SUSE-SU-2024:2973-1

Опубликовано: 20 авг. 2024

Источник: suse-cvrf

Описание

Security update for the Linux Kernel

The SUSE Linux Enterprise 15 SP6 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

CVE-2023-0160: Fixed deadlock flaw in BPF that could allow a local user to potentially crash the system (bsc#1209657).
CVE-2023-38417: wifi: iwlwifi: bump FW API to 90 for BZ/SC devices (bsc#1225600).
CVE-2023-47210: wifi: iwlwifi: bump FW API to 90 for BZ/SC devices (bsc#1225601).
CVE-2023-52435: net: prevent mss overflow in skb_segment() (bsc#1220138).
CVE-2023-52458: Fixed check that partition length needs to be aligned with block size (bsc#1220428).
CVE-2023-52503: Fixed tee/amdtee use-after-free vulnerability in amdtee_close_session (bsc#1220915).
CVE-2023-52618: Fixed string overflow in block/rnbd-srv (bsc#1221615).
CVE-2023-52622: ext4: avoid online resizing failures due to oversized flex bg (bsc#1222080).
CVE-2023-52631: Fixed an NULL dereference bug (bsc#1222264 CVE-2023-52631).
CVE-2023-52640: Fixed out-of-bounds in ntfs_listxattr (bsc#1222301).
CVE-2023-52641: Fixed NULL ptr dereference checking at the end of attr_allocate_frame() (bsc#1222303)
CVE-2023-52645: Fixed pmdomain/mediatek race conditions with genpd (bsc#1223033).
CVE-2023-52652: Fixed NTB for possible name leak in ntb_register_device() (bsc#1223686).
CVE-2023-52656: Dropped any code related to SCM_RIGHTS (bsc#1224187).
CVE-2023-52672: pipe: wakeup wr_wait after setting max_usage (bsc#1224614).
CVE-2023-52674: Add clamp() in scarlett2_mixer_ctl_put() (bsc#1224727).
CVE-2023-52659: Fixed to pfn_to_kaddr() not treated as a 64-bit type (bsc#1224442)
CVE-2023-52680: Fixed missing error checks to *_ctl_get() (bsc#1224608).
CVE-2023-52692: Fixed missing error check to scarlett2_usb_set_config() (bsc#1224628).
CVE-2023-52698: Fixed memory leak in netlbl_calipso_add_pass() (CVE-2023-52698 bsc#1224621)
CVE-2023-52699: sysv: don't call sb_bread() with pointers_lock held (bsc#1224659).
CVE-2023-52735: bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself (bsc#1225475).
CVE-2023-52751: smb: client: fix use-after-free in smb2_query_info_compound() (bsc#1225489).
CVE-2023-52757: Fixed potential deadlock when releasing mids (bsc#1225548).
CVE-2023-52771: Fixed delete_endpoint() vs parent unregistration race (bsc#1225007).
CVE-2023-52772: Fixed use-after-free in unix_stream_read_actor() (bsc#1224989).
CVE-2023-52775: net/smc: avoid data corruption caused by decline (bsc#1225088).
CVE-2023-52786: ext4: fix racy may inline data check in dio write (bsc#1224939).
CVE-2023-52787: blk-mq: make sure active queue usage is held for bio_integrity_prep() (bsc#1225105).
CVE-2023-52837: nbd: fix uaf in nbd_open (bsc#1224935).
CVE-2023-52843: llc: verify mac len before reading mac header (bsc#1224951).
CVE-2023-52845: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING (bsc#1225585).
CVE-2023-52855: usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency (bsc#1225583).
CVE-2023-52860: Fixed null pointer dereference in hisi_hns3 (bsc#1224936).
CVE-2023-52875: Add check for mtk_alloc_clk_data (bsc#1225096).
CVE-2023-52881: tcp: do not accept ACK of bytes we never sent (bsc#1225611).
CVE-2023-6238: Fixed kcalloc() arguments order (bsc#1217384).
CVE-2024-21823: Fixed safety flag to struct ends (bsc#1223625).
CVE-2024-23848: Fixed media/cec for possible use-after-free in cec_queue_msg_fh (bsc#1219104).
CVE-2024-25739: Fixed possible crash in create_empty_lvol() in drivers/mtd/ubi/vtbl.c (bsc#1219834).
CVE-2024-26601: Fixed ext4 buddy bitmap corruption via fast commit replay (bsc#1220342).
CVE-2024-26614: Fixed the initialization of accept_queue's spinlocks (bsc#1221293).
CVE-2024-26615: net/smc: fix illegal rmb_desc access in SMC-D connection dump (bsc#1220942).
CVE-2024-26623: pds_core: Prevent race issues involving the adminq (bsc#1221057).
CVE-2024-26625: Call sock_orphan() at release time (bsc#1221086)
CVE-2024-26632: Fixed iterating over an empty bio with bio_for_each_folio_all (bsc#1221635).
CVE-2024-26633: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() (bsc#1221647).
CVE-2024-26635: llc: Drop support for ETH_P_TR_802_2 (bsc#1221656).
CVE-2024-26636: llc: make llc_ui_sendmsg() more robust against bonding changes (bsc#1221659).
CVE-2024-26638: Fixed uninitialize struct msghdr completely (bsc#1221649 CVE-2024-26638).
CVE-2024-26641: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() (bsc#1221654).
CVE-2024-26642: Fixed the set of anonymous timeout flag in netfilter nf_tables (bsc#1221830).
CVE-2024-26643: Fixed mark set as dead when unbinding anonymous set with timeout (bsc#1221829).
CVE-2024-26663: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() (bsc#1222326).
CVE-2024-26665: tunnels: fix out of bounds access when building IPv6 PMTU error (bsc#1222328).
CVE-2024-26671: Fixed blk-mq IO hang from sbitmap wakeup race (bsc#1222357).
CVE-2024-26673: Fixed netfilter/nft_ct layer 3 and 4 protocol sanitization (bsc#1222368).
CVE-2024-26674: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups (bsc#1222378).
CVE-2024-26679: Fixed read sk->sk_family once in inet_recv_error() (bsc#1222385).
CVE-2024-26684: Fixed net/stmmac/xgmac handling of DPP safety error for DMA channels (bsc#1222445).
CVE-2024-26691: KVM: arm64: Fix circular locking dependency (bsc#1222463).
CVE-2024-26704: Fixed a double-free of blocks due to wrong extents moved_len in ext4 (bsc#1222422).
CVE-2024-26726: Fixed invalid drop extent_map for free space inode on write error (bsc#1222532)
CVE-2024-26731: Fixed NULL pointer dereference in sk_psock_verdict_data_ready() (bsc#1222371).
CVE-2024-26733: Fixed an overflow in arp_req_get() in arp (bsc#1222585).
CVE-2024-26734: devlink: fix possible use-after-free and memory leaks in devlink_init() (bsc#1222438).
CVE-2024-26737: Fixed selftests/bpf racing between bpf_timer_cancel_and_free and bpf_timer_cancel (bsc#1222557).
CVE-2024-26740: Fixed use the backlog for mirred ingress (bsc#1222563).
CVE-2024-26760: scsi: target: pscsi: Fix bio_put() for error case (bsc#1222596).
CVE-2024-26772: Fixed ext4 to avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() (bsc#1222613).
CVE-2024-26773: Fixed ext4 block allocation from corrupted group in ext4_mb_try_best_found() (bsc#1222618).
CVE-2024-26774: Fixed dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt (bsc#1222622).
CVE-2024-26775: Fixed potential deadlock at set_capacity (bsc#1222627).
CVE-2024-26783: Fixed mm/vmscan bug when calling wakeup_kswapd() with a wrong zone index (bsc#1222615).
CVE-2024-26785: iommufd: Fix protection fault in iommufd_test_syz_conv_iova (bsc#1222779).
CVE-2024-26791: Fixed properly validate device names in btrfs (bsc#1222793)
CVE-2024-26805: Fixed a kernel-infoleak-after-free in __skb_datagram_iter in netlink (bsc#1222630).
CVE-2024-26807: Fixed spi/cadence-qspi NULL pointer reference in runtime PM hooks (bsc#1222801).
CVE-2024-26813: vfio/platform: Create persistent IRQ handlers (bsc#1222809).
CVE-2024-26814: vfio/fsl-mc: Block calling interrupt handler without trigger (bsc#1222810).
CVE-2024-26815: Fixed improper TCA_TAPRIO_TC_ENTRY_INDEX check (bsc#1222635).
CVE-2024-26816: Fixed relocations in .notes section when building with CONFIG_XEN_PV=y (bsc#1222624).
CVE-2024-26822: Set correct id, uid and cruid for multiuser automounts (bsc#1223011).
CVE-2024-26826: mptcp: fix data re-injection from stale subflow (bsc#1223010).
CVE-2024-26832: Fixed missing folio cleanup in writeback race path (bsc#1223007).
CVE-2024-26836: Fixed platform/x86/think-lmi password opcode ordering for workstations (bsc#1222968).
CVE-2024-26844: Fixed WARNING in _copy_from_iter (bsc#1223015).
CVE-2024-26845: scsi: target: core: Add TMF to tmr_list handling (bsc#1223018).
CVE-2024-26860: Fixed a memory leak when rechecking the data (bsc#1223077).
CVE-2024-26862: Fixed packet annotate data-races around ignore_outgoing (bsc#1223111).
CVE-2024-26863: hsr: Fix uninit-value access in hsr_get_node() (bsc#1223021).
CVE-2024-26878: Fixed quota for potential NULL pointer dereference (bsc#1223060).
CVE-2024-26882: Fixed net/ip_tunnel to make sure to pull inner header in ip_tunnel_rcv() (bsc#1223034).
CVE-2024-26883: Fixed bpf stackmap overflow check on 32-bit arches (bsc#1223035).
CVE-2024-26884: Fixed bpf hashtab overflow check on 32-bit arches (bsc#1223189).
CVE-2024-26885: Fixed bpf DEVMAP_HASH overflow check on 32-bit arches (bsc#1223190).
CVE-2024-26899: Fixed deadlock between bd_link_disk_holder and partition scan (bsc#1223045).
CVE-2024-26901: Fixed do_sys_name_to_handle() to use kzalloc() to prevent kernel-infoleak (bsc#1223198).
CVE-2024-26906: Fixed invalid vsyscall page read for copy_from_kernel_nofault() (bsc#1223202).
CVE-2024-26909: Fixed drm bridge use-after-free (bsc#1223143).
CVE-2024-26921: Preserve kabi for sk_buff (bsc#1223138).
CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223384).
CVE-2024-26925: Release mutex after nft_gc_seq_end from abort path (bsc#1223390).
CVE-2024-26928: Fixed potential UAF in cifs_debug_files_proc_show() (bsc#1223532).
CVE-2024-26944: btrfs: zoned: fix lock ordering in btrfs_zone_activate() (bsc#1223731).
CVE-2024-26945: Fixed nr_cpus < nr_iaa case (bsc#1223732).
CVE-2024-26946: Fixed copy_from_kernel_nofault() to read from unsafe address (bsc#1223669).
CVE-2024-26948: Fixed drm/amd/display by adding dc_state NULL check in dc_state_release (bsc#1223664).
CVE-2024-26958: Fixed UAF in direct writes (bsc#1223653).
CVE-2024-26960: Fixed mm/swap race between free_swap_and_cache() and swapoff() (bsc#1223655).
CVE-2024-26982: Fixed Squashfs inode number check not to be an invalid value of zero (bsc#1223634).
CVE-2024-26991: Fixed overflow lpage_info when checking attributes (bsc#1223695).
CVE-2024-26993: Fixed fs/sysfs reference leak in sysfs_break_active_protection() (bsc#1223693).
CVE-2024-27012: netfilter: nf_tables: restore set elements when delete set fails (bsc#1223804).
CVE-2024-27013: Fixed tun limit printing rate when illegal packet received by tun device (bsc#1223745).
CVE-2024-27014: Fixed net/mlx5e to prevent deadlock while disabling aRFS (bsc#1223735).
CVE-2024-27015: netfilter: flowtable: incorrect pppoe tuple (bsc#1223806).
CVE-2024-27016: netfilter: flowtable: validate pppoe header (bsc#1223807).
CVE-2024-27019: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() (bsc#1223813)
CVE-2024-27020: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() (bsc#1223815)
CVE-2024-27022: Fixed linking file vma until vma is fully initialized (bsc#1223774).
CVE-2024-27025: nbd: null check for nla_nest_start (bsc#1223778)
CVE-2024-27056: Fixed wifi/iwlwifi/mvm to ensure offloading TID queue exists (bsc#1223822).
CVE-2024-27064: netfilter: nf_tables: Fix a memory leak in nf_tables_updchain (bsc#1223740).
CVE-2024-27065: netfilter: nf_tables: do not compare internal table flags on updates (bsc#1223836).
CVE-2024-27395: Fixed Use-After-Free in ovs_ct_exit (bsc#1224098).
CVE-2024-27396: Fixed Use-After-Free in gtp_dellink (bsc#1224096).
CVE-2024-27401: Fixed user_length taken into account when fetching packet contents (bsc#1224181).
CVE-2024-27402: phonet/pep: fix racy skb_queue_empty() use (bsc#1224414).
CVE-2024-27404: mptcp: fix data races on remote_id (bsc#1224422)
CVE-2024-27408: Fixed race condition in dmaengine w-edma/eDMA (bsc#1224430).
CVE-2024-27414: rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back (bsc#1224439).
CVE-2024-27417: Fixed potential 'struct net' leak in inet6_rtm_getaddr() (bsc#1224721)
CVE-2024-27418: Fixed memory leak in mctp_local_output (bsc#1224720)
CVE-2024-27419: Fixed data-races around sysctl_net_busy_read (bsc#1224759)
CVE-2024-27431: Fixed Zero-initialise xdp_rxq_info struct before running XDP program (bsc#1224718).
CVE-2024-35247: fpga: region: add owner module and take its refcount (bsc#1226948).
CVE-2024-35805: dm snapshot: fix lockup in dm_exception_table_exit (bsc#1224743).
CVE-2024-35807: ext4: fix corruption during on-line resize (bsc#1224735).
CVE-2024-35827: io_uring/net: fix overflow check in io_recvmsg_mshot_prep() (bsc#1224606).
CVE-2024-35831: io_uring: Fix release of pinned pages when __io_uaddr_map fails (bsc#1224698).
CVE-2024-35843: iommu/vt-d: Use device rbtree in iopf reporting path (bsc#1224751).
CVE-2024-35848: eeprom: at24: fix memory corruption race condition (bsc#1224612).
CVE-2024-35852: Fixed memory leak when canceling rehash work (bsc#1224502).
CVE-2024-35853: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash (bsc#1224604).
CVE-2024-35854: Fixed possible use-after-free during rehash (bsc#1224636).
CVE-2024-35857: icmp: prevent possible NULL dereferences from icmp_build_probe() (bsc#1224619).
CVE-2024-35860: Struct bpf_link and bpf_link_ops kABI workaround (bsc#1224531).
CVE-2024-35861: Fixed potential UAF in cifs_signal_cifsd_for_reconnect() (bsc#1224766).
CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted() (bsc#1224764).
CVE-2024-35863: Fixed potential UAF in is_valid_oplock_break() (bsc#1224763).
CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break() (bsc#1224765).
CVE-2024-35865: Fixed potential UAF in smb2_is_valid_oplock_break() (bsc#1224668).
CVE-2024-35866: Fixed potential UAF in cifs_dump_full_key() (bsc#1224667).
CVE-2024-35867: Fixed potential UAF in cifs_stats_proc_show() (bsc#1224664).
CVE-2024-35868: Fixed potential UAF in cifs_stats_proc_write() (bsc#1224678).
CVE-2024-35872: Fixed GUP-fast succeeding on secretmem folios (bsc#1224530).
CVE-2024-35877: Fixed VM_PAT handling in COW mappings (bsc#1224525).
CVE-2024-35880: io_uring/kbuf: hold io_buffer_list reference over mmap (bsc#1224523).
CVE-2024-35884: udp: do not accept non-tunnel GSO skbs landing in a tunnel (bsc#1224520).
CVE-2024-35886: ipv6: Fix infinite recursion in fib6_dump_done() (bsc#1224670).
CVE-2024-35890: gro: fix ownership transfer (bsc#1224516).
CVE-2024-35892: net/sched: fix lockdep splat in qdisc_tree_reduce_backlog() (bsc#1224515).
CVE-2024-35893: net/sched: act_skbmod: prevent kernel-infoleak (bsc#1224512)
CVE-2024-35895: Fixed lock inversion deadlock in map delete elem (bsc#1224511).
CVE-2024-35898: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (bsc#1224498).
CVE-2024-35899: netfilter: nf_tables: flush pending destroy work before exit_net release (bsc#1224499)
CVE-2024-35900: netfilter: nf_tables: reject new basechain after table flag update (bsc#1224497).
CVE-2024-35903: Fixed IP after emitting call depth accounting (bsc#1224493).
CVE-2024-35908: tls: get psock ref after taking rxlock to avoid leak (bsc#1224490)
CVE-2024-35917: Fixed Fix bpf_plt pointer arithmetic (bsc#1224481).
CVE-2024-35921: Fixed oops when HEVC init fails (bsc#1224477).
CVE-2024-35925: block: prevent division by zero in blk_rq_stat_sum() (bsc#1224661).
CVE-2024-35926: crypto: iaa - Fix async_disable descriptor leak (bsc#1224655).
CVE-2024-35931: Fixed PCI error slot reset during RAS recovery (bsc#1224652).
CVE-2024-35934: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() (bsc#1224641)
CVE-2024-35942: pmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain (bsc#1224589).
CVE-2024-35943: Fixed a null pointer dereference in omap_prm_domain_init (bsc#1224649).
CVE-2024-35944: Fixed memcpy() run-time warning in dg_dispatch_as_host() (bsc#1224648).
CVE-2024-35964: Fixed not validating setsockopt user input (bsc#1224581).
CVE-2024-35969: Fixed race condition between ipv6_get_ifaddr and ipv6_del_addr (bsc#1224580).
CVE-2024-35976: Validate user input for XDP_{UMEM|COMPLETION}_FILL_RING (bsc#1224575).
CVE-2024-35979: raid1: fix use-after-free for original bio in raid1_write_request() (bsc#1224572).
CVE-2024-35991: Fixed kABI workaround for struct idxd_evl (bsc#1224553).
CVE-2024-35998: Fixed lock ordering potential deadlock in cifs_sync_mid_result (bsc#1224549).
CVE-2024-35999: Fixed missing lock when picking channel (bsc#1224550).
CVE-2024-36003: ice: fix LAG and VF lock dependency in ice_reset_vf() (bsc#1224544).
CVE-2024-36004: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (bsc#1224545)
CVE-2024-36005: netfilter: nf_tables: honor table dormant flag from netdev release event path (bsc#1224539).
CVE-2024-36006: Fixed incorrect list API usage (bsc#1224541).
CVE-2024-36007: Fixed warning during rehash (bsc#1224543).
CVE-2024-36008: ipv4: check for NULL idev in ip_route_use_hint() (bsc#1224540).
CVE-2024-36017: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation (bsc#1225681).
CVE-2024-36024: drm/amd/display: Disable idle reallow as part of command/gpint execution (bsc#1225702).
CVE-2024-36030: Fixed the double free in rvu_npc_freemem() (bsc#1225712)
CVE-2024-36281: net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules (bsc#1226799).
CVE-2024-36478: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' (bsc#1226841).
CVE-2024-36479: fpga: bridge: add owner module and take its refcount (bsc#1226949).
CVE-2024-36882: mm: use memalloc_nofs_save() in page_cache_ra_order() (bsc#1225723).
CVE-2024-36889: ata: libata-scsi: Fix offsets for the fixed format sense data (bsc#1225746).
CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify (bsc#1225737).
CVE-2024-36900: net: hns3: fix kernel crash when devlink reload during initialization (bsc#1225726).
CVE-2024-36901: ipv6: prevent NULL dereference in ip6_output() (bsc#1225711)
CVE-2024-36902: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() (bsc#1225719).
CVE-2024-36903: ipv6: Fix potential uninit-value access in __ip6_make_skb() (bsc#1225741).
CVE-2024-36904: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique() (bsc#1225732).
CVE-2024-36909: Drivers: hv: vmbus: Do not free ring buffers that couldn't be re-encrypted (bsc#1225744).
CVE-2024-36910: uio_hv_generic: Do not free decrypted memory (bsc#1225717).
CVE-2024-36911: hv_netvsc: Do not free decrypted memory (bsc#1225745).
CVE-2024-36912: Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl (bsc#1225752).
CVE-2024-36913: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails (bsc#1225753).
CVE-2024-36914: drm/amd/display: Skip on writeback when it's not applicable (bsc#1225757).
CVE-2024-36915: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies (bsc#1225758).
CVE-2024-36916: blk-iocost: avoid out of bounds shift (bsc#1225759).
CVE-2024-36917: block: fix overflow in blk_ioctl_discard() (bsc#1225770).
CVE-2024-36919: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload (bsc#1225767).
CVE-2024-36923: fs/9p: fix uninitialized values during inode evict (bsc#1225815).
CVE-2024-36934: bna: ensure the copied buf is NUL terminated (bsc#1225760).
CVE-2024-36935: ice: ensure the copied buf is NUL terminated (bsc#1225763).
CVE-2024-36937: xdp: use flags field to disambiguate broadcast redirect (bsc#1225834).
CVE-2024-36938: Fixed NULL pointer dereference in sk_psock_skb_ingress_enqueue (bsc#1225761).
CVE-2024-36945: net/smc: fix neighbour and rtable leak in smc_ib_find_route() (bsc#1225823).
CVE-2024-36946: phonet: fix rtm_phonet_notify() skb allocation (bsc#1225851).
CVE-2024-36957: octeontx2-af: avoid off-by-one read from userspace (bsc#1225762).
CVE-2024-36971: net: fix __dst_negative_advice() race (bsc#1226145).
CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514).
CVE-2024-37021: fpga: manager: add owner module and take its refcount (bsc#1226950).
CVE-2024-37078: nilfs2: fix potential kernel bug due to lack of writeback flag waiting (bsc#1227066).
CVE-2024-37353: virtio: fixed a double free in vp_del_vqs() (bsc#1226875).
CVE-2024-37354: btrfs: fix crash on racing fsync and size-extending write into prealloc (bsc#1227101).
CVE-2024-38553: net: fec: remove .ndo_poll_controller to avoid deadlock (bsc#1226744).
CVE-2024-38555: net/mlx5: Discard command completions in internal error (bsc#1226607).
CVE-2024-38556: net/mlx5: Add a timeout to acquire the command queue semaphore (bsc#1226774).
CVE-2024-38557: net/mlx5: Reload only IB representors upon lag disable/enable (bsc#1226781).
CVE-2024-38558: net: openvswitch: fix overwriting ct original tuple for ICMPv6 (bsc#1226783).
CVE-2024-38564: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (bsc#1226789).
CVE-2024-38566: bpf: Fix verifier assumptions about socket->sk (bsc#1226790).
CVE-2024-38568: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group (bsc#1226771).
CVE-2024-38569: drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group (bsc#1226772).
CVE-2024-38570: gfs2: Fix potential glock use-after-free on unmount (bsc#1226775).
CVE-2024-38580: epoll: be better about file lifetimes (bsc#1226610).
CVE-2024-38586: r8169: Fix possible ring buffer corruption on fragmented Tx packets (bsc#1226750).
CVE-2024-38594: net: stmmac: move the EST lock to struct stmmac_priv (bsc#1226734).
CVE-2024-38597: eth: sungem: remove .ndo_poll_controller to avoid deadlocks (bsc#1226749).
CVE-2024-38598: md: fix resync softlockup when bitmap size is less than array size (bsc#1226757).
CVE-2024-38603: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() (bsc#1226842).
CVE-2024-38604: block: refine the EOF check in blkdev_iomap_begin (bsc#1226866).
CVE-2024-38608: net/mlx5e: Fix netif state handling (bsc#1226746).
CVE-2024-38610: drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() (bsc#1226758).
CVE-2024-38627: stm class: Fix a double free in stm_register_device() (bsc#1226857).
CVE-2024-38636: f2fs: multidev: fix to recognize valid zero block address (bsc#1226879).
CVE-2024-38659: enic: Validate length of nl attributes in enic_set_vf_port (bsc#1226883).
CVE-2024-38661: s390/ap: Fix crash in AP internal function modify_bitmap() (bsc#1226996).
CVE-2024-39276: ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() (bsc#1226993).
CVE-2024-39301: net/9p: fix uninit-value in p9_client_rpc() (bsc#1226994).
CVE-2024-39371: io_uring: check for non-NULL file pointer in io_file_can_poll() (bsc#1226990).
CVE-2024-39468: smb: client: fix deadlock in smb2_find_smb_tcon() (bsc#1227103.
CVE-2024-39472: xfs: fix log recovery buffer allocation for the legacy h_size fixup (bsc#1227432).
CVE-2024-39474: mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL (bsc#1227434).
CVE-2024-39482: bcache: fix variable length array abuse in btree_iter (bsc#1227447).
CVE-2024-39487: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() (bsc#1227573)
CVE-2024-39490: ipv6: sr: fix missing sk_buff release in seg6_input_core (bsc#1227626).
CVE-2024-39494: ima: Fix use-after-free on a dentry's dname.name (bsc#1227716).
CVE-2024-39496: btrfs: zoned: fix use-after-free due to race with dev replace (bsc#1227719).
CVE-2024-39498: drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2 (bsc#1227723)
CVE-2024-39502: ionic: fix use after netif_napi_del() (bsc#1227755).
CVE-2024-39504: netfilter: nft_inner: validate mandatory meta and payload (bsc#1227757).
CVE-2024-39507: net: hns3: fix kernel crash problem in concurrent scenario (bsc#1227730).
CVE-2024-40901: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory (bsc#1227762).
CVE-2024-40906: net/mlx5: Always stop health timer during driver removal (bsc#1227763).
CVE-2024-40908: bpf: Set run context for rawtp test_run callback (bsc#1227783).
CVE-2024-40919: bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() (bsc#1227779).
CVE-2024-40923: vmxnet3: disable rx data ring on dma allocation failure (bsc#1227786).
CVE-2024-40925: block: fix request.queuelist usage in flush (bsc#1227789).
CVE-2024-40928: net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() (bsc#1227788).
CVE-2024-40931: mptcp: ensure snd_una is properly initialized on connect (bsc#1227780).
CVE-2024-40935: cachefiles: flush all requests after setting CACHEFILES_DEAD (bsc#1227797).
CVE-2024-40937: gve: Clear napi->skb before dev_kfree_skb_any() (bsc#1227836).
CVE-2024-40940: net/mlx5: Fix tainted pointer delete is case of flow rules creation fail (bsc#1227800).
CVE-2024-40947: ima: Avoid blocking in RCU read-side critical section (bsc#1227803).
CVE-2024-40948: mm/page_table_check: fix crash on ZONE_DEVICE (bsc#1227801).
CVE-2024-40953: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() (bsc#1227806).
CVE-2024-40960: ipv6: prevent possible NULL dereference in rt6_probe() (bsc#1227813).
CVE-2024-40961: ipv6: prevent possible NULL deref in fib6_nh_init() (bsc#1227814).
CVE-2024-40966: kABI: tty: add the option to have a tty reject a new ldisc (bsc#1227886).
CVE-2024-40970: Avoid hw_desc array overrun in dw-axi-dmac (bsc#1227899).
CVE-2024-40972: ext4: fold quota accounting into ext4_xattr_inode_lookup_create() (bsc#1227910).
CVE-2024-40975: platform/x86: x86-android-tablets: Unregister devices in reverse order (bsc#1227926).
CVE-2024-40998: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (bsc#1227866).
CVE-2024-40999: net: ena: Add validation for completion descriptors consistency (bsc#1227913).
CVE-2024-41006: netrom: Fix a memory leak in nr_heartbeat_expiry() (bsc#1227862).
CVE-2024-41013: xfs: do not walk off the end of a directory data block (bsc#1228405).
CVE-2024-41014: xfs: add bounds checking to xlog_recover_process_data (bsc#1228408).
CVE-2024-41017: jfs: do not walk off the end of ealist (bsc#1228403).
CVE-2024-41090: tap: add missing verification for short frame (bsc#1228328).
CVE-2024-41091: tun: add missing verification for short frame (bsc#1228327).

The following non-security bugs were fixed:

9p: add missing locking around taking dentry fid list (git-fixes)
accel/ivpu: Fix deadlock in context_xa (git-fixes).
ACPI: bus: Indicate support for IRQ ResourceSource thru _OSC (git-fixes).
ACPI: bus: Indicate support for _TFP thru _OSC (git-fixes).
ACPI: bus: Indicate support for the Generic Event Device thru _OSC (git-fixes).
ACPICA: debugger: check status of acpi_evaluate_object() in acpi_db_walk_for_fields() (git-fixes).
ACPICA: Revert 'ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.' (git-fixes).
ACPI: CPPC: Fix access width used for PCC registers (git-fixes).
ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro (git-fixes).
ACPI: CPPC: Use access_width over bit_width for system memory accesses (stable-fixes).
ACPI: disable -Wstringop-truncation (git-fixes).
ACPI: EC: Abort address space access upon error (stable-fixes).
ACPI: EC: Avoid returning AE_OK on errors in address space handler (stable-fixes).
ACPI: EC: Evaluate orphan _REG under EC device (git-fixes).
ACPI: EC: Install address space handler at the namespace root (stable-fixes).
ACPI: Fix Generic Initiator Affinity _OSC bit (git-fixes).
ACPI: LPSS: Advertise number of chip selects via property (git-fixes).
ACPI: processor_idle: Fix invalid comparison with insertion sort for latency (git-fixes).
ACPI: resource: Add Infinity laptops to irq1_edge_low_force_override (stable-fixes).
ACPI: resource: Do IRQ override on Lunnen Ground laptops (stable-fixes).
ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx (stable-fixes).
ACPI: scan: Do not increase dep_unmet for already met dependencies (git-fixes).
ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 (bsc#1217750).
ACPI: x86: Add PNP_UART1_SKIP quirk for Lenovo Blade2 tablets (stable-fixes).
ACPI: x86: Force StorageD3Enable on more products (stable-fixes).
ACPI: x86: Move acpi_quirk_skip_serdev_enumeration() out of CONFIG_X86_ANDROID_TABLETS (stable-fixes).
Add console: Improve console_srcu_read_flags() comments device property: Add SOFTWARE_NODE() macro for defining software nodes device property: Add fwnode_name_eq() device property: Add fwnode_property_match_property_string() device property: Implement device_is_big_endian() device property: Implement device_is_compatible() nbcon: Provide functions for drivers to acquire console for non-printing. panic: Flush kernel log buffer at the end panic: Mark emergency section in oops panic: Mark emergency section in warn panic: add option to dump blocked tasks in panic_print panic: suppress gnu_printf warning printk: Add @flags argument for console_is_usable() printk: Add function to replay kernel log on consoles printk: Add kthread for all legacy consoles printk: Add non-BKL (nbcon) console basic infrastructure printk: Add notation to console_srcu locking printk: Atomic print in printk context on shutdown printk: Avoid console_lock dance if no legacy or boot consoles printk: Avoid false positive lockdep report for legacy printing printk: Check printk_deferred_enter()/_exit() usage printk: Check valid console index for preferred console printk: Constify name for add_preferred_console() printk: Coordinate direct printing in panic printk: Do not try to parse DEVNAME:0.0 console options printk: Flag register_console() if console is set on command line. printk: Let console_is_usable() handle nbcon printk: Make console_is_usable() available to nbcon printk: Make static printk buffers available to nbcon printk: Properly deal with nbcon consoles on seq init printk: Provide helper for message prepending printk: Provide threadprintk boot argument printk: Reduce pr_flush() pooling time printk: Remove the now superfluous sentinel elements from ctl_table array printk: Save console options for add_preferred_console_match() printk: Track nbcon consoles printk: Track registered boot consoles printk: fix illegal pbufs access for !CONFIG_PRINTK printk: flush consoles before checking progress printk: nbcon: Add acquire/release logic printk: nbcon: Add buffer management printk: nbcon: Add callbacks to synchronize with driver printk: nbcon: Add context to console_is_usable() printk: nbcon: Add detailed doc for write_atomic() printk: nbcon: Add emit function and callback function for atomic printing printk: nbcon: Add helper to assign priority based on CPU state printk: nbcon: Add ownership state functions printk: nbcon: Add printer thread wakeups printk: nbcon: Add sequence handling printk: nbcon: Add unsafe flushing on panic printk: nbcon: Allow drivers to mark unsafe regions and check state. printk: nbcon: Do not rely on proxy headers printk: nbcon: Implement emergency sections printk: nbcon: Introduce printing kthreads printk: nbcon: Provide function to flush using write_atomic() printk: nbcon: Provide function to reacquire ownership printk: nbcon: Remove return value for write_atomic() printk: nbcon: Show replay message on takeover printk: nbcon: Start printing threads printk: nbcon: Use driver synchronization while (un)registering printk: nbcon: Use nbcon consoles in console_flush_all() serial: convert uart sysrq handling to u8 serial: core: Add UPIO_UNKNOWN constant for unknown port type serial: core: Controller id cannot be negative serial: core: Fix serial core port id to not use port->line serial: core: Implement processing in port->lock wrapper serial: core: Introduce wrapper to set @uart_port->cons serial: core: Move struct uart_port::quirks closer to possible serial: core: Provide low-level functions to lock port serial: core: Update uart_poll_timeout() function to return unsigned long. serial: core: Use lock wrappers serial: core: do not kfree device managed data serial: core: fix -EPROBE_DEFER handling in init serial: make uart_insert_char() accept u8s serial: port: Introduce a common helper to read properties tty/sysrq: Replay kernel log messages on consoles via sysrq
Add reference to L3 bsc#1225765 in BPF control flow graph and precision backtrack fixes (bsc#1225756) The L3 bsc#1225765 was created seperately since our customer requires PTF.
admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET (git-fixes).
ahci: asm1064: asm1166: do not limit reported ports (git-fixes).
ahci: asm1064: correct count of reported ports (stable-fixes).
ALSA: aoa: avoid false-positive format truncation warning (git-fixes).
ALSA: core: Fix NULL module pointer assignment at card init (git-fixes).
ALSA: core: Remove debugfs at disconnection (git-fixes).
ALSA: dmaengine_pcm: terminate dmaengine before synchronize (stable-fixes).
ALSA: dmaengine: Synchronize dma channel after drop() (stable-fixes).
ALSA: emux: improve patch ioctl data validation (stable-fixes).
ALSA: firewire-lib: handle quirk to calculate payload quadlets as data block counter (stable-fixes).
ALSA: Fix deadlocks with kctl removals at disconnection (stable-fixes).
ALSA: hda: Add Intel BMG PCI ID and HDMI codec vid (stable-fixes).
ALSA: hda: clarify Copyright information (stable-fixes).
ALSA: hda/conexant: Mute speakers at suspend / shutdown (bsc#1228269).
ALSA: hda: cs35l41: Add support for ASUS ROG 2024 Laptops (stable-fixes).
ALSA: hda: cs35l41: Component should be unbound before deconstruction (git-fixes).
ALSA: hda: cs35l41: Fix swapped l/r audio channels for Lenovo ThinBook 13x Gen4 (git-fixes).
ALSA: hda: cs35l41: Ignore errors when configuring IRQs (stable-fixes).
ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() (git-fixes).
ALSA: hda: cs35l41: Remove redundant argument to cs35l41_request_firmware_file() (stable-fixes).
ALSA: hda: cs35l41: Remove Speaker ID for Lenovo Legion slim 7 16ARHA7 (git-fixes).
ALSA: hda: cs35l41: Set the max PCM Gain using tuning setting (stable-fixes).
ALSA: hda: cs35l41: Support HP Omen models without _DSD (stable-fixes).
ALSA: hda: cs35l41: Support Lenovo 13X laptop without _DSD (stable-fixes).
ALSA: hda: cs35l41: Support Lenovo Thinkbook 13x Gen 4 (stable-fixes).
ALSA: hda: cs35l41: Support Lenovo Thinkbook 16P Gen 5 (stable-fixes).
ALSA: hda: cs35l56: Add ACPI device match tables (git-fixes).
ALSA: hda: cs35l56: Component should be unbound before deconstruction (git-fixes).
ALSA: hda: cs35l56: Exit cache-only after cs35l56_wait_for_firmware_boot() (stable-fixes).
ALSA: hda: cs35l56: Fix lifecycle of codec pointer (stable-fixes).
ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance (git-fixes).
ALSA: hda: cs35l56: Set the init_done flag before component_add() (git-fixes).
ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup (git-fixes).
ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown (bsc#1228269).
ALSA: hda: hda_cs_dsp_ctl: Remove notification of driver write (stable-fixes).
ALSA/hda: intel-dsp-config: Document AVS as dsp_driver option (git-fixes).
ALSA: hda: intel-dsp-config: harden I2C/I2S codec detection (stable-fixes).
ALSA/hda: intel-dsp-config: reduce log verbosity (git-fixes).
ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node() (git-fixes).
ALSA: hda/realtek: Add more codec ID to no shutup pins list (stable-fixes).
ALSA: hda/realtek: add quirk for Clevo V5[46]0TU (stable-fixes).
ALSA: hda/realtek: Add quirk for HP SnowWhite laptops (stable-fixes).
ALSA: hda/realtek: Add quirk for HP Spectre x360 14 eu0000 (stable-fixes).
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9 (stable-fixes).
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ARP8 (stable-fixes).
ALSA: hda/realtek: Add quirks for ASUS Laptops using CS35L56 (stable-fixes).
ALSA: hda/realtek: Add quirks for HP Omen models using CS35L41 (stable-fixes).
ALSA: hda/realtek: Add quirks for Huawei Matebook D14 NBLB-WAX9N (stable-fixes).
ALSA: hda/realtek: Add quirks for Lenovo 13X (stable-fixes).
ALSA: hda/realtek: Add quirks for some Clevo laptops (stable-fixes).
ALSA: hda/realtek: Add sound quirks for Lenovo Legion slim 7 16ARHA7 models (stable-fixes).
ALSA: hda/realtek: Add support for ASUS Zenbook 2024 HN7306W (stable-fixes).
ALSA: hda/realtek: Adjust G814JZR to use SPI init for amp (git-fixes).
ALSA: hda/realtek: cs35l41: Fixup remaining asus strix models (git-fixes).
ALSA: hda/realtek: cs35l41: Support ASUS ROG G634JYR (stable-fixes).
ALSA: hda/realtek: Drop doubly quirk entry for 103c:8a2e (git-fixes).
ALSA: hda/realtek - Enable audio jacks of Haier Boyue G42 with ALC269VC (stable-fixes).
ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 (stable-fixes).
ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM (git-fixes).
ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 (stable-fixes).
ALSA: hda/realtek: Enable Mute LED on HP 250 G7 (stable-fixes).
ALSA: hda/realtek: Fix build error without CONFIG_PM (stable-fixes).
ALSA: hda/realtek: Fix conflicting PCI SSID 17aa:386f for Lenovo Legion models (bsc#1223462).
ALSA: hda/realtek: Fix conflicting quirk for PCI SSID 17aa:3820 (git-fixes).
ALSA: hda/realtek - fixed headset Mic not show (stable-fixes).
ALSA: hda/realtek: Fixes for Asus GU605M and GA403U sound (stable-fixes).
ALSA: hda/realtek - Fix inactive headset mic jack (stable-fixes).
ALSA: hda/realtek: Fix internal speakers for Legion Y9000X 2022 IAH7 (stable-fixes).
ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU (stable-fixes).
ALSA: hda/realtek: fix mute/micmute LEDs do not work for EliteBook 645/665 G11 (stable-fixes).
ALSA: hda/realtek: fix mute/micmute LEDs do not work for ProBook 440/460 G11 (stable-fixes).
ALSA: hda/realtek: fix mute/micmute LEDs do not work for ProBook 445/465 G11 (stable-fixes).
ALSA: hda/realtek: fix the hp playback volume issue for LG machines (stable-fixes).
ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 (stable-fixes).
ALSA: hda/realtek: Fix volumn control of ThinkBook 16P Gen4 (git-fixes).
ALSA: hda/realtek: Limit mic boost on N14AP7 (stable-fixes).
ALSA: hda/realtek: Limit mic boost on VAIO PRO PX (stable-fixes).
ALSA: hda/realtek: Remove Framework Laptop 16 from quirks (git-fixes).
ALSA: hda/realtek - Set GPIO3 to default at S4 state for Thinkpad with ALC1318 (stable-fixes).
ALSA: hda/realtek: Support Lenovo Thinkbook 13x Gen 4 (stable-fixes).
ALSA: hda/realtek: Support Lenovo Thinkbook 16P Gen 5 (stable-fixes).
ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx (stable-fixes).
ALSA: hda/tas2781: add locks to kcontrols (git-fixes).
ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop (stable-fixes).
ALSA: hda/tas2781: Add new vendor_id and subsystem_id to support ThinkPad ICE-1 (stable-fixes).
ALSA: hda: tas2781: Component should be unbound before deconstruction (git-fixes).
ALSA: hda/tas2781: correct the register for pow calibrated data (git-fixes).
ALSA: hda/tas2781: remove digital gain kcontrol (git-fixes).
ALSA: line6: Zero-initialize message buffers (stable-fixes).
ALSA: PCM: Allow resume only for suspended streams (stable-fixes).
ALSA: pcm_dmaengine: Do not synchronize DMA channel when DMA is paused (git-fixes).
ALSA: scarlett2: Add Focusrite Clarett+ 2Pre and 4Pre support (stable-fixes).
ALSA: scarlett2: Add Focusrite Clarett 2Pre and 4Pre USB support (stable-fixes).
ALSA: scarlett2: Add missing error check to scarlett2_config_save() (git-fixes).
ALSA: scarlett2: Add support for Clarett 8Pre USB (stable-fixes).
ALSA: scarlett2: Default mixer driver to enabled (stable-fixes).
ALSA: scarlett2: Move USB IDs out from device_info struct (stable-fixes).
ALSA: seq: Do not clear bank selection at event -> UMP MIDI2 conversion (git-fixes).
ALSA: seq: Fix incorrect UMP type for system messages (git-fixes).
ALSA: seq: Fix missing bank setup between MIDI1/MIDI2 UMP conversion (git-fixes).
ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages (git-fixes).
ALSA: seq: Fix missing MSB in MIDI2 SPP conversion (git-fixes).
ALSA: seq: Fix yet another spot for system message conversion (git-fixes).
ALSA: seq: ump: Fix conversion from MIDI2 to MIDI1 UMP messages (git-fixes).
ALSA: seq: ump: Fix missing System Reset message handling (git-fixes).
ALSA: seq: ump: Fix swapped song position pointer data (git-fixes).
ALSA: seq: ump: Skip useless ports for static blocks (git-fixes).
ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs (git-fixes).
ALSA: timer: Set lower bound of start tick time (stable-fixes).
ALSA: ump: Do not accept an invalid UMP protocol number (git-fixes).
ALSA: ump: Do not clear bank selection after sending a program change (git-fixes).
ALSA: ump: Force 1 Group for MIDI1 FBs (git-fixes).
ALSA: ump: Set default protocol when not given explicitly (git-fixes).
ALSA: usb-audio: Add a quirk for Sonix HD USB Camera (stable-fixes).
ALSA: usb-audio: Add sampling rates support for Mbox3 (stable-fixes).
ALSA: usb-audio: Fix for sampling rates support for Mbox3 (stable-fixes).
ALSA: usb-audio: Fix microphone sound on HD webcam (stable-fixes).
ALSA: usb-audio: Move HD Webcam quirk to the right place (git-fixes).
amd/amdkfd: sync all devices to wait all processes being evicted (stable-fixes).
amdkfd: use calloc instead of kzalloc to avoid integer overflow (stable-fixes).
arm64: Add the arm64.no32bit_el0 command line option (jsc#PED-3184).
