -- an implicit type cast is not adequate for this purpose. Otherwise VFS checks against sb->s_maxbytes do not work properly. CVE-2022-48827 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48827.html CVE-2022-48827 https://bugzilla.suse.com/1228037 SUSE Bug 1228037 In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix ia_size underflow iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr(). CVE-2022-48828 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48828.html CVE-2022-48828 https://bugzilla.suse.com/1228054 SUSE Bug 1228054 In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes iattr::ia_size is a loff_t, so these NFSv3 procedures must be careful to deal with incoming client size values that are larger than s64_max without corrupting the value. Silently capping the value results in storing a different value than the client passed in which is unexpected behavior, so remove the min_t() check in decode_sattr3(). Note that RFC 1813 permits only the WRITE procedure to return NFS3ERR_FBIG. We believe that NFSv3 reference implementations also return NFS3ERR_FBIG when ia_size is too large. CVE-2022-48829 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48829.html CVE-2022-48829 https://bugzilla.suse.com/1228055 SUSE Bug 1228055 In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix potential CAN frame reception race in isotp_rcv() When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage. Ziyang Xuan writes: The following syz problem is one of the scenarios. so->rx.len is changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals 0 before alloc_skb() and equals 4096 after alloc_skb(). That will trigger skb_over_panic() in skb_put(). ======================================================= CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 Call Trace: <TASK> skb_over_panic net/core/skbuff.c:118 [inline] skb_put.cold+0x24/0x24 net/core/skbuff.c:1990 isotp_rcv_cf net/can/isotp.c:570 [inline] isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 deliver net/can/af_can.c:574 [inline] can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 can_receive+0x31d/0x580 net/can/af_can.c:665 can_rcv+0x120/0x1c0 net/can/af_can.c:696 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579 Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spin_lock in isotp_rcv(). This fixes the issue reported by syzkaller but does not affect real world operation. CVE-2022-48830 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48830.html CVE-2022-48830 https://bugzilla.suse.com/1227982 SUSE Bug 1227982 In the Linux kernel, the following vulnerability has been resolved: ima: fix reference leak in asymmetric_verify() Don't leak a reference to the key if its algorithm is unknown. CVE-2022-48831 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48831.html CVE-2022-48831 https://bugzilla.suse.com/1227986 SUSE Bug 1227986 In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Call Trace: <TASK> usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline] The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for all of its transfers, whether they are in or out. It's easy to fix. CVE-2022-48834 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48834.html CVE-2022-48834 https://bugzilla.suse.com/1228062 SUSE Bug 1228062 In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Page fault in reply q processing A page fault was encountered in mpt3sas on a LUN reset error path: [ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0) [ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2) [ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2) [ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00 [ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0) [ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0) [ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002) [ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d [ 149.885617] #PF: supervisor read access in kernel mode [ 149.894346] #PF: error_code(0x0000) - not-present page [ 149.903123] PGD 0 P4D 0 [ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1 [ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021 [ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas] [ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee [ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246 [ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071 [ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8 [ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff [ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000 [ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80 [ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000 [ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0 [ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 150.108323] PKRU: 55555554 [ 150.114690] Call Trace: [ 150.120497] ? printk+0x48/0x4a [ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas] [ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas] [ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas] [ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod] [ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod] [ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] [ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60 [ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] [ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod] [ 150.203206] ? __schedule+0x1e9/0x610 [ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod] [ 150.217924] kthread+0x12e/0x150 [ 150.224041] ? kthread_worker_fn+0x130/0x130 [ 150.231206] ret_from_fork+0x1f/0x30 This is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q pointer outside of the list_for_each_entry() loop. At the end of the full list traversal the pointer is invalid. Move the _base_process_reply_queue() call inside of the loop. CVE-2022-48835 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48835.html