ELSA-2025-20152

Опубликовано: 10 мар. 2025

Источник: oracle-oval

Платформа: Oracle Linux 8

Платформа: Oracle Linux 9

Описание

ELSA-2025-20152: Unbreakable Enterprise kernel security update (IMPORTANT)

[5.15.0-306.177.4]

Revert 'usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null' (Greg Kroah-Hartman)
drm/v3d: Assign job pointer to NULL before signaling the fence (Maira Canal)
scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs (Ranjan Kumar) [Orabug: 37472354] {CVE-2024-57804}

[5.15.0-306.177.3]

uek-rpm: Update network stress testing options for embedded2 (Joe Dobosenski) [Orabug: 37530219]
mm, madvise: fix potential workingset node list_lru leaks (Kairui Song) [Orabug: 37464586]
crypto: qat/qat_4xxx - fix off by one in uof_get_name() (Dan Carpenter) [Orabug: 37427536] {CVE-2024-53162}
vdpa/mlx5: Fix error path during device add (Dragos Tatulea) [Orabug: 37296163]
vp_vdpa: fix id_table array not null terminated error (Xiaoguang Wang) [Orabug: 37296163] {CVE-2024-53110}
vdpa/mlx5: Postpone MR deletion (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Introduce init/destroy for MR resources (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Rename mr_mtx -> lock (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Extract mr members in own resource struct (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Rename function (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Delete direct MKEYs in parallel (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Create direct MKEYs in parallel (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Parallelize VQ suspend/resume for CVQ MQ command (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Small improvement for change_num_qps() (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Keep notifiers during suspend but ignore (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Parallelize device resume (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Parallelize device suspend (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Use async API for vq modify commands (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Use async API for vq query command (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Introduce async fw command wrapper (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Introduce error logging function (Dragos Tatulea) [Orabug: 37296163]
net/mlx5: Support throttled commands from async API (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Add the support of set mac address (Cindy Lu) [Orabug: 37296163]
vdpa_sim_net: Add the support of set mac address (Cindy Lu) [Orabug: 37296163]
vdpa: support set mac address from vdpa tool (Cindy Lu) [Orabug: 37296163]
vdpa/mlx5: Fix invalid mr resource destroy (Dragos Tatulea) [Orabug: 37296163] {CVE-2024-47687}
vdpa/mlx5: Don't enable non-active VQs in .set_vq_ready() (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Don't reset VQs more than necessary (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Re-create HW VQs under certain conditions (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Pre-create hardware VQs at vdpa .dev_add time (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Use suspend/resume during VQP change (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Forward error in suspend/resume device (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Consolidate all VQ modify to Ready to use resume_vq() (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Add error code for suspend/resume VQ (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Accept Init -> Ready VQ transition in resume_vq() (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Allow creation of blank VQs (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Set mkey modified flags on all VQs (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Start off rqt_size with max VQPs (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Set an initial size on the VQ (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Add support for modifying the VQ features field (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Add support for modifying the virtio_version VQ field (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Rename init_mvqs (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Clear and reinitialize software VQ data on reset (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Initialize and reset device with one queue pair (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Remove duplicate suspend code (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Iterate over active VQs during suspend/resume (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Drop redundant check in teardown_virtqueues() (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Drop redundant code (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Make setup/teardown_vq_resources() symmetrical (Dragos Tatulea) [Orabug: 37296163]
vdpa/mlx5: Clarify meaning thorough function rename (Dragos Tatulea) [Orabug: 37296163]
vhost-vdpa: Remove usage of the deprecated ida_simple_xx() API (Christophe JAILLET) [Orabug: 37296163]
vp_vdpa: don't allocate unused msix vectors (Yuxue Liu) [Orabug: 37296163]
vdpa: Convert sprintf/snprintf to sysfs_emit (Li Zhijian) [Orabug: 37296163]
vp_vdpa: Fix return value check vp_vdpa_request_irq (Yuxue Liu) [Orabug: 37296163]
vhost-vdpa: change ioctl # for VDPA_GET_VRING_SIZE (Michael S. Tsirkin) [Orabug: 37296163]
virtio_vdpa: create vqs with the actual size (Zhu Lingshan) [Orabug: 37296163]
vdpa_sim: implement vdpa_config_ops.get_vq_size for vDPA simulator (Zhu Lingshan) [Orabug: 37296163]
vp_vdpa: implement vdpa_config_ops.get_vq_size (Zhu Lingshan) [Orabug: 37296163]
vDPA: introduce get_vq_size to vdpa_config_ops (Zhu Lingshan) [Orabug: 37296163]
vhost-vdpa: uapi to support reporting per vq size (Zhu Lingshan) [Orabug: 37296163]
vdpa: skip suspend/resume ops if not DRIVER_OK (Steve Sistare) [Orabug: 37296163]
vdpa_sim: reset must not run (Steve Sistare) [Orabug: 37296163]
vdpa: Block vq property changes in DRIVER_OK (Dragos Tatulea) [Orabug: 37296163]
vdpa: Track device suspended state (Dragos Tatulea) [Orabug: 37296163]
vdpa: Remove usage of the deprecated ida_simple_xx() API (Christophe JAILLET) [Orabug: 37296163]
SUNRPC: do not retry on EKEYEXPIRED when user TGT ticket expired (Dai Ngo) [Orabug: 34162493]