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY (git-fixes).
arm64: bpf: fix 32bit unconditional bswap (git-fixes).
arm64: dts: allwinner: h616: Fix I2C0 pins (git-fixes)
arm64: dts: allwinner: Pine H64: correctly remove reg_gmac_3v3 (git-fixes)
arm64: dts: broadcom: bcmbca: bcm4908: drop invalid switch cells (git-fixes)
arm64: dts: Fix dtc interrupt_provider warnings (git-fixes)
arm64: dts: freescale: imx8mm-verdin: enable hysteresis on slow input (git-fixes)
arm64: dts: hi3798cv200: fix the size of GICR (git-fixes)
arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc (git-fixes)
arm64: dts: imx8qm-ss-dma: fix can lpcg indices (git-fixes)
arm64: dts: imx8-ss-conn: fix usb lpcg indices (git-fixes)
arm64: dts: imx8-ss-conn: fix usdhc wrong lpcg clock order (git-fixes)
arm64: dts: imx8-ss-dma: fix adc lpcg indices (git-fixes)
arm64: dts: imx8-ss-dma: fix can lpcg indices (git-fixes)
arm64: dts: imx8-ss-dma: fix spi lpcg indices (git-fixes)
arm64: dts: imx8-ss-lsio: fix pwm lpcg indices (git-fixes)
arm64: dts: imx93-11x11-evk: Remove the 'no-sdio' property (git-fixes)
arm64: dts: marvell: reorder crypto interrupts on Armada SoCs (git-fixes)
arm64: dts: microchip: sparx5: fix mdio reg (git-fixes)
arm64: dts: rockchip: Add enable-strobe-pulldown to emmc phy on ROCK (git-fixes)
arm64: dts: rockchip: Add mdio and ethernet-phy nodes to (git-fixes)
arm64: dts: rockchip: Add missing power-domains for rk356x vop_mmu (git-fixes)
arm64: dts: rockchip: Add pinctrl for UART0 to rk3308-rock-pi-s (git-fixes)
arm64: dts: rockchip: Add sdmmc related properties on (git-fixes)
arm64: dts: rockchip: Add sound-dai-cells for RK3368 (git-fixes)
arm64: dts: rockchip: Drop invalid mic-in-differential on (git-fixes)
arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 (git-fixes)
arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for (git-fixes)
arm64: dts: rockchip: enable internal pull-up on Q7_USB_ID for RK3399 (git-fixes)
arm64: dts: rockchip: Fix mic-in-differential usage on (git-fixes)
arm64: dts: rockchip: Fix mic-in-differential usage on rk3566-roc-pc (git-fixes)
arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E (git-fixes)
arm64: dts: rockchip: fix rk3328 hdmi ports node (git-fixes)
arm64: dts: rockchip: fix rk3399 hdmi ports node (git-fixes)
arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s (git-fixes)
arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 (git-fixes)
arm64: dts: rockchip: Fix the value of dlg,jack-det-rate mismatch (git-fixes)
arm64: dts: rockchip: Increase VOP clk rate on RK3328 (git-fixes)
arm64: dts: rockchip: regulator for sd needs to be always on for (git-fixes)
arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro (git-fixes)
arm64: dts: rockchip: Rename LED related pinctrl nodes on (git-fixes)
arm64: dts: rockchip: set PHY address of MT7531 switch to 0x1f (git-fixes)
arm64/head: Disable MMU at EL2 before clearing HCR_EL2.E2H (git-fixes).
arm64: hibernate: Fix level3 translation fault in swsusp_save() (git-fixes).
arm64/io: add constant-argument check (bsc#1226502 git-fixes)
arm64/io: Provide a WC friendly __iowriteXX_copy() (bsc#1226502)
arm64: mm: Batch dsb and isb when populating pgtables (jsc#PED-8688).
arm64: mm: Do not remap pgtables for allocate vs populate (jsc#PED-8688).
arm64: mm: Do not remap pgtables per-cont(pte|pmd) block (jsc#PED-8688).
arm64/ptrace: Use saved floating point state type to determine SVE (git-fixes)
arm64/sve: Lower the maximum allocation for the SVE ptrace regset (git-fixes)
arm64: tegra: Correct Tegra132 I2C alias (git-fixes)
arm64: tegra: Set the correct PHY mode for MGBE (git-fixes)
ARM: 9381/1: kasan: clear stale stack poison (git-fixes).
ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init (git-fixes).
ARM: imx_v6_v7_defconfig: Restore CONFIG_BACKLIGHT_CLASS_DEVICE (git-fixes).
ARM: OMAP2+: fix N810 MMC gpiod table (git-fixes).
ARM: OMAP2+: fix USB regression on Nokia N8x0 (git-fixes).
arm_pmu: acpi: Add a representative platform device for TRBE (bsc#1220587)
arm_pmu: acpi: Refactor arm_spe_acpi_register_device() (bsc#1220587)
ARM: prctl: reject PR_SET_MDWE on pre-ARMv6 (stable-fixes).
ARM: s5pv210: fix pm.c kernel-doc warning (git-fixes).
asm-generic: make sparse happy with odd-sized put_unaligned_*() (stable-fixes).
ASoC: acp: Support microphone from device Acer 315-24p (git-fixes).
ASoC: amd: acp: add a null check for chip_pdev structure (git-fixes).
ASoC: amd: acp: fix for acp_init function error handling (git-fixes).
ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe() (git-fixes).
ASoC: amd: Adjust error handling in case of absent codec device (git-fixes).
ASoC: amd: yc: Add Lenovo ThinkBook 21J0 into DMI quirk table (stable-fixes).
ASoC: amd: yc: Fix non-functional mic on ASUS M5602RA (stable-fixes).
ASoC: amd: yc: Fix non-functional mic on ASUS M7600RE (stable-fixes).
ASoC: amd: yc: Fix non-functional mic on Lenovo 21J2 (stable-fixes).
ASoC: amd: yc: Revert 'Fix non-functional mic on Lenovo 21J2' (stable-fixes).
ASoC: amd: yc: Support mic on Lenovo Thinkpad E16 Gen 2 (bsc#1228269).
ASoC: codecs: wsa881x: set clk_stop_mode1 flag (git-fixes).
ASoC: cs35l56: Accept values greater than 0 as IRQ numbers (git-fixes).
ASoC: cs35l56: Fix unintended bus access while resetting amp (git-fixes).
ASoC: cs35l56: Prevent overwriting firmware ASP config (git-fixes).
ASoC: da7219-aad: fix usage of device_get_named_child_node() (git-fixes).
ASoC: fsl-asoc-card: set priv->pdev before using it (git-fixes).
ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value (git-fixes).
ASoC: Intel: avs: Fix ASRC module initialization (git-fixes).
ASoC: Intel: avs: Fix potential integer overflow (git-fixes).
ASoC: Intel: avs: Populate board selection with new I2S entries (stable-fixes).
ASoC: Intel: avs: Set name of control as in topology (git-fixes).
ASoC: Intel: avs: ssm4567: Do not ignore route checks (git-fixes).
ASoC: Intel: avs: Test result of avs_get_module_entry() (git-fixes).
ASoC: Intel: bytcr_rt5640: Apply Asus T100TA quirk to Asus T100TAM too (git-fixes).
ASoC: Intel: common: add ACPI matching tables for Arrow Lake (stable-fixes).
ASoC: Intel: common: DMI remap for rebranded Intel NUC M15 (LAPRC710) laptops (stable-fixes).
ASoC: Intel: Disable route checks for Skylake boards (git-fixes).
ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 (stable-fixes).
ASoC: Intel: sof_sdw: add quirk for Dell SKU 0C0F (stable-fixes).
ASoC: Intel: sof-sdw: really remove FOUR_SPEAKER quirk (git-fixes).
ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable (git-fixes).
ASoC: kirkwood: Fix potential NULL dereference (git-fixes).
ASoC: max98088: Check for clk_prepare_enable() error (git-fixes).
ASoC: mediatek: Assign dummy when codec not specified for a DAI link (git-fixes).
ASoC: mediatek: mt8192: fix register configuration for tdm (git-fixes).
ASoC: meson: axg-card: make links nonatomic (git-fixes).
ASoC: meson: axg-fifo: use FIELD helpers (stable-fixes).
ASoC: meson: axg-fifo: use threaded irq to check periods (git-fixes).
ASoC: meson: axg-tdm-interface: manage formatters in trigger (git-fixes).
ASoC: meson: cards: select SND_DYNAMIC_MINORS (git-fixes).
ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw (git-fixes).
ASoC: q6apm-lpass-dai: close graph on prepare errors (git-fixes).
ASoC: qcom: Adjust issues in case of DT error in asoc_qcom_lpass_cpu_platform_probe() (git-fixes).
ASoC: rockchip: i2s-tdm: Fix inaccurate sampling rates (git-fixes).
ASoC: rockchip: i2s-tdm: Fix trcm mode by setting clock on right mclk (git-fixes).
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating (git-fixes).
ASoC: rt5645: Make LattePanda board DMI match more precise (stable-fixes).
ASoC: rt5682-sdw: fix locking sequence (git-fixes).
ASoC: rt711-sdca: fix locking sequence (git-fixes).
ASoC: rt711-sdw: add missing readable registers (stable-fixes).
ASoC: rt711-sdw: fix locking sequence (git-fixes).
ASoC: rt712-sdca-sdw: fix locking sequence (git-fixes).
ASoC: rt715: add vendor clear control register (git-fixes).
ASoC: rt715-sdca: volume step modification (git-fixes).
ASoC: rt722-sdca: add headset microphone vrefo setting (git-fixes).
ASoC: rt722-sdca: modify channel number to support 4 channels (git-fixes).
ASoC: rt722-sdca-sdw: add debounce time for type detection (stable-fixes).
ASoC: rt722-sdca-sdw: add silence detection register as volatile (stable-fixes).
ASoC: rt722-sdca-sdw: fix locking sequence (git-fixes).
ASoC: soc-core.c: Skip dummy codec when adding platforms (stable-fixes).
ASoC: sof: amd: fix for firmware reload failure in Vangogh platform (git-fixes).
ASoC: SOF: amd: Optimize quirk for Valve Galileo (stable-fixes).
ASoC: SOF: imx8m: Fix DSP control regmap retrieval (git-fixes).
ASoC: SOF: Intel: add default firmware library path for LNL (git-fixes).
ASoC: SOF: Intel: hda-dsp: Skip IMR boot on ACE platforms in case of S3 suspend (stable-fixes).
ASoC: SOF: Intel: hda: fix null deref on system suspend entry (git-fixes).
ASoC: SOF: Intel: hda-pcm: Limit the maximum number of periods by MAX_BDL_ENTRIES (stable-fixes).
ASoC: SOF: Intel: lnl: Correct rom_status_reg (git-fixes).
ASoC: SOF: Intel: mtl: call dsp dump when boot retry fails (stable-fixes).
ASoC: SOF: Intel: mtl: Correct rom_status_reg (git-fixes).
ASoC: SOF: Intel: mtl: Disable interrupts when firmware boot failed (git-fixes).
ASoC: SOF: Intel: mtl: Implement firmware boot state check (git-fixes).
ASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend (stable-fixes).
ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension (git-fixes).
ASoC: SOF: ipc4-topology: Preserve the DMA Link ID for ChainDMA on unprepare (git-fixes).
ASoC: SOF: ipc4-topology: Use correct queue_id for requesting input pin format (stable-fixes).
ASoC: SOF: pcm: Restrict DSP D0i3 during S0ix to IPC3 (stable-fixes).
ASoC: SOF: sof-audio: Skip unprepare for in-use widgets on error rollback (stable-fixes).
ASoC: tas2552: Add TX path for capturing AUDIO-OUT data (git-fixes).
ASoc: tas2781: Enable RCA-based playback without DSP firmware download (git-fixes).
ASoC: tas2781: Fix a warning reported by robot kernel test (git-fixes).
ASoC: TAS2781: Fix tasdev_load_calibrated_data() (git-fixes).
ASoC: tas2781: Fix wrong loading calibrated data sequence (git-fixes).
ASoC: tas2781: mark dvc_tlv with __maybe_unused (git-fixes).
ASoC: tegra: Fix DSPK 16-bit playback (git-fixes).
ASoC: ti: Convert Pandora ASoC to GPIO descriptors (stable-fixes).
ASoC: ti: davinci-mcasp: Fix race condition during probe (git-fixes).
ASoC: ti: davinci-mcasp: Set min period size using FIFO config (stable-fixes).
ASoC: ti: omap-hdmi: Fix too long driver name (stable-fixes).
ASoC: tlv320adc3xxx: Do not strip remove function when driver is builtin (git-fixes).
ASoC: topology: Do not assign fields that are already set (stable-fixes).
ASoC: topology: Fix references to freed memory (stable-fixes).
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value (git-fixes).
ASoC: wm_adsp: Add missing MODULE_DESCRIPTION() (git-fixes).
ASoC: wm_adsp: Fix missing mutex_lock in wm_adsp_write_ctl() (git-fixes).
ata: ahci: Clean up sysfs file on error (git-fixes).
ata: libata-core: Allow command duration limits detection for ACS-4 drives (git-fixes).
ata: libata-core: Fix double free on error (git-fixes).
ata: libata-core: Fix null pointer dereference on error (git-fixes).
ata: pata_legacy: make legacy_exit() work again (git-fixes).
ata: sata_gemini: Check clk_enable() result (stable-fixes).
ata: sata_mv: Fix PCI device ID table declaration compilation warning (git-fixes).
ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit (git-fixes).
ata,scsi: libata-core: Do not leak memory for ata_port struct members (git-fixes).
autofs: use wake_up() instead of wake_up_interruptible(() (bsc#1224166).
auxdisplay: ht16k33: Drop reference after LED registration (git-fixes).
ax25: Fix netdev refcount issue (git-fixes).
ax25: Fix refcount imbalance on inbound connections (git-fixes).
ax25: Fix reference count leak issue of net_device (git-fixes).
ax25: Fix reference count leak issues of ax25_dev (git-fixes).
ax25: fix use-after-free bugs caused by ax25_ds_del_timer (git-fixes).
batman-adv: Avoid infinite loop trying to resize local TT (git-fixes).
batman-adv: bypass empty buckets in batadv_purge_orig_ref() (stable-fixes).
batman-adv: Do not accept TT entries for out-of-spec VIDs (git-fixes).
bitops: add missing prototype check (git-fixes).
blk-cgroup: fix list corruption from reorder of WRITE ->lqueued (bsc#1225605).
blk-cgroup: fix list corruption from resetting io stat (bsc#1225605).
block: fix q->blkg_list corruption during disk rebind (bsc#1223591).
block: Move checking GENHD_FL_NO_PART to bdev_add_partition() (bsc#1226213).
Bluetooth: Add new quirk for broken read key length on ATS2851 (stable-fixes).
Bluetooth: add quirk for broken address properties (git-fixes).
Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl (stable-fixes).
Bluetooth: btintel: Fixe build regression (git-fixes).
Bluetooth: btintel: Fix null ptr deref in btintel_read_version (stable-fixes).
Bluetooth: btintel: Refactor btintel_set_ppag() (git-fixes).
Bluetooth: btnxpuart: Add handling for boot-signature timeout errors (git-fixes).
Bluetooth: btnxpuart: Enable Power Save feature on startup (stable-fixes).
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 (stable-fixes).
Bluetooth: btusb: Fix triggering coredump implementation for QCA (git-fixes).
Bluetooth: Fix memory leak in hci_req_sync_complete() (git-fixes).
Bluetooth: Fix TOCTOU in HCI debugfs implementation (git-fixes).
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() (stable-fixes).
Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout (git-fixes).
Bluetooth: hci_bcm4377: Fix msgid release (git-fixes).
Bluetooth: hci_bcm4377: Use correct unit for timeouts (git-fixes).
Bluetooth: hci_core: cancel all works upon hci_unregister_dev() (stable-fixes).
Bluetooth: hci_core: Cancel request on command timeout (stable-fixes).
bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX (git-fixes).
Bluetooth: hci_event: Fix sending HCI_OP_READ_ENC_KEY_SIZE (git-fixes).
Bluetooth: hci_event: Fix setting of unicast qos interval (git-fixes).
Bluetooth: hci_event: Remove code to removed CONFIG_BT_HS (stable-fixes).
Bluetooth: hci_event: Set QoS encryption from BIGInfo report (git-fixes).
Bluetooth: hci_event: set the conn encrypted before conn establishes (stable-fixes).
Bluetooth: HCI: Fix potential null-ptr-deref (git-fixes).
Bluetooth: hci_sock: Fix not validating setsockopt user input (git-fixes).
Bluetooth: hci_sync: Fix not checking error on hci_cmd_sync_cancel_sync (git-fixes).
Bluetooth: hci_sync: Fix using the same interval and window for Coded PHY (git-fixes).
Bluetooth: hci_sync: Use QoS to determine which PHY to scan (stable-fixes).
Bluetooth: Ignore too large handle values in BIG (git-fixes).
Bluetooth: ISO: Align broadcast sync_timeout with connection timeout (stable-fixes).
Bluetooth: ISO: Check socket flag instead of hcon (git-fixes).
Bluetooth: ISO: Do not reject BT_ISO_QOS if parameters are unset (git-fixes).
Bluetooth: ISO: Fix BIS cleanup (stable-fixes).
Bluetooth: l2cap: Do not double set the HCI_CONN_MGMT_CONNECTED bit (git-fixes).
Bluetooth: L2CAP: Fix not validating setsockopt user input (git-fixes).
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout (git-fixes).
Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ (git-fixes).
Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() (git-fixes).
Bluetooth: MGMT: Fix failing to MGMT_OP_ADD_UUID/MGMT_OP_REMOVE_UUID (bsc#1221504).
Bluetooth: mgmt: Fix limited discoverable off timeout (stable-fixes).
Bluetooth: msft: fix slab-use-after-free in msft_do_close() (git-fixes).
Bluetooth: qca: add missing firmware sanity checks (git-fixes).
Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot (git-fixes).
Bluetooth: qca: fix device-address endianness (git-fixes).
Bluetooth: qca: Fix error code in qca_read_fw_build_info() (git-fixes).
Bluetooth: qca: fix firmware check error path (git-fixes).
Bluetooth: qca: fix info leak when fetching fw build id (git-fixes).
Bluetooth: qca: fix NULL-deref on non-serdev setup (git-fixes).
Bluetooth: qca: fix NULL-deref on non-serdev suspend (git-fixes).
Bluetooth: qca: fix NVM configuration parsing (git-fixes).
Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional() (git-fixes).
Bluetooth: Remove usage of the deprecated ida_simple_xx() API (stable-fixes).
Bluetooth: RFCOMM: Fix not validating setsockopt user input (git-fixes).
Bluetooth: SCO: Fix not validating setsockopt user input (git-fixes).
bnx2x: Fix firmware version string character counts (git-fixes).
bnxt_en: Fix error recovery for RoCE ulp client (git-fixes).
bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init() (git-fixes).
bnxt_en: Reset PTP tx_avail after possible firmware reset (git-fixes).
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (git-fixes)
bootconfig: Fix the kerneldoc of _xbc_exit() (git-fixes).
bootconfig: use memblock_free_late to free xbc memory to buddy (git-fixes).
bootmem: use kmemleak_free_part_phys in free_bootmem_page (git-fixes).
bootmem: use kmemleak_free_part_phys in put_page_bootmem (git-fixes).
bpf, arm64: fix bug in BPF_LDX_MEMSX (git-fixes)
bpf, arm64: Fix incorrect runtime stats (git-fixes)
bpf: check bpf_func_state->callback_depth when pruning states (bsc#1225903).
bpf: correct loop detection for iterators convergence (bsc#1225903).
bpf: exact states comparison for iterator convergence checks (bsc#1225903).
bpf: extract __check_reg_arg() utility function (bsc#1225903).
bpf: extract same_callsites() as utility function (bsc#1225903).
bpf: extract setup_func_entry() utility function (bsc#1225903).
bpf: fix precision backtracking instruction iteration (bsc#1225756).
bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END (git-fixes).
bpf: handle ldimm64 properly in check_cfg() (bsc#1225756).
bpf: keep track of max number of bpf_loop callback iterations (bsc#1225903).
bpf: move explored_state() closer to the beginning of verifier.c (bsc#1225903).
bpf: print full verifier states on infinite loop detection (bsc#1225903).
bpf: Remove xdp_do_flush_map() (bsc#1214683 (PREEMPT_RT prerequisite backports)).
bpf, scripts: Correct GPL license name (git-fixes).
bpf: verify callbacks as if they are called unknown number of times (bsc#1225903).
bpf: widening for callback iterators (bsc#1225903).
btrfs: add a helper to read the superblock metadata_uuid (git-fixes)
btrfs: add and use helper to check if block group is used (bsc#1220120).
btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() (git-fixes)
btrfs: add new unused block groups to the list of unused block groups (bsc#1220120).
btrfs: allow to run delayed refs by bytes to be released instead of count (bsc#1220120).
btrfs: always clear PERTRANS metadata during commit (git-fixes)
btrfs: always print transaction aborted messages with an error level (git-fixes)
btrfs: always reserve space for delayed refs when starting transaction (bsc#1220120).
btrfs: assert correct lock is held at btrfs_select_ref_head() (bsc#1220120).
btrfs: assert delayed node locked when removing delayed item (git-fixes)
btrfs: avoid start and commit empty transaction when flushing qgroups (bsc#1220120).
btrfs: avoid start and commit empty transaction when starting qgroup rescan (bsc#1220120).
btrfs: avoid starting and committing empty transaction when flushing space (bsc#1220120).
btrfs: avoid starting new transaction when flushing delayed items and refs (bsc#1220120).
btrfs: check for BTRFS_FS_ERROR in pending ordered assert (git-fixes)
btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super (git-fixes)
btrfs: defrag: avoid unnecessary defrag caused by incorrect extent size (git-fixes)
btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args (git-fixes)
btrfs: do not allow non subvolume root targets for snapshot (git-fixes)
btrfs: do not arbitrarily slow down delalloc if we're committing (git-fixes)
btrfs: do not delete unused block group if it may be used soon (bsc#1220120).
btrfs: do not refill whole delayed refs block reserve when starting transaction (bsc#1220120).
btrfs: do not start transaction when joining with TRANS_JOIN_NOSTART (git-fixes)
btrfs: do not steal space from global rsv after a transaction abort (bsc#1220120).
btrfs: do not warn if discard range is not aligned to sector (git-fixes)
btrfs: ensure fiemap does not race with writes when FIEMAP_FLAG_SYNC is given (bsc#1223285).
btrfs: error out when COWing block using a stale transaction (git-fixes)
btrfs: error out when reallocating block for defrag using a stale transaction (git-fixes)
btrfs: export: handle invalid inode or root reference in btrfs_get_parent() (git-fixes)
btrfs: fail priority metadata ticket with real fs error (bsc#1220120).
btrfs: file_remove_privs needs an exclusive lock in direct io write (git-fixes)
btrfs: fix 64bit compat send ioctl arguments not initializing version member (git-fixes)
btrfs: fix deadlock with fiemap and extent locking (bsc#1223285).
btrfs: fix information leak in btrfs_ioctl_logical_to_ino() (git-fixes)
btrfs: fix kvcalloc() arguments order in btrfs_ioctl_send() (git-fixes)
btrfs: fix lockdep splat and potential deadlock after failure running delayed items (git-fixes)
btrfs: fix off-by-one chunk length calculation at contains_pending_extent() (git-fixes)
btrfs: fix off-by-one when checking chunk map includes logical address (git-fixes)
btrfs: fix race between ordered extent completion and fiemap (bsc#1223285).
btrfs: fix race when detecting delalloc ranges during fiemap (bsc#1223285).
btrfs: fix race when refilling delayed refs block reserve (git-fixes)
btrfs: fix start transaction qgroup rsv double free (git-fixes)
btrfs: fix stripe length calculation for non-zoned data chunk allocation (bsc#1217489).
btrfs: fix wrong block_start calculation for btrfs_drop_extent_map_range() (git-fixes) Dropped hunk in selftests (test_case_7), 92e1229b204d6.
btrfs: free qgroup rsv on io failure (git-fixes)
btrfs: free the allocated memory if btrfs_alloc_page_array() fails (git-fixes)
btrfs: get rid of label and goto at insert_delayed_ref() (bsc#1220120).
btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() (git-fixes)
btrfs: handle errors properly in update_inline_extent_backref() (git-fixes)
btrfs: initialize key where it's used when running delayed data ref (bsc#1220120).
btrfs: log message if extent item not found when running delayed extent op (bsc#1220120).
btrfs: make btrfs_cleanup_fs_roots() static (bsc#1220120).
btrfs: make btrfs_destroy_delayed_refs() return void (bsc#1220120).
btrfs: make btrfs_destroy_marked_extents() return void (bsc#1220120).
btrfs: make btrfs_destroy_pinned_extent() return void (bsc#1220120).
btrfs: make error messages more clear when getting a chunk map (git-fixes)
btrfs: make find_first_extent_bit() return a boolean (bsc#1220120).
btrfs: make find_free_dev_extent() static (bsc#1220120).
btrfs: make insert_delayed_ref() return a bool instead of an int (bsc#1220120).
btrfs: merge find_free_dev_extent() and find_free_dev_extent_start() (bsc#1220120).
btrfs: move btrfs_free_excluded_extents() into block-group.c (bsc#1220120).
btrfs: open code trivial btrfs_add_excluded_extent() (bsc#1220120).
btrfs: output extra debug info if we failed to find an inline backref (git-fixes)
btrfs: pass a space_info argument to btrfs_reserve_metadata_bytes() (bsc#1220120).
btrfs: prevent transaction block reserve underflow when starting transaction (git-fixes)
btrfs: print available space across all block groups when dumping space info (bsc#1220120).
btrfs: print available space for a block group when dumping a space info (bsc#1220120).
btrfs: print block group super and delalloc bytes when dumping space info (bsc#1220120).
btrfs: print target number of bytes when dumping free space (bsc#1220120).
btrfs: qgroup: always free reserved space for extent records (bsc#1216196).
btrfs: qgroup: convert PREALLOC to PERTRANS after record_root_in_trans (git-fixes)
btrfs: record delayed inode root in transaction (git-fixes)
btrfs: reject encoded write if inode has nodatasum flag set (git-fixes)
btrfs: release path before inode lookup during the ino lookup ioctl (git-fixes)
btrfs: remove pointless initialization at btrfs_delayed_refs_rsv_release() (bsc#1220120).
btrfs: remove pointless in_tree field from struct btrfs_delayed_ref_node (bsc#1220120).
btrfs: remove pointless 'ref_root' variable from run_delayed_data_ref() (bsc#1220120).
btrfs: remove redundant BUG_ON() from __btrfs_inc_extent_ref() (bsc#1220120).
btrfs: remove refs_to_add argument from __btrfs_inc_extent_ref() (bsc#1220120).
btrfs: remove refs_to_drop argument from __btrfs_free_extent() (bsc#1220120).
btrfs: remove the refcount warning/check at btrfs_put_delayed_ref() (bsc#1220120).
btrfs: remove unnecessary logic when running new delayed references (bsc#1220120).
btrfs: remove unnecessary prototype declarations at disk-io.c (bsc#1220120).
btrfs: remove unused is_head field from struct btrfs_delayed_ref_node (bsc#1220120).
btrfs: rename add_new_free_space() to btrfs_add_new_free_space() (bsc#1220120).
btrfs: reorder some members of struct btrfs_delayed_ref_head (bsc#1220120).
btrfs: reserve space for delayed refs on a per ref basis (bsc#1220120).
btrfs: reset destination buffer when read_extent_buffer() gets invalid range (git-fixes)
btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1 (git-fixes)
btrfs: return -EUCLEAN if extent item is missing when searching inline backref (bsc#1220120).
btrfs: return real error when orphan cleanup fails due to a transaction abort (bsc#1220120).
btrfs: send: do not issue unnecessary zero writes for trailing hole (bsc#1222459).
btrfs: send: ensure send_fd is writable (git-fixes)
btrfs: send: handle path ref underflow in header iterate_inode_ref() (git-fixes)
btrfs: send: return EOPNOTSUPP on unknown flags (git-fixes)
btrfs: set page extent mapped after read_folio in relocate_one_page (git-fixes)
btrfs: simplify check for extent item overrun at lookup_inline_extent_backref() (bsc#1220120).
btrfs: stop doing excessive space reservation for csum deletion (bsc#1220120).
btrfs: store the error that turned the fs into error state (bsc#1220120).
btrfs: sysfs: validate scrub_speed_max value (git-fixes)
btrfs: tree-checker: fix inline ref size in error messages (git-fixes)
btrfs: update comment for btrfs_join_transaction_nostart() (bsc#1220120).
btrfs: update documentation for add_new_free_space() (bsc#1220120).
btrfs: use a bool to track qgroup record insertion when adding ref head (bsc#1220120).
btrfs: use a single switch statement when initializing delayed ref head (bsc#1220120).
btrfs: use a single variable for return value at lookup_inline_extent_backref() (bsc#1220120).
btrfs: use a single variable for return value at run_delayed_extent_op() (bsc#1220120).
btrfs: use bool type for delayed ref head fields that are used as booleans (bsc#1220120).
btrfs: use the correct superblock to compare fsid in btrfs_validate_super (git-fixes)
btrfs: use u64 for buffer sizes in the tree search ioctls (git-fixes)
btrfs: zoned: do not skip block groups with 100% zone unusable (bsc#1220120).
bus: mhi: ep: check the correct variable in mhi_ep_register_controller() (git-fixes).
bus: mhi: host: allow MHI client drivers to provide the firmware via a pointer (bsc#1227149).
bytcr_rt5640 : inverse jack detect for Archos 101 cesium (stable-fixes).
cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd (git-fixes).
cachefiles: remove requests from xarray during flushing requests (bsc#1226588).
can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct (git-fixes).
can: kvaser_usb: fix return value for hif_usb_send_regout (stable-fixes).
can: mcp251xfd: fix infinite loop when xmit fails (git-fixes).
cdrom: rearrange last_media_change check to avoid unintentional overflow (stable-fixes).
ceph: add ceph_cap_unlink_work to fire check_caps() immediately (bsc#1226022).
ceph: always check dir caps asynchronously (bsc#1226022).
ceph: always queue a writeback when revoking the Fb caps (bsc#1226022).
ceph: break the check delayed cap loop every 5s (bsc#1226022).
ceph: fix incorrect kmalloc size of pagevec mempool (bsc#1228417).
ceph: redirty page before returning AOP_WRITEPAGE_ACTIVATE (bsc#1224866).
ceph: stop copying to iter at EOF on sync reads (bsc#1222606).
ceph: switch to use cap_delay_lock for the unlink delay list (bsc#1226022).
char: tpm: Fix possible memory leak in tpm_bios_measurements_open() (git-fixes).
checkpatch: really skip LONG_LINE_* when LONG_LINE is ignored (git-fixes).
cifs: Add a laundromat thread for cached directories (git-fixes, bsc#1225172).
clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use (git-fixes).
clk: Do not hold prepare_lock when calling kref_put() (stable-fixes).
clk: Get runtime PM before walking tree during disable_unused (git-fixes).
clk: Get runtime PM before walking tree for clk_summary (git-fixes).
clk: Initialize struct clk_core kref earlier (stable-fixes).
clk: mediatek: Do a runtime PM get on controllers during probe (git-fixes).
clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg (git-fixes).
clk: mediatek: mt8365-mm: fix DPI0 parent (git-fixes).
clk: mediatek: pllfh: Do not log error for missing fhctl node (git-fixes).
clk: qcom: clk-alpha-pll: fix rate setting for Stromer PLLs (git-fixes).
clk: qcom: clk-alpha-pll: remove invalid Stromer register offset (git-fixes).
clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs (git-fixes).
clk: qcom: dispcc-sm6350: fix DisplayPort clocks (git-fixes).
clk: qcom: dispcc-sm8450: fix DisplayPort clocks (git-fixes).
clk: qcom: dispcc-sm8550: fix DisplayPort clocks (git-fixes).
clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents (git-fixes).
clk: qcom: mmcc-msm8998: fix venus clock issue (git-fixes).
clk: qcom: reset: Commonize the de/assert functions (stable-fixes).
clk: qcom: reset: Ensure write completion on reset de/assertion (git-fixes).
clk: Remove prepare_lock hold assertion in __clk_release() (git-fixes).
clk: renesas: r8a779a0: Fix CANFD parent clock (git-fixes).
clk: renesas: r9a07g043: Add clock and reset entry for PLIC (git-fixes).
clk: rs9: fix wrong default value for clock amplitude (git-fixes).
clk: samsung: exynosautov9: fix wrong pll clock id value (git-fixes).
clk: Show active consumers of clocks in debugfs (stable-fixes).
clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change (git-fixes).
clocksource/drivers/arm_global_timer: Fix maximum prescaler value (git-fixes).
clocksource/drivers/imx: Fix -Wunused-but-set-variable warning (git-fixes).
comedi: vmk80xx: fix incomplete endpoint checking (git-fixes).
config/arm64: Enable CoreSight PMU drivers (bsc#1228289 jsc#PED-7859)
coresight: trbe: Add a representative coresight_platform_data for (bsc#1220587)
coresight: trbe: Allocate platform data per device (bsc#1220587)
coresight: trbe: Enable ACPI based TRBE devices (bsc#1220587)
counter: linux/counter.h: fix Excess kernel-doc description warning (git-fixes).
counter: ti-eqep: enable clock at probe (git-fixes).
cppc_cpufreq: Fix possible null pointer dereference (git-fixes).
cpufreq: amd-pstate: fix memory leak on CPU EPP exit (stable-fixes).
cpufreq: amd-pstate: Fix the inconsistency in max frequency units (git-fixes).
cpufreq/amd-pstate: Fix the scaling_max_freq setting on shared memory CPPC systems (git-fixes).
cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations (git-fixes).
cpufreq: exit() callback is optional (git-fixes).
cpufreq: ti-cpufreq: Handle deferred probe with dev_err_probe() (git-fixes).
cpumask: Add for_each_cpu_from() (bsc#1225053).
crypto: aead,cipher - zeroize key buffer after use (stable-fixes).
crypto: bcm - Fix pointer arithmetic (git-fixes).
crypto: ccp - Add support for PCI device 0x156E (bsc#1223338).
crypto: ccp - Add support for PCI device 0x17E0 (bsc#1223338).
crypto: ccp - drop platform ifdef checks (git-fixes).
crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked (git-fixes).
crypto: deflate - Add aliases to deflate (bsc#1227190).
crypto: ecc - update ecc_gen_privkey for FIPS 186-5 (bsc#1222782).
crypto: ecdh - explicitly zeroize private_key (stable-fixes).
crypto/ecdh: make ecdh_compute_value() to zeroize the public key (bsc#1222768).
crypto: ecdsa - Fix module auto-load on add-key (git-fixes).
crypto: ecdsa - Fix the public key format description (git-fixes).
crypto/ecdsa: make ecdsa_ecc_ctx_deinit() to zeroize the public key (bsc#1222768).
crypto: ecrdsa - Fix module auto-load on add_key (stable-fixes).
crypto: hisilicon/debugfs - Fix debugfs uninit process issue (stable-fixes).
crypto: hisilicon/qm - Add the err memory release process to qm uninit (stable-fixes).
crypto: hisilicon/sec - Fix memory leak for sec resource release (stable-fixes).
crypto: iaa - Account for cpu-less numa nodes (bsc#1227190).
crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init (git-fixes).
crypto: qat - extend scope of lock in adf_cfg_add_key_value_param() (git-fixes).
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak (git-fixes).
crypto: qat - fix ring to service map for dcc in 4xxx (git-fixes).
crypto: qat - improve error logging to be consistent across features (git-fixes).
crypto: qat - relocate and rename get_service_enabled() (stable-fixes).
crypto: qat - specify firmware files for 402xx (git-fixes).
crypto: rsa - add a check for allocation failure (bsc#1222775).
crypto: rsa - allow only odd e and restrict value in FIPS mode (bsc#1222775).
crypto: testmgr - remove unused xts4096 and xts512 algorithms from testmgr.c (bsc#1222769).
crypto: x86/nh-avx2 - add missing vzeroupper (git-fixes).
crypto: x86/sha256-avx2 - add missing vzeroupper (git-fixes).
crypto: x86/sha512-avx2 - add missing vzeroupper (git-fixes).
cxgb4: Properly lock TX queue for the selftest (bsc#1214683 (PREEMPT_RT prerequisite backports)).
cxl/acpi: Fix load failures due to single window creation failure (git-fixes).
cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window (git-fixes).
cxl/region: Fix cxlr_pmem leaks (git-fixes).
cxl/region: Fix memregion leaks in devm_cxl_add_region() (git-fixes).
cxl/test: Add missing vmalloc.h for tools/testing/cxl/test/mem.c (git-fixes).
cxl/trace: Correct DPA field masks for general_media & dram events (git-fixes).
cxl/trace: Properly initialize cxl_poison region name (git-fixes).
dax: alloc_dax() return ERR_PTR(-EOPNOTSUPP) for CONFIG_DAX=n (jsc#PED-5853).
dax/bus.c: replace driver-core lock usage by a local rwsem (jsc#PED-5853).
dax/bus.c: replace several sprintf() with sysfs_emit() (jsc#PED-5853).
decompress_bunzip2: fix rare decompression failure (git-fixes).
device-dax: make dax_bus_type const (jsc#PED-5853).
devres: Fix devm_krealloc() wasting memory (git-fixes).
devres: Fix memory leakage caused by driver API devm_free_percpu() (git-fixes).
dlm: fix user space lkb refcounting (git-fixes).
dlm: fix user space lock decision to copy lvb (git-fixes).
dma-buf: Fix NULL pointer dereference in sanitycheck() (git-fixes).
dma-buf/sw-sync: do not enable IRQ from sync_print_obj() (git-fixes).
dmaengine: axi-dmac: fix possible race in remove() (git-fixes).
dmaengine: idma64: Add check for dma_set_max_seg_size (git-fixes).
dmaengine: idxd: Avoid unnecessary destruction of file_ida (git-fixes).
dmaengine: idxd: Fix oops during rmmod on single-CPU platforms (git-fixes).
dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (git-fixes).
dmaengine: ioatdma: Fix error path in ioat3_dma_probe() (git-fixes).
dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() (git-fixes).
dmaengine: ioatdma: Fix leaking on version mismatch (git-fixes).
dmaengine: ioatdma: Fix missing kmem_cache_destroy() (git-fixes).
dmaengine: owl: fix register access functions (git-fixes).
dmaengine: tegra186: Fix residual calculation (git-fixes).
dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels (git-fixes).
dma: fix call order in dmam_free_coherent (git-fixes).
dma-mapping: benchmark: fix node id validation (git-fixes).
dma-mapping: benchmark: handle NUMA_NO_NODE correctly (git-fixes).
dm/amd/pm: Fix problems with reboot/shutdown for some SMU 13.0.4/13.0.11 users (git-fixes).
dma: xilinx_dpdma: Fix locking (git-fixes).
dm crypt: remove redundant state settings after waking up (jsc#PED-7542).
dm-integrity: set max_integrity_segments in dm_integrity_io_hints (jsc#PED-7542).
dm-multipath: dont't attempt SG_IO on non-SCSI-disks (bsc#1223575).
dm-raid: add a new helper prepare_suspend() in md_personality (jsc#PED-7542).
dm-raid: really frozen sync_thread during suspend (jsc#PED-7542).
dm thin: add braces around conditional code that spans lines (jsc#PED-7542).
dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list (jsc#PED-7542).
dm verity: set DM_TARGET_SINGLETON feature flag (jsc#PED-7542).
Docs/admin-guide/mm/damon/usage: fix wrong example of DAMOS filter matching sysfs file (git-fixes).
docs: crypto: async-tx-api: fix broken code example (git-fixes).
docs: kernel_include.py: Cope with docutils 0.21 (stable-fixes).
docs: netdev: Fix typo in Signed-off-by tag (git-fixes).
docs: Restore 'smart quotes' for quotes (stable-fixes).
dpll: spec: use proper enum for pin capabilities attribute (git-fixes).
driver core: Introduce device_link_wait_removal() (stable-fixes).
drivers: core: synchronize really_probe() and dev_uevent() (git-fixes).
drivers/nvme: Add quirks for device 126f:2262 (git-fixes).
drivers: soc: xilinx: check return status of get_api_version() (git-fixes).
drivers/xen: Improve the late XenStore init protocol (git-fixes).
drm: add drm_gem_object_is_shared_for_memory_stats() helper (stable-fixes).
drm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init() (stable-fixes).
drm/amd/amdgpu: Fix uninitialized variable warnings (git-fixes).
drm/amd/display: Account for cursor prefetch BW in DML1 mode support (stable-fixes).
drm/amd/display: Add dml2 copy functions (stable-fixes).
drm/amd/display: Add dtbclk access to dcn315 (stable-fixes).
drm/amd/display: Add VCO speed parameter for DCN31 FPU (stable-fixes).
drm/amd/display: Allocate zero bw after bw alloc enable (stable-fixes).
drm/amd/display: Allow dirty rects to be sent to dmub when abm is active (stable-fixes).
drm/amd/display: ASSERT when failing to find index by plane/stream id (stable-fixes).
drm/amd/display: Atom Integrated System Info v2_2 for DCN35 (stable-fixes).
drm/amd/display: Change default size for dummy plane in DML2 (stable-fixes).
drm/amd/display: change dram_clock_latency to 34us for dcn35 (stable-fixes).
drm/amd/display: Check index msg_id before read or write (stable-fixes).
drm/amd/display: Check pipe offset before setting vblank (stable-fixes).
drm/amd/display: Disable seamless boot on 128b/132b encoding (stable-fixes).
drm/amd/display: Do not recursively call manual trigger programming (stable-fixes).
drm/amd/display: Enable colorspace property for MST connectors (git-fixes).
drm/amd/display: Exit idle optimizations before HDCP execution (stable-fixes).
drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport (stable-fixes).
drm/amd/display: Fix bounds check for dcn35 DcfClocks (git-fixes).
drm/amd/display: Fix DC mode screen flickering on DCN321 (stable-fixes).
drm/amd/display: fix disable otg wa logic in DCN316 (stable-fixes).
drm/amd/display: Fix division by zero in setup_dsc_config (stable-fixes).
drm/amd/display: Fix idle check for shared firmware state (stable-fixes).
drm/amd/display: Fix incorrect DSC instance for MST (stable-fixes).
drm/amd/display: fix input states translation error for dcn35 & dcn351 (stable-fixes).
drm/amd/display: Fix nanosec stat overflow (stable-fixes).
drm/amd/display: Fix noise issue on HDMI AV mute (stable-fixes).
drm/amd/display: Fix overlapping copy within dml_core_mode_programming (stable-fixes).
drm/amd/display: Fix potential index out of bounds in color transformation function (git-fixes).
drm/amd/display: Fix uninitialized variables in DM (stable-fixes).
drm/amd/display: handle range offsets in VRR ranges (stable-fixes).
drm/amd/display: Handle Y carry-over in VCP X.Y calculation (stable-fixes).
drm/amd/display: Init DPPCLK from SMU on dcn32 (stable-fixes).
drm/amd/display: Move 'struct scaler_data' off stack (git-fixes).
drm/amd/display: Override min required DCFCLK in dml1_validate (stable-fixes).
drm/amd/display: Prevent crash when disable stream (stable-fixes).
drm/amd/display: Program VSC SDP colorimetry for all DP sinks >= 1.4 (stable-fixes).
drm/amd/display: Remove MPC rate control logic from DCN30 and above (stable-fixes).
drm/amd/display: Remove pixle rate limit for subvp (stable-fixes).
drm/amd/display: Remove redundant condition in dcn35_calc_blocks_to_gate() (git-fixes).
drm/amd/display: Return the correct HDCP error code (stable-fixes).
drm/amd/display: revert Exit idle optimizations before HDCP execution (stable-fixes).
drm/amd/display: Revert Remove pixle rate limit for subvp (stable-fixes).
drm/amd/display: Send DP_TOTAL_LTTPR_CNT during detection if LTTPR is present (stable-fixes).
drm/amd/display: Send DTBCLK disable message on first commit (git-fixes).
drm/amd/display: Set color_mgmt_changed to true on unsuspend (stable-fixes).
drm/amd/display: Set DCN351 BB and IP the same as DCN35 (stable-fixes).
drm/amd/display: Set VSC SDP Colorimetry same way for MST and SST (stable-fixes).
drm/amd/display: Skip finding free audio for unknown engine_id (stable-fixes).
drm/amd/display: Skip pipe if the pipe idx not set properly (stable-fixes).
drm/amd/display: Use freesync when DRM_EDID_FEATURE_CONTINUOUS_FREQ found (stable-fixes).
drm/amd/display: Workaround register access in idle race with cursor (stable-fixes).
drm/amd: Fix shutdown (again) on some SMU v13.0.4/11 platforms (git-fixes).
drm/amd: Flush GFXOFF requests in prepare stage (git-fixes).
drm/amdgpu: add error handle to avoid out-of-bounds (stable-fixes).
drm/amdgpu: always force full reset for SOC21 (stable-fixes).
drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag (stable-fixes).
drm/amdgpu: Assign correct bits for SDMA HDP flush (stable-fixes).
drm/amdgpu/atomfirmware: add intergrated info v2.3 table (stable-fixes).
drm/amdgpu/atomfirmware: fix parsing of vram_info (stable-fixes).
drm/amdgpu/atomfirmware: silence UBSAN warning (stable-fixes).
drm/amdgpu: avoid using null object of framebuffer (stable-fixes).
drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit (git-fixes).
drm/amdgpu/display: Address kdoc for 'is_psr_su' in 'fill_dc_dirty_rects' (git-fixes).
drm/amdgpu: drop setting buffer funcs in sdma442 (git-fixes).
drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode() (git-fixes).
drm/amdgpu: Fix comparison in amdgpu_res_cpu_visible (git-fixes).
drm/amdgpu: fix deadlock while reading mqd from debugfs (git-fixes).
drm/amdgpu: fix doorbell regression (git-fixes).
drm/amdgpu: fix incorrect number of active RBs for gfx11 (stable-fixes).
drm/amdgpu: Fix leak when GPU memory allocation fails (stable-fixes).
drm/amdgpu: fix locking scope when flushing tlb (stable-fixes).
drm/amdgpu: Fix memory range calculation (git-fixes).
drm/amdgpu: fix mmhub client id out-of-bounds access (git-fixes).
drm/amdgpu: Fix pci state save during mode-1 reset (git-fixes).
drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() (git-fixes).
drm/amdgpu: Fix the ring buffer size for queue VM flush (stable-fixes).
drm/amdgpu: fix the warning about the expression (int)size - len (stable-fixes).
drm/amdgpu: fix UBSAN warning in kv_dpm.c (stable-fixes).
drm/amdgpu: fix uninitialized scalar variable warning (stable-fixes).
drm/amdgpu: Fix uninitialized variable warnings (stable-fixes).
drm/amdgpu: fix use-after-free bug (stable-fixes).
drm/amdgpu: Fix VCN allocation in CPX partition (stable-fixes).
drm/amdgpu: fix visible VRAM handling during faults (git-fixes).
drm/amdgpu: Fix VRAM memory accounting (stable-fixes).
drm/amdgpu: implement IRQ_STATE_ENABLE for SDMA v4.4.2 (stable-fixes).
drm/amdgpu: Indicate CU havest info to CP (stable-fixes).
drm/amdgpu: Initialize timestamp for some legacy SOCs (stable-fixes).
drm/amdgpu: init microcode chip name from ip versions (stable-fixes).
drm/amdgpu: make damage clips support configurable (stable-fixes).
drm/amdgpu/mes: fix use-after-free issue (stable-fixes).
drm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2 (git-fixes).
drm/amdgpu/pm: Check the validity of overdiver power limit (git-fixes).
drm/amdgpu/pm: Fix NULL pointer dereference when get power limit (git-fixes).
drm/amdgpu/pm: Fix the error of pwm1_enable setting (stable-fixes).
drm/amdgpu: Refine IB schedule error logging (stable-fixes).
drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1 (git-fixes).
drm/amdgpu: remove invalid resource->start check v2 (git-fixes).
drm/amdgpu: Reset dGPU if suspend got aborted (stable-fixes).
drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3 (stable-fixes).
drm/amdgpu: silence UBSAN warning (stable-fixes).
drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc (stable-fixes).
drm/amdgpu: validate the parameters of bo mapping operations more clearly (git-fixes).
drm/amdkfd: Add VRAM accounting for SVM migration (stable-fixes).
drm/amdkfd: Check cgroup when returning DMABuf info (stable-fixes).
drm/amdkfd: do not allow mapping the MMIO HDP page with large pages (git-fixes).
drm/amdkfd: Fix CU Masking for GFX 9.4.3 (git-fixes).
drm/amdkfd: Fix memory leak in create_process failure (git-fixes).
drm/amdkfd: fix TLB flush after unmap for GFX9.4.2 (stable-fixes).
drm/amdkfd: Flush the process wq before creating a kfd_process (stable-fixes).
drm/amdkfd: Let VRAM allocations go to GTT domain on small APUs (stable-fixes).
drm/amdkfd: range check cp bad op exception interrupts (stable-fixes).
drm/amdkfd: Reset GPU on queue preemption failure (stable-fixes).
drm/amd/pm: Fix aldebaran pcie speed reporting (git-fixes).
drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11 (stable-fixes).
drm/amd/pm: remove logically dead code for renoir (git-fixes).
drm/amd/pm: Restore config space after reset (stable-fixes).
drm/amd/swsmu: modify the gfx activity scaling (stable-fixes).
drm/arm/komeda: Fix komeda probe failing if there are no links in the secondary pipeline (git-fixes).
drm/arm/malidp: fix a possible null pointer dereference (git-fixes).
drm/ast: Fix soft lockup (git-fixes).
drm/bridge: anx7625: Do not log an error when DSI host can't be found (git-fixes).
drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference (git-fixes).
drm/bridge: dpc3433: Do not log an error when DSI host can't be found (git-fixes).
drm/bridge: Fix improper bridge init order with pre_enable_prev_first (git-fixes).
drm/bridge: icn6211: Do not log an error when DSI host can't be found (git-fixes).
drm/bridge: it6505: fix hibernate to resume no display issue (git-fixes).
drm/bridge: lt8912b: Do not log an error when DSI host can't be found (git-fixes).
drm/bridge: lt9611: Do not log an error when DSI host can't be found (git-fixes).
drm/bridge: lt9611uxc: Do not log an error when DSI host can't be found (git-fixes).
drm/bridge/panel: Fix runtime warning on panel bridge release (git-fixes).
drm/bridge: samsung-dsim: Set P divider based on min/max of fin pll (git-fixes).
drm/bridge: tc358775: Do not log an error when DSI host can't be found (git-fixes).
drm/bridge: tc358775: fix support for jeida-18 and jeida-24 (git-fixes).
drm/buddy: check range allocation matches alignment (stable-fixes).
drm: Check output polling initialized before disabling (stable-fixes).
drm: Check polling initialized before enabling in drm_helper_probe_single_connector_modes (stable-fixes).
drm/client: Fully protect modes[] with dev->mode_config.mutex (stable-fixes).
drm/connector: Add \n to message about demoting connector force-probes (git-fixes).
drm/display: fix typo (git-fixes).
drm/dp_mst: Fix all mstb marked as not probed after suspend/resume (git-fixes).
drm/etnaviv: fix DMA direction handling for cached RW buffers (git-fixes).
drm/etnaviv: fix tx clock gating on some GC7000 variants (stable-fixes).
drm/exynos: do not return negative values from .get_modes() (stable-fixes).
drm/exynos: dp: drop driver owner initialization (stable-fixes).
drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found (git-fixes).
drm/exynos/vidi: fix memory leak in .get_modes() (stable-fixes).
drm/fbdev-dma: Fix framebuffer mode for big endian devices (git-fixes).
drm/fbdev-dma: Only set smem_start is enable per module option (git-fixes).
drm/fbdev-generic: Do not set physical framebuffer address (git-fixes).
drm/fbdev-generic: Fix framebuffer on big endian devices (git-fixes).
drm: Fix drm_fixp2int_round() making it add 0.5 (git-fixes).
drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes (git-fixes).
drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes (git-fixes).
drm/gma500: Remove lid code (git-fixes).
drm/i915/audio: Fix audio time stamp programming for DP (stable-fixes).
drm/i915/bios: Fix parsing backlight BDB data (git-fixes).
drm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode() (stable-fixes).
drm/i915/cdclk: Fix CDCLK programming order when pipes are active (git-fixes).
drm/i915: Disable port sync when bigjoiner is used (stable-fixes).
drm/i915/display: Use i915_gem_object_get_dma_address to get dma address (stable-fixes).
drm/i915: Do not match JSL in ehl_combo_pll_div_frac_wa_needed() (git-fixes).
drm/i915/dp: Do not switch the LTTPR mode on an active link (git-fixes).
drm/i915/dp: Fix the computation for compressed_bpp for DISPLAY < 13 (git-fixes).
drm/i915/dp: Remove support for UHBR13.5 (git-fixes).
drm/i915/dpt: Make DPT object unshrinkable (git-fixes).
drm/i915/dsb: Fix DSB vblank waits when using VRR (git-fixes).
drm/i915/dsi: Go back to the previous INIT_OTP/DISPLAY_ON order, mostly (git-fixes).
drm/i915: Fix audio component initialization (git-fixes).
drm/i915/gt: Automate CCS Mode setting during engine resets (git-fixes).
drm/i915/gt: Disable HW load balancing for CCS (git-fixes).
drm/i915/gt: Disarm breadcrumbs if engines are already idle (git-fixes).
drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8 (git-fixes).
drm/i915/gt: Do not generate the command streamer for all the CCS (git-fixes).
drm/i915/gt: Enable only one CCS for compute workload (git-fixes).
drm/i915/gt: Fix CCS id's calculation for CCS mode setting (git-fixes).
drm/i915/gt: Fix potential UAF by revoke of fence registers (git-fixes).
drm/i915/gt: Reset queue_priority_hint on parking (git-fixes).
drm/i915/guc: avoid FIELD_PREP warning (git-fixes).
drm/i915/hwmon: Fix locking inversion in sysfs getter (git-fixes).
drm/i915/hwmon: Get rid of devm (stable-fixes).
drm/i915: Include the PLL name in the debug messages (stable-fixes).
drm/i915/lspcon: Separate function to set expected mode (bsc#1193599).
drm/i915/lspcon: Separate lspcon probe and lspcon init (bsc#1193599).
drm/i915/mso: using joiner is not possible with eDP MSO (git-fixes).
drm/i915/mst: Limit MST+DSC to TGL+ (git-fixes).
drm/i915/mst: Reject FEC+MST on ICL (git-fixes).
drm/i915: Pre-populate the cursor physical dma address (git-fixes).
drm/i915: Replace a memset() with zero initialization (stable-fixes).
drm/i915: Stop printing pipe name as hex (stable-fixes).
drm/i915: Suppress old PLL pipe_mask checks for MG/TC/TBT PLLs (stable-fixes).
drm/i915: Try to preserve the current shared_dpll for fastset on type-c ports (stable-fixes).
drm/i915: Use named initializers for DPLL info (stable-fixes).
drm/i915/vrr: Disable VRR when using bigjoiner (stable-fixes).
drm/i915/vrr: Generate VRR 'safe window' for DSB (git-fixes).
drm/imx/ipuv3: do not return negative values from .get_modes() (stable-fixes).
drm/komeda: check for error-valued pointer (git-fixes).
drm/lcdif: Do not disable clocks on already suspended hardware (git-fixes).
drm/lima: add mask irq callback to gp and pp (stable-fixes).
drm/lima: fix shared irq handling on driver remove (stable-fixes).
drm/lima: Mark simple_ondemand governor as softdep (git-fixes).
drm/lima: mask irqs in timeout path before hard reset (stable-fixes).
drm/mediatek: Add 0 size check to mtk_drm_gem_obj (git-fixes).
drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property (git-fixes).
drm/mediatek: Add OVL compatible name for MT8195 (git-fixes).
drm/mediatek: Call drm_atomic_helper_shutdown() at shutdown time (stable-fixes).
drm/mediatek: dp: Fix mtk_dp_aux_transfer return value (git-fixes).
drm/mediatek: Fix bit depth overwritten for mtk_ovl_set bit_depth() (git-fixes).
drm/mediatek: Fix destination alpha error in OVL (git-fixes).
drm/mediatek: Fix XRGB setting error in Mixer (git-fixes).
drm/mediatek: Fix XRGB setting error in OVL (git-fixes).
drm/mediatek: Init ddp_comp with devm_kcalloc() (git-fixes).
drm/mediatek: Remove less-than-zero comparison of an unsigned value (git-fixes).
drm/mediatek: Set DRM mode configs accordingly (git-fixes).
drm/mediatek: Support DRM plane alpha in Mixer (git-fixes).
drm/mediatek: Support DRM plane alpha in OVL (git-fixes).
drm/mediatek: Support RGBA8888 and RGBX8888 in OVL on MT8195 (git-fixes).
drm/mediatek: Turn off the layers with zero width or height (git-fixes).
drm/mediatek: Use 8-bit alpha in ETHDR (git-fixes).
drm/meson: dw-hdmi: add bandgap setting for g12 (git-fixes).
drm/meson: dw-hdmi: power up phy on device init (git-fixes).
drm/meson: fix canvas release in bind function (git-fixes).
drm/meson: gate px_clk when setting rate (git-fixes).
drm/meson: vclk: fix calculation of 59.94 fractional rates (git-fixes).
drm/mgag200: Bind I2C lifetime to DRM device (git-fixes).
drm/mgag200: Set DDC timeout in milliseconds (git-fixes).
drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq() (git-fixes).
drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq() (git-fixes).
drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails (git-fixes).
drm/msm: Add newlines to some debug prints (git-fixes).
drm/msm/adreno: fix CP cycles stat retrieval on a7xx (git-fixes).
drm/msm/dp: allow voltage swing / pre emphasis of 3 (git-fixes).
drm/msm/dp: Avoid a long timeout for AUX transfer if nothing connected (git-fixes).
drm/msm/dp: fix typo in dp_display_handle_port_status_changed() (git-fixes).
drm/msm/dpu: Add callback function pointer check before its call (git-fixes).
drm/msm/dpu: Allow configuring multiple active DSC blocks (git-fixes).
drm/msm/dpu: Always flush the slave INTF on the CTL (git-fixes).
drm/msm/dpu: do not allow overriding data from catalog (git-fixes).
drm/msm/dpu: drop validity checks for clear_pending_flush() ctl op (git-fixes).
drm/msm/dpu: fix encoder irq wait skip (git-fixes).
drm/msm/dpu: make error messages at dpu_core_irq_register_callback() more sensible (git-fixes).
drm/msm/dpu: use devres-managed allocation for MDP TOP (stable-fixes).
drm/msm/dsi: Print dual-DSI-adjusted pclk instead of original mode pclk (git-fixes).
drm/msm/dsi: set VIDEO_COMPRESSION_MODE_CTRL_WC (git-fixes).
drm/msm/mdp5: Remove MDP_CAP_SRC_SPLIT from msm8x53_config (git-fixes).
drm/nouveau/disp: Fix missing backlight control on Macbook 5, 1 (bsc#1223838).
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes (stable-fixes).
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes (stable-fixes).
drm/nouveau: do not attempt to schedule hpd_work on headless cards (git-fixes).
drm/nouveau/dp: Do not probe eDP ports twice harder (stable-fixes).
drm/nouveau/dp: Fix incorrect return code in r535_dp_aux_xfer() (git-fixes).
drm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor() (stable-fixes).
drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes (git-fixes).
drm/nouveau: use tile_mode and pte_kind for VM_BIND bo allocations (git-fixes).
drm: nv04: Fix out of bounds access (git-fixes).
drm/omapdrm: Fix console by implementing fb_dirty (git-fixes).
drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare() (git-fixes).
drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before regulators (git-fixes).
drm/panel: do not return negative error codes from drm_panel_get_modes() (stable-fixes).
drm/panel: himax-hx8394: Handle errors from mipi_dsi_dcs_set_display_on() better (git-fixes).
drm/panel: ili9341: Respect deferred probe (git-fixes).
drm/panel: ili9341: Use predefined error codes (git-fixes).
drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep (stable-fixes).
drm/panel: ilitek-ili9882t: Check for errors on the NOP in prepare() (git-fixes).
drm/panel: ilitek-ili9882t: If prepare fails, disable GPIO before regulators (git-fixes).
drm/panel: ltk050h3146w: add MIPI_DSI_MODE_VIDEO to LTK050H3148W flags (git-fixes).
drm/panel: ltk050h3146w: drop duplicate commands from LTK050H3148W init (git-fixes).
drm/panel: novatek-nt35950: Do not log an error when DSI host can't be found (git-fixes).
drm: panel-orientation-quirks: Add quirk for Aya Neo KUN (stable-fixes).
drm: panel-orientation-quirks: Add quirk for GPD Win Mini (stable-fixes).
drm: panel-orientation-quirks: Add quirk for Valve Galileo (stable-fixes).
drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA (git-fixes).
drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector (git-fixes).
drm/panel: sitronix-st7789v: Add check for of_drm_get_panel_orientation (git-fixes).
drm/panel: sitronix-st7789v: fix display size for jt240mhqs_hwt_ek_e3 panel (git-fixes).
drm/panel: sitronix-st7789v: fix timing for jt240mhqs_hwt_ek_e3 panel (git-fixes).
drm/panel: sitronix-st7789v: tweak timing for jt240mhqs_hwt_ek_e3 panel (git-fixes).
drm/panel: visionox-rm69299: do not unregister DSI device (git-fixes).
drm/panfrost: fix power transition timeout warnings (git-fixes).
drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() (git-fixes).
drm/panfrost: Mark simple_ondemand governor as softdep (git-fixes).
drm/prime: Unbreak virtgpu dma-buf export (git-fixes).
drm/probe-helper: warn about negative .get_modes() (stable-fixes).
drm/qxl: Add check for drm_cvt_mode (git-fixes).
drm/qxl: remove unused count variable from qxl_surface_id_alloc() (git-fixes).
drm/qxl: remove unused variable from qxl_process_single_command() (git-fixes).
drm/radeon: check bo_va->bo is non-NULL before using it (stable-fixes).
drm/radeon: fix UBSAN warning in kv_dpm.c (stable-fixes).
drm/radeon: make -fstrict-flex-arrays=3 happy (git-fixes).
drm/radeon/radeon_display: Decrease the size of allocated memory (stable-fixes).
drm/radeon: silence UBSAN warning (v3) (stable-fixes).
drm/rockchip: vop2: Do not divide height twice for YUV (git-fixes).
drm/rockchip: vop2: Fix the port mux of VP2 (git-fixes).
drm/rockchip: vop2: Remove AR30 and AB30 format support (git-fixes).
drm/sched: fix null-ptr-deref in init entity (git-fixes).
drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) (git-fixes).
drm/sun4i: hdmi: Convert encoder to atomic (stable-fixes).
drm/sun4i: hdmi: Move mode_set into enable (stable-fixes).
drm/ttm: Always take the bo delayed cleanup path for imported bos (git-fixes).
drm/ttm: return ENOSPC from ttm_bo_mem_space v3 (stable-fixes).
drm/ttm: stop pooling cached NUMA pages v2 (git-fixes).
drm/udl: Remove DRM_CONNECTOR_POLL_HPD (git-fixes).
drm/vc4: do not check if plane->state->fb == state->fb (stable-fixes).
drm: vc4: Fix possible null pointer dereference (git-fixes).
drm/vc4: hdmi: do not return negative values from .get_modes() (stable-fixes).
drm/vmwgfx: 3D disabled should not effect STDU memory limits (git-fixes).
drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed (git-fixes).
drm/vmwgfx: Do not memcmp equivalent pointers (git-fixes).
drm/vmwgfx: Enable DMA mappings with SEV (git-fixes).
drm/vmwgfx: Filter modes which exceed graphics memory (git-fixes).
drm/vmwgfx: Fix crtc's atomic check conditional (git-fixes).
drm/vmwgfx: Fix invalid reads in fence signaled events (git-fixes).
drm/vmwgfx: Fix Legacy Display Unit (git-fixes).
drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency (stable-fixes).
drm/vmwgfx: Fix prime import/export (git-fixes).
drm/vmwgfx: Sort primary plane formats by order of preference (git-fixes).
drm: zynqmp_dpsub: Always register bridge (git-fixes).
drm: zynqmp_dpsub: Fix an error handling path in zynqmp_dpsub_probe() (git-fixes).
drm: zynqmp_kms: Fix AUX bus not getting unregistered (git-fixes).
dt-bindings: clock: qcom: Add missing UFS QREF clocks (git-fixes)
dump_stack: Do not get cpu_sync for panic CPU (bsc#1225607).
dyndbg: fix old BUG_ON in >control parser (stable-fixes).
e1000e: Minor flow correction in e1000_shutdown function (git-fixes).
e1000e: move force SMBUS from enable ulp function to avoid PHY loss issue (git-fixes).
e1000e: Workaround for sporadic MDI error on Meteor Lake systems (git-fixes).
ecryptfs: Fix buffer size for tag 66 packet (git-fixes)
ecryptfs: Reject casefold directory inodes (git-fixes)
EDAC/synopsys: Fix ECC status and IRQ control race condition (git-fixes).
Edit 'amdkfd: use calloc instead of kzalloc to avoid integer overflow' Reference CVE and bug numbers.
eeprom: at24: Probe for DDR3 thermal sensor in the SPD case (stable-fixes).
eeprom: digsy_mtc: Fix 93xx46 driver probe failure (git-fixes).
efi: disable mirror feature during crashkernel (stable-fixes).
efi: fix panic in kdump kernel (git-fixes).
efi: libstub: only free priv.runtime_map when allocated (git-fixes).
efi/unaccepted: do not let /proc/vmcore try to access unaccepted memory (git-fixes).
efi/unaccepted: touch soft lockup during memory accept (git-fixes).
efi/x86: Free EFI memory map only when installing a new one (git-fixes).
Enable CONFIG_FIPS_SIGNATURE_SELFTEST (bsc#1222771)
Enable CONFIG_SCHED_CLUSTER=y on arm64 (jsc#PED-8701).
erofs: ensure m_llen is reset to 0 if metadata is invalid (git-fixes).
exfat: fix potential deadlock on __exfat_get_dentry_set (git-fixes).
extcon: max8997: select IRQ_DOMAIN instead of depending on it (git-fixes).
f2fs: fix error path of __f2fs_build_free_nids (git-fixes).
fast_dput(): handle underflows gracefully (git-fixes)
fat: fix uninitialized field in nostale filehandles (git-fixes)
fbdev: fix incorrect address computation in deferred IO (git-fixes).
fbdev: savage: Handle err return when savagefb_check_var failed (git-fixes).
fbdev: sh7760fb: allow modular build (git-fixes).
fbdev: shmobile: fix snprintf truncation (git-fixes).
fbdev: sisfb: hide unused variables (git-fixes).
fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 (stable-fixes).
fbmon: prevent division by zero in fb_videomode_from_videomode() (stable-fixes).
filelock: fix potential use-after-free in posix_lock_inode (git-fixes).
firewire: core: use long bus reset on gap count error (stable-fixes).
firewire: ohci: mask bus reset interrupts between ISR and bottom half (stable-fixes).
firmware: arm_scmi: Make raw debugfs entries non-seekable (git-fixes).
firmware: cs_dsp: Fix overflow checking of wmfw header (git-fixes).
firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers (git-fixes).
firmware: cs_dsp: Return error if block header overflows file (git-fixes).
firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files (git-fixes).
firmware: cs_dsp: Validate payload length before processing block (git-fixes).
firmware: dmi-id: add a release callback function (git-fixes).
firmware: dmi: Stop decoding on broken entry (stable-fixes).
firmware: psci: Fix return value from psci_system_suspend() (git-fixes).
firmware: raspberrypi: Use correct device for DMA mappings (git-fixes).
firmware: tegra: bpmp: Return directly after a failed kzalloc() in get_filename() (stable-fixes).
firmware: turris-mox-rwtm: Do not complete if there are no waiters (git-fixes).
firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout() (git-fixes).
firmware: turris-mox-rwtm: Initialize completion before mailbox (git-fixes).
Fix a potential infinite loop in extract_user_to_sg() (git-fixes).
Fix build errors due to new UIO_MEM_DMA_COHERENT mess (git-fixes).
fpga: dfl-pci: add PCI subdevice ID for Intel D5005 card (stable-fixes).
fs/9p: only translate RWX permissions for plain 9P2000 (git-fixes)
fs/9p: translate O_TRUNC into OTRUNC (git-fixes)
fs/file: fix the check in find_next_fd() (git-fixes).
fs: Fix error checking for d_hash_and_lookup() (git-fixes)
fs: indicate request originates from old mount API (git-fixes)
fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() (git-fixes).
fs: relax mount_setattr() permission checks (git-fixes)
fsverity: skip PKCS#7 parser when keyring is empty (git-fixes)
ftrace: Fix possible use-after-free issue in ftrace_location() (git-fixes).
fuse: do not unhash root (bsc#1223946).
fuse: fix root lookup with nonzero generation (bsc#1223945).
fuse: verify {g,u}id mount options correctly (bsc#1228193).
geneve: fix header validation in geneve[6]_xmit_skb (git-fixes).
geneve: make sure to pull inner header in geneve_rx() (git-fixes).
genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() (git-fixes).
gfs2: convert to ctime accessor functions (git-fixes).
gfs2: Do not forget to complete delayed withdraw (git-fixes).
gfs2: Fix 'ignore unlock failures after withdraw' (git-fixes).
gfs2: Fix invalid metadata access in punch_hole (git-fixes).
gfs2: Get rid of gfs2_alloc_blocks generation parameter (git-fixes).
gfs2: Rename gfs2_lookup_{ simple => meta } (git-fixes).
gfs2: Use mapping->gfp_mask for metadata inodes (git-fixes).
gpio: cdev: check for NULL labels when sanitizing them for irqs (git-fixes).
gpio: cdev: fix missed label sanitizing in debounce_setup() (git-fixes).
gpio: cdev: sanitize the label before requesting the interrupt (stable-fixes).
gpio: crystalcove: Use -ENOTSUPP consistently (stable-fixes).
gpio: davinci: Validate the obtained number of IRQs (git-fixes).
gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) (git-fixes).
gpiolib: cdev: fix uninitialised kfifo (git-fixes).
gpiolib: cdev: relocate debounce_period_us from struct gpio_desc (stable-fixes).
gpiolib: swnode: Remove wrong header inclusion (git-fixes).
gpio: lpc32xx: fix module autoloading (stable-fixes).
gpio: mc33880: Convert comma to semicolon (git-fixes).
gpio: pca953x: fix pca953x_irq_bus_sync_unlock race (stable-fixes).
gpio: tangier: Use correct type for the IRQ chip data (git-fixes).
gpio: tegra186: Fix tegra186_gpio_is_accessible() check (git-fixes).
gpio: tqmx86: fix broken IRQ_TYPE_EDGE_BOTH interrupt type (git-fixes).
gpio: tqmx86: fix typo in Kconfig label (git-fixes).
gpio: tqmx86: introduce shadow register for GPIO output value (git-fixes).
gpio: tqmx86: store IRQ trigger type and unmask status separately (git-fixes).
gpio: wcove: Use -ENOTSUPP consistently (stable-fixes).
gpu: host1x: Do not setup DMA for virtual devices (stable-fixes).
gtp: fix use-after-free and null-ptr-deref in gtp_newlink() (git-fixes).
hfsplus: fix to avoid false alarm of circular locking (git-fixes).
hfsplus: fix uninit-value in copy_name (git-fixes).
HID: Add quirk for Logitech Casa touchpad (stable-fixes).
HID: amd_sfh: Handle 'no sensors' in PM operations (git-fixes).
HID: core: remove unnecessary WARN_ON() in implement() (git-fixes).
HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up (git-fixes).
HID: Ignore battery for ELAN touchscreens 2F2C and 4116 (stable-fixes).
HID: input: avoid polling stylus battery on Chromebook Pompom (stable-fixes).
HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors (git-fixes).
HID: intel-ish-hid: ipc: Fix dev_err usage with uninitialized dev->devc (git-fixes).
HID: logitech-dj: allow mice to use all types of reports (git-fixes).
HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() (git-fixes).
HID: mcp-2221: cancel delayed_work only when CONFIG_IIO is enabled (stable-fixes).
HID: multitouch: Add required quirk for Synaptics 0xcddc device (stable-fixes).
HID: wacom: Modify pen IDs (git-fixes).
hpet: Support 32-bit userspace (git-fixes).
hwmon: (adt7475) Fix default duty on fan is disabled (git-fixes).
hwmon: (amc6821) add of_match table (stable-fixes).
hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock (git-fixes).
hwmon: (corsair-cpro) Use a separate buffer for sending commands (git-fixes).
hwmon: (corsair-cpro) Use complete_all() instead of complete() in ccp_raw_event() (git-fixes).
hwmon: (intel-m10-bmc-hwmon) Fix multiplier for N6000 board power sensor (git-fixes).
hwmon: (lm70) fix links in doc and comments (git-fixes).
hwmon: (max6697) Fix swapped temp{1,8} critical alarms (git-fixes).
hwmon: (max6697) Fix underflow when writing limit attributes (git-fixes).
hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us (git-fixes).
hwmon: (shtc1) Fix property misspelling (git-fixes).
hwrng: amd - Convert PCIBIOS_* return codes to errnos (git-fixes).
hwrng: core - Fix wrong quality calculation at hw rng registration (git-fixes).
hwtracing: hisi_ptt: Move type check to the beginning of hisi_ptt_pmu_event_init() (git-fixes).
i2c: acpi: Unbind mux adapters before delete (git-fixes).
i2c: at91: Fix the functionality flags of the slave-only interface (git-fixes).
i2c: cadence: Avoid fifo clear after start (git-fixes).
i2c: designware: Fix the functionality flags of the slave-only interface (git-fixes).
i2c: i801: Annotate apanel_addr as __ro_after_init (stable-fixes).
i2c: mark HostNotify target address as used (git-fixes).
i2c: ocores: set IACK bit after core is enabled (git-fixes).
i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr (git-fixes).
i2c: pxa: hide unused icr_bits[] variable (git-fixes).
i2c: rcar: bring hardware to known state when probing (git-fixes).
i2c: smbus: fix NULL function pointer dereference (git-fixes).
i2c: synquacer: Fix an error handling path in synquacer_i2c_probe() (git-fixes).
i2c: testunit: avoid re-issued work after read message (git-fixes).
i2c: testunit: correct Kconfig description (git-fixes).
i2c: testunit: discard write requests while old command is running (git-fixes).
i2c: testunit: do not erase registers after STOP (git-fixes).
i3c: master: svc: change ENXIO to EAGAIN when IBI occurs during start frame (git-fixes).
i3c: master: svc: fix invalidate IBI type and miss call client IBI handler (git-fixes).
i40e: disable NAPI right after disabling irqs when handling xsk_pool (git-fixes).
i40e: Enforce software interrupt during busy-poll exit (git-fixes).
i40e: Fix firmware version comparison function (git-fixes).
i40e: fix i40e_count_filters() to count only active/new filters (git-fixes).
i40e: fix: remove needless retries of NVM update (bsc#1227736).
i40e: Fix VF MAC filter removal (git-fixes).
i40e: fix vf may be used uninitialized in this function warning (git-fixes).
i915: make inject_virtual_interrupt() void (stable-fixes).
IB/mlx5: Use __iowrite64_copy() for write combining stores (git-fixes)
ice: fix enabling RX VLAN filtering (git-fixes).
ice: fix memory corruption bug with suspend and rebuild (git-fixes).
ice: fix stats being updated by way too large values (git-fixes).
ice: fix typo in assignment (git-fixes).
ice: fix uninitialized dplls mutex usage (git-fixes).
ice: reconfig host after changing MSI-X on VF (git-fixes).
ice: Refactor FW data type and fix bitmap casting issue (git-fixes).
ice: reorder disabling IRQ and NAPI in ice_qp_dis (git-fixes).
ice: use relative VSI index for VFs instead of PF VSI number (git-fixes).
ice: virtchnl: stop pretending to support RSS over AQ or registers (git-fixes).
ida: make 'ida_dump' static (git-fixes).
idma64: Do not try to serve interrupts when device is powered off (git-fixes).
idpf: disable local BH when scheduling napi for marker packets (git-fixes).
idpf: extend tx watchdog timeout (bsc#1224137).
idpf: fix kernel panic on unknown packet types (git-fixes).
igb: extend PTP timestamp adjustments to i211 (git-fixes).
igb: Fix missing time sync events (git-fixes).
igc: avoid returning frame twice in XDP_REDIRECT (git-fixes).
igc: Fix missing time sync events (git-fixes).
igc: Remove stale comment about Tx timestamping (git-fixes).
iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF (git-fixes).
iio: accel: mxc4005: allow module autoloading via OF compatible (stable-fixes).
iio: accel: mxc4005: Interrupt handling fixes (git-fixes).
iio: accel: mxc4005: Reset chip on probe() and resume() (stable-fixes).
iio: adc: ad7266: Fix variable checking bug (git-fixes).
iio: adc: ad9467: fix scan type sign (git-fixes).
iio: adc: ad9467: use chip_info variables instead of array (stable-fixes).
iio: adc: ad9467: use spi_get_device_match_data() (stable-fixes).
iio: adc: stm32: Fixing err code to not indicate success (git-fixes).
iio: chemical: bme680: Fix calibration data variable (git-fixes).
iio: chemical: bme680: Fix overflows in compensate() functions (git-fixes).
iio: chemical: bme680: Fix pressure value output (git-fixes).
iio: chemical: bme680: Fix sensor data read operation (git-fixes).
iio: core: Leave private pointer NULL when no private data supplied (git-fixes).
iio: dac: ad5592r: fix temperature channel scaling value (git-fixes).
iio: dummy_evgen: remove Excess kernel-doc comments (git-fixes).
iio: Fix the sorting functionality in iio_gts_build_avail_time_table (git-fixes).
iio: frequency: adrf6780: rm clk provider include (git-fixes).
iio: gts-helper: Fix division loop (git-fixes).
iio:imu: adis16475: Fix sync mode setting (git-fixes).
iio: imu: inv_icm42600: delete unneeded update watermark call (git-fixes).
iio: pressure: bmp280: Fix BMP580 temperature reading (stable-fixes).
iio: pressure: dps310: support negative temperature values (git-fixes).
iio: pressure: Fixes BME280 SPI driver data (git-fixes).
iio: pressure: fix some word spelling errors (stable-fixes).
iio: xilinx-ams: Do not include ams_ctrl_channels in scan_mask (git-fixes).
inet_diag: annotate data-races around inet_diag_table[] (git-fixes).
inet: frags: eliminate kernel-doc warning (git-fixes).
init/main.c: Fix potential static_command_line memory overflow (git-fixes).
init: open /initrd.image with O_LARGEFILE (stable-fixes).
input: Add event code for accessibility key (stable-fixes).
input: Add support for 'Do Not Disturb' (stable-fixes).
Input: ads7846 - use spi_device_id table (stable-fixes).
Input: cyapa - add missing input core locking to suspend/resume functions (git-fixes).
Input: elan_i2c - do not leave interrupt disabled on suspend failure (git-fixes).
Input: elantech - fix touchpad state on resume for Lenovo N24 (stable-fixes).
Input: ff-core - prefer struct_size over open coded arithmetic (stable-fixes).
Input: gpio_keys_polled - suppress deferred probe error for gpio (stable-fixes).
Input: i8042 - add Ayaneo Kun to i8042 quirk table (stable-fixes).
Input: ili210x - fix ili251x_read_touch_data() return value (git-fixes).
Input: imagis - use FIELD_GET where applicable (stable-fixes).
Input: ims-pcu - fix printf string overflow (git-fixes).
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation (git-fixes).
Input: qt1050 - handle CHIP_ID reading error (git-fixes).
Input: silead - Always support 10 fingers (stable-fixes).
Input: synaptics-rmi4 - fail probing if memory allocation for 'phys' fails (stable-fixes).
input/touchscreen: imagis: Correct the maximum touch area value (stable-fixes).
Input: xpad - add additional HyperX Controller Identifiers (stable-fixes).
Input: xpad - add support for ASUS ROG RAIKIRI (git-fixes).
Input: xpad - add support for ASUS ROG RAIKIRI PRO (stable-fixes).
Input: xpad - add support for Snakebyte GAMEPADs (stable-fixes).
intel: legacy: Partial revert of field get conversion (git-fixes).
intel_th: pci: Add Granite Rapids SOC support (stable-fixes).
intel_th: pci: Add Granite Rapids support (stable-fixes).
intel_th: pci: Add Lunar Lake support (stable-fixes).
intel_th: pci: Add Meteor Lake-S CPU support (stable-fixes).
intel_th: pci: Add Meteor Lake-S support (stable-fixes).
intel_th: pci: Add Sapphire Rapids SOC support (stable-fixes).
interconnect: qcom: osm-l3: Replace custom implementation of COUNT_ARGS() (git-fixes).
interconnect: qcom: qcm2290: Fix mas_snoc_bimc QoS port assignment (git-fixes).
interconnect: qcom: qcm2290: Fix mas_snoc_bimc RPM master ID (git-fixes).
interconnect: qcom: sc8180x: Mark CO0 BCM keepalive (git-fixes).
interconnect: qcom: sm8550: Enable sync_state (git-fixes).
iomap: clear the per-folio dirty bits on all writeback failures (git-fixes)
iommu/amd: Enhance def_domain_type to handle untrusted device (git-fixes).
iommu/amd: Fix panic accessing amd_iommu_enable_faulting (bsc#1224767).
iommu/amd: Fix sysfs leak in iommu init (git-fixes).
iommu/arm-smmu-v3: Check that the RID domain is S1 in SVA (git-fixes).
iommu/arm-smmu-v3: Free MSIs in case of ENOMEM (git-fixes).
iommu/dma: Force swiotlb_max_mapping_size on an untrusted device (bsc#1224331)
iommu/dma: Trace bounce buffer usage when mapping buffers (git-fixes).
iommufd: Add missing IOMMUFD_DRIVER kconfig for the selftest (git-fixes).
iommufd: Fix iopt_access_list_id overwrite bug (git-fixes).
iommufd/iova_bitmap: Bounds check mapped::pages access (git-fixes).
iommufd/iova_bitmap: Consider page offset for the pages to be pinned (git-fixes).
iommufd/iova_bitmap: Switch iova_bitmap::bitmap to an u8 array (git-fixes).
iommufd: Reject non-zero data_type if no data_len is provided (git-fixes).
iommu: Fix compilation without CONFIG_IOMMU_INTEL (git-fixes).
iommu: Map reserved memory as cacheable if device is coherent (git-fixes).
iommu: mtk: fix module autoloading (git-fixes).
iommu: Return right value in iommu_sva_bind_device() (git-fixes).
iommu: Undo pasid attachment only for the devices that have succeeded (git-fixes).
iommu/vt-d: Allocate DMAR fault interrupts locally (bsc#1224767).
iommu/vt-d: Allocate local memory for page request queue (git-fixes).
iommu/vt-d: Fix WARN_ON in iommu probe path (git-fixes).
iommu/vt-d: Fix wrong use of pasid config (git-fixes).
iommu/vt-d: Improve ITE fault handling if target device isn't present (git-fixes).
iommu/vt-d: Set SSADE when attaching to a parent with dirty tracking (git-fixes).
iommu/vt-d: Use rbtree to track iommu probed devices (git-fixes).
ionic: set adminq irq affinity (git-fixes).
io_uring: clean rings on NO_MMAP alloc fail (git-fixes).
io_uring: clear opcode specific data for an early failure (git-fixes).
io_uring: do not save/restore iowait state (git-fixes).
io_uring: fail NOP if non-zero op flags is passed in (git-fixes).
io_uring: Fix io_cqring_wait() not restoring sigmask on get_timespec64() failure (git-fixes).
io_uring: fix io_queue_proc modifying req->flags (git-fixes).
io_uring: fix mshot io-wq checks (git-fixes).
io_uring: fix mshot read defer taskrun cqe posting (git-fixes).
io_uring: fix poll_remove stalled req completion (git-fixes).
io_uring/io-wq: avoid garbage value of 'match' in io_wq_enqueue() (git-fixes).
io_uring/io-wq: Use set_bit() and test_bit() at worker->flags (git-fixes).
io_uring: kabi cookie remove (bsc#1217384).
io_uring/kbuf: get rid of bl->is_ready (git-fixes).
io_uring/kbuf: get rid of lower BGID lists (git-fixes). Including kabi preservation patch.
io_uring/kbuf: protect io_buffer_list teardown with a reference (git-fixes). Reuses a padding space in the structure.
io_uring/kbuf: rename is_mapped (git-fixes).
io_uring/net: correctly handle multishot recvmsg retry setup (git-fixes).
io_uring/net: correct the type of variable (git-fixes).
io_uring/net: fix sendzc lazy wake polling (git-fixes).
io_uring/net: move receive multishot out of the generic msghdr path (git-fixes).
io_uring/net: restore msg_control on sendzc retry (git-fixes).
io_uring/net: unify how recvmsg and sendmsg copy in the msghdr (git-fixes).
io_uring: remove looping around handling traditional task_work (git-fixes).
io_uring: remove unconditional looping in local task_work handling (git-fixes).
io_uring/rsrc: do not lock while !TASK_RUNNING (git-fixes).
io_uring/rsrc: fix incorrect assignment of iter->nr_segs in io_import_fixed (git-fixes).
io_uring/rw: do not allow multishot reads without NOWAIT support (git-fixes).
io_uring/rw: return IOU_ISSUE_SKIP_COMPLETE for multishot retry (git-fixes).
io_uring/sqpoll: work around a potential audit memory leak (git-fixes).
io_uring/unix: drop usage of io_uring socket (git-fixes).
io_uring: use private workqueue for exit work (git-fixes).
io_uring: use the right type for work_llist empty check (git-fixes).
io-wq: write next_work before dropping acct_lock (git-fixes).
ipmi: ssif_bmc: prevent integer overflow on 32bit systems (git-fixes).
ipv4: annotate data-races around fi->fib_dead (git-fixes).
ipvs: Fix checksumming on GSO of SCTP packets (bsc#1221958)
irqchip/alpine-msi: Fix off-by-one in allocation error path (git-fixes).
irqchip/armada-370-xp: Suppress unused-function warning (git-fixes).
irqchip/gic-v3-its: Do not assume vPE tables are preallocated (git-fixes).
irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 (git-fixes).
irqchip/gic-v3-its: Prevent double free on error (git-fixes).
irqchip/loongson-pch-msi: Fix off-by-one on allocation error path (git-fixes).
irqchip/mbigen: Do not use bus_get_dev_root() to find the parent (git-fixes).
irqchip/renesas-rzg2l: Add macro to retrieve TITSR register offset based on register's index (stable-fixes).
irqchip/renesas-rzg2l: Flush posted write in irq_eoi() (git-fixes).
irqchip/renesas-rzg2l: Implement restriction when writing ISCR register (stable-fixes).
irqchip/renesas-rzg2l: Prevent spurious interrupts when setting trigger type (git-fixes).
irqchip/renesas-rzg2l: Rename rzg2l_irq_eoi() (stable-fixes).
irqchip/renesas-rzg2l: Rename rzg2l_tint_eoi() (stable-fixes).
iwlwifi: fw: fix more kernel-doc warnings (bsc#1227149).
iwlwifi: mvm: Drop unused fw_trips_index[] from iwl_mvm_thermal_device (bsc#1227149).
iwlwifi: mvm: Populate trip table before registering thermal zone (bsc#1227149).
iwlwifi: mvm: Use for_each_thermal_trip() for walking trip points (bsc#1227149).
ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa() (git-fixes).
ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able (git-fixes).
jffs2: Fix potential illegal address access in jffs2_free_inode (git-fixes).
jffs2: prevent xattr node from overflowing the eraseblock (git-fixes).
jfs: Fix array-index-out-of-bounds in diFree (git-fixes).
jfs: xattr: fix buffer overflow for invalid xattr (bsc#1227383).
kABI: Adjust trace_iterator.wait_index (git-fixes).
kABI: bpf: verifier kABI workaround (bsc#1225903).
kABI fix of KVM: x86/pmu: Allow programming events that match unsupported arch events (bsc#1225696).
kABI fix of KVM: x86/pmu: Prioritize VMX interception over
kABI fix of KVM: x86: Snapshot if a vCPU's vendor model is AMD vs. Intel compatible (git-fixes).
kabi fix of perf/x86/intel: Expose existence of callback support to KVM (git fixes).
kabi/severities: cleanup and update for WiFi driver entries (bsc#1227149)
kabi/severities: cover all ath/* drivers (bsc#1227149) All symbols in ath/* network drivers are local and can be ignored
kabi/severities: cover all mt76 modules (bsc#1227149)
kabi/severities: ignore amd pds internal symbols
kabi/severities: ignore brcmfmac-specific local symbols
kabi/severities: ignore IMS functions They were dropped in previous patches. Noone is supposed to use them.
kabi/severities: Ignore io_uring internal symbols
kabi/severities: ignore kABI changes Realtek WiFi drivers (bsc#1227149) All those symbols are local and used for its own helpers
kabi/severities: ignore TAS2781 symbol drop, it's only locally used
kabi/severities: ignore Wangxun ethernet driver local symbols
kabi/severities: Remove mitigation-related symbols Those are used by the core kernel to implement CPU vulnerabilities mitigation and are not expected to be consumed by 3rd party users.
kabi: Use __iowriteXX_copy_inlined for in-kernel modules (bsc#1226502)
kABI workaround for cs35l56 (git-fixes).
kABI workaround for of driver changes (git-fixes).
kABI workaround for sof_ipc_pcm_ops (git-fixes).
kABI workaround for wireless updates (bsc#1227149).
kasan: disable kasan_non_canonical_hook() for HW tags (git-fixes).
kasan, fortify: properly rename memintrinsics (git-fixes).
kasan: print the original fault addr when access invalid shadow (git-fixes).
kasan/test: avoid gcc warning for intentional overflow (git-fixes).
kbuild: avoid build error when single DTB is turned into composite DTB (git-fixes).
kbuild: Fix build target deb-pkg: ln: failed to create hard link (git-fixes).
kbuild: Install dtb files as 0644 in Makefile.dtbinst (git-fixes).
kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1 (stable-fixes).
kconfig: doc: fix a typo in the note about 'imply' (git-fixes).
kconfig: fix comparison to constant symbols, 'm', 'n' (git-fixes).
kconfig: fix infinite loop when expanding a macro at the end of file (git-fixes).
kconfig: gconf: give a proper initial state to the Save button (stable-fixes).
kconfig: remove wrong expr_trans_bool() (stable-fixes).
kcov: do not lose track of remote references during softirqs (git-fixes).
kernel-binary: vdso: Own module_dir
kernel-doc: fix struct_group_tagged() parsing (git-fixes).
kexec: do syscore_shutdown() in kernel_kexec (git-fixes).
KEYS: trusted: Do not use WARN when encode fails (git-fixes).
KEYS: trusted: Fix memory leak in tpm2_key_encode() (git-fixes).
kheaders: explicitly define file modes for archived headers (stable-fixes).
knfsd: LOOKUP can return an illegal error value (git-fixes).
kobject_uevent: Fix OOB access within zap_modalias_env() (git-fixes).
kprobe/ftrace: bail out if ftrace was killed (git-fixes).
kprobe/ftrace: fix build error due to bad function definition (git-fixes).
kprobes: Fix possible use-after-free issue on kprobe registration (git-fixes).
kselftest: Add a ksft_perror() helper (stable-fixes).
kunit: Fix checksum tests on big endian CPUs (git-fixed).
kunit/fortify: Fix mismatched kvalloc()/vfree() usage (git-fixes).
KVM: arm64: Use local TLBI on permission relaxation (bsc#1219478).
KVM: nVMX: Clear EXIT_QUALIFICATION when injecting an EPT Misconfig (git-fixes).
KVM: s390: Check kvm pointer when testing KVM_CAP_S390_HPAGE_1M (git-fixes bsc#1224790).
KVM: SEV-ES: Delegate LBR virtualization to the processor (git-fixes).
KVM: SEV-ES: Disallow SEV-ES guests when X86_FEATURE_LBRV is absent (git-fixes).
KVM: SVM: Add support for allowing zero SEV ASIDs (git-fixes).
KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() (git-fixes).
KVM: SVM: Use unsigned integers when dealing with ASIDs (git-fixes).
KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked (git-fixes).
KVM: VMX: Disable LBR virtualization if the CPU does not support LBR callstacks (git-fixes).
KVM: VMX: Report up-to-date exit qualification to userspace (git-fixes).
KVM: x86: Allow, do not ignore, same-value writes to immutable MSRs (git-fixes).
KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes (git-fixes).
KVM: x86: Do not advertise guest.MAXPHYADDR as host.MAXPHYADDR in CPUID (git-fixes).
KVM: x86: Fix broken debugregs ABI for 32 bit kernels (git-fixes).
KVM: x86: Fully re-initialize supported_mce_cap on vendor module load (git-fixes).
KVM: x86: Introduce __kvm_get_hypervisor_cpuid() helper (git-fixes).
KVM: x86: Mark target gfn of emulated atomic instruction as dirty (git-fixes).
KVM: x86/mmu: Do not force emulation of L2 accesses to non-APIC internal slots (git-fixes).
KVM: x86/mmu: Move private vs. shared check above slot validity checks (git-fixes).
KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU (git-fixes).
KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status (git-fixes).
KVM: x86: Only set APICV_INHIBIT_REASON_ABSENT if APICv is enabled (git-fixes).
KVM: x86/pmu: Allow programming events that match unsupported arch events (git-fixes).