CVE-2022-48835 https://bugzilla.suse.com/1228060 SUSE Bug 1228060 In the Linux kernel, the following vulnerability has been resolved: Input: aiptek - properly check endpoint type Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint. Fix it by replacing old desc.bNumEndpoints check with usb_find_common_endpoints() helper for finding endpoints Fail log: usb 5-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: usb_hub_wq hub_event ... Call Trace: <TASK> aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 input_open_device+0x1bb/0x320 drivers/input/input.c:629 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 CVE-2022-48836 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48836.html CVE-2022-48836 https://bugzilla.suse.com/1227989 SUSE Bug 1227989 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: prevent integer overflow in rndis_set_response() If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. CVE-2022-48837 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48837.html CVE-2022-48837 https://bugzilla.suse.com/1227987 SUSE Bug 1227987 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320 Read of size 8 at addr ffff88802b934098 by task udevd/3689 CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 dev_uevent+0x712/0x780 drivers/base/core.c:2320 uevent_show+0x1b8/0x380 drivers/base/core.c:2391 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 Although the bug manifested in the driver core, the real cause was a race with the gadget core. dev_uevent() does: if (dev->driver) add_uevent_var(env, "DRIVER=%s", dev->driver->name); and between the test and the dereference of dev->driver, the gadget core sets dev->driver to NULL. The race wouldn't occur if the gadget core registered its devices on a real bus, using the standard synchronization techniques of the driver core. However, it's not necessary to make such a large change in order to fix this bug; all we need to do is make sure that udc->dev.driver is always NULL. In fact, there is no reason for udc->dev.driver ever to be set to anything, let alone to the value it currently gets: the address of the gadget's driver. After all, a gadget driver only knows how to manage a gadget, not how to manage a UDC. This patch simply removes the statements in the gadget core that touch udc->dev.driver. CVE-2022-48838 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48838.html CVE-2022-48838 https://bugzilla.suse.com/1227988 SUSE Bug 1227988 In the Linux kernel, the following vulnerability has been resolved: net/packet: fix slab-out-of-bounds access in packet_recvmsg() syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH and mmap operations, tpacket_rcv() is queueing skbs with garbage in skb->cb[], triggering a too big copy [1] Presumably, users of af_packet using mmap() already gets correct metadata from the mapped buffer, we can simply make sure to clear 12 bytes that might be copied to user space later. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631 CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memcpy+0x39/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:225 [inline] packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fdfd5954c29 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005 RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60 R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54 </TASK> addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame: ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246 this frame has 1 object: [32, 160) 'addr' Memory state around the buggy address: ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 >ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 ^ ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 ================================================================== CVE-2022-48839 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48839.html CVE-2022-48839 https://bugzilla.suse.com/1227985 SUSE Bug 1227985 In the Linux kernel, the following vulnerability has been resolved: iavf: Fix hang during reboot/shutdown Recent commit 974578017fc1 ("iavf: Add waiting so the port is initialized in remove") adds a wait-loop at the beginning of iavf_remove() to ensure that port initialization is finished prior unregistering net device. This causes a regression in reboot/shutdown scenario because in this case callback iavf_shutdown() is called and this callback detaches the device, makes it down if it is running and sets its state to __IAVF_REMOVE. Later shutdown callback of associated PF driver (e.g. ice_shutdown) is called. That callback calls among other things sriov_disable() that calls indirectly iavf_remove() (see stack trace below). As the adapter state is already __IAVF_REMOVE then the mentioned loop is end-less and shutdown process hangs. The patch fixes this by checking adapter's state at the beginning of iavf_remove() and skips the rest of the function if the adapter is already in remove state (shutdown is in progress). Reproducer: 1. Create VF on PF driven by ice or i40e driver 2. Ensure that the VF is bound to iavf driver 3. Reboot [52625.981294] sysrq: SysRq : Show Blocked State [52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2 [52625.996732] Call Trace: [52625.999187] __schedule+0x2d1/0x830 [52626.007400] schedule+0x35/0xa0 [52626.010545] schedule_hrtimeout_range_clock+0x83/0x100 [52626.020046] usleep_range+0x5b/0x80 [52626.023540] iavf_remove+0x63/0x5b0 [iavf] [52626.027645] pci_device_remove+0x3b/0xc0 [52626.031572] device_release_driver_internal+0x103/0x1f0 [52626.036805] pci_stop_bus_device+0x72/0xa0 [52626.040904] pci_stop_and_remove_bus_device+0xe/0x20 [52626.045870] pci_iov_remove_virtfn+0xba/0x120 [52626.050232] sriov_disable+0x2f/0xe0 [52626.053813] ice_free_vfs+0x7c/0x340 [ice] [52626.057946] ice_remove+0x220/0x240 [ice] [52626.061967] ice_shutdown+0x16/0x50 [ice] [52626.065987] pci_device_shutdown+0x34/0x60 [52626.070086] device_shutdown+0x165/0x1c5 [52626.074011] kernel_restart+0xe/0x30 [52626.077593] __do_sys_reboot+0x1d2/0x210 [52626.093815] do_syscall_64+0x5b/0x1a0 [52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca CVE-2022-48840 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48840.html CVE-2022-48840 https://bugzilla.suse.com/1227990 SUSE Bug 1227990 In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL pointer dereference in ice_update_vsi_tx_ring_stats() It is possible to do NULL pointer dereference in routine that updates Tx ring stats. Currently only stats and bytes are updated when ring pointer is valid, but later on ring is accessed to propagate gathered Tx stats onto VSI stats. Change the existing logic to move to next ring when ring is NULL. CVE-2022-48841 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48841.html CVE-2022-48841 https://bugzilla.suse.com/1227991 SUSE Bug 1227991 In the Linux kernel, the following vulnerability has been resolved: ice: Fix race condition during interface enslave Commit 5dbbbd01cbba83 ("ice: Avoid RTNL lock when re-creating auxiliary device") changes a process of re-creation of aux device so ice_plug_aux_dev() is called from ice_service_task() context. This unfortunately opens a race window that can result in dead-lock when interface has left LAG and immediately enters LAG again. Reproducer: ``` #!/bin/sh ip link add lag0 type bond mode 1 miimon 100 ip link set lag0 for n in {1..10}; do echo Cycle: $n ip link set ens7f0 master lag0 sleep 1 ip link set ens7f0 nomaster done ``` This results in: [20976.208697] Workqueue: ice ice_service_task [ice] [20976.213422] Call Trace: [20976.215871] __schedule+0x2d1/0x830 [20976.219364] schedule+0x35/0xa0 [20976.222510] schedule_preempt_disabled+0xa/0x10 [20976.227043] __mutex_lock.isra.7+0x310/0x420 [20976.235071] enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core] [20976.251215] ib_enum_roce_netdev+0xa4/0xe0 [ib_core] [20976.256192] ib_cache_setup_one+0x33/0xa0 [ib_core] [20976.261079] ib_register_device+0x40d/0x580 [ib_core] [20976.266139] irdma_ib_register_device+0x129/0x250 [irdma] [20976.281409] irdma_probe+0x2c1/0x360 [irdma] [20976.285691] auxiliary_bus_probe+0x45/0x70 [20976.289790] really_probe+0x1f2/0x480 [20976.298509] driver_probe_device+0x49/0xc0 [20976.302609] bus_for_each_drv+0x79/0xc0 [20976.306448] __device_attach+0xdc/0x160 [20976.310286] bus_probe_device+0x9d/0xb0 [20976.314128] device_add+0x43c/0x890 [20976.321287] __auxiliary_device_add+0x43/0x60 [20976.325644] ice_plug_aux_dev+0xb2/0x100 [ice] [20976.330109] ice_service_task+0xd0c/0xed0 [ice] [20976.342591] process_one_work+0x1a7/0x360 [20976.350536] worker_thread+0x30/0x390 [20976.358128] kthread+0x10a/0x120 [20976.365547] ret_from_fork+0x1f/0x40 ... [20976.438030] task:ip state:D stack: 0 pid:213658 ppid:213627 flags:0x00004084 [20976.446469] Call Trace: [20976.448921] __schedule+0x2d1/0x830 [20976.452414] schedule+0x35/0xa0 [20976.455559] schedule_preempt_disabled+0xa/0x10 [20976.460090] __mutex_lock.isra.7+0x310/0x420 [20976.464364] device_del+0x36/0x3c0 [20976.467772] ice_unplug_aux_dev+0x1a/0x40 [ice] [20976.472313] ice_lag_event_handler+0x2a2/0x520 [ice] [20976.477288] notifier_call_chain+0x47/0x70 [20976.481386] __netdev_upper_dev_link+0x18b/0x280 [20976.489845] bond_enslave+0xe05/0x1790 [bonding] [20976.494475] do_setlink+0x336/0xf50 [20976.502517] __rtnl_newlink+0x529/0x8b0 [20976.543441] rtnl_newlink+0x43/0x60 [20976.546934] rtnetlink_rcv_msg+0x2b1/0x360 [20976.559238] netlink_rcv_skb+0x4c/0x120 [20976.563079] netlink_unicast+0x196/0x230 [20976.567005] netlink_sendmsg+0x204/0x3d0 [20976.570930] sock_sendmsg+0x4c/0x50 [20976.574423] ____sys_sendmsg+0x1eb/0x250 [20976.586807] ___sys_sendmsg+0x7c/0xc0 [20976.606353] __sys_sendmsg+0x57/0xa0 [20976.609930] do_syscall_64+0x5b/0x1a0 [20976.613598] entry_SYSCALL_64_after_hwframe+0x65/0xca 1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev() is called from ice_service_task() context, aux device is created and associated device->lock is taken. 2. Command 'ip link ... set master...' calls ice's notifier under RTNL lock and that notifier calls ice_unplug_aux_dev(). That function tries to take aux device->lock but this is already taken by ice_plug_aux_dev() in step 1 3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already taken in step 2 4. Dead-lock The patch fixes this issue by following changes: - Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev() call in ice_service_task() - The bit is checked in ice_clear_rdma_cap() and only if it is not set then ice_unplug_aux_dev() is called. If it is set (in other words plugging of aux device was requested and ice_plug_aux_dev() is potentially running) then the function only clears the ---truncated--- CVE-2022-48842 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48842.html CVE-2022-48842 https://bugzilla.suse.com/1228064 SUSE Bug 1228064 In the Linux kernel, the following vulnerability has been resolved: drm/vrr: Set VRR capable prop only if it is attached to connector VRR capable property is not attached by default to the connector It is attached only if VRR is supported. So if the driver tries to call drm core set prop function without it being attached that causes NULL dereference. CVE-2022-48843 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48843.html CVE-2022-48843 https://bugzilla.suse.com/1228066 SUSE Bug 1228066 In the Linux kernel, the following vulnerability has been resolved: watch_queue: Fix filter limit check In watch_queue_set_filter(), there are a couple of places where we check that the filter type value does not exceed what the type_filter bitmap can hold. One place calculates the number of bits by: if (tf[i].type >= sizeof(wfilter->type_filter) * 8) which is fine, but the second does: if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG) which is not. This can lead to a couple of out-of-bounds writes due to a too-large type: (1) __set_bit() on wfilter->type_filter (2) Writing more elements in wfilter->filters[] than we allocated. Fix this by just using the proper WATCH_TYPE__NR instead, which is the number of types we actually know about. The bug may cause an oops looking something like: BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter+0x659/0x740 Write of size 4 at addr ffff88800d2c66bc by task watch_queue_oob/611 ... Call Trace: <TASK> dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 ... kasan_report.cold+0x7f/0x11b ... watch_queue_set_filter+0x659/0x740 ... __x64_sys_ioctl+0x127/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 611: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 watch_queue_set_filter+0x23a/0x740 __x64_sys_ioctl+0x127/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88800d2c66a0 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 28 bytes inside of 32-byte region [ffff88800d2c66a0, ffff88800d2c66c0) CVE-2022-48847 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48847.html CVE-2022-48847 https://bugzilla.suse.com/1227993 SUSE Bug 1227993 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: bypass tiling flag check in virtual display case (v2) vkms leverages common amdgpu framebuffer creation, and also as it does not support FB modifier, there is no need to check tiling flags when initing framebuffer when virtual display is enabled. This can fix below calltrace: amdgpu 0000:00:08.0: GFX9+ requires FB check based on format modifier WARNING: CPU: 0 PID: 1023 at drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:1150 amdgpu_display_framebuffer_init+0x8e7/0xb40 [amdgpu] v2: check adev->enable_virtual_display instead as vkms can be enabled in bare metal as well. CVE-2022-48849 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48849.html CVE-2022-48849 https://bugzilla.suse.com/1228061 SUSE Bug 1228061 In the Linux kernel, the following vulnerability has been resolved: staging: gdm724x: fix use after free in gdm_lte_rx() The netif_rx_ni() function frees the skb so we can't dereference it to save the skb->len. CVE-2022-48851 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48851.html CVE-2022-48851 https://bugzilla.suse.com/1227997 SUSE Bug 1227997 In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and the buffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). This mapping involves bouncing via the swiotlb (we need swiotlb to do virtio in protected guest like s390 Secure Execution, or AMD SEV). 4) When the SCSI TUR is done, we first copy back the content of the second (that is swiotlb) bounce buffer (which most likely contains some previous IO data), to the first bounce buffer, which contains all zeros. Then we copy back the content of the first bounce buffer to the user-space buffer. 5) The test case detects that the buffer, which it zero-initialized, ain't all zeros and fails. One can argue that this is an swiotlb problem, because without swiotlb we leak all zeros, and the swiotlb should be transparent in a sense that it does not affect the outcome (if all other participants are well behaved). Copying the content of the original buffer into the swiotlb buffer is the only way I can think of to make swiotlb transparent in such scenarios. So let's do just that if in doubt, but allow the driver to tell us that the whole mapped buffer is going to be overwritten, in which case we can preserve the old behavior and avoid the performance impact of the extra bounce. CVE-2022-48853 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48853.html CVE-2022-48853 https://bugzilla.suse.com/1228015 SUSE Bug 1228015 In the Linux kernel, the following vulnerability has been resolved: gianfar: ethtool: Fix refcount leak in gfar_get_ts_info The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount. CVE-2022-48856 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48856.html CVE-2022-48856 https://bugzilla.suse.com/1228004 SUSE Bug 1228004 In the Linux kernel, the following vulnerability has been resolved: NFC: port100: fix use-after-free in port100_send_complete Syzbot reported UAF in port100_send_complete(). The root case is in missing usb_kill_urb() calls on error handling path of ->probe function. port100_send_complete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free Fail log: BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 ... Allocated by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 alloc_dr drivers/base/devres.c:116 [inline] devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 devm_kzalloc include/linux/device.h:209 [inline] port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 Freed by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] __cache_free mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 release_nodes+0x112/0x1a0 drivers/base/devres.c:501 devres_release_all+0x114/0x190 drivers/base/devres.c:530 really_probe+0x626/0xcc0 drivers/base/dd.c:670 CVE-2022-48857 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48857.html CVE-2022-48857 https://bugzilla.suse.com/1228005 SUSE Bug 1228005 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix a race on command flush flow Fix a refcount use after free warning due to a race on command entry. Such race occurs when one of the commands releases its last refcount and frees its index and entry while another process running command flush flow takes refcount to this command entry. The process which handles commands flush may see this command as needed to be flushed if the other process released its refcount but didn't release the index yet. Fix it by adding the needed spin lock. It fixes the following warning trace: refcount_t: addition on 0; use-after-free. WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 ... RIP: 