[5.15.0-306.177.2]

LTS version: v5.15.177 (Vijayendra Suman)
Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals (Ron Economos)
xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals (Arnd Bergmann)
net: fix data-races around sk->sk_forward_alloc (Wang Liang) [Orabug: 37388795] {CVE-2024-53124}
scsi: sg: Fix slab-use-after-free read in sg_release() (Suraj Sonawane) [Orabug: 37434117] {CVE-2024-56631}
x86/xen: fix SLS mitigation in xen_hypercall_iret() (Juergen Gross)
nfsd: add list_head nf_gc to struct nfsd_file (Youzhong Yang)
ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() (Eric Dumazet) [Orabug: 37200706] {CVE-2024-47707}
vsock/virtio: discard packets if the transport changes (Stefano Garzarella)
blk-cgroup: Fix UAF in blkcg_unpin_online() (Tejun Heo) [Orabug: 37434276] {CVE-2024-56672}
iio: adc: rockchip_saradc: fix information leak in triggered buffer (Javier Carrasco)
iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on (Jean-Baptiste Maneyrol)
iio: imu: inv_icm42600: fix spi burst write not supported (Jean-Baptiste Maneyrol)
drm/i915/fb: Relax clear color alignment to 64 bytes (Ville Syrjala)
irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly (Yogesh Lal)
gpiolib: cdev: Fix use after free in lineinfo_changed_notify (Zhongqiu Han) [Orabug: 36683269] {CVE-2024-36899}
fs/proc: fix softlockup in __read_vmcore (part 2) (Rik van Riel)
filemap: avoid truncating 64-bit offset to 32 bits (Marco Nelissen)
vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] (Stefano Garzarella)
vsock: reset socket state when de-assigning the transport (Stefano Garzarella)
vsock/virtio: cancel close work in the destructor (Stefano Garzarella)
net: ethernet: xgbe: re-add aneg to supported features in PHY quirks (Heiner Kallweit)
nvmet: propagate npwg topology (Luis Chamberlain)
poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() (Oleg Nesterov)
ACPI: resource: acpi_dev_irq_override(): Check DMI match last (Hans de Goede)
kheaders: Ignore silly-rename files (David Howells)
fs: fix missing declaration of init_files (Zhang Kunbo)
hfs: Sanity check the root record (Leo Stone)
mac802154: check local interfaces before deleting sdata list (Lizhi Xu)
i2c: rcar: fix NACK handling when being a target (Wolfram Sang)
i2c: mux: demux-pinctrl: check initial mux selection, too (Wolfram Sang)
drm/v3d: Ensure job pointer is set to NULL after job completion (Maira Canal)
net/mlx5: Fix RDMA TX steering prio (Patrisious Haddad)
net: xilinx: axienet: Fix IRQ coalescing packet count overflow (Sean Anderson)
nfp: bpf: prevent integer overflow in nfp_bpf_event_output() (Dan Carpenter)
pktgen: Avoid out-of-bounds access in get_imix_entries (Artem Chernyshev)
bpf: Fix bpf_sk_select_reuseport() memory leak (Michal Luczaj)
net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() (Sudheer Kumar Doredla)
phy: usb: Fix clock imbalance for suspend/resume (Justin Chen)
phy: usb: Use slow clock for wake enabled suspend (Justin Chen)
mptcp: fix TCP options overflow. (Paolo Abeni)
mptcp: drop port parameter of mptcp_pm_add_addr_signal (Geliang Tang)
ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv (Dennis Lam)
ocfs2: correct return value of ocfs2_local_free_info() (Joseph Qi)
phy: usb: Toggle the PHY power during init (Justin Chen)
phy: usb: Add 'wake on' functionality for newer Synopsis XHCI controllers (Al Cooper)
of: address: Preserve the flags portion on 1:1 dma-ranges mapping (Andrea della Porta)
of: address: Store number of bus flag cells rather than bool (Rob Herring)
of: address: Remove duplicated functions (Herve Codina)
of: address: Fix address translation when address-size is greater than 2 (Herve Codina)
of/address: Add support for 3 address cell bus (Rob Herring)
of: unittest: Add bus address range parsing tests (Rob Herring)
arm64: dts: rockchip: add hevc power domain clock to rk3328 (Peter Geis)
block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() (Yu Kuai)
iio: adc: ad7124: Disable all channels at probe time (Uwe Kleine-Konig)
iio: inkern: call iio_device_put() only on mapped devices (Joe Hattori)