KVM: x86/pmu: Always treat Fixed counters as available when supported (git-fixes).
KVM: x86/pmu: Apply 'fast' RDPMC only to Intel PMUs (git-fixes).
KVM: x86/pmu: Disable support for adaptive PEBS (git-fixes).
KVM: x86/pmu: Disallow 'fast' RDPMC for architectural Intel PMUs (git-fixes).
KVM: x86/pmu: Do not ignore bits 31:30 for RDPMC index on AMD (git-fixes).
KVM: x86/pmu: Do not mask LVTPC when handling a PMI on AMD platforms (git-fixes).
KVM: x86/pmu: Explicitly check NMI from guest to reducee false positives (git-fixes).
KVM: x86/pmu: Prioritize VMX interception over #GP on RDPMC due to bad index (bsc#1226158).
KVM: x86/pmu: Prioritize VMX interception over #GP on RDPMC due to bad index (git-fixes).
KVM: x86/pmu: Set enable bits for GP counters in PERF_GLOBAL_CTRL at 'RESET' (git-fixes).
KVM: x86/pmu: Zero out PMU metadata on AMD if PMU is disabled (git-fixes).
KVM: x86: Snapshot if a vCPU's vendor model is AMD vs. Intel compatible (git-fixes).
KVM: x86: Use actual kvm_cpuid.base for clearing KVM_FEATURE_PV_UNHALT (git-fixes).
KVM: x86/xen: fix recursive deadlock in timer injection (git-fixes).
KVM: x86/xen: improve accuracy of Xen timers (git-fixes).
KVM: x86/xen: inject vCPU upcall vector when local APIC is enabled (git-fixes).
KVM: x86/xen: remove WARN_ON_ONCE() with false positives in evtchn delivery (git-fixes).
leds: flash: leds-qcom-flash: Test the correct variable in init (git-fixes).
leds: mt6360: Fix memory leak in mt6360_init_isnk_properties() (git-fixes).
leds: pwm: Disable PWM when going to suspend (git-fixes).
leds: ss4200: Convert PCIBIOS_* return codes to errnos (git-fixes).
leds: triggers: Flush pending brightness before activating trigger (git-fixes).
leds: trigger: Unregister sysfs attributes before calling deactivate() (git-fixes).
libceph: fix race between delayed_work() and ceph_monc_stop() (bsc#1228192).
libnvdimm: Fix ACPI_NFIT in BLK_DEV_PMEM help (jsc#PED-5853).
lib: objagg: Fix general protection fault (git-fixes).
lib: objagg: Fix spelling (git-fixes).
libperf evlist: Avoid out-of-bounds access (git-fixes).
libsubcmd: Fix parse-options memory leak (git-fixes).
lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure (git-fixes).
lib: test_objagg: Fix spelling (git-fixes).
livepatch: Fix missing newline character in klp_resolve_symbols() (bsc#1223539).
locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock (git-fixes)
lsm: fix the logic in security_inode_getsecctx() (git-fixes).
mac802154: fix llsec key resources release in mac802154_llsec_key_del (git-fixes).
mac802154: fix time calculation in ieee802154_configure_durations() (git-fixes).
mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() (git-fixes).
maple_tree: fix mas_empty_area_rev() null pointer dereference (git-fixes).
md: add a new helper rdev_has_badblock() (jsc#PED-7542).
md: add a new helper reshape_interrupted() (jsc#PED-7542).
md: changed the switch of RAID_VERSION to if (jsc#PED-7542).
md: check mddev->pers before calling md_set_readonly() (jsc#PED-7542).
md: clean up invalid BUG_ON in md_ioctl (jsc#PED-7542).
md: clean up openers check in do_md_stop() and md_set_readonly() (jsc#PED-7542).
md/dm-raid: do not call md_reap_sync_thread() directly (jsc#PED-7542).
md: Do not clear MD_CLOSING when the raid is about to stop (jsc#PED-7542).
md: do not clear MD_RECOVERY_FROZEN for new dm-raid until resume (jsc#PED-7542).
md: export helper md_is_rdwr() (jsc#PED-7542).
md: export helpers to stop sync_thread (jsc#PED-7542).
md: factor out a helper to sync mddev (jsc#PED-7542).
md: fix kmemleak of rdev->serial (jsc#PED-7542).
md: get rdev->mddev with READ_ONCE() (jsc#PED-7542).
md: merge the check of capabilities into md_ioctl_valid() (jsc#PED-7542).
md: preserve KABI in struct md_personality (jsc#PED-7542).
md/raid1-10: add a helper raid1_check_read_range() (jsc#PED-7542).
md/raid1-10: factor out a new helper raid1_should_read_first() (jsc#PED-7542).
md/raid1: factor out choose_bb_rdev() from read_balance() (jsc#PED-7542).
md/raid1: factor out choose_slow_rdev() from read_balance() (jsc#PED-7542).
md/raid1: factor out helpers to add rdev to conf (jsc#PED-7542).
md/raid1: factor out helpers to choose the best rdev from read_balance() (jsc#PED-7542).
md/raid1: factor out read_first_rdev() from read_balance() (jsc#PED-7542).
md/raid1: factor out the code to manage sequential IO (jsc#PED-7542).
md/raid1: fix choose next idle in read_balance() (jsc#PED-7542).
md/raid1: record nonrot rdevs while adding/removing rdevs to conf (jsc#PED-7542).
md: remove redundant check of 'mddev->sync_thread' (jsc#PED-7542).
md: remove redundant md_wakeup_thread() (jsc#PED-7542).
md: return directly before setting did_set_md_closing (jsc#PED-7542).
md: sync blockdev before stopping raid or setting readonly (jsc#PED-7542).
md: use RCU lock to protect traversal in md_spares_need_change() (jsc#PED-7542).
media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries (git-fixes).
media: cadence: csi2rx: use match fwnode for media link (git-fixes).
media: cec: core: remove length check of Timer Status (stable-fixes).
media: dt-bindings: ovti,ov2680: Fix the power supply names (git-fixes).
media: dvb: as102-fe: Fix as10x_register_addr packing (stable-fixes).
media: dvbdev: Initialize sbuf (stable-fixes).
media: dvb-frontends: tda10048: Fix integer overflow (stable-fixes).
media: dvb-frontends: tda18271c2dd: Remove casting during div (stable-fixes).
media: dvb-usb: dib0700_devices: Add missing release_firmware() (stable-fixes).
media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control() (git-fixes).
media: dw2102: Do not translate i2c read into write (stable-fixes).
media: dw2102: fix a potential buffer overflow (git-fixes).
media: flexcop-usb: fix sanity check of bNumEndpoints (git-fixes).
media: i2c: et8ek8: Do not strip remove function when driver is builtin (git-fixes).
media: i2c: Fix imx412 exposure control (git-fixes).
media: imon: Fix race getting ictx->lock (git-fixes).
media: imx-jpeg: Drop initial source change event if capture has been setup (git-fixes).
media: imx-jpeg: Remove some redundant error logs (git-fixes).
media: imx-pxp: Fix ERR_PTR dereference in pxp_probe() (git-fixes).
media: ipu3-cio2: Request IRQ earlier (git-fixes).
media: lgdt3306a: Add a check against null-pointer-def (stable-fixes).
media: mc: Fix flags handling when creating pad links (stable-fixes).
media: mc: Fix graph walk in media_pipeline_start (git-fixes).
media: mc: mark the media devnode as registered from the, start (git-fixes).
media: mc: Rename pad variable to clarify intent (stable-fixes).
media: mxl5xx: Move xpt structures off stack (stable-fixes).
media: ngene: Add dvb_ca_en50221_init return value check (git-fixes).
media: pci: ivtv: Add check for DMA map result (git-fixes).
media: radio-shark2: Avoid led_names truncations (git-fixes).
media: rcar-vin: Fix YUYV8_1X16 handling for CSI-2 (git-fixes).
media: rcar-vin: work around -Wenum-compare-conditional warning (git-fixes).
media: renesas: vsp1: Fix _irqsave and _irq mix (git-fixes).
media: renesas: vsp1: Store RPF partition configuration per RPF instance (git-fixes).
media: rkisp1: Fix IRQ handling due to shared interrupts (stable-fixes).
media: s2255: Use refcount_t instead of atomic_t for num_channels (stable-fixes).
media: sta2x11: fix irq handler cast (stable-fixes).
media: stk1160: fix bounds checking in stk1160_copy_video() (git-fixes).
media: sunxi: a83-mips-csi2: also select GENERIC_PHY (git-fixes).
media: uvcvideo: Add quirk for Logitech Rally Bar (git-fixes).
media: uvcvideo: Fix integer overflow calculating timestamp (git-fixes).
media: uvcvideo: Override default flags (git-fixes).
media: v4l2-core: hold videodev_lock until dev reg, finishes (stable-fixes).
media: v4l2-subdev: Fix stream handling for crop API (git-fixes).
media: v4l: async: Fix NULL pointer dereference in adding ancillary links (git-fixes).
media: v4l: Do not turn on privacy LED if streamon fails (git-fixes).
media: v4l: subdev: Fix typo in documentation (git-fixes).
media: venus: fix use after free in vdec_close (git-fixes).
media: venus: flush all buffers in output plane streamoff (git-fixes).
mei: demote client disconnect warning on suspend to debug (stable-fixes).
mei: me: add arrow lake point H DID (stable-fixes).
mei: me: add arrow lake point S DID (stable-fixes).
mei: me: add lunar lake point M DID (stable-fixes).
mei: me: disable RPL-S on SPS and IGN firmwares (git-fixes).
mei: me: release irq in mei_me_pci_resume error path (git-fixes).
Merge branch 'SLE15-SP6' (7c8fc2c7cc52) into 'SLE15-SP6-RT'
mfd: omap-usb-tll: Use struct_size to allocate tll (git-fixes).
mfd: pm8008: Fix regmap irq chip initialisation (git-fixes).
misc: fastrpc: Avoid updating PD type for capability request (git-fixes).
misc: fastrpc: Copy the complete capability structure to user (git-fixes).
misc: fastrpc: Fix DSP capabilities request (git-fixes).
misc: fastrpc: Fix memory leak in audio daemon attach operation (git-fixes).
misc: fastrpc: Fix ownership reassignment of remote heap (git-fixes).
misc: fastrpc: Restrict untrusted app to attach to privileged PD (git-fixes).
misc: microchip: pci1xxxx: Fix a memory leak in the error handling of gp_aux_bus_probe() (git-fixes).
misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe() (git-fixes).
mISDN: Fix a use after free in hfcmulti_tx() (git-fixes).
mISDN: fix MISDN_TIME_STAMP handling (git-fixes).
mlxbf_gige: call request_irq() after NAPI initialized (git-fixes).
mlxbf_gige: stop interface during shutdown (git-fixes).
mlxbf_gige: stop PHY during open() error paths (git-fixes).
mlxsw: Use refcount_t for reference counting (git-fixes).
mmc: core: Add HS400 tuning in HS400es initialization (stable-fixes).
mmc: core: Add mmc_gpiod_set_cd_config() function (stable-fixes).
mmc: core: Avoid negative index with array access (git-fixes).
mmc: core: Do not force a retune before RPMB switch (stable-fixes).
mmc: core: Initialize mmc_blk_ioc_data (git-fixes).
mmc: davinci: Do not strip remove function when driver is builtin (git-fixes).
mmc: omap: fix broken slot switch lookup (git-fixes).
mmc: omap: fix deferred probe (git-fixes).
mmc: omap: restore original power up/down steps (git-fixes).
mmc: sdhci-acpi: Add quirk to enable pull-up on the card-detect GPIO on Asus T100TA (git-fixes).
mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A (stable-fixes).
mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working (stable-fixes).
mmc: sdhci-acpi: Sort DMI quirks alphabetically (stable-fixes).
mmc: sdhci: Add support for 'Tuning Error' interrupts (stable-fixes).
mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock (git-fixes).
mmc: sdhci_am654: Add OTAP/ITAP delay enable (git-fixes).
mmc: sdhci_am654: Add tuning algorithm for delay chain (git-fixes).
mmc: sdhci_am654: Fix ITAPDLY for HS400 timing (git-fixes).
mmc: sdhci_am654: Write ITAPDLY for DDR52 timing (git-fixes).
mmc: sdhci-brcmstb: check R1_STATUS for erase/trim/discard (git-fixes).
mmc: sdhci: Do not invert write-protect twice (git-fixes).
mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() (git-fixes).
mmc: sdhci-msm: pervent access to suspended controller (git-fixes).
mmc: sdhci-omap: re-tuning is needed after a pm transition to support emmc HS200 mode (git-fixes).
mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos (git-fixes).
mm_init kABI workaround (git-fixes).
mm: memcg: do not periodically flush stats when memcg is disabled (bsc#1222525).
mm: memcg: use larger batches for proactive reclaim (bsc#1222522).
mm,page_owner: check for null stack_record before bumping its refcount (bsc#1222366).
mm,page_owner: Defer enablement of static branch (bsc#1222366).
mm,page_owner: drop unnecessary check (bsc#1222366).
mm,page_owner: Fix accounting of pages when migrating (bsc#1222366).
mm,page_owner: Fix printing of stack records (bsc#1222366).
mm,page_owner: fix recursion (bsc#1222366).
mm,page_owner: Fix refcount imbalance (bsc#1222366).
mm: page_owner: fix wrong information in dump_page_owner (git-fixes).
mm,page_owner: Update metadata for tail pages (bsc#1222366).
mm/slab: make __free(kfree) accept error pointers (git-fixes).
modpost: Add '.ltext' and '.ltext.*' to TEXT_SECTIONS (stable-fixes).
module: do not ignore sysfs_create_link() failures (git-fixes).
mptcp: annotate data-races around msk->rmem_fwd_alloc (git-fixes).
mptcp: fix bogus receive window shrinkage with multiple subflows (git-fixes).
mptcp: move __mptcp_error_report in protocol.c (git-fixes).
mptcp: process pending subflow error on close (git-fixes).
mptcp: Remove unnecessary test for __mptcp_init_sock() (git-fixes).
mt76: connac: move more mt7921/mt7915 mac shared code in connac lib (bsc#1227149).
mt76: mt7996: rely on mt76_sta_stats in mt76_wcid (bsc#1227149).
mtd: core: Report error if first mtd_otp_size() call fails in mtd_otp_nvmem_add() (git-fixes).
mtd: diskonchip: work around ubsan link failure (stable-fixes).
mtd: partitions: redboot: Added conversion of operands to a larger type (stable-fixes).
mtd: rawnand: Bypass a couple of sanity checks during NAND identification (git-fixes).
mtd: rawnand: Ensure ECC configuration is propagated to upper layers (git-fixes).
mtd: rawnand: Fix the nand_read_data_op() early check (git-fixes).
mtd: rawnand: hynix: fixed typo (git-fixes).
mtd: rawnand: rockchip: ensure NVDDR timings are rejected (git-fixes).
mtd: spinand: Add support for 5-byte IDs (stable-fixes).
net: add netdev_lockdep_set_classes() to virtual drivers (git-fixes).
net: annotate data-races around sk->sk_bind_phc (git-fixes).
net: annotate data-races around sk->sk_forward_alloc (git-fixes).
net: annotate data-races around sk->sk_lingertime (git-fixes).
net: annotate data-races around sk->sk_tsflags (git-fixes).
net: bonding: remove kernel-doc comment marker (git-fixes).
net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new (git-fixes).
net: can: j1939: Initialize unused data in j1939_send_one() (git-fixes).
net: can: j1939: recover socket queue on CAN bus error during BAM transmission (git-fixes).
net: cfg802154: fix kernel-doc notation warnings (git-fixes).
net/dcb: check for detached device before executing callbacks (bsc#1215587).
net: dsa: microchip: fix register write order in ksz8_ind_write8() (git-fixes).
net: dsa: mt7530: fix handling of all link-local frames (git-fixes).
net: dsa: mt7530: fix link-local frames that ingress vlan filtering ports (git-fixes).
net: dsa: mt7530: prevent possible incorrect XTAL frequency selection (git-fixes).
net: dsa: mt7530: trap link-local frames regardless of ST Port State (git-fixes).
net: dsa: sja1105: Fix parameters order in sja1110_pcs_mdio_write_c45() (git-fixes).
net: ena: Fix incorrect descriptor free behavior (git-fixes).
net: ena: Fix potential sign extension issue (git-fixes).
net: ena: Fix redundant device NUMA node override (jsc#PED-8688).
net: ena: Move XDP code to its new files (git-fixes).
net: ena: Pass ena_adapter instead of net_device to ena_xmit_common() (git-fixes).
net: ena: Remove ena_select_queue (git-fixes).
net: ena: Set tx_info->xdpf value to NULL (git-fixes).
net: ena: Use tx_ring instead of xdp_ring for XDP channel TX (git-fixes).
net: ena: Wrong missing IO completions check order (git-fixes).
net: ethernet: mtk_eth_soc: fix PPE hanging issue (git-fixes).
net: ethernet: mtk_wed: introduce mtk_wed_buf structure (bsc#1227149).
net: ethernet: mtk_wed: rename mtk_rxbm_desc in mtk_wed_bm_desc (bsc#1227149).
net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio (git-fixes).
net: fec: Set mac_managed_pm during probe (git-fixes).
net: fill in MODULE_DESCRIPTION()s in kuba@'s modules (bsc#1227149).
netfilter: nf_tables: disable toggling dormant table state more than once (git-fixes).
netfilter: nf_tables: uapi: Describe NFTA_RULE_CHAIN_ID (git-fixes).
netfilter: nft_ct: fix l3num expectations with inet pseudo family (git-fixes).
netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention (git-fixes).
net: hns3: fix index limit to support all queue stats (git-fixes).
net: hns3: fix kernel crash when 1588 is received on HIP08 devices (git-fixes).
net: hns3: fix kernel crash when devlink reload during pf initialization (git-fixes).
net: hns3: fix port duplex configure error in IMP reset (git-fixes).
net: hns3: fix wrong judgment condition issue (git-fixes).
net: hns3: mark unexcuted loopback test result as UNEXECUTED (git-fixes).
net: hns3: Remove io_stop_wc() calls after __iowrite64_copy() (bsc#1226502)
net: hns3: tracing: fix hclgevf trace event strings (git-fixes).
net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() (git-fixes).
net: ks8851: Handle softirqs at the end of IRQ thread to fix hang (git-fixes).
net: ks8851: Inline ks8851_rx_skb() (git-fixes).
net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs (git-fixes).
net: lan743x: Add set RFE read fifo threshold for PCI1x1x chips (git-fixes).
net: lan743x: disable WOL upon resume to restore full data path operation (git-fixes).
net: lan743x: Support WOL at both the PHY and MAC appropriately (git-fixes).
net: libwx: fix memory leak on free page (git-fixes).
net: llc: fix kernel-doc notation warnings (git-fixes).
net: ll_temac: platform_get_resource replaced by wrong function (git-fixes).
net: mana: Enable MANA driver on ARM64 with 4K page size (jsc#PED-8491).
net: mana: Fix possible double free in error handling path (git-fixes).
net: mana: Fix Rx DMA datasize and skb_over_panic (git-fixes).
net: mana: Fix the extra HZ in mana_hwc_send_request (git-fixes).
net: mediatek: mtk_eth_soc: clear MAC_MCR_FORCE_LINK only when MAC is up (git-fixes).
net/mlx5: Correctly compare pkt reformat ids (git-fixes).
net/mlx5e: Change the warning when ignore_flow_level is not supported (git-fixes).
net/mlx5e: Do not produce metadata freelist entries in Tx port ts WQE xmit (git-fixes).
net/mlx5e: Fix MACsec state loss upon state update in offload path (git-fixes).
net/mlx5e: Fix mlx5e_priv_init() cleanup flow (git-fixes).
net/mlx5e: HTB, Fix inconsistencies with QoS SQs number (git-fixes).
net/mlx5e: RSS, Block changing channels number when RXFH is configured (git-fixes).
net/mlx5e: RSS, Block XOR hash with over 128 channels (git-fixes).
net/mlx5: E-switch, Change flow rule destination checking (git-fixes).
net/mlx5: E-switch, store eswitch pointer before registering devlink_param (git-fixes).
net/mlx5e: Switch to using _bh variant of of spinlock API in port timestamping NAPI poll context (git-fixes).
net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map (git-fixes).
net/mlx5: Fix fw reporter diagnose output (git-fixes).
net/mlx5: Fix MTMP register capability offset in MCAM register (git-fixes).
net/mlx5: Fix peer devlink set for SF representor devlink port (git-fixes).
net/mlx5: Lag, restore buckets number to default after hash LAG deactivation (git-fixes).
net/mlx5: offset comp irq index in name by one (git-fixes).
net/mlx5: Properly link new fs rules into the tree (git-fixes).
net/mlx5: Register devlink first under devlink lock (git-fixes).
net/mlx5: Restore mistakenly dropped parts in register devlink flow (git-fixes).
net/mlx5: SF, Stop waiting for FW as teardown was called (git-fixes).
net: nfc: remove inappropriate attrs check (stable-fixes).
net: NSH: fix kernel-doc notation warning (git-fixes).
net: pcs: xpcs: Return EINVAL in the internal methods (git-fixes).
net: phy: fix phy_read_poll_timeout argument type in genphy_loopback (git-fixes).
net: phy: micrel: add Microchip KSZ 9477 to the device table (git-fixes).
net: phy: micrel: fix KSZ9477 PHY issues after suspend/resume (git-fixes).
net: phy: micrel: Fix potential null pointer dereference (git-fixes).
net: phy: Micrel KSZ8061: fix errata solution not taking effect problem (git-fixes).
net: phy: micrel: lan8814: Fix when enabling/disabling 1-step timestamping (git-fixes).
net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8061 (git-fixes).
net: phy: microchip: lan87xx: reinit PHY after cable test (git-fixes).
net: phy: mxl-gpy: Remove interrupt mask clearing from config_init (git-fixes).
net: phy: phy_device: Fix PHY LED blinking code comment (git-fixes).
net: phy: phy_device: Prevent nullptr exceptions on ISR (git-fixes).
net: phy: phy_device: Prevent nullptr exceptions on ISR (stable-fixes).
net: ravb: Always process TX descriptor ring (git-fixes).
net: ravb: Let IP-specific receive function to interrogate descriptors (git-fixes).
net: Remove conditional threaded-NAPI wakeup based on task state (bsc#1214683 (PREEMPT_RT prerequisite backports)).
net/smc: bugfix for smcr v2 server connect success statistic (git-fixes).
net/smc: fix documentation of buffer sizes (git-fixes).
net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add (git-fixes).
net: smsc95xx: add support for SYS TEC USB-SPEmodule1 (git-fixes).
net: sparx5: Fix use after free inside sparx5_del_mact_entry (git-fixes).
net: sparx5: fix wrong config being used when reconfiguring PCS (git-fixes).
net: sparx5: flower: fix fragment flags handling (git-fixes).
net: stmmac: dwmac-starfive: Add support for JH7100 SoC (git-fixes).
net: stmmac: Fix incorrect dereference in interrupt handlers (git-fixes).
net: stmmac: fix rx queue priority assignment (git-fixes).
net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() (git-fixes).
net: tcp: fix unexcepted socket die when snd_wnd is 0 (git-fixes).
net: tls: fix returned read length with async decrypt (bsc#1221858).
net: tls: fix use-after-free with partial reads and async (bsc#1221858).
net: tls, fix WARNIING in __sk_msg_free (bsc#1221858).
net: usb: ax88179_178a: avoid the interface always configured as random address (git-fixes).
net: usb: ax88179_178a: avoid writing the mac address before first reading (git-fixes).
net: usb: ax88179_178a: fix link status when link is set to down/up (git-fixes).
net: usb: ax88179_178a: improve link status logs (git-fixes).
net: usb: ax88179_178a: improve reset check (git-fixes).
net: usb: ax88179_178a: stop lying about skb->truesize (git-fixes).
net: usb: qmi_wwan: add Telit FN912 compositions (stable-fixes).
net: usb: qmi_wwan: add Telit FN920C04 compositions (git-fixes).
net:usb:qmi_wwan: support Rolling modules (stable-fixes).
net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings (git-fixes).
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM (git-fixes).
net: usb: smsc95xx: stop lying about skb->truesize (git-fixes).
net: usb: sr9700: stop lying about skb->truesize (git-fixes).
net: Use sockaddr_storage for getsockopt(SO_PEERNAME) (git-fixes).
net: veth: do not manipulate GRO when using XDP (git-fixes).
net: wwan: t7xx: Split 64bit accesses to fix alignment issues (git-fixes).
net/x25: fix incorrect parameter validation in the x25_getsockopt() function (git-fixes).
nfc/nci: Add the inconsistency check between the input data length and count (stable-fixes).
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() (git-fixes).
nfc: nci: Fix kcov check in nci_rx_work() (git-fixes).
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet (git-fixes).
nfc: nci: Fix uninit-value in nci_rx_work (git-fixes).
nf_conntrack: fix -Wunused-const-variable= (git-fixes).
NFC: trf7970a: disable all regulators on removal (git-fixes).
nfp: flower: handle acti_netdevs allocation failure (git-fixes).
NFS: abort nfs_atomic_open_v23 if name is too long (bsc#1219847).
NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly (bsc#1219847).
NFS: add barriers when testing for NFS_FSDATA_BLOCKED (git-fixes).
nfs: Avoid flushing many pages with NFS_FILE_SYNC (bsc#1218442).
NFS: avoid infinite loop in pnfs_update_layout (bsc#1219633 bsc#1226226).
nfs: Block on write congestion (bsc#1218442).
nfs: Bump default write congestion size (bsc#1218442).
NFSD: change LISTXATTRS cookie encoding to big-endian (git-fixes).
NFSD: Convert the callback workqueue to use delayed_work (git-fixes).
nfsd: do not call locks_release_private() twice concurrently (git-fixes).
nfsd: Fix a regression in nfsd_setattr() (git-fixes).
NFSD: Fix checksum mismatches in the duplicate reply cache (git-fixes).
NFSD: fix LISTXATTRS returning a short list with eof=TRUE (git-fixes).
NFSD: fix LISTXATTRS returning more bytes than maxcount (git-fixes).
NFSD: fix nfsd4_listxattr_validate_cookie (git-fixes).
NFSD: Fix nfsd_clid_class use of __string_len() macro (git-fixes).
nfsd: hold a lighter-weight client reference over CB_RECALL_ANY (git-fixes).
nfsd: optimise recalculate_deny_mode() for a common case (bsc#1217912).
NFSD: Reschedule CB operations when backchannel rpc_clnt is shut down (git-fixes).
NFSD: Reset cb_seq_status after NFS4ERR_DELAY (git-fixes).
NFSD: Retransmit callbacks after client reconnects (git-fixes).
nfs: Drop pointless check from nfs_commit_release_pages() (bsc#1218442).
nfs: drop the incorrect assertion in nfs_swap_rw() (git-fixes).
nfsd: use __fput_sync() to avoid delayed closing of files (bsc#1223380 bsc#1217408).
NFS: Fix an off by one in root_nfs_cat() (git-fixes).
NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt (git-fixes).
nfs: fix panic when nfs4_ff_layout_prepare_ds() fails (git-fixes).
NFS: Fix READ_PLUS when server does not support OP_READ_PLUS (git-fixes).
nfs: fix undefined behavior in nfs_block_bits() (git-fixes).
nfs: Fix up kabi after adding write_congestion_wait (bsc#1218442).
nfs: Handle error of rpc_proc_register() in nfs_net_init() (git-fixes).
nfs: keep server info for remounts (git-fixes).
nfs: Properly initialize server->writeback (bsc#1218442).
NFS: Read unlock folio on nfs_page_create_from_folio() error (git-fixes).
NFSv4.1 enforce rootpath check in fs_location query (git-fixes).
NFSv4.1/pnfs: fix NFS with TLS in pnfs (git-fixes).
NFSv4.2: fix listxattr maximum XDR buffer size (git-fixes).
NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 (git-fixes).
NFSv4: Fixup smatch warning for ambiguous return (git-fixes).
NFSv4.x: by default serialize open/close operations (bsc#1223863 bsc#1227362).
nilfs2: add missing check for inode numbers on directory entries (stable-fixes).
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro (git-fixes).
nilfs2: convert persistent object allocator to use kmap_local (git-fixes).
nilfs2: fix incorrect inode allocation from reserved inodes (git-fixes).
nilfs2: fix inode number range checks (stable-fixes).
nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors (git-fixes).
nilfs2: fix OOB in nilfs_set_de_type (git-fixes).
nilfs2: fix out-of-range warning (git-fixes).
nilfs2: fix potential bug in end_buffer_async_write (git-fixes).
nilfs2: fix potential hang in nilfs_detach_log_writer() (git-fixes).
nilfs2: fix unexpected freezing of nilfs_segctor_sync() (git-fixes).
nilfs2: fix use-after-free of timer for log writer thread (git-fixes).
nilfs2: make superblock data array index computation sparse friendly (git-fixes).
nilfs2: return the mapped address from nilfs_get_page() (stable-fixes).
nouveau: add an ioctl to report vram usage (stable-fixes).
nouveau: add an ioctl to return vram bar size (stable-fixes).
nouveau/dmem: handle kcalloc() allocation failure (git-fixes).
nouveau: fix devinit paths to only handle display on GSP (git-fixes).
nouveau: fix function cast warning (git-fixes).
nouveau: fix instmem race condition around ptr stores (git-fixes).
nouveau/gsp: do not check devinit disable on GSP (git-fixes).
nouveau: lock the client object tree (stable-fixes).
nouveau: report byte usage in VRAM usage (git-fixes).
nouveau: reset the bo resource bus info after an eviction (git-fixes).
nouveau/uvmm: fix addr/range calcs for remap operations (git-fixes).
nvdimm: make nvdimm_bus_type const (jsc#PED-5853).
nvdimm/pmem: fix leak on dax_add_host() failure (jsc#PED-5853).
nvdimm/pmem: Treat alloc_dax() -EOPNOTSUPP failure as non-fatal (jsc#PED-5853).
nvme: cancel pending I/O if nvme controller is in terminal state (bsc#1226503).
nvme: do not retry authentication failures (bsc#1186716).
nvme-fabrics: short-circuit reconnect retries (bsc#1186716).
nvme-fc: do not wait in vain when unloading module (git-fixes).
nvme: find numa distance only if controller has valid numa id (git-fixes).
nvme: fix multipath batched completion accounting (git-fixes).
nvme: fix nvme_pr_* status code parsing (git-fixes).
nvme: fix reconnection fail due to reserved tag allocation (git-fixes).
nvme: fix warn output about shared namespaces without CONFIG_NVME_MULTIPATH (git-fixes).
nvme-multipath: fix io accounting on failover (git-fixes).
nvme-pci: Add quirk for broken MSIs (git-fixes).
nvme: return kernel error codes for admin queue connect (bsc#1186716).
nvmet-auth: replace pr_debug() with pr_err() to report an error (git-fixes).
nvmet-auth: return the error code to the nvmet_auth_host_hash() callers (git-fixes).
nvme/tcp: Add wq_unbound modparam for nvme_tcp_wq (bsc#1224049).
nvme-tcp: Export the nvme_tcp_wq to sysfs (bsc#1224049).
nvme-tcp: strict pdu pacing to avoid send stalls on TLS (bsc#1221858).
nvmet-fc: abort command when there is no binding (git-fixes).
nvmet-fc: defer cleanup using RCU properly (git-fixes).
nvmet-fc: hold reference on hostport match (git-fixes).
nvmet-fcloop: swap the list_add_tail arguments (git-fixes).
nvmet-fc: release reference on target port (git-fixes).
nvmet: fix ns enable/disable possible hang (git-fixes).
nvmet: fix nvme status code when namespace is disabled (git-fixes).
nvmet: lock config semaphore when accessing DH-HMAC-CHAP key (bsc#1186716).
nvmet-passthru: propagate status from id override functions (git-fixes).
nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists() (git-fixes).
nvmet: return DHCHAP status codes from nvmet_setup_auth() (bsc#1186716).
nvmet-tcp: fix nvme tcp ida memory leak (git-fixes).
nvmet-tcp: fix possible memory leak when tearing down a controller (git-fixes).
ocfs2: adjust enabling place for la window (bsc#1219224).
ocfs2: fix DIO failure due to insufficient transaction credits (git-fixes).
ocfs2: fix races between hole punching and AIO+DIO (git-fixes).
ocfs2: fix sparse warnings (bsc#1219224).
ocfs2: improve write IO performance when fragmentation is high (bsc#1219224).
ocfs2: speed up chain-list searching (bsc#1219224).
ocfs2: use coarse time for new created files (git-fixes).
octeontx2-af: Add array index check (git-fixes).
octeontx2-af: Fix devlink params (git-fixes).
octeontx2-af: Fix issue with loading coalesced KPU profiles (git-fixes).
octeontx2-af: Fix NIX SQ mode and BP config (git-fixes).
Octeontx2-af: fix pause frame configuration in GMP mode (git-fixes).
octeontx2-af: Use matching wake_up API variant in CGX command interface (git-fixes).
octeontx2-af: Use separate handlers for interrupts (git-fixes).
octeontx2: Detect the mbox up or down message via register (git-fixes).
octeontx2-pf: check negative error code in otx2_open() (git-fixes).
octeontx2-pf: fix FLOW_DIS_IS_FRAGMENT implementation (git-fixes).
octeontx2-pf: Fix transmit scheduler resource leak (git-fixes).
octeontx2-pf: Send UP messages to VF only when VF is up (git-fixes).
octeontx2-pf: Use default max_active works instead of one (git-fixes).
octeontx2-pf: Wait till detach_resources msg is complete (git-fixes).
of: dynamic: Synchronize of_changeset_destroy() with the devlink removals (git-fixes).
of: module: add buffer overflow check in of_modalias() (git-fixes).
of: module: prevent NULL pointer dereference in vsnprintf() (stable-fixes).
of: property: Add in-ports/out-ports support to of_graph_get_port_parent() (stable-fixes).
of: property: fix typo in io-channels (git-fixes).
of: property: fw_devlink: Fix stupid bug in remote-endpoint parsing (git-fixes).
of: property: Improve finding the consumer of a remote-endpoint property (git-fixes).
of: property: Improve finding the supplier of a remote-endpoint property (git-fixes).
of: unittest: Fix compile in the non-dynamic case (git-fixes).
orangefs: fix out-of-bounds fsid access (git-fixes).
overflow: Allow non-type arg to type_max() and type_min() (stable-fixes).
PCI/AER: Block runtime suspend when handling errors (stable-fixes).
PCI/ASPM: Update save_state when configuration changes (bsc#1226915)
PCI/ASPM: Use RMW accessors for changing LNKCTL (git-fixes).
PCI: Clear Secondary Status errors after enumeration (bsc#1226928)
PCI: Delay after FLR of Solidigm P44 Pro NVMe (stable-fixes).
PCI: Disable D3cold on Asus B1400 PCI-NVMe bridge (stable-fixes).
PCI: Do not wait for disconnected devices when resuming (git-fixes).
PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal (git-fixes).
PCI/DPC: Quirk PIO log size for Intel Raptor Lake Root Ports (stable-fixes).
PCI/DPC: Use FIELD_GET() (stable-fixes).
PCI: dwc: ep: Fix DBI access failure for drivers requiring refclk from host (git-fixes).
PCI: dwc: Fix index 0 incorrectly being interpreted as a free ATU slot (git-fixes).
PCI: dw-rockchip: Fix initial PERST# GPIO value (git-fixes).
PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3 (git-fixes).
PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3 (git-fixes).
PCI: endpoint: Clean up error handling in vpci_scan_bus() (git-fixes).
PCI: endpoint: Fix error handling in epf_ntb_epc_cleanup() (git-fixes).
PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init() (git-fixes).
PCI: Execute quirk_enable_clear_retrain_link() earlier (stable-fixes).
PCI: Extend ACS configurability (bsc#1228090).
PCI: Fix resource double counting on remove & rescan (git-fixes).
PCI: Fix typos in docs and comments (stable-fixes).
PCI: hv: Fix ring buffer size calculation (git-fixes).
PCI: Introduce cleanup helpers for device reference counts and locks (stable-fixes).
PCI: keystone: Do not enable BAR 0 for AM654x (git-fixes).
PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs() (git-fixes).
PCI: keystone: Relocate ks_pcie_set/clear_dbi_mode() (git-fixes).
PCI: Make link retraining use RMW accessors for changing LNKCTL (git-fixes).
PCI/MSI: Fix UAF in msi_capability_init (git-fixes).
PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports (stable-fixes).
PCI/PM: Drain runtime-idle callbacks before driver removal (stable-fixes).
PCI: qcom: Add support for sa8775p SoC (git-fixes).
PCI: qcom: Disable ASPM L0s for sc8280xp, sa8540p and sa8295p (git-fixes).
PCI: qcom-ep: Disable resources unconditionally during PERST# assert (git-fixes).
PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup() (git-fixes).
PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id (git-fixes).
PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio (git-fixes).
PCI: rpaphp: Error out on busy status from get-sensor-state (bsc#1223369 ltc#205888).
PCI: Simplify pcie_capability_clear_and_set_word() to ..._clear_word() (stable-fixes).
PCI: switchtec: Add support for PCIe Gen5 devices (stable-fixes).
PCI: switchtec: Use normal comment style (stable-fixes).
PCI: tegra194: Fix probe path for Endpoint mode (git-fixes).
PCI: tegra194: Set EP alignment restriction for inbound ATU (git-fixes).
PCI: vmd: Create domain symlink before pci_bus_add_devices() (bsc#1227363).
peci: linux/peci.h: fix Excess kernel-doc description warning (git-fixes).
perf annotate: Fix annotation_calc_lines() to pass correct address to get_srcline() (git-fixes).
perf annotate: Get rid of duplicate --group option item (git-fixes).
perf auxtrace: Fix multiple use of --itrace option (git-fixes).
perf bench internals inject-build-id: Fix trap divide when collecting just one DSO (git-fixes).
perf bench uprobe: Remove lib64 from libc.so.6 binary path (git-fixes).
perf bpf: Clean up the generated/copied vmlinux.h (git-fixes).
perf daemon: Fix file leak in daemon_session__control (git-fixes).
perf docs: Document bpf event modifier (git-fixes).
perf: Enqueue SIGTRAP always via task_work (bsc#1214683 (PREEMPT_RT prerequisite backports)).
perf evsel: Fix duplicate initialization of data->id in evsel__parse_sample() (git-fixes).
perf expr: Fix 'has_event' function for metric style events (git-fixes).
perf intel-pt: Fix unassigned instruction op (discovered by MemorySanitizer) (git-fixes).
perf jevents: Drop or simplify small integer values (git-fixes).
perf list: fix short description for some cache events (git-fixes).
perf lock contention: Add a missing NULL check (git-fixes).
perf metric: Do not remove scale from counts (git-fixes).
perf: Move irq_work_queue() where the event is prepared (bsc#1214683 (PREEMPT_RT prerequisite backports)).
perf pmu: Count sys and cpuid JSON events separately (git fixes).
perf pmu: Fix a potential memory leak in perf_pmu__lookup() (git-fixes).
perf pmu: Treat the msr pmu as software (git-fixes).
perf print-events: make is_event_supported() more robust (git-fixes).
perf probe: Add missing libgen.h header needed for using basename() (git-fixes).
perf record: Check conflict between '--timestamp-filename' option and pipe mode before recording (git-fixes).
perf record: Fix debug message placement for test consumption (git-fixes).
perf record: Fix possible incorrect free in record__switch_output() (git-fixes).
perf: Remove perf_swevent_get_recursion_context() from perf_pending_task() (bsc#1214683 (PREEMPT_RT prerequisite backports)).
perf report: Avoid SEGV in report__setup_sample_type() (git-fixes).
perf sched timehist: Fix -g/--call-graph option failure (git-fixes).
perf script: Show also errors for --insn-trace option (git-fixes).
perf: Split __perf_pending_irq() out of perf_pending_irq() (bsc#1214683 (PREEMPT_RT prerequisite backports)).
perf srcline: Add missed addr2line closes (git-fixes).
perf stat: Avoid metric-only segv (git-fixes).
perf stat: Do not display metric header for non-leader uncore events (git-fixes).
perf stat: Do not fail on metrics on s390 z/VM systems (git-fixes).
perf symbols: Fix ownership of string in dso__load_vmlinux() (git-fixes).
perf tests: Apply attributes to all events in object code reading test (git-fixes).
perf test shell arm_coresight: Increase buffer size for Coresight basic tests (git-fixes).
perf tests: Make data symbol test wait for perf to start (bsc#1220045).
perf tests: Make 'test data symbol' more robust on Neoverse N1 (git-fixes).
perf tests: Skip data symbol test if buf1 symbol is missing (bsc#1220045).
perf thread: Fixes to thread__new() related to initializing comm (git-fixes).
perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str() (git-fixes).
perf top: Uniform the event name for the hybrid machine (git-fixes).
perf top: Use evsel's cpus to replace user_requested_cpus (git-fixes).
perf ui browser: Avoid SEGV on title (git fixes).
perf ui browser: Do not save pointer to stack memory (git-fixes).
perf vendor events amd: Add Zen 4 memory controller events (git-fixes).
perf vendor events amd: Fix Zen 4 cache latency events (git-fixes).
perf/x86/amd/core: Avoid register reset when CPU is dead (git-fixes).
perf/x86/amd/lbr: Discard erroneous branch entries (git-fixes).
perf/x86/amd/lbr: Use freeze based on availability (git-fixes).
perf/x86: Fix out of range data (git-fixes).
perf/x86/intel/ds: Do not clear ->pebs_data_cfg for the last PEBS event (git-fixes).
perf/x86/intel: Expose existence of callback support to KVM (git-fixes).
phy: cadence-torrent: Check return value on register read (git-fixes).
phy: freescale: imx8m-pcie: fix pcie link-up instability (git-fixes).
phy: marvell: a3700-comphy: Fix hardcoded array size (git-fixes).
phy: marvell: a3700-comphy: Fix out of bounds read (git-fixes).
phy: rockchip: naneng-combphy: Fix mux on rk3588 (git-fixes).
phy: rockchip-snps-pcie3: fix bifurcation on rk3588 (git-fixes).
phy: rockchip-snps-pcie3: fix clearing PHP_GRF_PCIESEL_CON bits (git-fixes).
phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered (git-fixes).
pinctrl: armada-37xx: remove an unused variable (git-fixes).
pinctrl: baytrail: Fix selecting gpio pinctrl state (git-fixes).
pinctrl: core: fix possible memory leak when pinctrl_enable() fails (git-fixes).
pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() (git-fixes).
pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER (git-fixes).
pinctrl: freescale: mxs: Fix refcount of child (git-fixes).
pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback (git-fixes).
pinctrl: mediatek: paris: Rework support for PIN_CONFIG_{INPUT,OUTPUT}_ENABLE (git-fixes).
pinctrl/meson: fix typo in PDM's pin name (git-fixes).
pinctrl: pinctrl-aspeed-g6: Fix register offset for pinconf of GPIOR-T (git-fixes).
pinctrl: qcom: pinctrl-sm7150: Fix sdc1 and ufs special pins regs (git-fixes).
pinctrl: qcom: spmi-gpio: drop broken pm8008 support (git-fixes).
pinctrl: renesas: checker: Limit cfg reg enum checks to provided IDs (stable-fixes).
pinctrl: renesas: r8a779g0: Fix CANFD5 suffix (git-fixes).
pinctrl: renesas: r8a779g0: Fix FXR_TXEN[AB] suffixes (git-fixes).
pinctrl: renesas: r8a779g0: Fix (H)SCIF1 suffixes (git-fixes).
pinctrl: renesas: r8a779g0: Fix (H)SCIF3 suffixes (git-fixes).
pinctrl: renesas: r8a779g0: Fix IRQ suffixes (git-fixes).
pinctrl: renesas: r8a779g0: FIX PWM suffixes (git-fixes).
pinctrl: renesas: r8a779g0: Fix TCLK suffixes (git-fixes).
pinctrl: renesas: r8a779g0: Fix TPU suffixes (git-fixes).
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins (git-fixes).
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins (git-fixes).
pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set (git-fixes).
pinctrl: rockchip: use dedicated pinctrl type for RK3328 (git-fixes).
pinctrl: single: fix possible memory leak when pinctrl_enable() fails (git-fixes).
pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails (git-fixes).
platform/chrome: cros_ec_debugfs: fix wrong EC message version (git-fixes).
platform/chrome: cros_ec_uart: properly fix race condition (git-fixes).
platform/x86/amd/pmc: Extend Framework 13 quirk to more BIOSes (stable-fixes).
platform/x86: dell-smbios: Fix wrong token data in sysfs (git-fixes).
platform/x86/intel/tpmi: Handle error from tpmi_process_info() (stable-fixes).
platform/x86/intel-uncore-freq: Do not present root domain on error (git-fixes).
platform/x86: ISST: Add Grand Ridge to HPM CPU list (stable-fixes).
platform/x86: ISST: Add Granite Rapids-D to HPM CPU list (stable-fixes).
platform/x86: lg-laptop: Change ACPI device id (stable-fixes).
platform/x86: lg-laptop: Remove LGEX0815 hotkey handling (stable-fixes).
platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB (stable-fixes).
platform/x86: thinkpad_acpi: Take hotkey_mutex during hotkey_exit() (git-fixes).
platform/x86: toshiba_acpi: Add quirk for buttons on Z830 (stable-fixes).
platform/x86: toshiba_acpi: Fix array out-of-bounds access (git-fixes).
platform/x86: toshiba_acpi: Fix quickstart quirk handling (git-fixes).
platform/x86: touchscreen_dmi: Add an extra entry for a variant of the Chuwi Vi8 tablet (stable-fixes).
platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6' tablet (stable-fixes).
platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro (stable-fixes).
platform/x86: wireless-hotkey: Add support for LG Airplane Button (stable-fixes).
platform/x86: x86-android-tablets: Fix acer_b1_750_goodix_gpios name (stable-fixes).
platform/x86: xiaomi-wmi: Fix race condition when reporting key events (git-fixes).