0010:refcount_warn_saturate+0x80/0xe0 ... Call Trace: <TASK> mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] enter_error_state+0x44/0x80 [mlx5_core] mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] process_one_work+0x1be/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x141/0x160 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 </TASK> CVE-2022-48858 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48858.html CVE-2022-48858 https://bugzilla.suse.com/1228006 SUSE Bug 1228006 In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr This node pointer is returned by of_find_compatible_node() with refcount incremented. Calling of_node_put() to aovid the refcount leak. CVE-2022-48859 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48859.html CVE-2022-48859 https://bugzilla.suse.com/1228007 SUSE Bug 1228007 In the Linux kernel, the following vulnerability has been resolved: ethernet: Fix error handling in xemaclite_of_probe This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. As the remove function do. CVE-2022-48860 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48860.html CVE-2022-48860 https://bugzilla.suse.com/1228008 SUSE Bug 1228008 In the Linux kernel, the following vulnerability has been resolved: vdpa: fix use-after-free on vp_vdpa_remove When vp_vdpa driver is unbind, vp_vdpa is freed in vdpa_unregister_device and then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove, triggering use-after-free. Call Trace of unbinding driver free vp_vdpa : do_syscall_64 vfs_write kernfs_fop_write_iter device_release_driver_internal pci_device_remove vp_vdpa_remove vdpa_unregister_device kobject_release device_release kfree Call Trace of dereference vp_vdpa->mdev.pci_dev: vp_modern_remove pci_release_selected_regions pci_release_region pci_resource_len pci_resource_end (dev)->resource[(bar)].end CVE-2022-48861 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48861.html CVE-2022-48861 https://bugzilla.suse.com/1228009 SUSE Bug 1228009 In the Linux kernel, the following vulnerability has been resolved: vhost: fix hung thread due to erroneous iotlb entries In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when start is 0 and last is ULONG_MAX. One instance where it can happen is when userspace sends an IOTLB message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0, last = ULONG_MAX ends up in the iotlb. Next time a packet is sent, iotlb_access_ok() loops indefinitely due to that erroneous entry. Call Trace: <TASK> iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Reported by syzbot at: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 To fix this, do two things: 1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map a range with size 0. 2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] by splitting it into two entries. CVE-2022-48862 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48862.html CVE-2022-48862 https://bugzilla.suse.com/1228010 SUSE Bug 1228010 In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE. CVE-2022-48863 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48863.html CVE-2022-48863 https://bugzilla.suse.com/1228063 SUSE Bug 1228063 In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts Syzbot reported an slab-out-of-bounds Read in thrustmaster_probe() bug. The root case is in missing validation check of actual number of endpoints. Code should not blindly access usb_host_interface::endpoint array, since it may contain less endpoints than code expects. Fix it by adding missing validaion check and print an error if number of endpoints do not match expected number CVE-2022-48866 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2022-48866.html CVE-2022-48866 https://bugzilla.suse.com/1228014 SUSE Bug 1228014 https://bugzilla.suse.com/1228785 SUSE Bug 1228785 In the Linux kernel, the following vulnerability has been resolved: virtio-blk: fix implicit overflow on virtio_max_dma_size The following codes have an implicit conversion from size_t to u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); This may lead overflow, Ex (size_t)4G -> (u32)0. Once virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX instead. CVE-2023-52762 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2023-52762.html CVE-2023-52762 https://bugzilla.suse.com/1225573 SUSE Bug 1225573 In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers. CVE-2023-52766 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2023-52766.html CVE-2023-52766 https://bugzilla.suse.com/1230620 SUSE Bug 1230620 In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix htt pktlog locking The ath11k active pdevs are protected by RCU but the htt pktlog handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only. CVE-2023-52800 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2023-52800.html CVE-2023-52800 https://bugzilla.suse.com/1230600 SUSE Bug 1230600 In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket. CVE-2023-52885 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2023-52885.html CVE-2023-52885 https://bugzilla.suse.com/1227750 SUSE Bug 1227750 https://bugzilla.suse.com/1227753 SUSE Bug 1227753 In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix race by not overwriting udev->descriptor in hub_port_init() Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors(): BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011 CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 ... Allocated by task 758: ... __do_kmalloc_node mm/slab_common.c:966 [inline] __kmalloc+0x5e/0x190 mm/slab_common.c:979 kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:680 [inline] usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887 usb_enumerate_device drivers/usb/core/hub.c:2407 [inline] usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545 As analyzed by Khazhy Kumykov, the cause of this bug is a race between read_descriptors() and hub_port_init(): The first routine uses a field in udev->descriptor, not expecting it to change, while the second overwrites it. Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") this race couldn't occur, because the routines were mutually exclusive thanks to the device locking. Removing that locking from read_descriptors() exposed it to the race. The best way to fix the bug is to keep hub_port_init() from changing udev->descriptor once udev has been initialized and registered. Drivers expect the descriptors stored in the kernel to be immutable; we should not undermine this expectation. In fact, this change should have been made long ago. So now hub_port_init() will take an additional argument, specifying a buffer in which to store the device descriptor it reads. (If udev has not yet been initialized, the buffer pointer will be NULL and then hub_port_init() will store the device descriptor in udev as before.) This eliminates the data race responsible for the out-of-bounds read. The changes to hub_port_init() appear more extensive than they really are, because of indentation changes resulting from an attempt to avoid writing to other parts of the usb_device structure after it has been initialized. Similar changes should be made to the code that reads the BOS descriptor, but that can be handled in a separate patch later on. This patch is sufficient to fix the bug found by syzbot. CVE-2023-52886 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2023-52886.html CVE-2023-52886 https://bugzilla.suse.com/1227981 SUSE Bug 1227981 In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires. CVE-2024-26583 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-26583.html CVE-2024-26583 https://bugzilla.suse.com/1220185 SUSE Bug 1220185 In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical. CVE-2024-26584 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-26584.html CVE-2024-26584 https://bugzilla.suse.com/1220186 SUSE Bug 1220186 In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released. CVE-2024-26800 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-26800.html CVE-2024-26800 https://bugzilla.suse.com/1222728 SUSE Bug 1222728 In the Linux kernel, the following vulnerability has been resolved: vfio/platform: Create persistent IRQ handlers The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference. Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex. In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate. For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index. CVE-2024-26813 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-26813.html CVE-2024-26813 https://bugzilla.suse.com/1222809 SUSE Bug 1222809 In the Linux kernel, the following vulnerability has been resolved: vfio/fsl-mc: Block calling interrupt handler without trigger The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially NULL and may become NULL if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that trigger is always valid between request_irq() and free_irq(), but the loopback testing mechanisms to invoke the handler function need to test the trigger. The triggering and setting ioctl paths both make use of igate and are therefore mutually exclusive. The vfio-fsl-mc driver does not make use of irqfds, nor does it support any sort of masking operations, therefore unlike vfio-pci and vfio-platform, the flow can remain essentially unchanged. CVE-2024-26814 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-26814.html CVE-2024-26814 https://bugzilla.suse.com/1222810 SUSE Bug 1222810 In the Linux kernel, the following vulnerability has been resolved: KVM: Always flush async #PF workqueue when vCPU is being destroyed Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its completion queue, e.g. when a VM and all its vCPUs is being destroyed. KVM must ensure that none of its workqueue callbacks is running when the last reference to the KVM _module_ is put. Gifting a reference to the associated VM prevents the workqueue callback from dereferencing freed vCPU/VM memory, but does not prevent the KVM module from being unloaded before the callback completes. Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will result in deadlock. async_pf_execute() can't return until kvm_put_kvm() finishes, and kvm_put_kvm() can't return until async_pf_execute() finishes: WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm] Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events async_pf_execute [kvm] RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm] Call Trace: <TASK> async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- INFO: task kworker/8:1:251 blocked for more than 120 seconds. Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000 Workqueue: events async_pf_execute [kvm] Call Trace: <TASK> __schedule+0x33f/0xa40 schedule+0x53/0xc0 schedule_timeout+0x12a/0x140 __wait_for_common+0x8d/0x1d0 __flush_work.isra.0+0x19f/0x2c0 kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm] kvm_arch_destroy_vm+0x78/0x1b0 [kvm] kvm_put_kvm+0x1c1/0x320 [kvm] async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> If kvm_clear_async_pf_completion_queue() actually flushes the workqueue, then there's no need to gift async_pf_execute() a reference because all invocations of async_pf_execute() will be forced to complete before the vCPU and its VM are destroyed/freed. And that in turn fixes the module unloading bug as __fput() won't do module_put() on the last vCPU reference until the vCPU has been freed, e.g. if closing the vCPU file also puts the last reference to the KVM module. Note that kvm_check_async_pf_completion() may also take the work item off the completion queue and so also needs to flush the work queue, as the work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting on the workqueue could theoretically delay a vCPU due to waiting for the work to complete, but