iio: adc: at91: call input_free_device() on allocated iio_dev (Joe Hattori)
iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() (Fabio Estevam)
iio: gyro: fxas21002c: Fix missing data update in trigger handler (Carlos Song)
iio: adc: ti-ads8688: fix information leak in triggered buffer (Javier Carrasco)
iio: imu: kmx61: fix information leak in triggered buffer (Javier Carrasco)
iio: light: vcnl4035: fix information leak in triggered buffer (Javier Carrasco)
iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer (Javier Carrasco)
iio: pressure: zpa2326: fix information leak in triggered buffer (Javier Carrasco)
usb: gadget: f_fs: Remove WARN_ON in functionfs_bind (Akash M)
usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints (Prashanth K)
usb: fix reference leak in usb_new_device() (Ma Ke)
USB: core: Disable LPM only for non-suspended ports (Kai-Heng Feng)
USB: usblp: return error when setting unsupported protocol (Jun Yan)
usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null (Lianqin Hu)
topology: Keep the cpumask unchanged when printing cpumap (Li Huafei)
usb: dwc3: gadget: fix writing NYET threshold (Andre Draszik)
USB: serial: cp210x: add Phoenix Contact UPS Device (Johan Hovold)
usb-storage: Add max sectors quirk for Nokia 208 (Lubomir Rintel)
staging: iio: ad9832: Correct phase range check (Zicheng Qu)
staging: iio: ad9834: Correct phase range check (Zicheng Qu)
USB: serial: option: add Neoway N723-EA support (Michal Hrusecky)
USB: serial: option: add MeiG Smart SRM815 (Chukun Pan)
md/raid5: fix atomicity violation in raid5_cache_count (Gui-Dong Han)
scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity (Kuan-Wei Chiu)
drm/amd/display: increase MAX_SURFACES to the value supported by hw (Melissa Wen)
ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] (Hans de Goede)
ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] (Hans de Goede)
riscv: Fix sleeping in invalid context in die() (Nam Cao)
drm/amd/display: Add check for granularity in dml ceil/floor helpers (Roman Li)
sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy (Matthieu Baerts (NGI0))
sctp: sysctl: udp_port: avoid using current->nsproxy (Matthieu Baerts (NGI0))
sctp: sysctl: auth_enable: avoid using current->nsproxy (Matthieu Baerts (NGI0))
sctp: sysctl: rto_min/max: avoid using current->nsproxy (Matthieu Baerts (NGI0))
sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy (Matthieu Baerts (NGI0))
dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY (Mikulas Patocka)
dm thin: make get_first_thin use rcu-safe list first function (Krister Johansen)
afs: Fix the maximum cell name length (David Howells)
ksmbd: fix a missing return value check bug (Wentao Liang)
drm/mediatek: Add support for 180-degree rotation in the display driver (Jason-JH.Lin)
netfilter: conntrack: clamp maximum hashtable size to INT_MAX (Pablo Neira Ayuso)
netfilter: nf_tables: imbalance in flowtable binding (Pablo Neira Ayuso)
tls: Fix tls_sw_sendmsg error handling (Benjamin Coddington)
cxgb4: Avoid removal of uninserted tid (Anumula Murali Mohan Reddy)
bnxt_en: Fix possible memory leak when hwrm_req_replace fails (Kalesh AP)
net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute (Eric Dumazet)
tcp/dccp: allow a connection when sk_max_ack_backlog is zero (Zhongqiu Duan)
tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog (Jason Xing)
net: 802: LLC+SNAP OID:PID lookup on start of skb data (Antonio Pastor)
ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() (Keisuke Nishimura)
ASoC: mediatek: disable buffer pre-allocation (Chen-Yu Tsai)
exfat: fix the infinite loop in __exfat_free_cluster() (Yuezhang Mo)
exfat: fix the infinite loop in exfat_readdir() (Yuezhang Mo)
dm array: fix cursor index when skipping across block boundaries (Ming-Hung Tsai)
dm array: fix unreleased btree blocks on closing a faulty array cursor (Ming-Hung Tsai)
dm array: fix releasing a faulty array block twice in dm_array_cursor_end (Ming-Hung Tsai)
jbd2: flush filesystem device before updating tail sequence (Zhang Yi)
ceph: give up on paths longer than PATH_MAX (Max Kellermann)