PM / devfreq: Synchronize devfreq_monitor_[start/stop] (stable-fixes).
PM: s2idle: Make sure CPUs will wakeup directly on resume (git-fixes).
pNFS/filelayout: fixup pNfs allocation modes (git-fixes).
Port 'certs: Move RSA self-test data to separate file'.
powerpc/64s/radix/kfence: map __kfence_pool at page granularity (bsc#1223570 ltc#205770).
powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt (bsc#1221645 ltc#205739 bsc#1223191).
powerpc/crypto/chacha-p10: Fix failure on non Power10 (bsc#1218205).
powerpc/eeh: Permanently disable the removed device (bsc#1223991 ltc#205740).
powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks (git-fixes).
powerpc/prom: Add CPU info to hardware description string later (bsc#1215199).
powerpc/pseries: Fix scv instruction crash with kexec (bsc#1194869).
powerpc/pseries/lparcfg: drop error message from guest name lookup (bsc#1187716 ltc#193451 git-fixes).
powerpc/pseries: make max polling consistent for longer H_CALLs (bsc#1215199).
powerpc/pseries/vio: Do not return ENODEV if node or compatible missing (bsc#1220783).
powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() (bsc#1227487).
powerpc/uaccess: Fix build errors seen with GCC 13/14 (bsc#1194869).
powerpc/uaccess: Use YZ asm constraint for ld (bsc#1194869).
power: rt9455: hide unused rt9455_boost_voltage_values (git-fixes).
power: supply: ab8500: Fix error handling when calling iio_read_channel_processed() (git-fixes).
power: supply: cros_usbpd: provide ID table for avoiding fallback match (stable-fixes).
power: supply: ingenic: Fix some error handling paths in ingenic_battery_get_property() (git-fixes).
power: supply: mt6360_charger: Fix of_match for usb-otg-vbus regulator (git-fixes).
ppdev: Add an error check in register_device (git-fixes).
prctl: generalize PR_SET_MDWE support check to be per-arch (bsc#1225610).
Preparation update to v6.10-rc3-rt5 ((bsc#1214683 (PREEMPT_RT prerequisite backports)).
printk: Add this_cpu_in_panic() (bsc#1225607).
printk: Adjust mapping for 32bit seq macros (bsc#1225607).
printk: Avoid non-panic CPUs writing to ringbuffer (bsc#1225607).
printk: Consolidate console deferred printing (bsc#1225607).
printk: Disable passing console lock owner completely during panic() (bsc#1225607).
printk: Do not take console lock for console_flush_on_panic() (bsc#1225607).
printk: For @suppress_panic_printk check for other CPU in panic (bsc#1225607).
printk: Keep non-panic-CPUs out of console lock (bsc#1225607).
printk: Let no_printk() use _printk() (bsc#1225618).
printk: nbcon: Relocate 32bit seq macros (bsc#1225607).
printk: Reduce console_unblank() usage in unsafe scenarios (bsc#1225607).
printk: Rename abandon_console_lock_in_panic() to other_cpu_in_panic() (bsc#1225607).
printk: ringbuffer: Clarify special lpos values (bsc#1225607).
printk: ringbuffer: Cleanup reader terminology (bsc#1225607).
printk: ringbuffer: Do not skip non-finalized records with prb_next_seq() (bsc#1225607).
printk: ringbuffer: Skip non-finalized records in panic (bsc#1225607).
printk: Update @console_may_schedule in console_trylock_spinning() (bsc#1225616).
printk: Use prb_first_seq() as base for 32bit seq macros (bsc#1225607).
printk: Wait for all reserved records with pr_flush() (bsc#1225607).
proc/kcore: do not try to access unaccepted memory (git-fixes).
pstore: inode: Convert mutex usage to guard(mutex) (stable-fixes).
pstore: inode: Only d_invalidate() is needed (git-fixes).
pstore/zone: Add a null pointer check to the psz_kmsg_read (stable-fixes).
pwm: img: fix pwm clock lookup (git-fixes).
pwm: sti: Prepare removing pwm_chip from driver data (stable-fixes).
pwm: sti: Simplify probe function using devm functions (git-fixes).
pwm: stm32: Always do lazy disabling (git-fixes).
qibfs: fix dentry leak (git-fixes)
r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d (git-fixes).
r8169: skip DASH fw status checks when DASH is disabled (git-fixes).
random: handle creditable entropy from atomic process context (git-fixes).
RAS/AMD/ATL: Fix MI300 bank hash (bsc#1225300).
RAS/AMD/ATL: Use system settings for MI300 DRAM to normalized address translation (bsc#1225300).
RAS/AMD/FMPM: Avoid NULL ptr deref in get_saved_records() (jsc#PED-7619).
RAS/AMD/FMPM: Fix build when debugfs is not enabled (jsc#PED-7619).
RAS/AMD/FMPM: Safely handle saved records of various sizes (jsc#PED-7619).
RDMA/bnxt_re: Fix the max msix vectors macro (git-fixes)
RDMA/cm: add timeout to cm_destroy_id wait (git-fixes)
RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw (git-fixes)
RDMA/cm: Print the old state when cm_destroy_id gets timeout (git-fixes)
RDMA/hns: Add max_ah and cq moderation capacities in query_device() (git-fixes)
RDMA/hns: Fix deadlock on SRQ async events. (git-fixes)
RDMA/hns: Fix GMV table pagesize (git-fixes)
RDMA/hns: Fix return value in hns_roce_map_mr_sg (git-fixes)
RDMA/hns: Fix UAF for cq async event (git-fixes)
RDMA/hns: Modify the print level of CQE error (git-fixes)
RDMA/hns: Use complete parentheses in macros (git-fixes)
RDMA/IPoIB: Fix format truncation compilation errors (git-fixes)
RDMA/mana_ib: Fix bug in creation of dma regions (git-fixes).
RDMA/mana_ib: Ignore optional access flags for MRs (git-fixes).
RDMA/mlx5: Add check for srq max_sge attribute (git-fixes)
RDMA/mlx5: Adding remote atomic access flag to updatable flags (git-fixes)
RDMA/mlx5: Change check for cacheable mkeys (git-fixes)
RDMA/mlx5: Ensure created mkeys always have a populated rb_key (git-fixes)
RDMA/mlx5: Fix port number for counter query in multi-port configuration (git-fixes)
RDMA/mlx5: Fix unwind flow as part of mlx5_ib_stage_init_init (git-fixes)
RDMA/mlx5: Follow rb_key.ats when creating new mkeys (git-fixes)
RDMA/mlx5: Remove extra unlock on error path (git-fixes)
RDMA/mlx5: Uncacheable mkey has neither rb_key or cache_ent (git-fixes)
RDMA/restrack: Fix potential invalid address access (git-fixes)
RDMA/rxe: Allow good work requests to be executed (git-fixes)
RDMA/rxe: Fix data copy for IB_SEND_INLINE (git-fixes)
RDMA/rxe: Fix incorrect rxe_put in error path (git-fixes)
RDMA/rxe: Fix responder length checking for UD request packets (git-fixes)
RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt (git-fixes)
RDMA/rxe: Fix the problem 'mutex_destroy missing' (git-fixes)
README.BRANCH: Remove copy of branch name
Reapply 'drm/qxl: simplify qxl_fence_wait' (stable-fixes).
Refresh ARM (bsc#1214683 (PREEMPT_RT prerequisite backports)).
Refresh kabi workaround ath updates (bsc#1227149#)
Refresh the previous ASoC patch, landed in subsystem tree (bsc#1228269)
regmap: Add regmap_read_bypassed() (git-fixes).
regmap-i2c: Subtract reg size from max_write (stable-fixes).
regmap: kunit: Ensure that changed bytes are actually different (stable-fixes).
regmap: maple: Fix cache corruption in regcache_maple_drop() (git-fixes).
regmap: maple: Fix uninitialized symbol 'ret' warnings (git-fixes).
regulator: bd71815: fix ramp values (git-fixes).
regulator: bd71828: Do not overwrite runtime voltages (git-fixes).
regulator: change devm_regulator_get_enable_optional() stub to return Ok (git-fixes).
regulator: change stubbed devm_regulator_get_enable to return Ok (git-fixes).
regulator: core: fix debugfs creation regression (git-fixes).
regulator: core: Fix modpost error 'regulator_get_regmap' undefined (git-fixes).
regulator: irq_helpers: duplicate IRQ name (stable-fixes).
regulator: mt6360: De-capitalize devicetree regulator subnodes (git-fixes).
regulator: tps65132: Add of_match table (stable-fixes).
regulator: vqmmc-ipq4019: fix module autoloading (stable-fixes).
remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init (git-fixes).
remoteproc: imx_rproc: Skip over memory region when node value is NULL (git-fixes).
remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs (git-fixes).
remoteproc: k3-r5: Fix IPC-only mode detection (git-fixes).
remoteproc: k3-r5: Jump to error handling labels in start/stop errors (git-fixes).
remoteproc: k3-r5: Wait for core0 power-up before powering up core1 (git-fixes).
remoteproc: mediatek: Make sure IPI buffer fits in L2TCM (git-fixes).
remoteproc: stm32: Fix incorrect type assignment returned by stm32_rproc_get_loaded_rsc_tablef (git-fixes).
remoteproc: stm32_rproc: Fix mailbox interrupts queuing (git-fixes).
remoteproc: virtio: Fix wdg cannot recovery remote processor (git-fixes).
Remove NTFSv3 from configs (bsc#1224429) References: bsc#1224429 comment#3 We only support fuse version of the NTFS-3g driver. Disable NTFSv3 from all configs. This was enabled in d016c04d731 ('Bump to 6.4 kernel (jsc#PED-4593)')
Replace with mainline and sort
Revert 'ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default' (stable-fixes).
Revert 'ASoC: SOF: Intel: hda-dai-ops: only allocate/release streams for first CPU DAI' (stable-fixes).
Revert 'ASoC: SOF: Intel: hda-dai-ops: reset device count for SoundWire DAIs' (stable-fixes).
Revert 'build initrd without systemd' (bsc#1195775)'
Revert 'drm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()' (stable-fixes).
Revert 'drm/amd/display: Fix sending VSC (+ colorimetry) packets for DP/eDP displays without PSR' (stable-fixes).
Revert 'drm/amdkfd: fix gfx_target_version for certain 11.0.3 devices' (stable-fixes).
Revert 'drm/bridge: tc358767: Set default CLRSIPO count' (stable-fixes).
Revert 'drm/bridge: ti-sn65dsi83: Fix enable error path' (git-fixes).
Revert 'drm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()' (stable-fixes).
Revert 'drm/qxl: simplify qxl_fence_wait' (git-fixes).
Revert 'gfs2: fix glock shrinker ref issues' (git-fixes).
Revert 'iommu/amd: Enable PCI/IMS' (git-fixes).
Revert 'iommu/vt-d: Enable PCI/IMS' (git-fixes).
Revert 'leds: led-core: Fix refcount leak in of_led_get()' (git-fixes).
Revert 'net/mlx5: Block entering switchdev mode with ns inconsistency' (git-fixes).
Revert 'net/mlx5e: Check the number of elements before walk TC rhashtable' (git-fixes).
Revert 'PCI/MSI: Provide IMS (Interrupt Message Store) support' (git-fixes).
Revert 'PCI/MSI: Provide pci_ims_alloc/free_irq()' (git-fixes).
Revert 'PCI/MSI: Provide stubs for IMS functions' (git-fixes).
Revert 'selinux: introduce an initial SID for early boot processes' (bsc#1208593) It caused a regression on ALP-current branch, kernel-obs-qa build failed.
Revert 'serial: core: only stop transmit when HW fifo is empty' (git-fixes).
Revert 'usb: cdc-wdm: close race between read and workqueue' (git-fixes).
Revert 'usb: musb: da8xx: Set phy in OTG mode by default' (stable-fixes).
Revert 'usb: phy: generic: Get the vbus supply' (git-fixes).
Revert 'wifi: ath11k: call ath11k_mac_fils_discovery() without condition' (bsc#1227149).
Revert 'wifi: ath12k: use ATH12K_PCI_IRQ_DP_OFFSET for DP IRQ' (bsc#1227149).
Revert 'wifi: iwlwifi: bump FW API to 90 for BZ/SC devices' (bsc#1227149).
ring-buffer: Do not set shortest_full when full target is hit (git-fixes).
ring-buffer: Fix a race between readers and resize checks (git-fixes).
ring-buffer: Fix full_waiters_pending in poll (git-fixes).
ring-buffer: Fix resetting of shortest_full (git-fixes).
ring-buffer: Fix waking up ring buffer readers (git-fixes).
ring-buffer: Make wake once of ring_buffer_wait() more robust (git-fixes).
ring-buffer: use READ_ONCE() to read cpu_buffer->commit_page in concurrent environment (git-fixes).
ring-buffer: Use wait_event_interruptible() in ring_buffer_wait() (git-fixes).
rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL (git-fixes).
rpm/kernel-obs-build.spec.in: Add iso9660 (bsc#1226212) Some builds do not just create an iso9660 image, but also mount it during build.
rpm/kernel-obs-build.spec.in: Add networking modules for docker (bsc#1226211) docker needs more networking modules, even legacy iptable_nat and _filter.
rpm/kernel-obs-build.spec.in: Include algif_hash, aegis128 and xts modules afgif_hash is needed by some packages (e.g. iwd) for tests, xts is used for LUKS2 volumes by default and aegis128 is useful as AEAD cipher for LUKS2. Wrap the long line to make it readable.
rtc: abx80x: Fix return value of nvmem callback on read (git-fixes).
rtc: cmos: Fix return value of nvmem callbacks (git-fixes).
rtc: interface: Add RTC offset to alarm after fix-up (git-fixes).
rtc: isl1208: Fix return value of nvmem callbacks (git-fixes).
rtc: mt6397: select IRQ_DOMAIN instead of depending on it (git-fixes).
s390/bpf: Emit a barrier for BPF_FETCH instructions (git-fixes bsc#1224792).
s390/cio: Ensure the copied buf is NUL terminated (git-fixes bsc#1223869).
s390/cio: fix tracepoint subchannel type field (git-fixes bsc#1224793).
s390/cpacf: Make use of invalid opcode produce a link error (git-fixes bsc#1227072).
s390/cpacf: Split and rework cpacf query functions (git-fixes bsc#1225133).
s390: Implement __iowrite32_copy() (bsc#1226502)
s390/ipl: Fix incorrect initialization of len fields in nvme reipl block (git-fixes bsc#1225136).
s390/ipl: Fix incorrect initialization of nvme dump block (git-fixes bsc#1225134).
s390/ism: Properly fix receive message buffer allocation (git-fixes bsc#1223590).
s390/mm: Fix clearing storage keys for huge pages (git-fixes bsc#1223871).
s390/mm: Fix storage key clearing for guest huge pages (git-fixes bsc#1223872).
s390/qeth: Fix kernel panic after setting hsuid (git-fixes bsc#1223874).
s390: Stop using weak symbols for __iowrite64_copy() (bsc#1226502)
s390/vdso: Add CFI for RA register to asm macro vdso_func (git-fixes bsc#1223870).
s390/vdso: drop '-fPIC' from LDFLAGS (git-fixes bsc#1223593).
s390/vtime: fix average steal time calculation (git-fixes bsc#1221783).
s390/zcrypt: fix reference counting on zcrypt card objects (git-fixes bsc#1223592).
saa7134: Unchecked i2c_transfer function result fixed (git-fixes).
sched/balancing: Rename newidle_balance() => sched_balance_newidle() (bsc#1222173).
sched/core: Fix incorrect initialization of the 'burst' parameter in cpu_max_write() (bsc#1226791).
sched/debug: Update stale reference to sched_debug.c (bsc#1214683 (PREEMPT_RT prerequisite backports)).
sched/fair: Check root_domain::overload value before update (bsc#1222173).
sched/fair: Use helper functions to access root_domain::overload (bsc#1222173).
sched/psi: Select KERNFS as needed (git-fixes).
sched/topology: Optimize topology_span_sane() (bsc#1225053).
scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn (git-fixes).
scsi: core: Consult supported VPD page list prior to fetching page (git-fixes).
scsi: core: Fix unremoved procfs host directory regression (git-fixes).
scsi: csiostor: Avoid function pointer casts (git-fixes).
scsi: hisi_sas: Modify the deadline for ata_wait_after_reset() (git-fixes).
scsi: libsas: Add a helper sas_get_sas_addr_and_dev_type() (git-fixes).
scsi: libsas: Fix disk not being scanned in after being removed (git-fixes).
scsi: lpfc: Add support for 32 byte CDBs (bsc#1225842).
scsi: lpfc: Change default logging level for unsolicited CT MIB commands (bsc#1225842).
scsi: lpfc: Clear deferred RSCN processing flag when driver is unloading (bsc#1225842).
scsi: lpfc: Copyright updates for 14.4.0.1 patches (bsc#1221777).
scsi: lpfc: Copyright updates for 14.4.0.2 patches (bsc#1225842).
scsi: lpfc: Correct size for cmdwqe/rspwqe for memset() (bsc#1221777).
scsi: lpfc: Correct size for wqe for memset() (bsc#1221777).
scsi: lpfc: Define lpfc_dmabuf type for ctx_buf ptr (bsc#1221777).
scsi: lpfc: Define lpfc_nodelist type for ctx_ndlp ptr (bsc#1221777).
scsi: lpfc: Define types in a union for generic void *context3 ptr (bsc#1221777).
scsi: lpfc: Introduce rrq_list_lock to protect active_rrq_list (bsc#1225842).
scsi: lpfc: Move NPIV's transport unregistration to after resource clean up (bsc#1221777).
scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1221777).
scsi: lpfc: Remove IRQF_ONESHOT flag from threaded IRQ handling (bsc#1221777 bsc#1217959).
scsi: lpfc: Remove unnecessary log message in queuecommand path (bsc#1221777).
scsi: lpfc: Replace hbalock with ndlp lock in lpfc_nvme_unregister_port() (bsc#1221777).
scsi: lpfc: Update logging of protection type for T10 DIF I/O (bsc#1225842).
scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic (bsc#1221777).
scsi: lpfc: Update lpfc version to 14.4.0.1 (bsc#1221777).
scsi: lpfc: Update lpfc version to 14.4.0.2 (bsc#1225842).
scsi: lpfc: Use a dedicated lock for ras_fwlog state (bsc#1221777).
scsi: mpt3sas: Prevent sending diag_reset when the controller is ready (git-fixes).
scsi: mylex: Fix sysfs buffer lengths (git-fixes).
scsi: qla2xxx: Change debug message during driver unload (bsc1221816).
scsi: qla2xxx: Delay I/O Abort on PCI error (bsc1221816).
scsi: qla2xxx: Fix command flush on cable pull (bsc1221816).
scsi: qla2xxx: Fix double free of fcport (bsc1221816).
scsi: qla2xxx: Fix double free of the ha->vp_map pointer (bsc1221816).
scsi: qla2xxx: Fix N2N stuck connection (bsc1221816).
scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() (git-fixes).
scsi: qla2xxx: NVME|FCP prefer flag not being honored (bsc1221816).
scsi: qla2xxx: Prevent command send on chip reset (bsc1221816).
scsi: qla2xxx: Split FCE|EFT trace control (bsc1221816).
scsi: qla2xxx: Update manufacturer detail (bsc1221816).
scsi: qla2xxx: Update version to 10.02.09.200-k (bsc1221816).
scsi: sd: Unregister device if device_add_disk() failed in sd_probe() (git-fixes).
scsi: sg: Avoid race in error handling & drop bogus warn (git-fixes).
scsi: sg: Avoid sg device teardown race (git-fixes).
scsi: smartpqi: Fix disable_managed_interrupts (git-fixes).
sctp: annotate data-races around sk->sk_wmem_queued (git-fixes).
sdhci-of-dwcmshc: disable PM runtime in dwcmshc_remove() (git-fixes).
selftests/binderfs: use the Makefile's rules, not Make's implicit rules (git-fixes).
selftests/bpf: add edge case backtracking logic test (bsc#1225756).
selftests/bpf: precision tracking test for BPF_NEG and BPF_END (bsc#1225756).
selftests/bpf: test case for callback_depth states pruning logic (bsc#1225903).
selftests/bpf: test if state loops are detected in a tricky case (bsc#1225903).
selftests/bpf: tests for iterating callbacks (bsc#1225903).
selftests/bpf: tests with delayed read/precision makrs in loop body (bsc#1225903).
selftests/bpf: test widening for iterating callbacks (bsc#1225903).
selftests/bpf: track string payload offset as scalar in strobemeta (bsc#1225903).
selftests/bpf: track tcp payload offset as scalar in xdp_synproxy (bsc#1225903).
selftests: default to host arch for LLVM builds (git-fixes).
selftests: fix OOM in msg_zerocopy selftest (git-fixes).
selftests: forwarding: Fix ping failure due to short timeout (git-fixes).
selftests/ftrace: Fix event filter target_func selection (stable-fixes).
selftests/ftrace: Limit length in subsystem-enable tests (git-fixes).
selftests: hsr: Extend the testsuite to also cover HSRv1 (bsc#1214683 (PREEMPT_RT prerequisite backports)).
selftests: hsr: Reorder the testsuite (bsc#1214683 (PREEMPT_RT prerequisite backports)).
selftests: hsr: Use `let' properly (bsc#1214683 (PREEMPT_RT prerequisite backports)).
selftests/kcmp: remove unused open mode (git-fixes).
selftests: kselftest: Fix build failure with NOLIBC (git-fixes).
selftests: kselftest: Mark functions that unconditionally call exit() as __noreturn (git-fixes).
selftests: make order checking verbose in msg_zerocopy selftest (git-fixes).
selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages (git-fixes).
selftests/mm: fix build warnings on ppc64 (stable-fixes).
selftests: mptcp: add ms units for tc-netem delay (stable-fixes).
selftests: net: bridge: increase IGMP/MLD exclude timeout membership interval (git-fixes).
selftests/net: convert test_bridge_neigh_suppress.sh to run it in unique namespace (stable-fixes).
selftests: net: kill smcrouted in the cleanup logic in amt.sh (git-fixes).
selftests: net: move amt to socat for better compatibility (git-fixes).
selftests/pidfd: Fix config for pidfd_setns_test (git-fixes).
selftests/powerpc/dexcr: Add -no-pie to hashchk tests (git-fixes).
selftests/powerpc/papr-vpd: Fix missing variable initialization (jsc#PED-4486 git-fixes).
selftests/resctrl: fix clang build failure: use LOCAL_HDRS (git-fixes).
selftests/sigaltstack: Fix ppc64 GCC build (git-fixes).
selftests: sud_test: return correct emulated syscall value on RISC-V (stable-fixes).
selftests: test_bridge_neigh_suppress.sh: Fix failures due to duplicate MAC (git-fixes).
selftests: timers: Convert posix_timers test to generate KTAP output (stable-fixes).
selftests: timers: Fix abs() warning in posix_timers test (git-fixes).
selftests: timers: Fix posix_timers ksft_print_msg() warning (git-fixes).
selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior (stable-fixes).
selftests/timers/posix_timers: Reimplement check_timer_distribution() (git-fixes).
selftests: vxlan_mdb: Fix failures with old libnet (git-fixes).
selinux: avoid dereference of garbage after mount failure (git-fixes).
selinux: introduce an initial SID for early boot processes (bsc#1208593).
serial: 8250_bcm7271: use default_mux_rate if possible (git-fixes).
serial: 8250_dw: Revert: Do not reclock if already at correct rate (git-fixes).
serial: 8250_exar: Do not remove GPIO device on suspend (git-fixes).
serial: 8520_mtk: Set RTS on shutdown for Rx in-band wakeup (git-fixes).
serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited() (git-fixes).
serial: core: Fix atomicity violation in uart_tiocmget (git-fixes).
serial: core: introduce uart_port_tx_limited_flags() (git-fixes).
serial: core: only stop transmit when HW fifo is empty (git-fixes).
serial: exar: adding missing CTI and Exar PCI ids (stable-fixes).
serial: imx: Introduce timeout when waiting on transmitter empty (stable-fixes).
serial: imx: Raise TX trigger level to 8 (stable-fixes).
serial: kgdboc: Fix NMI-safety problems from keyboard reset code (stable-fixes).
serial: Lock console when calling into driver before registration (git-fixes).
serial: max3100: Fix bitwise types (git-fixes).
serial: max3100: Lock port->lock when calling uart_handle_cts_change() (git-fixes).
serial: max310x: fix NULL pointer dereference in I2C instantiation (git-fixes).
serial: max310x: fix syntax error in IRQ error message (git-fixes).
serial: mxs-auart: add spinlock around changing cts state (git-fixes).
serial: pch: Do not disable interrupts while acquiring lock in ISR (bsc#1214683 (PREEMPT_RT prerequisite backports)).
serial: pch: Do not initialize uart_port's spin_lock (bsc#1214683 (PREEMPT_RT prerequisite backports)).
serial: pch: Invoke handle_rx_to() directly (bsc#1214683 (PREEMPT_RT prerequisite backports)).
serial: pch: Make push_rx() return void (bsc#1214683 (PREEMPT_RT prerequisite backports)).
serial/pmac_zilog: Remove flawed mitigation for rx irq flood (git-fixes).
serial: sc16is7xx: add proper sched.h include for sched_set_fifo() (git-fixes).
serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler (git-fixes).
serial: sh-sci: protect invalidating RXDMA on shutdown (git-fixes).
serial: stm32: Reset .throttled state in .startup() (git-fixes).
SEV: disable SEV-ES DebugSwap by default (git-fixes).
slimbus: core: Remove usage of the deprecated ida_simple_xx() API (git-fixes).
slimbus: qcom-ngd-ctrl: Add timeout for wait operation (git-fixes).
smb3: allow controlling length of time directory entries are cached with dir leases (git-fixes, bsc#1225172).
smb3: allow controlling maximum number of cached directories (git-fixes, bsc#1225172).
smb3: do not start laundromat thread when dir leases disabled (git-fixes, bsc#1225172).
smb: client: do not start laundromat thread on nohandlecache (git-fixes, bsc#1225172).
smb: client: make laundromat a delayed worker (git-fixes, bsc#1225172).
smb: client: prevent new fids from being removed by laundromat (git-fixes, bsc#1225172).
soc: fsl: qbman: Always disable interrupts when taking cgr_lock (git-fixes).
soc: fsl: qbman: Use raw spinlock for cgr_lock (git-fixes).
sock_diag: annotate data-races around sock_diag_handlers[family] (git-fixes).
soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE (git-fixes).
soc: microchip: Fix POLARFIRE_SOC_SYS_CTRL input prompt (stable-fixes).
soc: qcom: pdr: fix parsing of domains lists (git-fixes).
soc: qcom: pdr: protect locator_addr with the main mutex (git-fixes).
soc: qcom: pmic_glink: do not traverse clients list without a lock (git-fixes).
soc: qcom: pmic_glink: Handle the return value of pmic_glink_init (git-fixes).
soc: qcom: pmic_glink: Make client-lock non-sleeping (git-fixes).
soc: qcom: pmic_glink: notify clients about the current state (git-fixes).
soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request (git-fixes).
soc: qcom: rpmh-rsc: Ensure irqs are not disabled by rpmh_rsc_send_data() callers (git-fixes).
soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message (stable-fixes).
soc: xilinx: rename cpu_number1 to dummy_cpu_number (git-fixes).
soundwire: amd: fix for wake interrupt handling for clockstop mode (git-fixes).
soundwire: cadence: fix invalid PDI offset (stable-fixes).
speakup: Avoid crash on very long word (git-fixes).
speakup: Fix 8bit characters from direct synth (git-fixes).
speakup: Fix sizeof() vs ARRAY_SIZE() bug (git-fixes).
spi: atmel-quadspi: Add missing check for clk_prepare (git-fixes).
spi: cadence: Ensure data lines set to low during dummy-cycle period (stable-fixes).
spi: Do not mark message DMA mapped when no transfer in it is (git-fixes).
spi: fix null pointer dereference within spi_sync (git-fixes).
spi: imx: Do not expect DMA for i.MX{25,35,50,51,53} cspi devices (stable-fixes).
spi: intel-pci: Add support for Lunar Lake-M SPI serial flash (stable-fixes).
spi: lm70llp: fix links in doc and comments (git-fixes).
spi: lpspi: Avoid potential use-after-free in probe() (git-fixes).
spi: mchp-pci1xxx: Fix a possible null pointer dereference in pci1xxx_spi_probe (git-fixes).
spi: microchip-core: defer asserting chip select until just before write to TX FIFO (git-fixes).
spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer (git-fixes).
spi: microchip-core: fix the issues in the isr (git-fixes).
spi: microchip-core: only disable SPI controller when register value change requires it (git-fixes).
spi: microchip-core-qspi: fix setting spi bus clock rate (git-fixes).
spi: mux: set ctlr->bits_per_word_mask (stable-fixes).
spi: spidev: add correct compatible for Rohm BH2228FV (git-fixes).
spi: spi-fsl-lpspi: remove redundant spi_controller_put call (git-fixes).
spi: spi-microchip-core: Fix the number of chip selects supported (git-fixes).
spi: spi-mt65xx: Fix NULL pointer access in interrupt handler (git-fixes).
spi: stm32: Do not warn about spurious interrupts (git-fixes).
spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4 (git-fixes).
spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup() (git-fixes).
spi: xilinx: Fix kernel documentation in the xilinx_spi.h (git-fixes).
spmi: hisi-spmi-controller: Do not override device identifier (git-fixes).
ssb: Fix potential NULL pointer dereference in ssb_device_uevent() (stable-fixes).
staging: vc04_services: changen strncpy() to strscpy_pad() (stable-fixes).
staging: vc04_services: fix information leak in create_component() (git-fixes).
staging: vt6655: Remove unused declaration of RFbAL7230SelectChannelPostProcess() (git-fixes).
stmmac: Clear variable when destroying workqueue (git-fixes).
struct acpi_ec kABI workaround (git-fixes).
SUNRPC: avoid soft lockup when transmitting UDP to reachable server (bsc#1225272).
SUNRPC: fix a memleak in gss_import_v2_context (git-fixes).
SUNRPC: Fix gss_free_in_token_pages() (git-fixes).
SUNRPC: Fix loop termination condition in gss_free_in_token_pages() (git-fixes).
sunrpc: fix NFSACL RPC retry on soft mount (git-fixes).
SUNRPC: fix some memleaks in gssx_dec_option_array (git-fixes).
SUNRPC: return proper error from gss_wrap_req_priv (git-fixes).
supported.conf: Add APM X-Gene SoC hardware monitoring driver (bsc#1223265 jsc#PED-8570)
supported.conf: Add support for v4l2-dv-timings (jsc#PED-8644)
supported.conf: mark orangefs as optional We do not support orangefs at all (and it is already marked as such), but since there are no SLE consumers of it, mark it as optional.
supported.conf: mark ufs as unsupported UFS is an unsupported filesystem, mark it as such. We still keep it around (not marking as optional), to accommodate any potential migrations from BSD systems.
supported.conf: mark vdpa modules supported (jsc#PED-8954)
supported.conf: support tcp_dctcp module (jsc#PED-8111)
supported.conf: update for mt76 stuff (bsc#1227149)
swiotlb: extend buffer pre-padding to alloc_align_mask if necessary (bsc#1224331)
swiotlb: Fix alignment checks when both allocation and DMA masks are (bsc#1224331)
swiotlb: Fix double-allocation of slots due to broken alignment (bsc#1224331)
swiotlb: Honour dma_alloc_coherent() alignment in swiotlb_alloc() (bsc#1224331)
swiotlb: use the calculated number of areas (git-fixes).
tcp: Dump bound-only sockets in inet_diag (bsc#1204562).
Temporarily drop KVM patch that caused a regression (bsc#1226158)
thermal: devfreq_cooling: Fix perf state when calculate dfc res_util (git-fixes).
thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data (stable-fixes).
thermal/drivers/mediatek/lvts_thermal: Return error in case of invalid efuse data (git-fixes).
thermal/drivers/qcom/lmh: Check for SCM availability at probe (git-fixes).
thermal/drivers/tsens: Fix null pointer dereference (git-fixes).
thermal/of: Assume polling-delay(-passive) 0 when absent (stable-fixes).
thunderbolt: Avoid notify PM core about runtime PM resume (stable-fixes).
thunderbolt: debugfs: Fix margin debugfs node creation condition (git-fixes).
thunderbolt: Do not create DisplayPort tunnels on adapters of the same router (git-fixes).
thunderbolt: Fix wake configurations after device unplug (stable-fixes).
thunderbolt: Introduce tb_path_deactivate_hop() (stable-fixes).
thunderbolt: Introduce tb_port_reset() (stable-fixes).
thunderbolt: Make tb_switch_reset() support Thunderbolt 2, 3 and USB4 routers (stable-fixes).
thunderbolt: Reset only non-USB4 host routers in resume (git-fixes).
tls: break out of main loop when PEEK gets a non-data record (bsc#1221858).
tls: do not skip over different type records from the rx_list (bsc#1221858).
tls: fix peeking with sync+async decryption (bsc#1221858).
tls: stop recv() if initial process_rx_list gave us non-DATA (bsc#1221858).
tools/arch/x86/intel_sdsi: Fix maximum meter bundle length (git-fixes).
tools/arch/x86/intel_sdsi: Fix meter_certificate decoding (git-fixes).
tools/arch/x86/intel_sdsi: Fix meter_show display (git-fixes).
tools/latency-collector: Fix -Wformat-security compile warns (git-fixes).
tools/memory-model: Fix bug in lock.cat (git-fixes).
tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs (stable-fixes).
tools/power turbostat: Expand probe_intel_uncore_frequency() (bsc#1221765).
tools/power/turbostat: Fix uncore frequency file string (bsc#1221765).
tools/power turbostat: Remember global max_die_id (stable-fixes).
tools: ynl: do not leak mcast_groups on init error (git-fixes).
tools: ynl: fix handling of multiple mcast groups (git-fixes).
tools: ynl: make sure we always pass yarg to mnl_cb_run (git-fixes).
tpm_tis: Do not flush uninitialized work (git-fixes).
tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer (git-fixes).
tracefs: Add missing lockdown check to tracefs_create_dir() (git-fixes).
tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test (git-fixes).
tracing: Build event generation tests only as modules (git-fixes).
tracing: Have saved_cmdlines arrays all in one allocation (git-fixes).
tracing: hide unused ftrace_event_id_fops (git-fixes).
tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string (git-fixes).
tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() (git-fixes).
tracing: Remove precision vsnprintf() check from print event (git-fixes).
tracing/ring-buffer: Fix wait_on_pipe() race (git-fixes).
tracing: Use .flush() call to wake up readers (git-fixes).
tty: mcf: MCF54418 has 10 UARTS (git-fixes).
tty: n_gsm: fix missing receive state reset after mode switch (git-fixes).
tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (git-fixes).
tty: n_tty: Fix buffer offsets when lookahead is used (git-fixes).
tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT (git-fixes).
tty: vt: fix 20 vs 0x20 typo in EScsiignore (git-fixes).
ubifs: dbg_check_idx_size: Fix kmemleak if loading znode failed (git-fixes).
ubifs: fix sort function prototype (git-fixes).
ubifs: Queue up space reservation tasks if retrying many times (git-fixes).
ubifs: Remove unreachable code in dbg_check_ltab_lnum (git-fixes).
ubifs: Set page uptodate in the correct place (git-fixes).
Update config files: adjust for Arm CONFIG_MT798X_WMAC (bsc#1227149)
Update config files (bsc#1227282). Update the CONFIG_LSM option to include the selinux LSM in the default set of LSMs. The selinux LSM will not get enabled because it is preceded by apparmor, which is the first exclusive LSM. Updating CONFIG_LSM resolves failures that result in the system not booting up when 'security=selinux selinux=1' is passed to the kernel and SELinux policies are installed.
Update config files. Disable N_GSM (jsc#PED-8240).
Update config files for mt76 stuff (bsc#1227149)
Update config files: update for the realtek wifi driver updates (bsc#1227149)
USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k (stable-fixes).
usb: aqc111: stop lying about skb->truesize (git-fixes).
usb: atm: cxacru: fix endpoint checking in cxacru_bind() (git-fixes).
usb: audio-v2: Correct comments for struct uac_clock_selector_descriptor (git-fixes).
usb: cdc-wdm: close race between read and workqueue (git-fixes).
USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (git-fixes).
USB: core: Add hub_get() and hub_put() routines (stable-fixes).
USB: core: Fix access violation during port device removal (git-fixes).
USB: core: Fix deadlock in port 'disable' sysfs attribute (stable-fixes).
USB: core: Fix deadlock in usb_deauthorize_interface() (git-fixes).
USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor (git-fixes).
usb: Disable USB3 LPM at shutdown (stable-fixes).
usb: dwc2: gadget: Fix exiting from clock gating (git-fixes).
usb: dwc2: gadget: LPM flow fix (git-fixes).
usb: dwc2: host: Fix dereference issue in DDMA completion flow (git-fixes).
usb: dwc2: host: Fix hibernation flow (git-fixes).
usb: dwc2: host: Fix ISOC flow in DDMA mode (git-fixes).
usb: dwc2: host: Fix remote wakeup from hibernation (git-fixes).
usb: dwc3-am62: Disable wakeup at remove (git-fixes).
usb: dwc3-am62: fix module unload/reload behavior (git-fixes).
usb: dwc3-am62: Rename private data (git-fixes).
usb: dwc3: core: Add DWC31 version 2.00a controller (stable-fixes).
usb: dwc3: core: Prevent phy suspend during init (Git-fixes).
usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock (git-fixes).
usb: dwc3: core: Workaround for CSR read timeout (stable-fixes).
usb: dwc3: pci: add support for the Intel Panther Lake (stable-fixes).
usb: dwc3: pci: Do not set 'linux,phy_charger_detect' property on Lenovo Yoga Tab2 1380 (stable-fixes).
usb: dwc3: pci: Drop duplicate ID (git-fixes).
usb: dwc3: Properly set system wakeup (git-fixes).
usb: dwc3: Wait unconditionally after issuing EndXfer command (git-fixes).
usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed device (bsc#1220569).
usb: fotg210: Add missing kernel doc description (git-fixes).
usb: gadget: aspeed_udc: fix device address configuration (git-fixes).
usb: gadget: composite: fix OS descriptors w_value logic (git-fixes).
usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() (stable-fixes).
usb: gadget: f_fs: Fix a race condition when processing setup packets (git-fixes).
usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete (git-fixes).
usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error (stable-fixes).
usb: gadget: function: Remove usage of the deprecated ida_simple_xx() API (stable-fixes).
usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin (git-fixes).
usb: gadget: printer: fix races against disable (git-fixes).
usb: gadget: printer: SS+ support (stable-fixes).
usb: gadget: u_audio: Clear uac pointer when freed (git-fixes).
usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind (git-fixes).
usb: gadget: uvc: configfs: ensure guid to be valid before set (stable-fixes).
usb: gadget: uvc: mark incomplete frames with UVC_STREAM_ERR (stable-fixes).
usb: gadget: uvc: use correct buffer size when parsing configfs lists (git-fixes).
usb: misc: uss720: check for incompatible versions of the Belkin F5U002 (stable-fixes).
usb: musb: da8xx: fix a resource leak in probe() (git-fixes).
usb: ohci: Prevent missed ohci interrupts (git-fixes).
usb: phy: generic: Get the vbus supply (git-fixes).
USB: serial: add device ID for VeriFone adapter (stable-fixes).
USB: serial: cp210x: add ID for MGP Instruments PDS100 (stable-fixes).
USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M (stable-fixes).
USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB (stable-fixes).
USB: serial: mos7840: fix crash on resume (git-fixes).
USB: serial: option: add Fibocom FM135-GL variants (stable-fixes).
USB: serial: option: add Fibocom FM350-GL (stable-fixes).
USB: serial: option: add Lonsung U8300/U9300 product (stable-fixes).
USB: serial: option: add MeiG Smart SLM320 product (stable-fixes).
USB: serial: option: add Rolling RW101-GL and RW135-GL support (stable-fixes).
USB: serial: option: add Rolling RW350-GL variants (stable-fixes).
USB: serial: option: add support for Fibocom FM650/FG650 (stable-fixes).
USB: serial: option: add support for Foxconn T99W651 (stable-fixes).
USB: serial: option: add Telit FN912 rmnet compositions (stable-fixes).
USB: serial: option: add Telit FN920C04 rmnet compositions (stable-fixes).
USB: serial: option: add Telit generic core-dump composition (stable-fixes).
USB: serial: option: support Quectel EM060K sub-models (stable-fixes).
usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined (stable-fixes).
usb-storage: alauda: Check whether the media is initialized (git-fixes).
usb: typec: Return size of buffer if pd_set operation succeeds (git-fixes).
usb: typec: tcpci: add generic tcpci fallback compatible (stable-fixes).
usb: typec: tcpm: Check for port partner validity before consuming it (git-fixes).
usb: typec: tcpm: clear pd_event queue in PORT_RESET (git-fixes).
usb: typec: tcpm: Correct port source pdo array in pd_set callback (git-fixes).
usb: typec: tcpm: Correct the PDO counting in pd_set (git-fixes).
usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd() (git-fixes).
usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps (git-fixes).
usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state (git-fixes).
usb: typec: tcpm: unregister existing source caps before re-registration (git-fixes).
usb: typec: tipd: fix event checking for tps6598x (git-fixes).
usb: typec: ucsi: Ack also failed Get Error commands (git-fixes).
usb: typec: ucsi: Ack unsupported commands (stable-fixes).
usb: typec: ucsi_acpi: Refactor and fix DELL quirk (git-fixes).
usb: typec: ucsi: always register a link to USB PD device (git-fixes).
usb: typec: ucsi: Check for notifications after init (git-fixes).
usb: typec: ucsi: Clean up UCSI_CABLE_PROP macros (git-fixes).
usb: typec: ucsi: Clear EVENT_PENDING under PPM lock (git-fixes).
usb: typec: ucsi: Clear UCSI_CCI_RESET_COMPLETE before reset (stable-fixes).
usb: typec: ucsi: displayport: Fix potential deadlock (git-fixes).
usb: typec: ucsi: Fix connector check on init (git-fixes).
usb: typec: ucsi: Fix race between typec_switch and role_switch (git-fixes).
usb: typec: ucsi_glink: drop special handling for CCI_BUSY (stable-fixes).
usb: typec: ucsi: glink: fix child node release in probe function (git-fixes).
usb: typec: ucsi: Limit read size on v1.2 (stable-fixes).
usb: typec: ucsi: Never send a lone connector change ack (stable-fixes).
usb: typec: ucsi: simplify partner's PD caps registration (git-fixes).
USB: UAS: return ENODEV when submit urbs fail with device not attached (stable-fixes).
usb: ucsi: stm32: fix command completion handling (git-fixes).
usb: udc: remove warning when queue disabled ep (stable-fixes).
USB: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected (git-fixes).
usb: xhci: Add error handling in xhci_map_urb_for_dma (git-fixes).
usb: xhci: correct return value in case of STS_HCE (git-fixes).
usb: xhci: Implement xhci_handshake_check_state() helper.
usb: xhci-plat: Do not include xhci.h (stable-fixes).
usb: xhci: prevent potential failure in handle_tx_event() for Transfer events without TRB (stable-fixes).
vboxsf: Avoid an spurious warning if load_nls_xxx() fails (git-fixes).
vboxsf: explicitly deny setlease attempts (stable-fixes).
vdpa/mlx5: Allow CVQ size changes (git-fixes).
vdpa_sim: reset must not run (git-fixes).
veth: try harder when allocating queue memory (git-fixes).
vhost: Add smp_rmb() in vhost_enable_notify() (git-fixes).
vhost: Add smp_rmb() in vhost_vq_avail_empty() (git-fixes).
virtio-blk: Ensure no requests in virtqueues before deleting vqs (git-fixes).
virtio_net: avoid data-races on dev->stats fields (git-fixes).
virtio_net: checksum offloading handling fix (git-fixes).
virtio_net: Do not send RSS key if it is not supported (git-fixes).
virtio: treat alloc_dax() -EOPNOTSUPP failure as non-fatal (bsc#1223944).
VMCI: Fix an error handling path in vmci_guest_probe_device() (git-fixes).
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() (stable-fixes).
vmci: prevent speculation leaks by sanitizing event in event_deliver() (git-fixes).
vmlinux.lds.h: catch .bss..L* sections into BSS') (git-fixes).
vsock/virtio: fix packet delivery to tap device (git-fixes).
watchdog: bd9576: Drop 'always-running' property (git-fixes).
watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger (git-fixes).
watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin (git-fixes).
watchdog: rzg2l_wdt: Check return status of pm_runtime_put() (git-fixes).
watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get() (git-fixes).
watchdog: rzn1: Convert comma to semicolon (git-fixes).
watchdog: sa1100: Fix PTR_ERR_OR_ZERO() vs NULL check in sa1100dog_probe() (git-fixes).
wifi: add HAS_IOPORT dependencies (bsc#1227149).
wifi: ar5523: enable proper endpoint verification (git-fixes).
wifi: ar5523: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: ath10/11/12k: Use alloc_ordered_workqueue() to create ordered workqueues (bsc#1227149).
wifi: ath10k: add missing wmi_10_4_feature_mask documentation (bsc#1227149).
wifi: ath10k: add support to allow broadcast action frame RX (bsc#1227149).
wifi: ath10k: Annotate struct ath10k_ce_ring with __counted_by (bsc#1227149).
wifi: ath10k: consistently use kstrtoX_from_user() functions (bsc#1227149).
wifi: ath10k: Convert to platform remove callback returning void (bsc#1227149).
wifi: ath10k: correctly document enum wmi_tlv_tx_pause_id (bsc#1227149).
wifi: ath10k: Drop checks that are always false (bsc#1227149).
wifi: ath10k: Drop cleaning of driver data from probe error path and remove (bsc#1227149).
wifi: ath10k: drop HTT_DATA_TX_STATUS_DOWNLOAD_FAIL (bsc#1227149).
wifi: ath10k: Fix a few spelling errors (bsc#1227149).