that's a very, very small chance, and likely a very small delay. kvm_arch_async_page_present_queued() unconditionally makes a new request, i.e. will effectively delay entering the guest, so the remaining work is really just: trace_kvm_async_pf_completed(addr, cr2_or_gpa); __kvm_vcpu_wake_up(vcpu); mmput(mm); and mmput() can't drop the last reference to the page tables if the vCPU is still alive, i.e. the vCPU won't get stuck tearing down page tables. Add a helper to do the flushing, specifically to deal with "wakeup all" work items, as they aren't actually work items, i.e. are never placed in a workqueue. Trying to flush a bogus workqueue entry rightly makes __flush_work() complain (kudos to whoever added that sanity check). Note, commit 5f6de5cbebee ("KVM: Prevent module exit until al ---truncated--- CVE-2024-26976 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-26976.html CVE-2024-26976 https://bugzilla.suse.com/1223635 SUSE Bug 1223635 In the Linux kernel, the following vulnerability has been resolved: of: module: prevent NULL pointer dereference in vsnprintf() In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. CVE-2024-35878 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-35878.html CVE-2024-35878 https://bugzilla.suse.com/1224671 SUSE Bug 1224671 In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix Rx DMA datasize and skb_over_panic mana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to be multiple of 64. So a packet slightly bigger than mtu+14, say 1536, can be received and cause skb_over_panic. Sample dmesg: [ 5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev:<NULL> [ 5325.243689] ------------[ cut here ]------------ [ 5325.245748] kernel BUG at net/core/skbuff.c:192! [ 5325.247838] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 5325.258374] RIP: 0010:skb_panic+0x4f/0x60 [ 5325.302941] Call Trace: [ 5325.304389] <IRQ> [ 5325.315794] ? skb_panic+0x4f/0x60 [ 5325.317457] ? asm_exc_invalid_op+0x1f/0x30 [ 5325.319490] ? skb_panic+0x4f/0x60 [ 5325.321161] skb_put+0x4e/0x50 [ 5325.322670] mana_poll+0x6fa/0xb50 [mana] [ 5325.324578] __napi_poll+0x33/0x1e0 [ 5325.326328] net_rx_action+0x12e/0x280 As discussed internally, this alignment is not necessary. To fix this bug, remove it from the code. So oversized packets will be marked as CQE_RX_TRUNCATED by NIC, and dropped. CVE-2024-35901 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-35901.html CVE-2024-35901 https://bugzilla.suse.com/1224495 SUSE Bug 1224495 In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, taprio_parse_mqprio_opt() must validate it, or userspace can inject arbitrary data to the kernel, the second time taprio_change() is called. First call (with valid attributes) sets dev->num_tc to a non zero value. Second call (with arbitrary mqprio attributes) returns early from taprio_parse_mqprio_opt() and bad things can happen. CVE-2024-36974 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-36974.html CVE-2024-36974 https://bugzilla.suse.com/1226519 SUSE Bug 1226519 https://bugzilla.suse.com/1227371 SUSE Bug 1227371 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Discard command completions in internal error Fix use after free when FW completion arrives while device is in internal error state. Avoid calling completion handler in this case, since the device will flush the command interface and trigger all completions manually. Kernel log: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. ... RIP: 0010:refcount_warn_saturate+0xd8/0xe0 ... Call Trace: <IRQ> ? __warn+0x79/0x120 ? refcount_warn_saturate+0xd8/0xe0 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xd8/0xe0 cmd_ent_put+0x13b/0x160 [mlx5_core] mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core] cmd_comp_notifier+0x1f/0x30 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 mlx5_eq_async_int+0xf6/0x290 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x4b/0x160 handle_irq_event+0x2e/0x80 handle_edge_irq+0x98/0x230 __common_interrupt+0x3b/0xa0 common_interrupt+0x7b/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 CVE-2024-38555 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-38555.html CVE-2024-38555 https://bugzilla.suse.com/1226607 SUSE Bug 1226607 In the Linux kernel, the following vulnerability has been resolved: 9p: add missing locking around taking dentry fid list Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it: UAF thread: refcount_t: addition on 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Freed by: p9_fid_destroy (inlined) p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock then unref its fids once they are no longer accessible. CVE-2024-39463 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-39463.html CVE-2024-39463 https://bugzilla.suse.com/1227090 SUSE Bug 1227090 https://bugzilla.suse.com/1227091 SUSE Bug 1227091 In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. CVE-2024-39494 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-39494.html CVE-2024-39494 https://bugzilla.suse.com/1227716 SUSE Bug 1227716 https://bugzilla.suse.com/1227901 SUSE Bug 1227901 In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log. CVE-2024-40902 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-40902.html CVE-2024-40902 https://bugzilla.suse.com/1227764 SUSE Bug 1227764 In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed. CVE-2024-40937 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-40937.html CVE-2024-40937 https://bugzilla.suse.com/1227836 SUSE Bug 1227836 https://bugzilla.suse.com/1227903 SUSE Bug 1227903 In the Linux kernel, the following vulnerability has been resolved: net: do not leave a dangling sk pointer, when socket creation fails It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded and stripped): ================================================================== BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) Read