[5.15.0-306.176.1]

mm/page_alloc: fix min_free_kbytes calculation regarding ZONE_MOVABLE (liuq) [Orabug: 37503579]
mm: Limit warning message in vmemmap_verify() to once (Ma Wupeng) [Orabug: 37503579]
assoc_array: fix the return value in assoc_array_insert_mid_shortcut() (Roman Smirnov) [Orabug: 37503579]
assoc_array: Avoid open coded arithmetic in allocator arguments (Len Baker) [Orabug: 37503579]
mm/page_alloc: use accumulated load when building node fallback list (Krupa Ramakrishnan) [Orabug: 37503525]
mm/page_alloc: print node fallback order (Bharata B Rao) [Orabug: 37503525]
PCI: Support BAR sizes up to 8TB (Dongdong Liu) [Orabug: 37503525]
uek-rpm: Enable USB_XHCI_PCI_RENESAS as a module for aarch64 platforms (Harshit Mogalapalli) [Orabug: 37552080]
cifs: use correct lock type in cifs_reconnect() (Paulo Alcantara) [Orabug: 37535421]
cifs: fix NULL ptr dereference in refresh_mounts() (Paulo Alcantara) [Orabug: 37535421]

Обновленные пакеты

Oracle Linux 8

Oracle Linux aarch64

bpftool

5.15.0-306.177.4.el8uek

kernel-uek

5.15.0-306.177.4.el8uek

kernel-uek-container

5.15.0-306.177.4.el8uek

kernel-uek-container-debug

5.15.0-306.177.4.el8uek

kernel-uek-core

5.15.0-306.177.4.el8uek

kernel-uek-debug

5.15.0-306.177.4.el8uek

kernel-uek-debug-core

5.15.0-306.177.4.el8uek

kernel-uek-debug-devel

5.15.0-306.177.4.el8uek

kernel-uek-debug-modules

5.15.0-306.177.4.el8uek

kernel-uek-debug-modules-extra

5.15.0-306.177.4.el8uek

kernel-uek-devel

5.15.0-306.177.4.el8uek

kernel-uek-doc

5.15.0-306.177.4.el8uek

kernel-uek-modules

5.15.0-306.177.4.el8uek

kernel-uek-modules-extra

5.15.0-306.177.4.el8uek

Oracle Linux x86_64

bpftool

5.15.0-306.177.4.el8uek

kernel-uek

5.15.0-306.177.4.el8uek

kernel-uek-container

5.15.0-306.177.4.el8uek

kernel-uek-container-debug

5.15.0-306.177.4.el8uek

kernel-uek-core

5.15.0-306.177.4.el8uek

kernel-uek-debug

5.15.0-306.177.4.el8uek

kernel-uek-debug-core

5.15.0-306.177.4.el8uek

kernel-uek-debug-devel

5.15.0-306.177.4.el8uek

kernel-uek-debug-modules

5.15.0-306.177.4.el8uek

kernel-uek-debug-modules-extra

5.15.0-306.177.4.el8uek

kernel-uek-devel

5.15.0-306.177.4.el8uek

kernel-uek-doc