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger() (git-fixes).
wifi: ath10k: Fix enum ath10k_fw_crash_dump_type kernel-doc (bsc#1227149).
wifi: ath10k: Fix htt_data_tx_completion kernel-doc warning (bsc#1227149).
wifi: ath10k: fix htt_q_state_conf & htt_q_state kernel-doc (bsc#1227149).
wifi: ath10k: fix QCOM_RPROC_COMMON dependency (git-fixes).
wifi: ath10k: fix Wvoid-pointer-to-enum-cast warning (bsc#1227149).
wifi: ath10k: improve structure padding (bsc#1227149).
wifi: ath10k: indicate to mac80211 scan complete with aborted flag for ATH10K_SCAN_STARTING state (bsc#1227149).
wifi: ath10k: poll service ready message before failing (git-fixes).
wifi: ath10k: populate board data for WCN3990 (git-fixes).
wifi: ath10k: remove ath10k_htc_record::pauload[] (bsc#1227149).
wifi: ath10k: remove duplicate memset() in 10.4 TDLS peer update (bsc#1227149).
wifi: ath10k: remove struct wmi_pdev_chanlist_update_event (bsc#1227149).
wifi: ath10k: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: ath10k: Remove unused struct ath10k_htc_frame (bsc#1227149).
wifi: ath10k: remove unused template structs (bsc#1227149).
wifi: ath10k: replace deprecated strncpy with memcpy (bsc#1227149).
wifi: ath10k: replace ENOTSUPP with EOPNOTSUPP (bsc#1227149).
wifi: ath10k: simplify __ath10k_htt_tx_txq_recalc() (bsc#1227149).
wifi: ath10k: simplify ath10k_peer_create() (bsc#1227149).
wifi: ath10k: Update Qualcomm Innovation Center, Inc. copyrights (bsc#1227149).
wifi: ath10k: Use DECLARE_FLEX_ARRAY() for ath10k_htc_record (bsc#1227149).
wifi: ath10k: use flexible array in struct wmi_host_mem_chunks (bsc#1227149).
wifi: ath10k: use flexible array in struct wmi_tdls_peer_capabilities (bsc#1227149).
wifi: ath10k: use flexible arrays for WMI start scan TLVs (bsc#1227149).
wifi: ath10k: Use list_count_nodes() (bsc#1227149).
wifi: ath11k: add chip id board name while searching board-2.bin for WCN6855 (bsc#1227149).
wifi: ath11k: Add coldboot calibration support for QCN9074 (bsc#1227149).
wifi: ath11k: add firmware-2.bin support (bsc#1227149).
wifi: ath11k: add handler for WMI_VDEV_SET_TPC_POWER_CMDID (bsc#1227149).
wifi: ath11k: Add HTT stats for PHY reset case (bsc#1227149).
wifi: ath11k: add parse of transmit power envelope element (bsc#1227149).
wifi: ath11k: add parsing of phy bitmap for reg rules (bsc#1227149).
wifi: ath11k: add support for QCA2066 (bsc#1227149).
wifi: ath11k: add support to select 6 GHz regulatory type (bsc#1227149).
wifi: ath11k: add WMI event debug messages (bsc#1227149).
wifi: ath11k: add WMI_TLV_SERVICE_EXT_TPC_REG_SUPPORT service bit (bsc#1227149).
wifi: ath11k: Allow ath11k to boot without caldata in ftm mode (bsc#1227149).
wifi: ath11k: ath11k_debugfs_register(): fix format-truncation warning (bsc#1227149).
wifi: ath11k: avoid forward declaration of ath11k_mac_start_vdev_delay() (bsc#1227149).
wifi: ath11k: call ath11k_mac_fils_discovery() without condition (bsc#1227149).
wifi: ath11k: Consistently use ath11k_vif_to_arvif() (bsc#1227149).
wifi: ath11k: Consolidate WMI peer flags (bsc#1227149).
wifi: ath11k: constify MHI channel and controller configs (bsc#1227149).
wifi: ath11k: Convert to platform remove callback returning void (bsc#1227149).
wifi: ath11k: debug: add ATH11K_DBG_CE (bsc#1227149).
wifi: ath11k: debug: remove unused ATH11K_DBG_ANY (bsc#1227149).
wifi: ath11k: debug: use all upper case in ATH11k_DBG_HAL (bsc#1227149).
wifi: ath11k: decrease MHI channel buffer length to 8KB (bsc#1207948).
wifi: ath11k: document HAL_RX_BUF_RBM_SW4_BM (bsc#1227149).
wifi: ath11k: Do not directly use scan_flags in struct scan_req_params (bsc#1227149).
wifi: ath11k: do not force enable power save on non-running vdevs (git-fixes).
wifi: ath11k: do not use %pK (bsc#1227149).
wifi: ath11k: dp: cleanup debug message (bsc#1227149).
wifi: ath11k: driver settings for MBSSID and EMA (bsc#1227149).
wifi: ath11k: drop NULL pointer check in ath11k_update_per_peer_tx_stats() (bsc#1227149).
wifi: ath11k: drop redundant check in ath11k_dp_rx_mon_dest_process() (bsc#1227149).
wifi: ath11k: EMA beacon support (bsc#1227149).
wifi: ath11k: enable 36 bit mask for stream DMA (bsc#1227149).
wifi: ath11k: factory test mode support (bsc#1227149).
wifi: ath11k: fill parameters for vdev set tpc power WMI command (bsc#1227149).
wifi: ath11k: Fix a few spelling errors (bsc#1227149).
wifi: ath11k: fix a possible dead lock caused by ab->base_lock (bsc#1227149).
wifi: ath11k: Fix ath11k_htc_record flexible record (bsc#1227149).
wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage (bsc#1227149).
wifi: ath11k: fix CAC running state during virtual interface start (bsc#1227149).
wifi: ath11k: fix connection failure due to unexpected peer delete (bsc#1227149).
wifi: ath11k: fix IOMMU errors on buffer rings (bsc#1227149).
wifi: ath11k: fix RCU documentation in ath11k_mac_op_ipv6_changed() (git-fixes).
wifi: ath11k: fix tid bitmap is 0 in peer rx mu stats (bsc#1227149).
wifi: ath11k: fix WCN6750 firmware crash caused by 17 num_vdevs (bsc#1227149).
wifi: ath11k: fix wrong definition of CE ring's base address (git-fixes).
wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers (git-fixes).
wifi: ath11k: fix Wvoid-pointer-to-enum-cast warning (bsc#1227149).
wifi: ath11k: hal: cleanup debug message (bsc#1227149).
wifi: ath11k: htc: cleanup debug messages (bsc#1227149).
wifi: ath11k: initialize eirp_power before use (bsc#1227149).
wifi: ath11k: Introduce and use ath11k_sta_to_arsta() (bsc#1227149).
wifi: ath11k: mac: fix struct ieee80211_sband_iftype_data handling (bsc#1227149).
wifi: ath11k: MBSSID beacon support (bsc#1227149).
wifi: ath11k: MBSSID configuration during vdev create/start (bsc#1227149).
wifi: ath11k: MBSSID parameter configuration in AP mode (bsc#1227149).
wifi: ath11k: mhi: add a warning message for MHI_CB_EE_RDDM crash (bsc#1227149).
wifi: ath11k: move pci.ops registration ahead (bsc#1227149).
wifi: ath11k: move power type check to ASSOC stage when connecting to 6 GHz AP (bsc#1227149).
wifi: ath11k: move references from rsvd2 to info fields (bsc#1227149).
wifi: ath11k: pci: cleanup debug logging (bsc#1227149).
wifi: ath11k: print debug level in debug messages (bsc#1227149).
wifi: ath11k: provide address list if chip supports 2 stations (bsc#1227149).
wifi: ath11k: qmi: refactor ath11k_qmi_m3_load() (bsc#1227149).
wifi: ath11k: Really consistently use ath11k_vif_to_arvif() (bsc#1227149).
wifi: ath11k: refactor ath11k_wmi_tlv_parse_alloc() (bsc#1227149).
wifi: ath11k: refactor setting country code logic (stable-fixes).
wifi: ath11k: refactor vif parameter configurations (bsc#1227149).
wifi: ath11k: Relocate the func ath11k_mac_bitrate_mask_num_ht_rates() and change hweight16 to hweight8 (bsc#1227149).
wifi: ath11k: rely on mac80211 debugfs handling for vif (bsc#1227149).
wifi: ath11k: Remove ath11k_base::bd_api (bsc#1227149).
wifi: ath11k: remove ath11k_htc_record::pauload[] (bsc#1227149).
wifi: ath11k: Remove cal_done check during probe (bsc#1227149).
wifi: ath11k: remove invalid peer create logic (bsc#1227149).
wifi: ath11k: remove manual mask names from debug messages (bsc#1227149).
wifi: ath11k: Remove obsolete struct wmi_peer_flags_map *peer_flags (bsc#1227149).
wifi: ath11k: Remove scan_flags union from struct scan_req_params (bsc#1227149).
wifi: ath11k: Remove struct ath11k::ops (bsc#1227149).
wifi: ath11k: remove unnecessary (void*) conversions (bsc#1227149).
wifi: ath11k: Remove unneeded semicolon (bsc#1227149).
wifi: ath11k: remove unsupported event handlers (bsc#1227149).
wifi: ath11k: Remove unused declarations (bsc#1227149).
wifi: ath11k: remove unused function ath11k_tm_event_wmi() (bsc#1227149).
wifi: ath11k: remove unused members of 'struct ath11k_base' (bsc#1227149).
wifi: ath11k: remove unused scan_events from struct scan_req_params (bsc#1227149).
wifi: ath11k: Remove unused struct ath11k_htc_frame (bsc#1227149).
wifi: ath11k: rename ath11k_start_vdev_delay() (bsc#1227149).
wifi: ath11k: rename MBSSID fields in wmi_vdev_up_cmd (bsc#1227149).
wifi: ath11k: rename the sc naming convention to ab (bsc#1227149).
wifi: ath11k: rename the wmi_sc naming convention to wmi_ab (bsc#1227149).
wifi: ath11k: replace ENOTSUPP with EOPNOTSUPP (bsc#1227149).
wifi: ath11k: restore country code during resume (git-fixes).
wifi: ath11k: save max transmit power in vdev start response event from firmware (bsc#1227149).
wifi: ath11k: save power spectral density(PSD) of regulatory rule (bsc#1227149).
wifi: ath11k: Send HT fixed rate in WMI peer fixed param (bsc#1227149).
wifi: ath11k: simplify ath11k_mac_validate_vht_he_fixed_rate_settings() (bsc#1227149).
wifi: ath11k: simplify the code with module_platform_driver (bsc#1227149).
wifi: ath11k: Split coldboot calibration hw_param (bsc#1227149).
wifi: ath11k: store cur_regulatory_info for each radio (bsc#1227149).
wifi: ath11k: support 2 station interfaces (bsc#1227149).
wifi: ath11k: update proper pdev/vdev id for testmode command (bsc#1227149).
wifi: ath11k: Update Qualcomm Innovation Center, Inc. copyrights (bsc#1227149).
wifi: ath11k: update regulatory rules when connect to AP on 6 GHz band for station (bsc#1227149).
wifi: ath11k: update regulatory rules when interface added (bsc#1227149).
wifi: ath11k: Use device_get_match_data() (bsc#1227149).
wifi: ath11k: use kstrtoul_from_user() where appropriate (bsc#1227149).
wifi: ath11k: Use list_count_nodes() (bsc#1227149).
wifi: ath11k: use RCU when accessing struct inet6_dev::ac_list (bsc#1227149).
wifi: ath11k: use select for CRYPTO_MICHAEL_MIC (bsc#1227149).
wifi: ath11k: use WMI_VDEV_SET_TPC_POWER_CMDID when EXT_TPC_REG_SUPPORT for 6 GHz (bsc#1227149).
wifi: ath11k: wmi: add unified command debug messages (bsc#1227149).
wifi: ath11k: wmi: cleanup error handling in ath11k_wmi_send_init_country_cmd() (bsc#1227149).
wifi: ath11k: wmi: use common error handling style (bsc#1227149).
wifi: ath11k: workaround too long expansion sparse warnings (bsc#1227149).
wifi: ath12k: add 320 MHz bandwidth enums (bsc#1227149).
wifi: ath12k: add ath12k_qmi_free_resource() for recovery (bsc#1227149).
wifi: ath12k: add CE and ext IRQ flag to indicate irq_handler (bsc#1227149).
wifi: ath12k: add EHT PHY modes (bsc#1227149).
wifi: ath12k: add fallback board name without variant while searching board-2.bin (bsc#1227149).
wifi: ath12k: add firmware-2.bin support (bsc#1227149).
wifi: ath12k: add handler for scan event WMI_SCAN_EVENT_DEQUEUED (bsc#1227149).
wifi: ath12k: add keep backward compatibility of PHY mode to avoid firmware crash (bsc#1227149).
wifi: ath12k: Add logic to write QRTR node id to scratch (bsc#1227149).
wifi: ath12k: add MAC id support in WBM error path (bsc#1227149).
wifi: ath12k: Add missing qmi_txn_cancel() calls (bsc#1227149).
wifi: ath12k: add MLO header in peer association (bsc#1227149).
wifi: ath12k: add msdu_end structure for WCN7850 (bsc#1227149).
wifi: ath12k: add P2P IE in beacon template (bsc#1227149).
wifi: ath12k: add parsing of phy bitmap for reg rules (bsc#1227149).
wifi: ath12k: add processing for TWT disable event (bsc#1227149).
wifi: ath12k: add processing for TWT enable event (bsc#1227149).
wifi: ath12k: add qmi_cnss_feature_bitmap field to hardware parameters (bsc#1227149).
wifi: ath12k: add QMI PHY capability learn support (bsc#1227149).
wifi: ath12k: add rcu lock for ath12k_wmi_p2p_noa_event() (bsc#1227149).
wifi: ath12k: add read variant from SMBIOS for download board data (bsc#1227149).
wifi: ath12k: add string type to search board data in board-2.bin for WCN7850 (bsc#1227149).
wifi: ath12k: add support for BA1024 (bsc#1227149).
wifi: ath12k: add support for collecting firmware log (bsc#1227149).
wifi: ath12k: add support for hardware rfkill for WCN7850 (bsc#1227149).
wifi: ath12k: add support for peer meta data version (bsc#1227149).
wifi: ath12k: add support one MSI vector (bsc#1227149).
wifi: ath12k: Add support to parse new WMI event for 6 GHz regulatory (bsc#1227149).
wifi: ath12k: add support to search regdb data in board-2.bin for WCN7850 (bsc#1227149).
wifi: ath12k: add wait operation for tx management packets for flush from mac80211 (bsc#1227149).
wifi: ath12k: add WMI support for EHT peer (bsc#1227149).
wifi: ath12k: advertise P2P dev support for WCN7850 (bsc#1227149).
wifi: ath12k: allow specific mgmt frame tx while vdev is not up (bsc#1227149).
wifi: ath12k: ath12k_start_vdev_delay(): convert to use ar (bsc#1227149).
wifi: ath12k: avoid deadlock by change ieee80211_queue_work for regd_update_work (bsc#1227149).
wifi: ath12k: avoid duplicated vdev stop (git-fixes).
wifi: ath12k: avoid explicit HW conversion argument in Rxdma replenish (bsc#1227149).
wifi: ath12k: avoid explicit mac id argument in Rxdma replenish (bsc#1227149).
wifi: ath12k: avoid explicit RBM id argument in Rxdma replenish (bsc#1227149).
wifi: ath12k: avoid repeated hw access from ar (bsc#1227149).
wifi: ath12k: avoid repeated wiphy access from hw (bsc#1227149).
wifi: ath12k: call ath12k_mac_fils_discovery() without condition (bsc#1227149).
wifi: ath12k: change DMA direction while mapping reinjected packets (git-fixes).
wifi: ath12k: change interface combination for P2P mode (bsc#1227149).
wifi: ath12k: change MAC buffer ring size to 2048 (bsc#1227149).
wifi: ath12k: change to initialize recovery variables earlier in ath12k_core_reset() (bsc#1227149).
wifi: ath12k: change to treat alpha code na as world wide regdomain (bsc#1227149).
wifi: ath12k: change to use dynamic memory for channel list of scan (bsc#1227149).
wifi: ath12k: change WLAN_SCAN_PARAMS_MAX_IE_LEN from 256 to 512 (bsc#1227149).
wifi: ath12k: check hardware major version for WCN7850 (bsc#1227149).
wifi: ath12k: check M3 buffer size as well whey trying to reuse it (bsc#1227149).
wifi: ath12k: configure puncturing bitmap (bsc#1227149).
wifi: ath12k: configure RDDM size to MHI for device recovery (bsc#1227149).
wifi: ath12k: Consistently use ath12k_vif_to_arvif() (bsc#1227149).
wifi: ath12k: Consolidate WMI peer flags (bsc#1227149).
wifi: ath12k: Correct 6 GHz frequency value in rx status (git-fixes).
wifi: ath12k: correct the data_type from QMI_OPT_FLAG to QMI_UNSIGNED_1_BYTE for mlo_capable (bsc#1227149).
wifi: ath12k: delete the timer rx_replenish_retry during rmmod (bsc#1227149).
wifi: ath12k: designating channel frequency for ROC scan (bsc#1227149).
wifi: ath12k: disable QMI PHY capability learn in split-phy QCN9274 (bsc#1227149).
wifi: ath12k: do not drop data frames from unassociated stations (bsc#1227149).
wifi: ath12k: Do not drop tx_status in failure case (git-fixes).
wifi: ath12k: do not restore ASPM in case of single MSI vector (bsc#1227149).
wifi: ath12k: Do not use scan_flags from struct ath12k_wmi_scan_req_arg (bsc#1227149).
wifi: ath12k: drop failed transmitted frames from metric calculation (git-fixes).
wifi: ath12k: drop NULL pointer check in ath12k_update_per_peer_tx_stats() (bsc#1227149).
wifi: ath12k: enable 320 MHz bandwidth for 6 GHz band in EHT PHY capability for WCN7850 (bsc#1227149).
wifi: ath12k: enable 802.11 power save mode in station mode (bsc#1227149).
wifi: ath12k: enable IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS for WCN7850 (bsc#1227149).
wifi: ath12k: Enable Mesh support for QCN9274 (bsc#1227149).
wifi: ath12k: fetch correct pdev id from WMI_SERVICE_READY_EXT_EVENTID (bsc#1227149).
wifi: ath12k: Fix a few spelling errors (bsc#1227149).
wifi: ath12k: fix broken structure wmi_vdev_create_cmd (bsc#1227149).
wifi: ath12k: fix conf_mutex in ath12k_mac_op_unassign_vif_chanctx() (bsc#1227149).
wifi: ath12k: fix debug messages (bsc#1227149).
wifi: ath12k: fix fetching MCBC flag for QCN9274 (bsc#1227149).
wifi: ath12k: fix firmware assert during insmod in memory segment mode (bsc#1227149).
wifi: ath12k: fix firmware crash during reo reinject (git-fixes).
wifi: ath12k: fix invalid m3 buffer address (bsc#1227149).
wifi: ath12k: fix invalid memory access while processing fragmented packets (git-fixes).
wifi: ath12k: fix kernel crash during resume (bsc#1227149).
wifi: ath12k: fix license in p2p.c and p2p.h (bsc#1227149).
wifi: ath12k: fix out-of-bound access of qmi_invoke_handler() (git-fixes).
wifi: ath12k: fix PCI read and write (bsc#1227149).
wifi: ath12k: fix peer metadata parsing (git-fixes).
wifi: ath12k: fix potential wmi_mgmt_tx_queue race condition (bsc#1227149).
wifi: ath12k: fix radar detection in 160 MHz (bsc#1227149).
wifi: ath12k: fix recovery fail while firmware crash when doing channel switch (bsc#1227149).
wifi: ath12k: fix the error handler of rfkill config (bsc#1227149).
wifi: ath12k: fix the issue that the multicast/broadcast indicator is not read correctly for WCN7850 (bsc#1227149).
wifi: ath12k: fix the problem that down grade phy mode operation (bsc#1227149).
wifi: ath12k: Fix tx completion ring (WBM2SW) setup failure (git-fixes).
wifi: ath12k: Fix uninitialized use of ret in ath12k_mac_allocate() (bsc#1227149).
wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan (bsc#1227149).
wifi: ath12k: fix wrong definition of CE ring's base address (git-fixes).
wifi: ath12k: fix wrong definitions of hal_reo_update_rx_queue (bsc#1227149).
wifi: ath12k: get msi_data again after request_irq is called (bsc#1227149).
wifi: ath12k: implement handling of P2P NoA event (bsc#1227149).
wifi: ath12k: implement remain on channel for P2P mode (bsc#1227149).
wifi: ath12k: increase vdev setup timeout (bsc#1227149).
wifi: ath12k: indicate NON MBSSID vdev by default during vdev start (bsc#1227149).
wifi: ath12k: indicate scan complete for scan canceled when scan running (bsc#1227149).
wifi: ath12k: indicate to mac80211 scan complete with aborted flag for ATH12K_SCAN_STARTING state (bsc#1227149).
wifi: ath12k: Introduce and use ath12k_sta_to_arsta() (bsc#1227149).
wifi: ath12k: Introduce the container for mac80211 hw (bsc#1227149).
wifi: ath12k: Make QMI message rules const (bsc#1227149).
wifi: ath12k: move HE capabilities processing to a new function (bsc#1227149).
wifi: ath12k: move peer delete after vdev stop of station for WCN7850 (bsc#1227149).
wifi: ath12k: Optimize the mac80211 hw data access (bsc#1227149).
wifi: ath12k: parse WMI service ready ext2 event (bsc#1227149).
wifi: ath12k: peer assoc for 320 MHz (bsc#1227149).
wifi: ath12k: prepare EHT peer assoc parameters (bsc#1227149).
wifi: ath12k: propagate EHT capabilities to userspace (bsc#1227149).
wifi: ath12k: Read board id to support split-PHY QCN9274 (bsc#1227149).
wifi: ath12k: refactor ath12k_bss_assoc() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_allocate() and ath12k_mac_destroy() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_op_ampdu_action() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_op_config() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_op_configure_filter() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_op_conf_tx() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_op_flush() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_op_start() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_op_stop() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_op_update_vif_offload() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_register() and ath12k_mac_unregister() (bsc#1227149).
wifi: ath12k: refactor ath12k_mac_setup_channels_rates() (bsc#1227149).
wifi: ath12k: refactor ath12k_wmi_tlv_parse_alloc() (bsc#1227149).
wifi: ath12k: refactor DP Rxdma ring structure (bsc#1227149).
wifi: ath12k: refactor multiple MSI vector implementation (bsc#1227149).
wifi: ath12k: refactor QMI MLO host capability helper function (bsc#1227149).
wifi: ath12k: Refactor the mac80211 hw access from link/radio (bsc#1227149).
wifi: ath12k: refactor the rfkill worker (bsc#1227149).
wifi: ath12k: register EHT mesh capabilities (bsc#1227149).
wifi: ath12k: relax list iteration in ath12k_mac_vif_unref() (bsc#1227149).
wifi: ath12k: relocate ath12k_dp_pdev_pre_alloc() call (bsc#1227149).
wifi: ath12k: Remove ath12k_base::bd_api (bsc#1227149).
wifi: ath12k: remove hal_desc_sz from hw params (bsc#1227149).
wifi: ath12k: Remove obsolete struct wmi_peer_flags_map *peer_flags (bsc#1227149).
wifi: ath12k: remove redundant memset() in ath12k_hal_reo_qdesc_setup() (bsc#1227149).
wifi: ath12k: Remove some dead code (bsc#1227149).
wifi: ath12k: Remove struct ath12k::ops (bsc#1227149).
wifi: ath12k: remove the unused scan_events from ath12k_wmi_scan_req_arg (bsc#1227149).
wifi: ath12k: Remove unnecessary struct qmi_txn initializers (bsc#1227149).
wifi: ath12k: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: ath12k: remove unused ATH12K_BD_IE_BOARD_EXT (bsc#1227149).
wifi: ath12k: Remove unused declarations (bsc#1227149).
wifi: ath12k: Remove unused scan_flags from struct ath12k_wmi_scan_req_arg (bsc#1227149).
wifi: ath12k: rename HE capabilities setup/copy functions (bsc#1227149).
wifi: ath12k: rename the sc naming convention to ab (bsc#1227149).
wifi: ath12k: rename the wmi_sc naming convention to wmi_ab (bsc#1227149).
wifi: ath12k: replace ENOTSUPP with EOPNOTSUPP (bsc#1227149).
wifi: ath12k: send WMI_PEER_REORDER_QUEUE_SETUP_CMDID when ADDBA session starts (bsc#1227149).
wifi: ath12k: Set default beacon mode to burst mode (bsc#1227149).
wifi: ath12k: set IRQ affinity to CPU0 in case of one MSI vector (bsc#1227149).
wifi: ath12k: set PERST pin no pull request for WCN7850 (bsc#1227149).
wifi: ath12k: split hal_ops to support RX TLVs word mask compaction (bsc#1227149).
wifi: ath12k: subscribe required word mask from rx tlv (bsc#1227149).
wifi: ath12k: support default regdb while searching board-2.bin for WCN7850 (bsc#1227149).
wifi: ath12k: trigger station disconnect on hardware restart (bsc#1227149).
wifi: ath12k: use ATH12K_PCI_IRQ_DP_OFFSET for DP IRQ (bsc#1227149).
wifi: ath12k: use correct flag field for 320 MHz channels (bsc#1227149).
wifi: ath12k: Use initializers for QMI message buffers (bsc#1227149).
wifi: ath12k: Use msdu_end to check MCBC (bsc#1227149).
wifi: ath12k: Use pdev_id rather than mac_id to get pdev (bsc#1227149).
wifi: ath12k: use select for CRYPTO_MICHAEL_MIC (bsc#1227149).
wifi: ath12k: WMI support to process EHT capabilities (bsc#1227149).
wifi: ath5k: ath5k_hw_get_median_noise_floor(): use swap() (bsc#1227149).
wifi: ath5k: Convert to platform remove callback returning void (bsc#1227149).
wifi: ath5k: remove phydir check from ath5k_debug_init_device() (bsc#1227149).
wifi: ath5k: Remove redundant dev_err() (bsc#1227149).
wifi: ath5k: remove unnecessary (void*) conversions (bsc#1227149).
wifi: ath5k: remove unused ath5k_eeprom_info::ee_antenna (bsc#1227149).
wifi: ath5k: replace deprecated strncpy with strscpy (bsc#1227149).
wifi: ath6kl: Remove error checking for debugfs_create_dir() (bsc#1227149).
wifi: ath6kl: remove unnecessary (void*) conversions (bsc#1227149).
wifi: ath6kl: replace deprecated strncpy with memcpy (bsc#1227149).
wifi: ath9k: avoid using uninitialized array (bsc#1227149).
wifi: ath9k: clean up function ath9k_hif_usb_resume (bsc#1227149).
wifi: ath9k: consistently use kstrtoX_from_user() functions (bsc#1227149).
wifi: ath9k: Convert to platform remove callback returning void (bsc#1227149).
wifi: ath9k: delete some unused/duplicate macros (bsc#1227149).
wifi: ath9k: fix LNA selection in ath_ant_try_scan() (stable-fixes).
wifi: ath9k: fix parameter check in ath9k_init_debug() (bsc#1227149).
wifi: ath9k_htc: fix format-truncation warning (bsc#1227149).
wifi: ath9k: remove redundant assignment to variable ret (bsc#1227149).
wifi: ath9k: Remove unnecessary ternary operators (bsc#1227149).
wifi: ath9k: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: ath9k: Remove unused declarations (bsc#1227149).
wifi: ath9k: reset survey of current channel after a scan started (bsc#1227149).
wifi: ath9k: simplify ar9003_hw_process_ini() (bsc#1227149).
wifi: ath9k: use u32 for txgain indexes (bsc#1227149).
wifi: ath9k: work around memset overflow warning (bsc#1227149).
wifi: ath: dfs_pattern_detector: Use flex array to simplify code (bsc#1227149).
wifi: ath: remove unused-but-set parameter (bsc#1227149).
wifi: ath: Use is_multicast_ether_addr() to check multicast Ether address (bsc#1227149).
wifi: ath: work around false-positive stringop-overread warning (bsc#1227149).
wifi: atk10k: Do not opencode ath10k_pci_priv() in ath10k_ahb_priv() (bsc#1227149).
wifi: atmel: remove unused ioctl function (bsc#1227149).
wifi: b43: silence sparse warnings (bsc#1227149).
wifi: brcm80211: replace deprecated strncpy with strscpy (bsc#1227149).
wifi: brcmfmac: Add DMI nvram filename quirk for ACEPC W5 Pro (stable-fixes).
wifi: brcmfmac: add linefeed at end of file (bsc#1227149).
wifi: brcmfmac: add per-vendor feature detection callback (stable-fixes).
wifi: brcmfmac: allow per-vendor event handling (bsc#1227149).
wifi: brcmfmac: Annotate struct brcmf_gscan_config with __counted_by (bsc#1227149).
wifi: brcmfmac: cfg80211: Use WSEC to set SAE password (stable-fixes).
wifi: brcmfmac: Demote vendor-specific attach/detach messages to info (git-fixes).
wifi: brcmfmac: Detect corner error case earlier with log (bsc#1227149).
wifi: brcmfmac: do not cast hidden SSID attribute value to boolean (bsc#1227149).
wifi: brcmfmac: do not pass hidden SSID attribute as value directly (bsc#1227149).
wifi: brcmfmac: export firmware interface functions (bsc#1227149).
wifi: brcmfmac: firmware: Annotate struct brcmf_fw_request with __counted_by (bsc#1227149).
wifi: brcmfmac: fix format-truncation warnings (bsc#1227149).
wifi: brcmfmac: fix gnu_printf warnings (bsc#1227149).
wifi: brcmfmac: fweh: Add __counted_by for struct brcmf_fweh_queue_item and use struct_size() (bsc#1227149).
wifi: brcmfmac: fweh: Fix boot crash on Raspberry Pi 4 (bsc#1227149).
wifi: brcmfmac: move feature overrides before feature_disable (bsc#1227149).
wifi: brcmfmac: pcie: handle randbuf allocation failure (git-fixes).
wifi: brcmsmac: cleanup SCB-related data types (bsc#1227149).
wifi: brcmsmac: fix gnu_printf warnings (bsc#1227149).
wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device (git-fixes).
wifi: brcmsmac: phy: Remove unreachable code (bsc#1227149).
wifi: brcmsmac: remove more unused data types (bsc#1227149).
wifi: brcmsmac: remove unused data type (bsc#1227149).
wifi: brcmsmac: replace deprecated strncpy with memcpy (bsc#1227149).
wifi: brcmsmac: silence sparse warnings (bsc#1227149).
wifi: brcmutil: use helper function pktq_empty() instead of open code (bsc#1227149).
wifi: carl9170: add a proper sanity check for endpoints (git-fixes).
wifi: carl9170: re-fix fortified-memset warning (git-fixes).
wifi: carl9170: Remove redundant assignment to pointer super (bsc#1227149).
wifi: carl9170: remove unnecessary (void*) conversions (bsc#1227149).
wifi: cfg80211: add a flag to disable wireless extensions (bsc#1227149).
wifi: cfg80211: add BSS usage reporting (bsc#1227149).
wifi: cfg80211: add local_state_change to deauth trace (bsc#1227149).
wifi: cfg80211: add locked debugfs wrappers (bsc#1227149).
wifi: cfg80211: address several kerneldoc warnings (bsc#1227149).
wifi: cfg80211: add RNR with reporting AP information (bsc#1227149).
wifi: cfg80211: Add support for setting TID to link mapping (bsc#1227149).
wifi: cfg80211: add support for SPP A-MSDUs (bsc#1227149).
wifi: cfg80211: Allow AP/P2PGO to indicate port authorization to peer STA/P2PClient (bsc#1227149).
wifi: cfg80211: allow reg update by driver even if wiphy->regd is set (bsc#1227149).
wifi: cfg80211: annotate iftype_data pointer with sparse (bsc#1227149).
wifi: cfg80211: avoid double free if updating BSS fails (bsc#1227149).
wifi: cfg80211: call reg_call_notifier on beacon hints (bsc#1227149).
wifi: cfg80211: check A-MSDU format more carefully (stable-fixes).
wifi: cfg80211: check RTNL when iterating devices (bsc#1227149).
wifi: cfg80211: check wiphy mutex is held for wdev mutex (bsc#1227149).
wifi: cfg80211: consume both probe response and beacon IEs (bsc#1227149).
wifi: cfg80211: detect stuck ECSA element in probe resp (bsc#1227149).
wifi: cfg80211: ensure cfg80211_bss_update frees IEs on error (bsc#1227149).
wifi: cfg80211: export DFS CAC time and usable state helper functions (bsc#1227149).
wifi: cfg80211: expose nl80211_chan_width_to_mhz for wide sharing (bsc#1227149).
wifi: cfg80211: Extend support for scanning while MLO connected (bsc#1227149).
wifi: cfg80211: fix 6 GHz scan request building (stable-fixes).
wifi: cfg80211: fix CQM for non-range use (bsc#1227149).
wifi: cfg80211: fix header kernel-doc typos (bsc#1227149).
wifi: cfg80211: fix kernel-doc for wiphy_delayed_work_flush() (bsc#1227149).
wifi: cfg80211: fix rdev_dump_mpp() arguments order (stable-fixes).
wifi: cfg80211: fix spelling & punctutation (bsc#1227149).
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class (stable-fixes).
wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he() (git-fixes).
wifi: cfg80211: Fix typo in documentation (bsc#1227149).
wifi: cfg80211: fully move wiphy work to unbound workqueue (git-fixes).
wifi: cfg80211: generate an ML element for per-STA profiles (bsc#1227149).
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() (git-fixes).
wifi: cfg80211: Handle specific BSSID in 6GHz scanning (bsc#1227149).
wifi: cfg80211: handle UHB AP and STA power type (bsc#1227149).
wifi: cfg80211: hold wiphy lock in cfg80211_any_wiphy_oper_chan() (bsc#1227149).
wifi: cfg80211: hold wiphy mutex for send_interface (bsc#1227149).
wifi: cfg80211: improve documentation for flag fields (bsc#1227149).
wifi: cfg80211: Include operating class 137 in 6GHz band (bsc#1227149).
wifi: cfg80211: introduce cfg80211_ssid_eq() (bsc#1227149).
wifi: cfg80211: Lock wiphy in cfg80211_get_station (git-fixes).
wifi: cfg80211: make read-only array centers_80mhz static const (bsc#1227149).
wifi: cfg80211: make RX assoc data const (bsc#1227149).
wifi: cfg80211: modify prototype for change_beacon (bsc#1227149).
wifi: cfg80211: OWE DH IE handling offload (bsc#1227149).
wifi: cfg80211: pmsr: use correct nla_get_uX functions (git-fixes).
wifi: cfg80211: reg: describe return values in kernel-doc (bsc#1227149).
wifi: cfg80211: reg: fix various kernel-doc issues (bsc#1227149).
wifi: cfg80211: reg: hold wiphy mutex for wdev iteration (bsc#1227149).
wifi: cfg80211: reg: Support P2P operation on DFS channels (bsc#1227149).
wifi: cfg80211: remove scan_width support (bsc#1227149).
wifi: cfg80211: remove wdev mutex (bsc#1227149).
wifi: cfg80211: rename UHB to 6 GHz (bsc#1227149).
wifi: cfg80211: Replace ENOTSUPP with EOPNOTSUPP (bsc#1227149).
wifi: cfg80211: report per-link errors during association (bsc#1227149).
wifi: cfg80211: report unprotected deauth/disassoc in wowlan (bsc#1227149).
wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (git-fixes).
wifi: cfg80211: save power spectral density(psd) of regulatory rule (bsc#1227149).
wifi: cfg80211: Schedule regulatory check on BSS STA channel change (bsc#1227149).
wifi: cfg80211: set correct param change count in ML element (bsc#1227149).
wifi: cfg80211: sme: hold wiphy lock for wdev iteration (bsc#1227149).
wifi: cfg80211: sort certificates in build (bsc#1227149).
wifi: cfg80211: split struct cfg80211_ap_settings (bsc#1227149).
wifi: cfg80211: Update the default DSCP-to-UP mapping (bsc#1227149).
wifi: cfg80211: validate HE operation element parsing (bsc#1227149).
wifi: cfg80211: wext: add extra SIOCSIWSCAN data check (stable-fixes).
wifi: cfg80211: wext: convert return value to kernel-doc (bsc#1227149).
wifi: cfg80211: wext: set ssids=NULL for passive scans (git-fixes).
wifi: cw1200: Avoid processing an invalid TIM IE (bsc#1227149).
wifi: cw1200: Convert to GPIO descriptors (bsc#1227149).
wifi: cw1200: fix __le16 sparse warnings (bsc#1227149).
wifi: cw1200: restore endian swapping (bsc#1227149).
wifi: drivers: Explicitly include correct DT includes (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for ar5523 (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for Broadcom WLAN (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for mt76 drivers (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for p54spi (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for wcn36xx (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for wilc1000 (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for wl1251 and wl12xx (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for wl18xx (bsc#1227149).
wifi: fill in MODULE_DESCRIPTION()s for wlcore (bsc#1227149).
wifi: hostap: Add __counted_by for struct prism2_download_data and use struct_size() (bsc#1227149).
wifi: hostap: fix stringop-truncations GCC warning (bsc#1227149).
wifi: hostap: remove unused ioctl function (bsc#1227149).
wifi: ieee80211: add definitions for negotiated TID to Link map (bsc#1227149).
wifi: ieee80211: add UL-bandwidth definition of trigger frame (bsc#1227149).
wifi: ieee80211: check for NULL in ieee80211_mle_size_ok() (stable-fixes).
wifi: ieee80211: fix ieee80211_mle_basic_sta_prof_size_ok() (git-fixes).
wifi: iwlmei: do not send nic info with invalid mac address (bsc#1227149).
wifi: iwlmei: do not send SAP messages if AMT is disabled (bsc#1227149).
wifi: iwlmei: send driver down SAP message only if wiamt is enabled (bsc#1227149).
wifi: iwlmei: send HOST_GOES_DOWN message even if wiamt is disabled (bsc#1227149).
wifi: iwlmvm: fw: Add new OEM vendor to tas approved list (bsc#1227149).
wifi: iwlwifi: abort scan when rfkill on but device enabled (bsc#1227149).
wifi: iwlwifi: add HONOR to PPAG approved list (bsc#1227149).
wifi: iwlwifi: add mapping of a periphery register crf for WH RF (bsc#1227149).
wifi: iwlwifi: add new RF support for wifi7 (bsc#1227149).
wifi: iwlwifi: add Razer to ppag approved list (bsc#1227149).
wifi: iwlwifi: Add rf_mapping of new wifi7 devices (bsc#1227149).
wifi: iwlwifi: add support for activating UNII-1 in WW via BIOS (bsc#1227149).
wifi: iwlwifi: add support for a wiphy_work rx handler (bsc#1227149).
wifi: iwlwifi: Add support for new 802.11be device (bsc#1227149).
wifi: iwlwifi: add support for new ini region types (bsc#1227149).
wifi: iwlwifi: Add support for PPAG cmd v5 and PPAG revision 3 (bsc#1227149).
wifi: iwlwifi: add support for SNPS DPHYIP region type (bsc#1227149).
wifi: iwlwifi: adjust rx_phyinfo debugfs to MLO (bsc#1227149).
wifi: iwlwifi: always have 'uats_enabled' (bsc#1227149).
wifi: iwlwifi: api: clean up some kernel-doc/typos (bsc#1227149).
wifi: iwlwifi: api: dbg-tlv: fix up kernel-doc (bsc#1227149).
wifi: iwlwifi: api: fix a small upper/lower-case typo (bsc#1227149).
wifi: iwlwifi: api: fix center_freq label in PHY diagram (bsc#1227149).
wifi: iwlwifi: api: fix constant version to match FW (bsc#1227149).
wifi: iwlwifi: api: fix kernel-doc reference (bsc#1227149).
wifi: iwlwifi: bump FW API to 84 for AX/BZ/SC devices (bsc#1227149).
wifi: iwlwifi: bump FW API to 86 for AX/BZ/SC devices (bsc#1227149).
wifi: iwlwifi: bump FW API to 87 for AX/BZ/SC devices (bsc#1227149).
wifi: iwlwifi: bump FW API to 88 for AX/BZ/SC devices (bsc#1227149).
wifi: iwlwifi: cancel session protection only if there is one (bsc#1227149).
wifi: iwlwifi: change link id in time event to s8 (bsc#1227149).
wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware() (bsc#1227149).
wifi: iwlwifi: cleanup BT Shared Single Antenna code (bsc#1227149).
wifi: iwlwifi: cleanup sending PER_CHAIN_LIMIT_OFFSET_CMD (bsc#1227149).
wifi: iwlwifi: cleanup uefi variables loading (bsc#1227149).
wifi: iwlwifi: clear link_id in time_event (bsc#1227149).
wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef (git-fixes).
wifi: iwlwifi: dbg-tlv: avoid extra allocation/copy (bsc#1227149).
wifi: iwlwifi: dbg-tlv: use struct_size() for allocation (bsc#1227149).
wifi: iwlwifi: disable 160 MHz based on subsystem device ID (bsc#1227149).
wifi: iwlwifi: disable eSR when BT is active (bsc#1227149).
wifi: iwlwifi: disable multi rx queue for 9000 (bsc#1227149).
wifi: iwlwifi: do not check TAS block list size twice (bsc#1227149).
wifi: iwlwifi: Do not mark DFS channels as NO-IR (bsc#1227149).
wifi: iwlwifi: do not use TRUE/FALSE with bool (bsc#1227149).
wifi: iwlwifi: drop NULL pointer check in iwl_mvm_tzone_set_trip_temp() (bsc#1227149).
wifi: iwlwifi: dvm: remove kernel-doc warnings (bsc#1227149).
wifi: iwlwifi: error-dump: fix kernel-doc issues (bsc#1227149).
wifi: iwlwifi: Extract common prph mac/phy regions data dump logic (bsc#1227149).
wifi: iwlwifi: fail NIC access fast on dead NIC (bsc#1227149).
wifi: iwlwifi: fix #ifdef CONFIG_ACPI check (bsc#1227149).
wifi: iwlwifi: fix iwl_mvm_get_valid_rx_ant() (git-fixes).
wifi: iwlwifi: fix opmode start/stop race (bsc#1227149).
wifi: iwlwifi: fix some kernel-doc issues (bsc#1227149).
wifi: iwlwifi: Fix spelling mistake 'SESION' -> 'SESSION' (bsc#1227149).
wifi: iwlwifi: fix system commands group ordering (bsc#1227149).
wifi: iwlwifi: fix the rf step and flavor bits range (bsc#1227149).
wifi: iwlwifi: fw: Add support for UATS table in UHB (bsc#1227149).
wifi: iwlwifi: fw: allow vmalloc for PNVM image (bsc#1227149).
wifi: iwlwifi: fw: dbg: ensure correct config name sizes (bsc#1227149).
wifi: iwlwifi: fw: disable firmware debug asserts (bsc#1227149).
wifi: iwlwifi: fw: do not always use FW dump trig (git-fixes).
wifi: iwlwifi: fw: file: clean up kernel-doc (bsc#1227149).
wifi: iwlwifi: fw: file: do not use [0] for variable arrays (bsc#1227149).
wifi: iwlwifi: fw: fix compiler warning for NULL string print (bsc#1227149).
wifi: iwlwifi: fw: fix compile w/o CONFIG_ACPI (git-fixes).
wifi: iwlwifi: fw: Fix debugfs command sending (bsc#1227149).
wifi: iwlwifi: fw: increase fw_version string size (bsc#1227149).
wifi: iwlwifi: fw: reconstruct the API/CAPA enum number (bsc#1227149).
wifi: iwlwifi: fw: replace deprecated strncpy with strscpy_pad (bsc#1227149).
wifi: iwlwifi: handle per-phy statistics from fw (bsc#1227149).
wifi: iwlwifi: implement can_activate_links callback (bsc#1227149).
wifi: iwlwifi: implement enable/disable for China 2022 regulatory (bsc#1227149).
wifi: iwlwifi: implement GLAI ACPI table loading (bsc#1227149).
wifi: iwlwifi: iwl-fh.h: fix kernel-doc issues (bsc#1227149).
wifi: iwlwifi: iwlmvm: handle unprotected deauth/disassoc in d3 (bsc#1227149).
wifi: iwlwifi: iwl-trans.h: clean up kernel-doc (bsc#1227149).
wifi: iwlwifi: load b0 version of ucode for HR1/HR2 (bsc#1227149).
wifi: iwlwifi: make TB reallocation a debug message (bsc#1227149).
wifi: iwlwifi: make time_events MLO aware (bsc#1227149).
wifi: iwlwifi: mei: return error from register when not built (bsc#1227149).
wifi: iwlwifi: mvm: add a debugfs hook to clear the monitor data (bsc#1227149).
wifi: iwlwifi: mvm: add a debug print when we get a BAR (bsc#1227149).
wifi: iwlwifi: mvm: add a per-link debugfs (bsc#1227149).
wifi: iwlwifi: mvm: add a print when sending RLC command (bsc#1227149).
wifi: iwlwifi: mvm: Add basic link selection logic (bsc#1227149).
wifi: iwlwifi: mvm: add start mac ctdp sum calculation debugfs handler (bsc#1227149).
wifi: iwlwifi: mvm: add support for new wowlan_info_notif (bsc#1227149).
wifi: iwlwifi: mvm: Add support for removing responder TKs (bsc#1227149).
wifi: iwlwifi: mvm: add support for TID to link mapping neg request (bsc#1227149).
wifi: iwlwifi: mvm: add US/Canada MCC to API (bsc#1227149).