of size 8 at addr ffff888007110dd8 by task traceroute/299 CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_report (mm/kasan/report.c:603) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e bpf_trampoline_6442506592+0x47/0xaf __sock_release (net/socket.c:652) __sock_create (net/socket.c:1601) ... Allocated by task 299 on cpu 2 at 78.328492s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) sk_prot_alloc (net/core/sock.c:2075) sk_alloc (net/core/sock.c:2134) inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 299 on cpu 2 at 78.328502s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) kasan_save_free_info (mm/kasan/generic.c:582) poison_slab_object (mm/kasan/common.c:242) __kasan_slab_free (mm/kasan/common.c:256) kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families create functions, which may already attached the reference to the sk object with sock_init_data(). CVE-2024-40954 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-40954.html CVE-2024-40954 https://bugzilla.suse.com/1227808 SUSE Bug 1227808 https://bugzilla.suse.com/1228786 SUSE Bug 1228786 In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list. CVE-2024-40956 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-40956.html CVE-2024-40956 https://bugzilla.suse.com/1227810 SUSE Bug 1227810 https://bugzilla.suse.com/1228585 SUSE Bug 1228585 In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Disassociate vcpus from redistributor region on teardown When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu. CVE-2024-40989 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-40989.html CVE-2024-40989 https://bugzilla.suse.com/1227823 SUSE Bug 1227823 https://bugzilla.suse.com/1228589 SUSE Bug 1228589 In the Linux kernel, the following vulnerability has been resolved: ptp: fix integer overflow in max_vclocks_store On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() to do the allocation to prevent this. CVE-2024-40994 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-40994.html CVE-2024-40994 https://bugzilla.suse.com/1227829 SUSE Bug 1227829 https://bugzilla.suse.com/1228587 SUSE Bug 1228587 In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space. CVE-2024-41011 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-41011.html CVE-2024-41011 https://bugzilla.suse.com/1228114 SUSE Bug 1228114 https://bugzilla.suse.com/1228115 SUSE Bug 1228115 In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush(). CVE-2024-41012 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-41012.html CVE-2024-41012 https://bugzilla.suse.com/1228247 SUSE Bug 1228247 In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value in copy_name [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. CVE-2024-41059 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-41059.html CVE-2024-41059 https://bugzilla.suse.com/1228561 SUSE Bug 1228561 https://bugzilla.suse.com/1228573 SUSE Bug 1228573 In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. CVE-2024-41069 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-41069.html CVE-2024-41069 https://bugzilla.suse.com/1228644 SUSE Bug 1228644 https://bugzilla.suse.com/1228645 SUSE Bug 1228645 In the Linux kernel, the following vulnerability has been resolved: tap: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 CVE-2024-41090 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-41090.html CVE-2024-41090 https://bugzilla.suse.com/1228328 SUSE Bug 1228328 https://bugzilla.suse.com/1228714 SUSE Bug 1228714 In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it. CVE-2024-42093 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-42093.html CVE-2024-42093 https://bugzilla.suse.com/1228680 SUSE Bug 1228680 In the Linux kernel, the following vulnerability has been resolved: IB/core: Implement a limit on UMAD receive List The existing behavior of ib_umad, which maintains received MAD packets in an unbounded list, poses a risk of uncontrolled growth. As user-space applications extract packets from this list, the rate of extraction may not match the rate of incoming packets, leading to potential list overflow. To address this, we introduce a limit to the size of the list. After considering typical scenarios, such as OpenSM processing, which can handle approximately 100k packets per second, and the 1-second retry timeout for most packets, we set the list size limit to 200k. Packets received beyond this limit are dropped, assuming they are likely timed out by the time they are handled by user-space. Notably, packets queued on the receive list due to reasons like timed-out sends are preserved even when the list is full. CVE-2024-42145 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-42145.html CVE-2024-42145 https://bugzilla.suse.com/1223384 SUSE Bug 1223384 https://bugzilla.suse.com/1228743 SUSE Bug 1228743 https://bugzilla.suse.com/1228744 SUSE Bug 1228744 In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix scv instruction crash with kexec kexec on pseries disables AIL (reloc_on_exc), required for scv instruction support, before other CPUs have been shut down. This means they can execute scv instructions after AIL is disabled, which causes an interrupt at an unexpected entry location that crashes the kernel. Change the kexec sequence to disable AIL after other CPUs have been brought down. As a refresher, the real-mode scv interrupt vector is 0x17000, and the fixed-location head code probably couldn't easily deal with implementing such high addresses so it was just decided not to support that interrupt at all. CVE-2024-42230 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.88.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.88.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242902-1/ https://www.suse.com/security/cve/CVE-2024-42230.html CVE-2024-42230 https://bugzilla.suse.com/1228489 SUSE Bug 1228489