5.15.0-306.177.4.el8uek

kernel-uek-modules

5.15.0-306.177.4.el8uek

kernel-uek-modules-extra

5.15.0-306.177.4.el8uek

Oracle Linux 9

Oracle Linux aarch64

bpftool

5.15.0-306.177.4.el9uek

kernel-uek

5.15.0-306.177.4.el9uek

kernel-uek-container

5.15.0-306.177.4.el9uek

kernel-uek-container-debug

5.15.0-306.177.4.el9uek

kernel-uek-core

5.15.0-306.177.4.el9uek

kernel-uek-debug

5.15.0-306.177.4.el9uek

kernel-uek-debug-core

5.15.0-306.177.4.el9uek

kernel-uek-debug-devel

5.15.0-306.177.4.el9uek

kernel-uek-debug-modules

5.15.0-306.177.4.el9uek

kernel-uek-debug-modules-extra

5.15.0-306.177.4.el9uek

kernel-uek-devel

5.15.0-306.177.4.el9uek

kernel-uek-doc

5.15.0-306.177.4.el9uek

kernel-uek-modules

5.15.0-306.177.4.el9uek

kernel-uek-modules-extra

5.15.0-306.177.4.el9uek

Oracle Linux x86_64

bpftool

5.15.0-306.177.4.el9uek

kernel-uek

5.15.0-306.177.4.el9uek

kernel-uek-container

5.15.0-306.177.4.el9uek

kernel-uek-container-debug

5.15.0-306.177.4.el9uek

kernel-uek-core

5.15.0-306.177.4.el9uek

kernel-uek-debug

5.15.0-306.177.4.el9uek

kernel-uek-debug-core

5.15.0-306.177.4.el9uek

kernel-uek-debug-devel

5.15.0-306.177.4.el9uek

kernel-uek-debug-modules

5.15.0-306.177.4.el9uek

kernel-uek-debug-modules-extra

5.15.0-306.177.4.el9uek

kernel-uek-devel

5.15.0-306.177.4.el9uek

kernel-uek-doc

5.15.0-306.177.4.el9uek

kernel-uek-modules

5.15.0-306.177.4.el9uek

kernel-uek-modules-extra

5.15.0-306.177.4.el9uek

Связанные CVE

Ссылки на источники

Связанные уязвимости

CVE-2024-47687

CVSS3: 5.5

ubuntu

8 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: vdpa/mlx5: Fix invalid mr resource destroy Certain error paths from mlx5_vdpa_dev_add() can end up releasing mr resources which never got initialized in the first place. This patch adds the missing check in mlx5_vdpa_destroy_mr_resources() to block releasing non-initialized mr resources. Reference trace: mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned? BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 140216067 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb] Code: [...] RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246 RAX: ffffffffc1a...