wifi: iwlwifi: mvm: advertise MLO only if EHT is enabled (bsc#1227149).
wifi: iwlwifi: mvm: advertise support for protected ranging negotiation (bsc#1227149).
wifi: iwlwifi: mvm: advertise support for SCS traffic description (bsc#1227149).
wifi: iwlwifi: mvm: allocate STA links only for active links (git-fixes).
wifi: iwlwifi: mvm: Allow DFS concurrent operation (bsc#1227149).
wifi: iwlwifi: mvm: always update keys in D3 exit (bsc#1227149).
wifi: iwlwifi: mvm: avoid garbage iPN (bsc#1227149).
wifi: iwlwifi: mvm: calculate EMLSR mode after connection (bsc#1227149).
wifi: iwlwifi: mvm: check AP supports EMLSR (bsc#1227149).
wifi: iwlwifi: mvm: check for iwl_mvm_mld_update_sta() errors (bsc#1227149).
wifi: iwlwifi: mvm: check link more carefully (bsc#1227149).
wifi: iwlwifi: mvm: check n_ssids before accessing the ssids (git-fixes).
wifi: iwlwifi: mvm: check own capabilities for EMLSR (bsc#1227149).
wifi: iwlwifi: mvm: cleanup MLO and non-MLO unification code (bsc#1227149).
wifi: iwlwifi: mvm: combine condition/warning (bsc#1227149).
wifi: iwlwifi: mvm: Configure the link mapping for non-MLD FW (bsc#1227149).
wifi: iwlwifi: mvm: consider having one active link (bsc#1227149).
wifi: iwlwifi: mvm: const-ify chandef pointers (bsc#1227149).
wifi: iwlwifi: mvm: Correctly report TSF data in scan complete (bsc#1227149).
wifi: iwlwifi: mvm: cycle FW link on chanctx removal (bsc#1227149).
wifi: iwlwifi: mvm: d3: avoid intermediate/early mutex unlock (bsc#1227149).
wifi: iwlwifi: mvm: d3: disconnect on GTK rekey failure (bsc#1227149).
wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup (stable-fixes).
wifi: iwlwifi: mvm: d3: implement suspend with MLO (bsc#1227149).
wifi: iwlwifi: mvm: debugfs for fw system stats (bsc#1227149).
wifi: iwlwifi: mvm: Declare support for secure LTF measurement (bsc#1227149).
wifi: iwlwifi: mvm: define RX queue sync timeout as a macro (bsc#1227149).
wifi: iwlwifi: mvm: disable MLO for the time being (bsc#1227149).
wifi: iwlwifi: mvm: disallow puncturing in US/Canada (bsc#1227149).
wifi: iwlwifi: mvm: disconnect long CSA only w/o alternative (bsc#1227149).
wifi: iwlwifi: mvm: disconnect station vifs if recovery failed (bsc#1227149).
wifi: iwlwifi: mvm: do not abort queue sync in CT-kill (bsc#1227149).
wifi: iwlwifi: mvm: do not add dummy phy context (bsc#1227149).
wifi: iwlwifi: mvm: do not always disable EMLSR due to BT coex (bsc#1227149).
wifi: iwlwifi: mvm: do not do duplicate detection for nullfunc packets (bsc#1227149).
wifi: iwlwifi: mvm: do not initialize csa_work twice (git-fixes).
wifi: iwlwifi: mvm: do not limit VLP/AFC to UATS-enabled (git-fixes).
wifi: iwlwifi: mvm: do not read past the mfuart notifcation (git-fixes).
wifi: iwlwifi: mvm: do not send BT_COEX_CI command on new devices (bsc#1227149).
wifi: iwlwifi: mvm: do not send NDPs for new tx devices (bsc#1227149).
wifi: iwlwifi: mvm: do not send STA_DISABLE_TX_CMD for newer firmware (bsc#1227149).
wifi: iwlwifi: mvm: do not send the smart fifo command if not needed (bsc#1227149).
wifi: iwlwifi: mvm: do not set trigger frame padding in AP mode (bsc#1227149).
wifi: iwlwifi: mvm: do not support reduced tx power on ack for new devices (bsc#1227149).
wifi: iwlwifi: mvm: do not wake up rx_sync_waitq upon RFKILL (git-fixes).
wifi: iwlwifi: mvm: Do not warn if valid link pair was not found (bsc#1227149).
wifi: iwlwifi: mvm: Do not warn on invalid link on scan complete (bsc#1227149).
wifi: iwlwifi: mvm: enable FILS DF Tx on non-PSC channel (bsc#1227149).
wifi: iwlwifi: mvm: enable HE TX/RX <242 tone RU on new RFs (bsc#1227149).
wifi: iwlwifi: mvm: expand queue sync warning messages (bsc#1227149).
wifi: iwlwifi: mvm: extend alive timeout to 2 seconds (bsc#1227149).
wifi: iwlwifi: mvm: Extend support for P2P service discovery (bsc#1227149).
wifi: iwlwifi: mvm: fix a battery life regression (bsc#1227149).
wifi: iwlwifi: mvm: fix a crash on 7265 (bsc#1227149).
wifi: iwlwifi: mvm: fix active link counting during recovery (git-fixes).
wifi: iwlwifi: mvm: fix check in iwl_mvm_sta_fw_id_mask (git-fixes).
wifi: iwlwifi: mvm: Fix FTM initiator flags (bsc#1227149).
wifi: iwlwifi: mvm: fix kernel-doc (bsc#1227149).
wifi: iwlwifi: mvm: fix link ID management (bsc#1227149).
wifi: iwlwifi: mvm: fix recovery flow in CSA (bsc#1227149).
wifi: iwlwifi: mvm: fix regdb initialization (bsc#1227149).
wifi: iwlwifi: mvm: fix ROC version check (bsc#1227149).
wifi: iwlwifi: mvm: fix SB CFG check (bsc#1227149).
wifi: iwlwifi: mvm: Fix scan abort handling with HW rfkill (stable-fixes).
wifi: iwlwifi: mvm: fix the key PN index (bsc#1227149).
wifi: iwlwifi: mvm: fix the PHY context resolution for p2p device (bsc#1227149).
wifi: iwlwifi: mvm: fix thermal kernel-doc (bsc#1227149).
wifi: iwlwifi: mvm: fix the TXF mapping for BZ devices (bsc#1227149).
wifi: iwlwifi: mvm: Fix unreachable code path (bsc#1227149).
wifi: iwlwifi: mvm: fold the ref++ into iwl_mvm_phy_ctxt_add (bsc#1227149).
wifi: iwlwifi: mvm: guard against invalid STA ID on removal (stable-fixes).
wifi: iwlwifi: mvm: handle BA session teardown in RF-kill (stable-fixes).
wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd (stable-fixes).
wifi: iwlwifi: mvm: handle debugfs names more carefully (bsc#1227149).
wifi: iwlwifi: mvm: handle link-STA allocation in restart (bsc#1227149).
wifi: iwlwifi: mvm: implement new firmware API for statistics (bsc#1227149).
wifi: iwlwifi: mvm: implement ROC version 3 (bsc#1227149).
wifi: iwlwifi: mvm: include link ID when releasing frames (git-fixes).
wifi: iwlwifi: mvm: increase session protection after CSA (bsc#1227149).
wifi: iwlwifi: mvm: init vif works only once (git-fixes).
wifi: iwlwifi: mvm: introduce esr_disable_reason (bsc#1227149).
wifi: iwlwifi: mvm: introduce PHY_CONTEXT_CMD_API_VER_5 (bsc#1227149).
wifi: iwlwifi: mvm: iterate active links for STA queues (bsc#1227149).
wifi: iwlwifi: mvm: Keep connection in case of missed beacons during RX (bsc#1227149).
wifi: iwlwifi: mvm: limit EHT 320 MHz MCS for STEP URM (bsc#1227149).
wifi: iwlwifi: mvm: limit pseudo-D3 to 60 seconds (bsc#1227149).
wifi: iwlwifi: mvm: log dropped frames (bsc#1227149).
wifi: iwlwifi: mvm: log dropped packets due to MIC error (bsc#1227149).
wifi: iwlwifi: mvm: make functions public (bsc#1227149).
wifi: iwlwifi: mvm: make pldr_sync AX210 specific (bsc#1227149).
wifi: iwlwifi: mvm: make 'pldr_sync' mode effective (bsc#1227149).
wifi: iwlwifi: mvm: move BA notif messages before action (bsc#1227149).
wifi: iwlwifi: mvm: move listen interval to constants (bsc#1227149).
wifi: iwlwifi: mvm: move RU alloc B2 placement (bsc#1227149).
wifi: iwlwifi: mvm: offload IGTK in AP if BIGTK is supported (bsc#1227149).
wifi: iwlwifi: mvm: partially support PHY context version 6 (bsc#1227149).
wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF (bsc#1227149).
wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option (stable-fixes).
wifi: iwlwifi: mvm: reduce maximum RX A-MPDU size (bsc#1227149).
wifi: iwlwifi: mvm: refactor duplicate chanctx condition (bsc#1227149).
wifi: iwlwifi: mvm: refactor TX rate handling (bsc#1227149).
wifi: iwlwifi: mvm: remove EHT code from mac80211.c (bsc#1227149).
wifi: iwlwifi: mvm: remove flags for enable/disable beacon filter (bsc#1227149).
wifi: iwlwifi: mvm: remove IWL_MVM_STATUS_NEED_FLUSH_P2P (bsc#1227149).
wifi: iwlwifi: mvm: remove old PASN station when adding a new one (git-fixes).
wifi: iwlwifi: mvm: remove one queue sync on BA session stop (bsc#1227149).
wifi: iwlwifi: mvm: remove set_tim callback for MLD ops (bsc#1227149).
wifi: iwlwifi: mvm: remove stale STA link data during restart (stable-fixes).
wifi: iwlwifi: mvm: Return success if link could not be removed (bsc#1227149).
wifi: iwlwifi: mvm: return uid from iwl_mvm_build_scan_cmd (git-fixes).
wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 (git-fixes).
wifi: iwlwifi: mvm: rework debugfs handling (bsc#1227149).
wifi: iwlwifi: mvm: rfi: fix potential response leaks (git-fixes).
wifi: iwlwifi: mvm: select STA mask only for active links (git-fixes).
wifi: iwlwifi: mvm: set properly mac header (git-fixes).
wifi: iwlwifi: mvm: show dump even for pldr_sync (bsc#1227149).
wifi: iwlwifi: mvm: show skb_mac_gso_segment() failure reason (bsc#1227149).
wifi: iwlwifi: mvm: simplify the reorder buffer (bsc#1227149).
wifi: iwlwifi: mvm: skip adding debugfs symlink for reconfig (bsc#1227149).
wifi: iwlwifi: mvm: support CSA with MLD (bsc#1227149).
wifi: iwlwifi: mvm: support flush on AP interfaces (bsc#1227149).
wifi: iwlwifi: mvm: support injection antenna control (bsc#1227149).
wifi: iwlwifi: mvm: support iwl_dev_tx_power_cmd_v8 (bsc#1227149).
wifi: iwlwifi: mvm: support set_antenna() (bsc#1227149).
wifi: iwlwifi: mvm: support SPP A-MSDUs (bsc#1227149).
wifi: iwlwifi: mvm: unlock mvm if there is no primary link (bsc#1227149).
wifi: iwlwifi: mvm: use correct address 3 in A-MSDU (stable-fixes).
wifi: iwlwifi: mvm: use fast balance scan in case of an active P2P GO (bsc#1227149).
wifi: iwlwifi: mvm: Use the link ID provided in scan request (bsc#1227149).
wifi: iwlwifi: mvm: use the new command to clear the internal buffer (bsc#1227149).
wifi: iwlwifi: mvm: work around A-MSDU size problem (bsc#1227149).
wifi: iwlwifi: no power save during transition to D3 (bsc#1227149).
wifi: iwlwifi: nvm-parse: advertise common packet padding (bsc#1227149).
wifi: iwlwifi: nvm: parse the VLP/AFC bit from regulatory (bsc#1227149).
wifi: iwlwifi: pcie: Add new PCI device id and CNVI (bsc#1227149).
wifi: iwlwifi: pcie: Add the PCI device id for new hardware (stable-fixes).
wifi: iwlwifi: pcie: clean up device removal work (bsc#1227149).
wifi: iwlwifi: pcie: clean up gen1/gen2 TFD unmap (bsc#1227149).
wifi: iwlwifi: pcie: clean up WFPM control bits (bsc#1227149).
wifi: iwlwifi: pcie: do not allow hw-rfkill to stop device on gen2 (bsc#1227149).
wifi: iwlwifi: pcie: dump CSRs before removal (bsc#1227149).
wifi: iwlwifi: pcie: enable TOP fatal error interrupt (bsc#1227149).
wifi: iwlwifi: pcie: fix kernel-doc issues (bsc#1227149).
wifi: iwlwifi: pcie: fix RB status reading (stable-fixes).
wifi: iwlwifi: pcie: get_crf_id() can be void (bsc#1227149).
wifi: iwlwifi: pcie: give up mem read if HW is dead (bsc#1227149).
wifi: iwlwifi: pcie: move gen1 TB handling to header (bsc#1227149).
wifi: iwlwifi: pcie: point invalid TFDs to invalid data (bsc#1227149).
wifi: iwlwifi: pcie: propagate iwl_pcie_gen2_apm_init() error (bsc#1227149).
wifi: iwlwifi: pcie: (re-)assign BAR0 on driver bind (bsc#1227149).
wifi: iwlwifi: pcie: rescan bus if no parent (bsc#1227149).
wifi: iwlwifi: prepare for reading DSM from UEFI (bsc#1227149).
wifi: iwlwifi: prepare for reading PPAG table from UEFI (bsc#1227149).
wifi: iwlwifi: prepare for reading SAR tables from UEFI (bsc#1227149).
wifi: iwlwifi: prepare for reading SPLC from UEFI (bsc#1227149).
wifi: iwlwifi: prepare for reading TAS table from UEFI (bsc#1227149).
wifi: iwlwifi: properly check if link is active (bsc#1227149).
wifi: iwlwifi: properly set WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK (stable-fixes).
wifi: iwlwifi: queue: fix kernel-doc (bsc#1227149).
wifi: iwlwifi: queue: improve warning for no skb in reclaim (bsc#1227149).
wifi: iwlwifi: queue: move iwl_txq_gen2_set_tb() up (bsc#1227149).
wifi: iwlwifi: read DSM func 2 for specific RF types (bsc#1227149).
wifi: iwlwifi: read DSM functions from UEFI (bsc#1227149).
wifi: iwlwifi: read ECKV table from UEFI (bsc#1227149).
wifi: iwlwifi: read mac step from aux register (bsc#1227149).
wifi: iwlwifi: read PPAG table from UEFI (bsc#1227149).
wifi: iwlwifi: read SAR tables from UEFI (bsc#1227149).
wifi: iwlwifi: read SPLC from UEFI (bsc#1227149).
wifi: iwlwifi: read txq->read_ptr under lock (stable-fixes).
wifi: iwlwifi: read WRDD table from UEFI (bsc#1227149).
wifi: iwlwifi: read WTAS table from UEFI (bsc#1227149).
wifi: iwlwifi: reconfigure TLC during HW restart (git-fixes).
wifi: iwlwifi: refactor RX tracing (bsc#1227149).
wifi: iwlwifi: remove async command callback (bsc#1227149).
wifi: iwlwifi: remove dead-code (bsc#1227149).
wifi: iwlwifi: remove 'def_rx_queue' struct member (bsc#1227149).
wifi: iwlwifi: remove extra kernel-doc (bsc#1227149).
wifi: iwlwifi: remove Gl A-step remnants (bsc#1227149).
wifi: iwlwifi: remove memory check for LMAC error address (bsc#1227149).
wifi: iwlwifi: remove retry loops in start (bsc#1227149).
wifi: iwlwifi: remove unused function prototype (bsc#1227149).
wifi: iwlwifi: remove WARN from read_mem32() (bsc#1227149).
wifi: iwlwifi: replace ENOTSUPP with EOPNOTSUPP (bsc#1227149).
wifi: iwlwifi: return negative -EINVAL instead of positive EINVAL (bsc#1227149).
wifi: iwlwifi: rfi: use a single DSM function for all RFI configurations (bsc#1227149).
wifi: iwlwifi: send EDT table to FW (bsc#1227149).
wifi: iwlwifi: separate TAS 'read-from-BIOS' and 'send-to-FW' flows (bsc#1227149).
wifi: iwlwifi: simplify getting DSM from ACPI (bsc#1227149).
wifi: iwlwifi: skip affinity setting on non-SMP (bsc#1227149).
wifi: iwlwifi: skip opmode start retries on dead transport (bsc#1227149).
wifi: iwlwifi: small cleanups in PPAG table flows (bsc#1227149).
wifi: iwlwifi: support link command version 2 (bsc#1227149).
wifi: iwlwifi: support link_id in SESSION_PROTECTION cmd (bsc#1227149).
wifi: iwlwifi: support link id in SESSION_PROTECTION_NOTIF (bsc#1227149).
wifi: iwlwifi: take send-DSM-to-FW flows out of ACPI ifdef (bsc#1227149).
wifi: iwlwifi: take SGOM and UATS code out of ACPI ifdef (bsc#1227149).
wifi: iwlwifi: trace full frames with TX status request (bsc#1227149).
wifi: iwlwifi: update context info structure definitions (bsc#1227149).
wifi: iwlwifi: Use request_module_nowait (bsc#1227149).
wifi: iwlwifi: use system_unbound_wq for debug dump (bsc#1227149).
wifi: iwlwifi: validate PPAG table when sent to FW (bsc#1227149).
wifi: lib80211: remove unused variables iv32 and iv16 (bsc#1227149).
wifi: libertas: add missing calls to cancel_work_sync() (bsc#1227149).
wifi: libertas: cleanup SDIO reset (bsc#1227149).
wifi: libertas: Follow renaming of SPI 'master' to 'controller' (bsc#1227149).
wifi: libertas: handle possible spu_write_u16() errors (bsc#1227149).
wifi: libertas: prefer kstrtoX() for simple integer conversions (bsc#1227149).
wifi: libertas: simplify list operations in free_if_spi_card() (bsc#1227149).
wifi: libertas: use convenient lists to manage SDIO packets (bsc#1227149).
wifi: mac80211: add a driver callback to add vif debugfs (bsc#1227149).
wifi: mac80211: add a driver callback to check active_links (bsc#1227149).
wifi: mac80211: add a flag to disallow puncturing (bsc#1227149).
wifi: mac80211: add back SPDX identifier (bsc#1227149).
wifi: mac80211: Add __counted_by for struct ieee802_11_elems and use struct_size() (bsc#1227149).
wifi: mac80211: add ieee80211_tdls_sta_link_id() (stable-fixes).
wifi: mac80211: additions to change_beacon() (bsc#1227149).
wifi: mac80211: add link id to ieee80211_gtk_rekey_add() (bsc#1227149).
wifi: mac80211: add link id to mgd_prepare_tx() (bsc#1227149).
wifi: mac80211: add more ops assertions (bsc#1227149).
wifi: mac80211: add more warnings about inserting sta info (bsc#1227149).
wifi: mac80211: add/remove driver debugfs entries as appropriate (bsc#1227149).
wifi: mac80211: address some kerneldoc warnings (bsc#1227149).
wifi: mac80211: add support for mld in ieee80211_chswitch_done (bsc#1227149).
wifi: mac80211: add support for parsing TID to Link mapping element (bsc#1227149).
wifi: mac80211: add support for SPP A-MSDUs (bsc#1227149).
wifi: mac80211: allow 64-bit radiotap timestamps (bsc#1227149).
wifi: mac80211: allow for_each_sta_active_link() under RCU (bsc#1227149).
wifi: mac80211: apply mcast rate only if interface is up (stable-fixes).
wifi: mac80211: Avoid address calculations via out of bounds array indexing (stable-fixes).
wifi: mac80211: cancel multi-link reconf work on disconnect (git-fixes).
wifi: mac80211: chanctx emulation set CHANGE_CHANNEL when in_reconfig (git-fixes).
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes (stable-fixes).
wifi: mac80211: check EHT/TTLM action frame length (bsc#1227149).
wifi: mac80211: Check if we had first beacon with relevant links (bsc#1227149).
wifi: mac80211: check wiphy mutex in ops (bsc#1227149).
wifi: mac80211: cleanup airtime arithmetic with ieee80211_sta_keep_active() (bsc#1227149).
wifi: mac80211: clean up assignments to pointer cache (stable-fixes).
wifi: mac80211: cleanup auth_data only if association continues (bsc#1227149).
wifi: mac80211: convert A-MPDU work to wiphy work (bsc#1227149).
wifi: mac80211: correctly parse Spatial Reuse Parameter Set element (git-fixes).
wifi: mac80211: correctly set active links upon TTLM (bsc#1227149).
wifi: mac80211: correcty limit wider BW TDLS STAs (git-fixes).
wifi: mac80211: debugfs: lock wiphy instead of RTNL (bsc#1227149).
wifi: mac80211: describe return values in kernel-doc (bsc#1227149).
wifi: mac80211: disable softirqs for queued frame handling (git-fixes).
wifi: mac80211: do not connect to an AP while it's in a CSA process (bsc#1227149).
wifi: mac80211: Do not force off-channel for management Tx with MLO (bsc#1227149).
wifi: mac80211: Do not include crypto/algapi.h (bsc#1227149).
wifi: mac80211: do not re-add debugfs entries during resume (bsc#1227149).
wifi: mac80211: do not select link ID if not provided in scan request (bsc#1227149).
wifi: mac80211: do not set ESS capab bit in assoc request (bsc#1227149).
wifi: mac80211: do not use rate mask for scanning (stable-fixes).
wifi: mac80211: drop robust action frames before assoc (bsc#1227149).
wifi: mac80211: drop spurious WARN_ON() in ieee80211_ibss_csa_beacon() (bsc#1227149).
wifi: mac80211: ensure beacon is non-S1G prior to extracting the beacon timestamp field (stable-fixes).
wifi: mac80211: ethtool: always hold wiphy mutex (bsc#1227149).
wifi: mac80211: ethtool: hold wiphy mutex (bsc#1227149).
wifi: mac80211: expand __ieee80211_data_to_8023() status (bsc#1227149).
wifi: mac80211: Extend support for scanning while MLO connected (bsc#1227149).
wifi: mac80211: extend wiphy lock in interface removal (bsc#1227149).
wifi: mac80211: fix advertised TTLM scheduling (bsc#1227149).
wifi: mac80211: fix a expired vs. cancel race in roc (bsc#1227149).
wifi: mac80211: fix another key installation error path (bsc#1227149).
wifi: mac80211: fix BA session teardown race (bsc#1227149).
wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP (bsc#1227149).
wifi: mac80211: fix change_address deadlock during unregister (bsc#1227149).
wifi: mac80211: fix channel switch link data (bsc#1227149).
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() (git-fixes).
wifi: mac80211: fix driver debugfs for vif type change (bsc#1227149).
wifi: mac80211: fix error path key leak (bsc#1227149).
wifi: mac80211: fixes in FILS discovery updates (bsc#1227149).
wifi: mac80211: fix header kernel-doc typos (bsc#1227149).
wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc (stable-fixes).
wifi: mac80211: fix ieee80211_drop_unencrypted_mgmt return type/value (bsc#1227149).
wifi: mac80211: fix monitor channel with chanctx emulation (bsc#1227149).
wifi: mac80211: fix potential key leak (bsc#1227149).
wifi: mac80211: fix prep_connection error path (stable-fixes).
wifi: mac80211: Fix SMPS handling in the context of MLO (bsc#1227149).
wifi: mac80211: fix SMPS status handling (bsc#1227149).
wifi: mac80211: fix spelling typo in comment (bsc#1227149).
wifi: mac80211: fix TXQ error path and cleanup (bsc#1227149).
wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() (stable-fixes).
wifi: mac80211: fix unaligned le16 access (git-fixes).
wifi: mac80211: fix unsolicited broadcast probe config (bsc#1227149).
wifi: mac80211: fix various kernel-doc issues (bsc#1227149).
wifi: mac80211: flush STA queues on unauthorization (bsc#1227149).
wifi: mac80211: flush wiphy work where appropriate (bsc#1227149).
wifi: mac80211: handle debugfs when switching to/from MLO (bsc#1227149).
wifi: mac80211: handle tasklet frames before stopping (stable-fixes).
wifi: mac80211: hold wiphy_lock around concurrency checks (bsc#1227149).
wifi: mac80211: hold wiphy lock in netdev/link debugfs (bsc#1227149).
wifi: mac80211_hwsim: init peer measurement result (git-fixes).
wifi: mac80211: improve CSA/ECSA connection refusal (bsc#1227149).
wifi: mac80211: initialize SMPS mode correctly (bsc#1227149).
wifi: mac80211: lock wiphy for aggregation debugfs (bsc#1227149).
wifi: mac80211: lock wiphy in IP address notifier (bsc#1227149).
wifi: mac80211: make mgd_protect_tdls_discover MLO-aware (bsc#1227149).
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects (git-fixes).
wifi: mac80211: mesh: fix some kdoc warnings (bsc#1227149).
wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata (stable-fixes).
wifi: mac80211: mesh: Remove unused function declaration mesh_ids_set_default() (bsc#1227149).
wifi: mac80211: move color change finalize to wiphy work (bsc#1227149).
wifi: mac80211: move CSA finalize to wiphy work (bsc#1227149).
wifi: mac80211: move DFS CAC work to wiphy work (bsc#1227149).
wifi: mac80211: move dynamic PS to wiphy work (bsc#1227149).
wifi: mac80211: move filter reconfig to wiphy work (bsc#1227149).
wifi: mac80211: move key tailroom work to wiphy work (bsc#1227149).
wifi: mac80211: move link activation work to wiphy work (bsc#1227149).
wifi: mac80211: move monitor work to wiphy work (bsc#1227149).
wifi: mac80211: move TDLS work to wiphy work (bsc#1227149).
wifi: mac80211: move tspec work to wiphy work (bsc#1227149).
wifi: mac80211: Notify the low level driver on change in MLO valid links (bsc#1227149).
wifi: mac80211: Print local link address during authentication (bsc#1227149).
wifi: mac80211: process and save negotiated TID to Link mapping request (bsc#1227149).
wifi: mac80211: purge TX queues in flush_queues flow (bsc#1227149).
wifi: mac80211: Recalc offload when monitor stop (git-fixes).
wifi: mac80211: reduce iflist_mtx (bsc#1227149).
wifi: mac80211: reject MLO channel configuration if not supported (bsc#1227149).
wifi: mac80211: relax RCU check in for_each_vif_active_link() (bsc#1227149).
wifi: mac80211: remove ampdu_mlme.mtx (bsc#1227149).
wifi: mac80211: remove chanctx_mtx (bsc#1227149).
wifi: mac80211: remove key_mtx (bsc#1227149).
wifi: mac80211: remove link before AP (git-fixes).
wifi: mac80211: remove local->mtx (bsc#1227149).
wifi: mac80211: remove redundant ML element check (bsc#1227149).
wifi: mac80211: remove RX_DROP_UNUSABLE (bsc#1227149).
wifi: mac80211: remove shifted rate support (bsc#1227149).
wifi: mac80211: remove sta_mtx (bsc#1227149).
wifi: mac80211: remove unnecessary struct forward declaration (bsc#1227149).
wifi: mac80211: Remove unused function declarations (bsc#1227149).
wifi: mac80211: Rename and update IEEE80211_VIF_DISABLE_SMPS_OVERRIDE (bsc#1227149).
wifi: mac80211: rename ieee80211_tx_status() to ieee80211_tx_status_skb() (bsc#1227149).
wifi: mac80211: rename struct cfg80211_rx_assoc_resp to cfg80211_rx_assoc_resp_data (bsc#1227149).
wifi: mac80211: Replace ENOTSUPP with EOPNOTSUPP (bsc#1227149).
wifi: mac80211: report per-link error during association (bsc#1227149).
wifi: mac80211: reset negotiated TTLM on disconnect (git-fixes).
wifi: mac80211: rework ack_frame_id handling a bit (bsc#1227149).
wifi: mac80211: rework RX timestamp flags (bsc#1227149).
wifi: mac80211: rx.c: fix sentence grammar (bsc#1227149).
wifi: mac80211: Sanity check tx bitrate if not provided by driver (bsc#1227149).
wifi: mac80211: Schedule regulatory channels check on bandwith change (bsc#1227149).
wifi: mac80211: set wiphy for virtual monitors (bsc#1227149).
wifi: mac80211: simplify non-chanctx drivers (bsc#1227149).
wifi: mac80211: Skip association timeout update after comeback rejection (bsc#1227149).
wifi: mac80211: split ieee80211_drop_unencrypted_mgmt() return value (bsc#1227149).
wifi: mac80211: sta_info.c: fix sentence grammar (bsc#1227149).
wifi: mac80211: support antenna control in injection (bsc#1227149).
wifi: mac80211: support handling of advertised TID-to-link mapping (bsc#1227149).
wifi: mac80211: take MBSSID/EHT data also from probe resp (bsc#1227149).
wifi: mac80211: take wiphy lock for MAC addr change (bsc#1227149).
wifi: mac80211: tx: clarify conditions in if statement (bsc#1227149).
wifi: mac80211: update beacon counters per link basis (bsc#1227149).
wifi: mac80211: update some locking documentation (bsc#1227149).
wifi: mac80211: update the rx_chains after set_antenna() (bsc#1227149).
wifi: mac80211: use bandwidth indication element for CSA (bsc#1227149).
wifi: mac80211: use deflink and fix typo in link ID check (bsc#1227149).
wifi: mac80211: use wiphy locked debugfs for sdata/link (bsc#1227149).
wifi: mac80211: use wiphy locked debugfs helpers for agg_status (bsc#1227149).
wifi: mt7601u: delete dead code checking debugfs returns (bsc#1227149).
wifi: mt7601u: replace strlcpy() with strscpy() (bsc#1227149).
wifi: mt76: add ability to explicitly forbid LED registration with DT (bsc#1227149).
wifi: mt76: add DMA mapping error check in mt76_alloc_txwi() (bsc#1227149).
wifi: mt76: add support for providing eeprom in nvmem cells (bsc#1227149).
wifi: mt76: add tx_nss histogram to ethtool stats (bsc#1227149).
wifi: mt76: Annotate struct mt76_rx_tid with __counted_by (bsc#1227149).
wifi: mt76: change txpower init to per-phy (bsc#1227149).
wifi: mt76: check sta rx control frame to multibss capability (bsc#1227149).
wifi: mt76: check txs format before getting skb by pid (bsc#1227149).
wifi: mt76: check vif type before reporting cca and csa (bsc#1227149).
wifi: mt76: connac: add beacon duplicate TX mode support for mt7996 (bsc#1227149).
wifi: mt76: connac: add beacon protection support for mt7996 (bsc#1227149).
wifi: mt76: connac: add connac3 mac library (bsc#1227149).
wifi: mt76: connac: add data field in struct tlv (bsc#1227149).
wifi: mt76: connac: add eht support for phy mode config (bsc#1227149).
wifi: mt76: connac: add eht support for tx power (bsc#1227149).
wifi: mt76: connac: add firmware support for mt7992 (bsc#1227149).
wifi: mt76: connac: add MBSSID support for mt7996 (bsc#1227149).
wifi: mt76: connac: add more unified command IDs (bsc#1227149).
wifi: mt76: connac: add more unified event IDs (bsc#1227149).
wifi: mt76: connac: add new definition of tx descriptor (bsc#1227149).
wifi: mt76: connac: add support for dsp firmware download (bsc#1227149).
wifi: mt76: connac: add support to set ifs time by mcu command (bsc#1227149).
wifi: mt76: connac: add thermal protection support for mt7996 (bsc#1227149).
wifi: mt76: connac: check for null before dereferencing (bsc#1227149).
wifi: mt76: connac: export functions for mt7925 (bsc#1227149).
wifi: mt76: connac: introduce helper for mt7925 chipset (bsc#1227149).
wifi: mt76: connac: set correct muar_idx for mt799x chipsets (bsc#1227149).
wifi: mt76: connac: set fixed_bw bit in TX descriptor for fixed rate frames (bsc#1227149).
wifi: mt76: connac: use muar idx 0xe for non-mt799x as well (bsc#1227149).
wifi: mt76: Convert to platform remove callback returning void (bsc#1227149).
wifi: mt76: disable HW AMSDU when using fixed rate (bsc#1227149).
wifi: mt76: dma: introduce __mt76_dma_queue_reset utility routine (bsc#1227149).
wifi: mt76: enable UNII-4 channel 177 support (bsc#1227149).
wifi: mt76: fix race condition related to checking tx queue fill status (bsc#1227149).
wifi: mt76: fix the issue of missing txpwr settings from ch153 to ch177 (bsc#1227149).
wifi: mt76: fix typo in mt76_get_of_eeprom_from_nvmem function (bsc#1227149).
wifi: mt76: increase MT_QFLAG_WED_TYPE size (bsc#1227149).
wifi: mt76: introduce mt76_queue_is_wed_tx_free utility routine (bsc#1227149).
wifi: mt76: introduce wed pointer in mt76_queue (bsc#1227149).
wifi: mt76: limit support of precal loading for mt7915 to MTD only (bsc#1227149).
wifi: mt76: make mt76_get_of_eeprom static again (bsc#1227149).
wifi: mt76: mmio: move mt76_mmio_wed_{init,release}_rx_buf in common code (bsc#1227149).
wifi: mt76: move ampdu_state in mt76_wcid (bsc#1227149).
wifi: mt76: move mt76_mmio_wed_offload_{enable,disable} in common code (bsc#1227149).
wifi: mt76: move mt76_net_setup_tc in common code (bsc#1227149).
wifi: mt76: move rate info in mt76_vif (bsc#1227149).
wifi: mt76: move wed reset common code in mt76 module (bsc#1227149).
wifi: mt76: mt7603: add missing register initialization for MT7628 (bsc#1227149).
wifi: mt76: mt7603: add wpdma tx eof flag for PSE client reset (git-fixes).
wifi: mt76: mt7603: disable A-MSDU tx support on MT7628 (bsc#1227149).
wifi: mt76: mt7603: fix beacon interval after disabling a single vif (bsc#1227149).
wifi: mt76: mt7603: fix tx filter/flush function (bsc#1227149).
wifi: mt76: mt7603: fix tx queue of loopback packets (git-fixes).
wifi: mt76: mt7603: rely on shared poll_list field (bsc#1227149).
wifi: mt76: mt7603: rely on shared sta_poll_list and sta_poll_lock (bsc#1227149).
wifi: mt76: mt7615: add missing chanctx ops (bsc#1227149).
wifi: mt76: mt7615: enable BSS_CHANGED_MU_GROUPS support (bsc#1227149).
wifi: mt76: mt7615: rely on shared poll_list field (bsc#1227149).
wifi: mt76: mt7615: rely on shared sta_poll_list and sta_poll_lock (bsc#1227149).
wifi: mt76: mt76_connac3: move lmac queue enumeration in mt76_connac3_mac.h (bsc#1227149).
wifi: mt76: mt76x02: fix return value check in mt76x02_mac_process_rx (bsc#1227149).
wifi: mt76: mt76x2u: add netgear wdna3100v3 to device table (bsc#1227149).
wifi: mt76: mt7915: accumulate mu-mimo ofdma muru stats (bsc#1227149).
wifi: mt76: mt7915: add locking for accessing mapped registers (bsc#1227149).
wifi: mt76: mt7915: add missing chanctx ops (bsc#1227149).
wifi: mt76: mt7915: add support for MT7981 (bsc#1227149).
wifi: mt76: mt7915 add tc offloading support (bsc#1227149).
wifi: mt76: mt7915: also MT7981 is 3T3R but nss2 on 5 GHz band (bsc#1227149).
wifi: mt76: mt7915: disable WFDMA Tx/Rx during SER recovery (bsc#1227149).
wifi: mt76: mt7915: drop return in mt7915_sta_statistics (bsc#1227149).
wifi: mt76: mt7915: fix EEPROM offset of TSSI flag on MT7981 (bsc#1227149).
wifi: mt76: mt7915: fix error recovery with WED enabled (bsc#1227149).
wifi: mt76: mt7915: fix monitor mode issues (bsc#1227149).
wifi: mt76: mt7915: move mib_stats structure in mt76.h (bsc#1227149).
wifi: mt76: mt7915: move poll_list in mt76_wcid (bsc#1227149).
wifi: mt76: mt7915: move sta_poll_list and sta_poll_lock in mt76_dev (bsc#1227149).
wifi: mt76: mt7915: report tx retries/failed counts for non-WED path (bsc#1227149).
wifi: mt76: mt7915: update mpdu density capability (bsc#1227149).
wifi: mt76: mt7915: update mt798x_wmac_adie_patch_7976 (bsc#1227149).
wifi: mt76: mt7915: workaround too long expansion sparse warnings (git-fixes).
wifi: mt76: mt7921: add 6GHz power type support for clc (bsc#1227149).
wifi: mt76: mt7921: convert acpisar and clc pointers to void (bsc#1227149).
wifi: mt76: mt7921: enable set txpower for UNII-4 (bsc#1227149).
wifi: mt76: mt7921e: report tx retries/failed counts in tx free event (bsc#1227149).
wifi: mt76: mt7921: fix 6GHz disabled by the missing default CLC config (bsc#1227149).
wifi: mt76: mt7921: fix a potential association failure upon resuming (bsc#1227149).
wifi: mt76: mt7921: fix CLC command timeout when suspend/resume (bsc#1227149).
wifi: mt76: mt7921: fix kernel panic by accessing invalid 6GHz channel info (bsc#1227149).
wifi: mt76: mt7921: fix suspend issue on MediaTek COB platform (bsc#1227149).
wifi: mt76: mt7921: fix the unfinished command of regd_notifier before suspend (bsc#1227149).
wifi: mt76: mt7921: fix wrong 6Ghz power type (bsc#1227149).
wifi: mt76: mt7921: get regulatory information from the clc event (bsc#1227149).
wifi: mt76: mt7921: get rid of MT7921_RESET_TIMEOUT marco (bsc#1227149).
wifi: mt76: mt7921: make mt7921_mac_sta_poll static (bsc#1227149).
wifi: mt76: mt7921: move acpi_sar code in mt792x-lib module (bsc#1227149).
wifi: mt76: mt7921: move common register definition in mt792x_regs.h (bsc#1227149).
wifi: mt76: mt7921: move connac nic capability handling to mt7921 (bsc#1227149).
wifi: mt76: mt7921: move debugfs shared code in mt792x-lib module (bsc#1227149).
wifi: mt76: mt7921: move dma shared code in mt792x-lib module (bsc#1227149).
wifi: mt76: mt7921: move hif_ops macro in mt792x.h (bsc#1227149).
wifi: mt76: mt7921: move init shared code in mt792x-lib module (bsc#1227149).
wifi: mt76: mt7921: move mac shared code in mt792x-lib module (bsc#1227149).
wifi: mt76: mt7921: move mt7921_dma_init in pci.c (bsc#1227149).
wifi: mt76: mt7921: move mt7921u_disconnect mt792x-lib (bsc#1227149).
wifi: mt76: mt7921: move mt792x_hw_dev in mt792x.h (bsc#1227149).
wifi: mt76: mt7921: move mt792x_mutex_{acquire/release} in mt792x.h (bsc#1227149).
wifi: mt76: mt7921: move runtime-pm pci code in mt792x-lib (bsc#1227149).
wifi: mt76: mt7921: move shared runtime-pm code on mt792x-lib (bsc#1227149).
wifi: mt76: mt7921: reduce the size of MCU firmware download Rx queue (bsc#1227149).
wifi: mt76: mt7921: rely on mib_stats shared definition (bsc#1227149).
wifi: mt76: mt7921: rely on shared poll_list field (bsc#1227149).
wifi: mt76: mt7921: rely on shared sta_poll_list and sta_poll_lock (bsc#1227149).
wifi: mt76: mt7921: remove macro duplication in regs.h (bsc#1227149).
wifi: mt76: mt7921: rename mt7921_dev in mt792x_dev (bsc#1227149).
wifi: mt76: mt7921: rename mt7921_hif_ops in mt792x_hif_ops (bsc#1227149).
wifi: mt76: mt7921: rename mt7921_phy in mt792x_phy (bsc#1227149).
wifi: mt76: mt7921: rename mt7921_sta in mt792x_sta (bsc#1227149).
wifi: mt76: mt7921: rename mt7921_vif in mt792x_vif (bsc#1227149).
wifi: mt76: mt7921s: fix potential hung tasks during chip recovery (stable-fixes).
wifi: mt76: mt7921: support 5.9/6GHz channel config in acpi (bsc#1227149).
wifi: mt76: mt7921: Support temp sensor (bsc#1227149).
wifi: mt76: mt7921: update the channel usage when the regd domain changed (bsc#1227149).
wifi: mt76: mt7925: add flow to avoid chip bt function fail (bsc#1227149).
wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips (bsc#1227149).
wifi: mt76: mt7925: add support to set ifs time by mcu command (bsc#1227149).
wifi: mt76: mt7925e: fix use-after-free in free_irq() (bsc#1227149).
wifi: mt76: mt7925: ensure 4-byte alignment for suspend & wow command (bsc#1227149).
wifi: mt76: mt7925: fix connect to 80211b mode fail in 2Ghz band (bsc#1227149).
wifi: mt76: mt7925: fix fw download fail (bsc#1227149).
wifi: mt76: mt7925: fix mcu query command fail (bsc#1227149).
wifi: mt76: mt7925: fix SAP no beacon issue in 5Ghz and 6Ghz band (bsc#1227149).
wifi: mt76: mt7925: fix the wrong data type for scan command (bsc#1227149).
wifi: mt76: mt7925: fix the wrong header translation config (bsc#1227149).
wifi: mt76: mt7925: fix typo in mt7925_init_he_caps (bsc#1227149).
wifi: mt76: mt7925: fix wmm queue mapping (bsc#1227149).
wifi: mt76: mt7925: fix WoW failed in encrypted mode (bsc#1227149).
wifi: mt76: mt7925: remove iftype from mt7925_init_eht_caps signature (bsc#1227149).
wifi: mt76: mt7925: support temperature sensor (bsc#1227149).
wifi: mt76: mt7925: update PCIe DMA settings (bsc#1227149).
wifi: mt76: mt792x: add the illegal value check for mtcl table of acpi (bsc#1227149).
wifi: mt76: mt792x: fix ethtool warning (bsc#1227149).
wifi: mt76: mt792x: introduce mt792x_irq_map (bsc#1227149).
wifi: mt76: mt792x: introduce mt792x-lib module (bsc#1227149).
wifi: mt76: mt792x: introduce mt792x-usb module (bsc#1227149).
wifi: mt76: mt792x: move more dma shared code in mt792x_dma (bsc#1227149).
wifi: mt76: mt792x: move mt7921_load_firmware in mt792x-lib module (bsc#1227149).
wifi: mt76: mt792x: move MT7921_PM_TIMEOUT and MT7921_HW_SCAN_TIMEOUT in common code (bsc#1227149).
wifi: mt76: mt792x: move mt7921_skb_add_usb_sdio_hdr in mt792x module (bsc#1227149).
wifi: mt76: mt792x: move shared structure definition in mt792x.h (bsc#1227149).
wifi: mt76: mt792x: move some common usb code in mt792x module (bsc#1227149).
wifi: mt76: mt792x: support mt7925 chip init (bsc#1227149).
wifi: mt76: mt792xu: enable dmashdl support (bsc#1227149).
wifi: mt76: mt792x: update the country list of EU for ACPI SAR (bsc#1227149).
wifi: mt76: mt7996: add DMA support for mt7992 (bsc#1227149).
wifi: mt76: mt7996: add locking for accessing mapped registers (stable-fixes).
wifi: mt76: mt7996: Add mcu commands for getting sta tx statistic (bsc#1227149).
wifi: mt76: mt7996: add muru support (bsc#1227149).
wifi: mt76: mt7996: add sanity checks for background radar trigger (stable-fixes).
wifi: mt76: mt7996: add support for variants with auxiliary RX path (bsc#1227149).
wifi: mt76: mt7996: add thermal sensor device support (bsc#1227149).
wifi: mt76: mt7996: add txpower setting support (bsc#1227149).
wifi: mt76: mt7996: add TX statistics for EHT mode in debugfs (bsc#1227149).
wifi: mt76: mt7996: adjust interface num and wtbl size for mt7992 (bsc#1227149).
wifi: mt76: mt7996: adjust WFDMA settings to improve performance (bsc#1227149).
wifi: mt76: mt7996: align the format of fixed rate command (bsc#1227149).
wifi: mt76: mt7996: check txs format before getting skb by pid (bsc#1227149).
wifi: mt76: mt7996: disable AMSDU for non-data frames (stable-fixes).
wifi: mt76: mt7996: disable WFDMA Tx/Rx during SER recovery (bsc#1227149).
wifi: mt76: mt7996: drop return in mt7996_sta_statistics (bsc#1227149).
wifi: mt76: mt7996: enable BSS_CHANGED_MU_GROUPS support (bsc#1227149).
wifi: mt76: mt7996: enable PPDU-TxS to host (bsc#1227149).
wifi: mt76: mt7996: enable VHT extended NSS BW feature (bsc#1227149).
wifi: mt76: mt7996: ensure 4-byte alignment for beacon commands (bsc#1227149).
wifi: mt76: mt7996: fix alignment of sta info event (bsc#1227149).
wifi: mt76: mt7996: fix fortify warning (bsc#1227149).
wifi: mt76: mt7996: fix fw loading timeout (bsc#1227149).
wifi: mt76: mt7996: fix mt7996_mcu_all_sta_info_event struct packing (bsc#1227149).
wifi: mt76: mt7996: fix potential memory leakage when reading chip temperature (bsc#1227149).
wifi: mt76: mt7996: fix size of txpower MCU command (bsc#1227149).
wifi: mt76: mt7996: fix uninitialized variable in mt7996_irq_tasklet() (bsc#1227149).
wifi: mt76: mt7996: fix uninitialized variable in parsing txfree (bsc#1227149).
wifi: mt76: mt7996: get tx_retries and tx_failed from txfree (bsc#1227149).
wifi: mt76: mt7996: handle IEEE80211_RC_SMPS_CHANGED (bsc#1227149).
wifi: mt76: mt7996: increase tx token size (bsc#1227149).
wifi: mt76: mt7996: introduce mt7996_band_valid() (bsc#1227149).
wifi: mt76: mt7996: mark GCMP IGTK unsupported (bsc#1227149).
wifi: mt76: mt7996: move radio ctrl commands to proper functions (bsc#1227149).
wifi: mt76: mt7996: only set vif teardown cmds at remove interface (bsc#1227149).
wifi: mt76: mt7996: rely on mib_stats shared definition (bsc#1227149).
wifi: mt76: mt7996: rely on shared poll_list field (bsc#1227149).
wifi: mt76: mt7996: rely on shared sta_poll_list and sta_poll_lock (bsc#1227149).
wifi: mt76: mt7996: remove periodic MPDU TXS request (bsc#1227149).
wifi: mt76: mt7996: remove TXS queue setting (bsc#1227149).
wifi: mt76: mt7996: rework ampdu params setting (bsc#1227149).
wifi: mt76: mt7996: rework register offsets for mt7992 (bsc#1227149).
wifi: mt76: mt7996: set DMA mask to 36 bits for boards with more than 4GB of RAM (bsc#1227149).
wifi: mt76: mt7996: support more options for mt7996_set_bitrate_mask() (bsc#1227149).
wifi: mt76: mt7996: support mt7992 eeprom loading (bsc#1227149).
wifi: mt76: mt7996: support per-band LED control (bsc#1227149).
wifi: mt76: mt7996: switch to mcu command for TX GI report (bsc#1227149).
wifi: mt76: mt7996: Use DECLARE_FLEX_ARRAY() and fix -Warray-bounds warnings (bsc#1227149).
wifi: mt76: mt7996: use u16 for val field in mt7996_mcu_set_rro signature (bsc#1227149).
wifi: mt76: permit to load precal from NVMEM cell for mt7915 (bsc#1227149).
wifi: mt76: permit to use alternative cell name to eeprom NVMEM load (bsc#1227149).
wifi: mt76: reduce spin_lock_bh held up in mt76_dma_rx_cleanup (bsc#1227149).
wifi: mt76: Remove redundant assignment to variable tidno (bsc#1227149).
wifi: mt76: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: mt76: replace skb_put with skb_put_zero (stable-fixes).
wifi: mt76: Replace strlcpy() with strscpy() (bsc#1227149).
wifi: mt76: report non-binding skb tx rate when WED is active (bsc#1227149).
wifi: mt76: set page_pool napi pointer for mmio devices (bsc#1227149).
wifi: mt76: split get_of_eeprom in subfunction (bsc#1227149).
wifi: mt76: usb: create a dedicated queue for psd traffic (bsc#1227149).
wifi: mt76: usb: store usb endpoint in mt76_queue (bsc#1227149).
wifi: mt76: use atomic iface iteration for pre-TBTT work (bsc#1227149).
wifi: mt76: use chainmask for power delta calculation (bsc#1227149).
wifi: mt76: Use PTR_ERR_OR_ZERO() to simplify code (bsc#1227149).
wifi: mwifiex: cleanup adapter data (bsc#1227149).
wifi: mwifiex: cleanup private data structures (bsc#1227149).
wifi: mwifiex: cleanup struct mwifiex_sdio_mpa_rx (bsc#1227149).
wifi: mwifiex: drop BUG_ON from TX paths (bsc#1227149).
wifi: mwifiex: Drop unused headers (bsc#1227149).
wifi: mwifiex: fix comment typos in SDIO module (bsc#1227149).
wifi: mwifiex: Fix interface type change (git-fixes).
wifi: mwifiex: followup PCIE and related cleanups (bsc#1227149).
wifi: mwifiex: handle possible mwifiex_write_reg() errors (bsc#1227149).
wifi: mwifiex: handle possible sscanf() errors (bsc#1227149).
wifi: mwifiex: mwifiex_process_sleep_confirm_resp(): remove unused priv variable (bsc#1227149).
wifi: mwifiex: prefer strscpy() over strlcpy() (bsc#1227149).
wifi: mwifiex: Refactor 1-element array into flexible array in struct mwifiex_ie_types_chan_list_param_set (bsc#1227149).
wifi: mwifiex: Replace one-element array with flexible-array member in struct mwifiex_ie_types_rxba_sync (bsc#1227149).
wifi: mwifiex: Set WIPHY_FLAG_NETNS_OK flag (bsc#1227149).
wifi: mwifiex: simplify PCIE write operations (bsc#1227149).
wifi: mwifiex: use cfg80211_ssid_eq() instead of mwifiex_ssid_cmp() (bsc#1227149).
wifi: mwifiex: Use default @max_active for workqueues (bsc#1227149).
wifi: mwifiex: Use helpers to check multicast addresses (bsc#1227149).
wifi: mwifiex: use is_zero_ether_addr() instead of ether_addr_equal() (bsc#1227149).
wifi: mwifiex: use kstrtoX_from_user() in debugfs handlers (bsc#1227149).
wifi: mwifiex: Use list_count_nodes() (bsc#1227149).
wifi: mwifiex: use MODULE_FIRMWARE to add firmware files metadata (bsc#1227149).
wifi: mwl8k: initialize cmd->addr[] properly (git-fixes).
wifi: nl80211: additions to NL80211_CMD_SET_BEACON (bsc#1227149).
wifi: nl80211: allow reporting wakeup for unprot deauth/disassoc (bsc#1227149).
wifi: nl80211: Avoid address calculations via out of bounds array indexing (git-fixes).
wifi: nl80211: do not free NULL coalescing rule (git-fixes).
wifi: nl80211: Extend del pmksa support for SAE and OWE security (bsc#1227149).
wifi: nl80211: fixes to FILS discovery updates (bsc#1227149).
wifi: nl80211: refactor nl80211_send_mlme_event() arguments (bsc#1227149).
wifi: nl80211: Remove unused declaration nl80211_pmsr_dump_results() (bsc#1227149).
wifi: p54: Add missing MODULE_FIRMWARE macro (bsc#1227149).
wifi: p54: Annotate struct p54_cal_database with __counted_by (bsc#1227149).
wifi: p54: fix GCC format truncation warning with wiphy->fw_version (bsc#1227149).
wifi: plfxlc: Drop unused include (bsc#1227149).
wifi: radiotap: add bandwidth definition of EHT U-SIG (bsc#1227149).
wifi: remove unused argument of ieee80211_get_tdls_action() (bsc#1227149).
wifi: rsi: fix restricted __le32 degrades to integer sparse warnings (bsc#1227149).
wifi: rsi: rsi_91x_coex: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: rsi: rsi_91x_debugfs: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: rsi: rsi_91x_hal: Remove unnecessary conversions (bsc#1227149).
wifi: rsi: rsi_91x_mac80211: Remove unnecessary conversions (bsc#1227149).
wifi: rsi: rsi_91x_main: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: rsi: rsi_91x_sdio_ops: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: rsi: rsi_91x_sdio: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: rsi: rsi_91x_usb_ops: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: rsi: rsi_91x_usb: Remove unnecessary (void*) conversions (bsc#1227149).
wifi: rt2x00: correct MAC_SYS_CTRL register RX mask in R-Calibration (bsc#1227149).
wifi: rt2x00: disable RTS threshold for rt2800 by default (bsc#1227149).
wifi: rt2x00: fix MT7620 low RSSI issue (bsc#1227149).
wifi: rt2x00: fix rt2800 watchdog function (bsc#1227149).
wifi: rt2x00: fix the typo in comments (bsc#1227149).
wifi: rt2x00: improve MT7620 register initialization (bsc#1227149).
wifi: rt2x00: introduce DMA busy check watchdog for rt2800 (bsc#1227149).
wifi: rt2x00: limit MT7620 TX power based on eeprom calibration (bsc#1227149).
wifi: rt2x00: make watchdog param per device (bsc#1227149).
wifi: rt2x00: remove redundant check if u8 array element is less than zero (bsc#1227149).
wifi: rt2x00: remove useless code in rt2x00queue_create_tx_descriptor() (bsc#1227149).
wifi: rt2x00: rework MT7620 channel config function (bsc#1227149).
wifi: rt2x00: rework MT7620 PA/LNA RF calibration (bsc#1227149).
wifi: rt2x00: silence sparse warnings (bsc#1227149).
wifi: rt2x00: Simplify bool conversion (bsc#1227149).
wifi: rt2x00: simplify rt2x00crypto_rx_insert_iv() (bsc#1227149).
wifi: rtl8xxxu: 8188e: convert usage of priv->vif to priv->vifs[0] (bsc#1227149).
wifi: rtl8xxxu: 8188f: Limit TX power index (git-fixes).
wifi: rtl8xxxu: Actually use macid in rtl8xxxu_gen2_report_connect (bsc#1227149).
wifi: rtl8xxxu: Add a description about the device ID 0x7392:0xb722 (bsc#1227149).
wifi: rtl8xxxu: Add beacon functions (bsc#1227149).
wifi: rtl8xxxu: add hw crypto support for AP mode (bsc#1227149).
wifi: rtl8xxxu: add macids for STA mode (bsc#1227149).
wifi: rtl8xxxu: add missing number of sec cam entries for all variants (bsc#1227149).
wifi: rtl8xxxu: Add parameter force to rtl8xxxu_refresh_rate_mask (bsc#1227149).
wifi: rtl8xxxu: Add parameter macid to update_rate_mask (bsc#1227149).
wifi: rtl8xxxu: Add parameter role to report_connect (bsc#1227149).
wifi: rtl8xxxu: Add set_tim() callback (bsc#1227149).
wifi: rtl8xxxu: Add sta_add() and sta_remove() callbacks (bsc#1227149).
wifi: rtl8xxxu: Add start_ap() callback (bsc#1227149).
wifi: rtl8xxxu: Add TP-Link TL-WN823N V2 (bsc#1227149).
wifi: rtl8xxxu: Allow creating interface in AP mode (bsc#1227149).
wifi: rtl8xxxu: Allow setting rts threshold to -1 (bsc#1227149).
wifi: rtl8xxxu: check vif before using in rtl8xxxu_tx() (bsc#1227149).
wifi: rtl8xxxu: Clean up filter configuration (bsc#1227149).
wifi: rtl8xxxu: convert EN_DESC_ID of TX descriptor to le32 type (bsc#1227149).
wifi: rtl8xxxu: Declare AP mode support for 8188f (bsc#1227149).
wifi: rtl8xxxu: declare concurrent mode support for 8188f (bsc#1227149).
wifi: rtl8xxxu: do not parse CFO, if both interfaces are connected in STA mode (bsc#1227149).
wifi: rtl8xxxu: Enable AP mode for RTL8192EU (bsc#1227149).
wifi: rtl8xxxu: Enable AP mode for RTL8192FU (bsc#1227149).
wifi: rtl8xxxu: Enable AP mode for RTL8710BU (RTL8188GU) (bsc#1227149).
wifi: rtl8xxxu: Enable AP mode for RTL8723BU (bsc#1227149).
wifi: rtl8xxxu: enable channel switch support (bsc#1227149).
wifi: rtl8xxxu: Enable hw seq for mgmt/non-QoS data frames (bsc#1227149).
wifi: rtl8xxxu: enable MFP support with security flag of RX descriptor (bsc#1227149).
wifi: rtl8xxxu: extend check for matching bssid to both interfaces (bsc#1227149).
wifi: rtl8xxxu: extend wifi connected check to both interfaces (bsc#1227149).
wifi: rtl8xxxu: fix error messages (bsc#1227149).
wifi: rtl8xxxu: Fix LED control code of RTL8192FU (bsc#1227149).
wifi: rtl8xxxu: fix mixed declarations in rtl8xxxu_set_aifs() (bsc#1227149).
wifi: rtl8xxxu: Fix off by one initial RTS rate (bsc#1227149).
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU (stable-fixes).
wifi: rtl8xxxu: make instances of iface limit and combination to be static const (bsc#1227149).
wifi: rtl8xxxu: make supporting AP mode only on port 0 transparent (bsc#1227149).
wifi: rtl8xxxu: mark TOTOLINK N150UA V5/N150UA-B as tested (bsc#1227149).
wifi: rtl8xxxu: prepare supporting two virtual interfaces (bsc#1227149).
wifi: rtl8xxxu: Put the macid in txdesc (bsc#1227149).
wifi: rtl8xxxu: remove assignment of priv->vif in rtl8xxxu_bss_info_changed() (bsc#1227149).
wifi: rtl8xxxu: remove obsolete priv->vif (bsc#1227149).
wifi: rtl8xxxu: Remove usage of ieee80211_get_tx_rate() (bsc#1227149).
wifi: rtl8xxxu: Remove usage of tx_info->control.rates[0].flags (bsc#1227149).
wifi: rtl8xxxu: Rename some registers (bsc#1227149).
wifi: rtl8xxxu: rtl8xxxu_rx_complete(): remove unnecessary return (bsc#1227149).
wifi: rtl8xxxu: Select correct queue for beacon frames (bsc#1227149).
wifi: rtl8xxxu: Set maximum number of supported stations (bsc#1227149).
wifi: rtl8xxxu: support multiple interface in start_ap() (bsc#1227149).
wifi: rtl8xxxu: support multiple interfaces in {add,remove}_interface() (bsc#1227149).
wifi: rtl8xxxu: support multiple interfaces in bss_info_changed() (bsc#1227149).
wifi: rtl8xxxu: support multiple interfaces in configure_filter() (bsc#1227149).
wifi: rtl8xxxu: support multiple interfaces in set_aifs() (bsc#1227149).
wifi: rtl8xxxu: support multiple interfaces in update_beacon_work_callback() (bsc#1227149).
wifi: rtl8xxxu: support multiple interfaces in watchdog_callback() (bsc#1227149).
wifi: rtl8xxxu: Support new chip RTL8192FU (bsc#1227149).
wifi: rtl8xxxu: support setting bssid register for multiple interfaces (bsc#1227149).
wifi: rtl8xxxu: support setting linktype for both interfaces (bsc#1227149).
wifi: rtl8xxxu: support setting mac address register for both interfaces (bsc#1227149).
wifi: rtl8xxxu: Support USB RX aggregation for the newer chips (bsc#1227149).
wifi: rtl8xxxu: update rate mask per sta (bsc#1227149).
wifi: rtlwifi: cleanup few rtlxxx_tx_fill_desc() routines (bsc#1227149).
wifi: rtlwifi: cleanup few rtlxxxx_set_hw_reg() routines (bsc#1227149).
wifi: rtlwifi: cleanup struct rtl_hal (bsc#1227149).
wifi: rtlwifi: cleanup struct rtl_phy (bsc#1227149).
wifi: rtlwifi: cleanup struct rtl_ps_ctl (bsc#1227149).
wifi: rtlwifi: cleanup USB interface (bsc#1227149).
wifi: rtlwifi: Convert to use PCIe capability accessors (bsc#1227149).
wifi: rtlwifi: drop chk_switch_dmdp() from HAL interface (bsc#1227149).
wifi: rtlwifi: drop fill_fake_txdesc() from HAL interface (bsc#1227149).
wifi: rtlwifi: drop pre_fill_tx_bd_desc() from HAL interface (bsc#1227149).
wifi: rtlwifi: drop unused const_amdpci_aspm (bsc#1227149).
wifi: rtlwifi: Ignore IEEE80211_CONF_CHANGE_RETRY_LIMITS (bsc#1227149).
wifi: rtlwifi: Remove bridge vendor/device ids (bsc#1227149).
wifi: rtlwifi: remove misused flag from HAL data (bsc#1227149).
wifi: rtlwifi: Remove rtl_intf_ops.read_efuse_byte (bsc#1227149).
wifi: rtlwifi: remove unreachable code in rtl92d_dm_check_edca_turbo() (bsc#1227149).
wifi: rtlwifi: remove unused dualmac control leftovers (bsc#1227149).
wifi: rtlwifi: Remove unused PCI related defines and struct (bsc#1227149).
wifi: rtlwifi: remove unused timer and related code (bsc#1227149).
wifi: rtlwifi: rtl8192cu: Fix 2T2R chip type detection (bsc#1227149).
wifi: rtlwifi: rtl8192cu: Fix TX aggregation (bsc#1227149).
wifi: rtlwifi: rtl8192de: Do not read register in _rtl92de_query_rxphystatus (bsc#1227149).
wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power (stable-fixes).
wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path (stable-fixes).
wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE (stable-fixes).
wifi: rtlwifi: rtl8723: Remove unused function rtl8723_cmd_send_packet() (bsc#1227149).
wifi: rtlwifi: rtl8821ae: Access full PMCS reg and use pci_regs.h (bsc#1227149).
wifi: rtlwifi: rtl8821ae: Add pdev into _rtl8821ae_clear_pci_pme_status() (bsc#1227149).
wifi: rtlwifi: rtl8821ae: phy: remove some useless code (bsc#1227149).
wifi: rtlwifi: rtl8821ae: phy: using calculate_bit_shift() (bsc#1227149).
wifi: rtlwifi: rtl8821ae: Remove unnecessary PME_Status bit set (bsc#1227149).
wifi: rtlwifi: rtl8821ae: Reverse PM Capability exists check (bsc#1227149).
wifi: rtlwifi: rtl8821ae: Use pci_find_capability() (bsc#1227149).
wifi: rtlwifi: rtl92ee_dm_dynamic_primary_cca_check(): fix typo in function name (bsc#1227149).
wifi: rtlwifi: rtl_usb: Store the endpoint addresses (bsc#1227149).
wifi: rtlwifi: rtl_usb: Use sync register writes (bsc#1227149).
wifi: rtlwifi: set initial values for unexpected cases of USB endpoint priority (bsc#1227149).
wifi: rtlwifi: simplify LED management (bsc#1227149).
wifi: rtlwifi: simplify rtl_action_proc() and rtl_tx_agg_start() (bsc#1227149).
wifi: rtlwifi: simplify TX command fill callbacks (bsc#1227149).
wifi: rtlwifi: Speed up firmware loading for USB (bsc#1227149).
wifi: rtlwifi: use convenient list_count_nodes() (bsc#1227149).
wifi: rtlwifi: use eth_broadcast_addr() to assign broadcast address (bsc#1227149).
wifi: rtlwifi: use helper function rtl_get_hdr() (bsc#1227149).
wifi: rtlwifi: use unsigned long for bt_coexist_8723 timestamp (bsc#1227149).
wifi: rtlwifi: use unsigned long for rtl_bssid_entry timestamp (bsc#1227149).
wifi: rtw88: 8821c: tweak CCK TX filter setting for SRRC regulation (bsc#1227149).
wifi: rtw88: 8821cu: Fix connection failure (stable-fixes).
wifi: rtw88: 8821c: update TX power limit to V67 (bsc#1227149).
wifi: rtw88: 8822ce: refine power parameters for RFE type 5 (bsc#1227149).
wifi: rtw88: 8822c: update TX power limit to V70 (bsc#1227149).
wifi: rtw88: add missing unwind goto for __rtw_download_firmware() (bsc#1227149).
wifi: rtw88: Add missing VID/PIDs for 8811CU and 8821CU (stable-fixes).
wifi: rtw88: Add support for the SDIO based RTL8723DS chipset (bsc#1227149).
wifi: rtw88: debug: add to check if debug mask is enabled (bsc#1227149).
wifi: rtw88: debug: remove wrapper of rtw_dbg() (bsc#1227149).
wifi: rtw88: dump firmware debug information in abnormal state (bsc#1227149).
wifi: rtw88: Fix action frame transmission fail before association (bsc#1227149).
wifi: rtw88: Fix AP mode incorrect DTIM behavior (bsc#1227149).
wifi: rtw88: fix incorrect error codes in rtw_debugfs_copy_from_user (bsc#1227149).
wifi: rtw88: fix incorrect error codes in rtw_debugfs_set_* (bsc#1227149).
wifi: rtw88: fix not entering PS mode after AP stops (bsc#1227149).
wifi: rtw88: fix typo rtw8822cu_probe (bsc#1227149).
wifi: rtw88: process VO packets without workqueue to avoid PTK rekey failed (bsc#1227149).
wifi: rtw88: refine register based H2C command (bsc#1227149).
wifi: rtw88: regd: configure QATAR and UK (bsc#1227149).
wifi: rtw88: regd: update regulatory map to R64-R42 (bsc#1227149).
wifi: rtw88: remove unused and set but unused leftovers (bsc#1227149).
wifi: rtw88: remove unused USB bulkout size set (bsc#1227149).
wifi: rtw88: rtw8723d: Implement RTL8723DS (SDIO) efuse parsing (bsc#1227149).
wifi: rtw88: simplify __rtw_tx_work() (bsc#1227149).
wifi: rtw88: simplify vif iterators (bsc#1227149).
wifi: rtw88: Skip high queue in hci_flush (bsc#1227149).
wifi: rtw88: Stop high queue during scan (bsc#1227149).
wifi: rtw88: use cfg80211_ssid_eq() instead of rtw_ssid_equal() (bsc#1227149).
wifi: rtw88: use kstrtoX_from_user() in debugfs handlers (bsc#1227149).
wifi: rtw88: Use random MAC when efuse MAC invalid (bsc#1227149).
wifi: rtw88: use struct instead of macros to set TX desc (bsc#1227149).
wifi: rtw89: 52c: rfk: disable DPK during MCC (bsc#1227149).
wifi: rtw89: 52c: rfk: refine MCC channel info notification (bsc#1227149).
wifi: rtw89: 8851b: add 8851B basic chip_info (bsc#1227149).
wifi: rtw89: 8851b: add 8851be to Makefile and Kconfig (bsc#1227149).
wifi: rtw89: 8851b: add basic power on function (bsc#1227149).
wifi: rtw89: 8851b: add BT coexistence support function (bsc#1227149).
wifi: rtw89: 8851b: add DLE mem and HFC quota (bsc#1227149).
wifi: rtw89: 8851b: add MAC configurations to chip_info (bsc#1227149).
wifi: rtw89: 8851b: add NCTL post table (bsc#1227149).
wifi: rtw89: 8851b: add RF configurations (bsc#1227149).
wifi: rtw89: 8851b: add set channel function (bsc#1227149).
wifi: rtw89: 8851b: add set_channel_rf() (bsc#1227149).
wifi: rtw89: 8851b: add support WoWLAN to 8851B (bsc#1227149).
wifi: rtw89: 8851b: add to parse efuse content (bsc#1227149).
wifi: rtw89: 8851b: add to read efuse version to recognize hardware version B (bsc#1227149).
wifi: rtw89: 8851b: add TX power related functions (bsc#1227149).
wifi: rtw89: 8851b: configure CRASH_TRIGGER feature for 8851B (bsc#1227149).
wifi: rtw89: 8851b: configure GPIO according to RFE type (bsc#1227149).
wifi: rtw89: 8851b: configure to force 1 TX power value (bsc#1227149).
wifi: rtw89: 8851be: add 8851BE PCI entry and fill PCI capabilities (bsc#1227149).
wifi: rtw89: 8851b: enable hw_scan support (bsc#1227149).
wifi: rtw89: 8851b: fill BB related capabilities to chip_info (bsc#1227149).
wifi: rtw89: 8851b: rfk: add AACK (bsc#1227149).
wifi: rtw89: 8851b: rfk: add DACK (bsc#1227149).
wifi: rtw89: 8851b: rfk: add DPK (bsc#1227149).
wifi: rtw89: 8851b: rfk: add IQK (bsc#1227149).
wifi: rtw89: 8851b: rfk: add LCK track (bsc#1227149).
wifi: rtw89: 8851b: rfk: add RCK (bsc#1227149).
wifi: rtw89: 8851b: rfk: add RX DCK (bsc#1227149).
wifi: rtw89: 8851b: rfk: add TSSI (bsc#1227149).
wifi: rtw89: 8851b: rfk: Fix spelling mistake KIP_RESOTRE -> KIP_RESTORE (bsc#1227149).
wifi: rtw89: 8851b: rfk: update IQK to version 0x8 (bsc#1227149).
wifi: rtw89: 8851b: update RF radio A parameters to R28 (bsc#1227149).
wifi: rtw89: 8851b: update TX power tables to R28 (bsc#1227149).
wifi: rtw89: 8851b: update TX power tables to R34 (bsc#1227149).
wifi: rtw89: 8851b: update TX power tables to R37 (bsc#1227149).
wifi: rtw89: 8852b: fix definition of KIP register number (git-fixes).
wifi: rtw89: 8852b: update TX power tables to R35 (bsc#1227149).
wifi: rtw89: 8852b: update TX power tables to R36 (bsc#1227149).
wifi: rtw89: 8852c: add quirk to set PCI BER for certain platforms (bsc#1227149).
wifi: rtw89: 8852c: declare to support two chanctx (bsc#1227149).
wifi: rtw89: 8852c: Fix TSSI causes transmit power inaccuracy (bsc#1227149).
wifi: rtw89: 8852c: read RX gain offset from efuse for 6GHz channels (bsc#1227149).
wifi: rtw89: 8852c: Update bandedge parameters for better performance (bsc#1227149).
wifi: rtw89: 8852c: update RF radio A/B parameters to R63 (bsc#1227149).
wifi: rtw89: 8852c: update TX power tables to R63 with 6 GHz power type (1 of 3) (bsc#1227149).
wifi: rtw89: 8852c: update TX power tables to R63 with 6 GHz power type (2 of 3) (bsc#1227149).
wifi: rtw89: 8852c: update TX power tables to R63 with 6 GHz power type (3 of 3) (bsc#1227149).
wifi: rtw89: 8852c: update TX power tables to R67 (bsc#1227149).
wifi: rtw89: 8922a: add 8922A basic chip info (bsc#1227149).
wifi: rtw89: 8922a: add BTG functions to assist BT coexistence to control TX/RX (bsc#1227149).
wifi: rtw89: 8922a: add chip_ops::bb_preinit to enable BB before downloading firmware (bsc#1227149).
wifi: rtw89: 8922a: add chip_ops::cfg_txrx_path (bsc#1227149).
wifi: rtw89: 8922a: add chip_ops::{enable,disable}_bb_rf (bsc#1227149).
wifi: rtw89: 8922a: add chip_ops related to BB init (bsc#1227149).
wifi: rtw89: 8922a: add chip_ops::rfk_hw_init (bsc#1227149).
wifi: rtw89: 8922a: add chip_ops::rfk_init_late to do initial RF calibrations later (bsc#1227149).
wifi: rtw89: 8922a: add chip_ops to get thermal value (bsc#1227149).
wifi: rtw89: 8922a: add coexistence helpers of SW grant (bsc#1227149).
wifi: rtw89: 8922a: add helper of set_channel (bsc#1227149).
wifi: rtw89: 8922a: add ieee80211_ops::hw_scan (bsc#1227149).
wifi: rtw89: 8922a: add more fields to beacon H2C command to support multi-links (bsc#1227149).
wifi: rtw89: 8922a: add NCTL pre-settings for WiFi 7 chips (bsc#1227149).
wifi: rtw89: 8922a: add power on/off functions (bsc#1227149).
wifi: rtw89: 8922a: add register definitions of H2C, C2H, page, RRSR and EDCCA (bsc#1227149).
wifi: rtw89: 8922a: add RF read/write v2 (bsc#1227149).
wifi: rtw89: 8922a: add SER IMR tables (bsc#1227149).
wifi: rtw89: 8922a: add set_channel BB part (bsc#1227149).
wifi: rtw89: 8922a: add set_channel MAC part (bsc#1227149).
wifi: rtw89: 8922a: add set_channel RF part (bsc#1227149).
wifi: rtw89: 8922a: add TX power related ops (bsc#1227149).
wifi: rtw89: 8922a: configure CRASH_TRIGGER FW feature (bsc#1227149).
wifi: rtw89: 8922a: correct register definition and merge IO for ctrl_nbtg_bt_tx() (bsc#1227149).
wifi: rtw89: 8922a: declare to support two chanctx (bsc#1227149).
wifi: rtw89: 8922a: dump MAC registers when SER occurs (bsc#1227149).
wifi: rtw89: 8922ae: add 8922AE PCI entry and basic info (bsc#1227149).
wifi: rtw89: 8922ae: add v2 interrupt handlers for 8922AE (bsc#1227149).
wifi: rtw89: 8922a: extend and add quota number (bsc#1227149).
wifi: rtw89: 8922a: hook handlers of TX/RX descriptors to chip_ops (bsc#1227149).
wifi: rtw89: 8922a: implement AP mode related reg for BE generation (bsc#1227149).
wifi: rtw89: 8922a: implement {stop,resume}_sch_tx and cfg_ppdu (bsc#1227149).
wifi: rtw89: 8922a: read efuse content from physical map (bsc#1227149).
wifi: rtw89: 8922a: read efuse content via efuse map struct from logic map (bsc#1227149).
wifi: rtw89: 8922a: rfk: implement chip_ops to call RF calibrations (bsc#1227149).
wifi: rtw89: 8922a: set chip_ops FEM and GPIO to NULL (bsc#1227149).
wifi: rtw89: 8922a: set memory heap address for secure firmware (bsc#1227149).
wifi: rtw89: 8922a: set RX gain along with set_channel operation (bsc#1227149).
wifi: rtw89: 8922a: update BA CAM number to 24 (bsc#1227149).
wifi: rtw89: 8922a: update the register used in DIG and the DIG flow (bsc#1227149).
wifi: rtw89: acpi: process 6 GHz band policy from DSM (bsc#1227149).
wifi: rtw89: add C2H event handlers of RFK log and report (bsc#1227149).
wifi: rtw89: add C2H RA event V1 to support WiFi 7 chips (bsc#1227149).
wifi: rtw89: add CFO XTAL registers field to support 8851B (bsc#1227149).
wifi: rtw89: add chip_info::chip_gen to determine chip generation (bsc#1227149).
wifi: rtw89: add chip_info::txwd_info size to generalize TX WD submit (bsc#1227149).
wifi: rtw89: add chip_ops::h2c_ba_cam() to configure BA CAM (bsc#1227149).
wifi: rtw89: add chip_ops::query_rxdesc() and rxd_len as helpers to support newer chips (bsc#1227149).
wifi: rtw89: add chip_ops::update_beacon to abstract update beacon operation (bsc#1227149).
wifi: rtw89: add DBCC H2C to notify firmware the status (bsc#1227149).
wifi: rtw89: add EHT capabilities for WiFi 7 chips (bsc#1227149).
wifi: rtw89: add EHT radiotap in monitor mode (bsc#1227149).
wifi: rtw89: Add EHT rate mask as parameters of RA H2C command (bsc#1227149).
wifi: rtw89: add EVM and SNR statistics to debugfs (bsc#1227149).
wifi: rtw89: add EVM for antenna diversity (bsc#1227149).
wifi: rtw89: add firmware H2C command of BA CAM V1 (bsc#1227149).
wifi: rtw89: add firmware parser for v1 format (bsc#1227149).
wifi: rtw89: add firmware suit for BB MCU 0/1 (bsc#1227149).
wifi: rtw89: add function prototype for coex request duration (bsc#1227149).
wifi: rtw89: add H2C command to download beacon frame for WiFi 7 chips (bsc#1227149).
wifi: rtw89: add H2C RA command V1 to support WiFi 7 chips (bsc#1227149).
wifi: rtw89: add mac_gen pointer to access mac port registers (bsc#1227149).
wifi: rtw89: add mlo_dbcc_mode for WiFi 7 chips (bsc#1227149).
wifi: rtw89: add new H2C command to pause/sleep transmitting by MAC ID (bsc#1227149).
wifi: rtw89: add new H2C for PS mode in 802.11be chip (bsc#1227149).
wifi: rtw89: add reserved size as factor of DLE used size (bsc#1227149).
wifi: rtw89: add RSSI based antenna diversity (bsc#1227149).
wifi: rtw89: add RSSI statistics for the case of antenna diversity to debugfs (bsc#1227149).
wifi: rtw89: add subband index of primary channel to struct rtw89_chan (bsc#1227149).
wifi: rtw89: add to display hardware rates v1 histogram in debugfs (bsc#1227149).
wifi: rtw89: add to fill TX descriptor for firmware command v2 (bsc#1227149).
wifi: rtw89: add to fill TX descriptor v2 (bsc#1227149).
wifi: rtw89: add to parse firmware elements of BB and RF tables (bsc#1227149).
wifi: rtw89: add to query RX descriptor format v2 (bsc#1227149).
wifi: rtw89: add tx_wake notify for 8851B (bsc#1227149).
wifi: rtw89: add wait/completion for abort scan (bsc#1227149).
wifi: rtw89: add XTAL SI for WiFi 7 chips (bsc#1227149).
wifi: rtw89: adjust init_he_cap() to add EHT cap into iftype_data (bsc#1227149).
wifi: rtw89: advertise missing extended scan feature (bsc#1227149).
wifi: rtw89: avoid stringop-overflow warning (bsc#1227149).
wifi: rtw89: call rtw89_chan_get() by vif chanctx if aware of vif (bsc#1227149).
wifi: rtw89: chan: add sub-entity swap function to cover replacing (bsc#1227149).
wifi: rtw89: change naming of BA CAM from V1 to V0_EXT (bsc#1227149).
wifi: rtw89: change qutoa to DBCC by default for WiFi 7 chips (bsc#1227149).
wifi: rtw89: change supported bandwidths of chip_info to bit mask (bsc#1227149).
wifi: rtw89: chan: MCC take reconfig into account (bsc#1227149).
wifi: rtw89: chan: move handling from add/remove to assign/unassign for MLO (bsc#1227149).
wifi: rtw89: chan: support MCC on Wi-Fi 7 chips (bsc#1227149).
wifi: rtw89: chan: tweak bitmap recalc ahead before MLO (bsc#1227149).
wifi: rtw89: chan: tweak weight recalc ahead before MLO (bsc#1227149).
wifi: rtw89: cleanup firmware elements parsing (bsc#1227149).
wifi: rtw89: cleanup private data structures (bsc#1227149).
wifi: rtw89: cleanup rtw89_iqk_info and related code (bsc#1227149).
wifi: rtw89: coex: add annotation __counted_by() for struct rtw89_btc_btf_set_slot_table (bsc#1227149).
wifi: rtw89: coex: add annotation __counted_by() to struct rtw89_btc_btf_set_mon_reg (bsc#1227149).
wifi: rtw89: coex: Add Bluetooth RSSI level information (bsc#1227149).
wifi: rtw89: coex: add BTC ctrl_info version 7 and related logic (bsc#1227149).
wifi: rtw89: coex: Add coexistence policy to decrease WiFi packet CRC-ERR (bsc#1227149).
wifi: rtw89: coex: add init_info H2C command format version 7 (bsc#1227149).
wifi: rtw89: coex: Add Pre-AGC control to enhance Wi-Fi RX performance (bsc#1227149).
wifi: rtw89: coex: add return value to ensure H2C command is success or not (bsc#1227149).
wifi: rtw89: coex: fix configuration for shared antenna for 8922A (bsc#1227149).
wifi: rtw89: coex: Fix wrong Wi-Fi role info and FDDT parameter members (bsc#1227149).
wifi: rtw89: coex: Record down Wi-Fi initial mode information (bsc#1227149).
wifi: rtw89: coex: Reorder H2C command index to align with firmware (bsc#1227149).
wifi: rtw89: coex: Set Bluetooth scan low-priority when Wi-Fi link/scan (bsc#1227149).
wifi: rtw89: coex: Still show hardware grant signal info even Wi-Fi is PS (bsc#1227149).
wifi: rtw89: coex: To improve Wi-Fi performance while BT is idle (bsc#1227149).
wifi: rtw89: coex: Translate antenna configuration from ID to string (bsc#1227149).
wifi: rtw89: coex: Update BTG control related logic (bsc#1227149).
wifi: rtw89: coex: Update coexistence policy for Wi-Fi LPS (bsc#1227149).
wifi: rtw89: coex: Update RF parameter control setting logic (bsc#1227149).
wifi: rtw89: coex: use struct assignment to replace memcpy() to append TDMA content (bsc#1227149).
wifi: rtw89: coex: When Bluetooth not available do not set power/gain (bsc#1227149).
wifi: rtw89: configure PPDU max user by chip (bsc#1227149).
wifi: rtw89: consider RX info for WiFi 7 chips (bsc#1227149).
wifi: rtw89: consolidate registers of mac port to struct (bsc#1227149).
wifi: rtw89: correct aSIFSTime for 6GHz band (stable-fixes).
wifi: rtw89: correct PHY register offset for PHY-1 (bsc#1227149).
wifi: rtw89: correct the DCFO tracking flow to improve CFO compensation (bsc#1227149).
wifi: rtw89: debug: add debugfs entry to disable dynamic mechanism (bsc#1227149).
wifi: rtw89: debug: add FW log component for scan (bsc#1227149).
wifi: rtw89: debug: add to check if debug mask is enabled (bsc#1227149).
wifi: rtw89: debug: remove wrapper of rtw89_debug() (bsc#1227149).
wifi: rtw89: debug: show txpwr table according to chip gen (bsc#1227149).
wifi: rtw89: debug: txpwr table access only valid page according to chip (bsc#1227149).
wifi: rtw89: debug: txpwr table supports Wi-Fi 7 chips (bsc#1227149).
wifi: rtw89: declare EXT NSS BW of VHT capability (bsc#1227149).
wifi: rtw89: declare MCC in interface combination (bsc#1227149).
wifi: rtw89: define hardware rate v1 for WiFi 7 chips (bsc#1227149).
wifi: rtw89: differentiate narrow_bw_ru_dis setting according to chip gen (bsc#1227149).
wifi: rtw89: disable RTS when broadcast/multicast (bsc#1227149).
wifi: rtw89: download firmware with five times retry (bsc#1227149).
wifi: rtw89: drop TIMING_BEACON_ONLY and sync beacon TSF by self (bsc#1227149).
wifi: rtw89: enlarge supported length of read_reg debugfs entry (bsc#1227149).
wifi: rtw89: extend PHY status parser to support WiFi 7 chips (bsc#1227149).
wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() (git-fixes).
wifi: rtw89: fix a width vs precision bug (bsc#1227149).
wifi: rtw89: Fix clang -Wimplicit-fallthrough in rtw89_query_sar() (bsc#1227149).
wifi: rtw89: fix disabling concurrent mode TX hang issue (bsc#1227149).
wifi: rtw89: fix HW scan not aborting properly (git-fixes).
wifi: rtw89: fix HW scan timeout due to TSF sync issue (bsc#1227149).
wifi: rtw89: fix misbehavior of TX beacon in concurrent mode (bsc#1227149).
wifi: rtw89: fix not entering PS mode after AP stops (bsc#1227149).
wifi: rtw89: fix null pointer access when abort scan (stable-fixes).
wifi: rtw89: fix spelling typo of IQK debug messages (bsc#1227149).
wifi: rtw89: fix typo of rtw89_fw_h2c_mcc_macid_bitmap() (bsc#1227149).
wifi: rtw89: fw: add checking type for variant type of firmware (bsc#1227149).
wifi: rtw89: fw: add chip_ops to update CMAC table to associated station (bsc#1227149).
wifi: rtw89: fw: add definition of H2C command and C2H event for MRC series (bsc#1227149).
wifi: rtw89: fw: add H2C command to reset CMAC table for WiFi 7 (bsc#1227149).
wifi: rtw89: fw: add H2C command to reset DMAC table for WiFi 7 (bsc#1227149).
wifi: rtw89: fw: add H2C command to update security CAM v2 (bsc#1227149).
wifi: rtw89: fw: add version field to BB MCU firmware element (bsc#1227149).
wifi: rtw89: fw: consider checksum length of security data (bsc#1227149).
wifi: rtw89: fw: download firmware with key data for secure boot (bsc#1227149).
wifi: rtw89: fw: extend JOIN H2C command to support WiFi 7 chips (bsc#1227149).
wifi: rtw89: fw: extend program counter dump for Wi-Fi 7 chip (bsc#1227149).
wifi: rtw89: fw: fill CMAC table to associated station for WiFi 7 chips (bsc#1227149).
wifi: rtw89: fw: generalize download firmware flow by mac_gen pointers (bsc#1227149).
wifi: rtw89: fw: implement MRC H2C command functions (bsc#1227149).
wifi: rtw89: fw: implement supported functions of download firmware for WiFi 7 chips (bsc#1227149).
wifi: rtw89: fw: load TX power track tables from fw_element (bsc#1227149).
wifi: rtw89: fw: move polling function of firmware path ready to an individual function (bsc#1227149).
wifi: rtw89: fw: parse secure section from firmware file (bsc#1227149).
wifi: rtw89: fw: propagate an argument include_bb for BB MCU firmware (bsc#1227149).
wifi: rtw89: fw: read firmware secure information from efuse (bsc#1227149).
wifi: rtw89: fw: refine download flow to support variant firmware suits (bsc#1227149).
wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband (bsc#1227149).
wifi: rtw89: fw: update TX AMPDU parameter to CMAC table (bsc#1227149).
wifi: rtw89: fw: use struct to fill BA CAM H2C commands (bsc#1227149).
wifi: rtw89: fw: use struct to fill JOIN H2C command (bsc#1227149).
wifi: rtw89: get data rate mode/NSS/MCS v1 from RX descriptor (bsc#1227149).
wifi: rtw89: indicate TX power by rate table inside RFE parameter (bsc#1227149).
wifi: rtw89: indicate TX shape table inside RFE parameter (bsc#1227149).
wifi: rtw89: initialize antenna for antenna diversity (bsc#1227149).
wifi: rtw89: initialize multi-channel handling (bsc#1227149).
wifi: rtw89: introduce infrastructure of firmware elements (bsc#1227149).
wifi: rtw89: introduce realtek ACPI DSM method (bsc#1227149).
wifi: rtw89: Introduce Time Averaged SAR (TAS) feature (bsc#1227149).
wifi: rtw89: introduce v1 format of firmware header (bsc#1227149).
wifi: rtw89: load BB parameters to PHY-1 (bsc#1227149).
wifi: rtw89: load RFK log format string from firmware file (bsc#1227149).
wifi: rtw89: load TX power by rate when RFE parms setup (bsc#1227149).
wifi: rtw89: load TX power related tables from FW elements (bsc#1227149).
wifi: rtw89: mac: add coexistence helpers {cfg/get}_plt (bsc#1227149).
wifi: rtw89: mac: add feature_init to initialize BA CAM V1 (bsc#1227149).
wifi: rtw89: mac: add flags to check if CMAC and DMAC are enabled (bsc#1227149).
wifi: rtw89: mac: add mac_gen_def::band1_offset to map MAC band1 register address (bsc#1227149).
wifi: rtw89: mac: add registers of MU-EDCA parameters for WiFi 7 chips (bsc#1227149).
wifi: rtw89: mac: add suffix _ax to MAC functions (bsc#1227149).
wifi: rtw89: mac: add sys_init and filter option for WiFi 7 chips (bsc#1227149).
wifi: rtw89: mac: add to access efuse for WiFi 7 chips (bsc#1227149).
wifi: rtw89: mac: add to get DLE reserved quota (bsc#1227149).
wifi: rtw89: mac: check queue empty according to chip gen (bsc#1227149).
wifi: rtw89: mac: correct MUEDCA setting for MAC-1 (bsc#1227149).
wifi: rtw89: mac: define internal memory address for WiFi 7 chip (bsc#1227149).
wifi: rtw89: mac: define register address of rx_filter to generalize code (bsc#1227149).
wifi: rtw89: mac: do bf_monitor only if WiFi 6 chips (bsc#1227149).
wifi: rtw89: mac: Fix spelling mistakes 'notfify' -> 'notify' (bsc#1227149).
wifi: rtw89: mac: functions to configure hardware engine and quota for WiFi 7 chips (bsc#1227149).
wifi: rtw89: mac: generalize code to indirectly access WiFi internal memory (bsc#1227149).
wifi: rtw89: mac: generalize register of MU-EDCA switch according to chip gen (bsc#1227149).
wifi: rtw89: mac: get TX power control register according to chip gen (bsc#1227149).
wifi: rtw89: mac: handle C2H receive/done ACK in interrupt context (bsc#1227149).
wifi: rtw89: mac: implement MRC C2H event handling (bsc#1227149).
wifi: rtw89: mac: implement to configure TX/RX engines for WiFi 7 chips (bsc#1227149).
wifi: rtw89: mac: move code related to hardware engine to individual functions (bsc#1227149).
wifi: rtw89: mac: refine SER setting during WiFi CPU power on (bsc#1227149).
wifi: rtw89: mac: reset PHY-1 hardware when going to enable/disable (bsc#1227149).
wifi: rtw89: mac: return held quota of DLE when changing MAC-1 (bsc#1227149).
wifi: rtw89: mac: set bf_assoc capabilities according to chip gen (bsc#1227149).
wifi: rtw89: mac: set bfee_ctrl() according to chip gen (bsc#1227149).
wifi: rtw89: mac: update RTS threshold according to chip gen (bsc#1227149).
wifi: rtw89: mac: use mac_gen pointer to access about efuse (bsc#1227149).
wifi: rtw89: mac: use pointer to access functions of hardware engine and quota (bsc#1227149).
wifi: rtw89: mcc: consider and determine BT duration (bsc#1227149).
wifi: rtw89: mcc: deal with beacon NoA if GO exists (bsc#1227149).
wifi: rtw89: mcc: deal with BT slot change (bsc#1227149).
wifi: rtw89: mcc: deal with P2P PS change (bsc#1227149).
wifi: rtw89: mcc: decide pattern and calculate parameters (bsc#1227149).
wifi: rtw89: mcc: fill fundamental configurations (bsc#1227149).
wifi: rtw89: mcc: fix NoA start time when GO is auxiliary (bsc#1227149).
wifi: rtw89: mcc: initialize start flow (bsc#1227149).
wifi: rtw89: mcc: track beacon offset and update when needed (bsc#1227149).
wifi: rtw89: mcc: trigger FW to start/stop MCC (bsc#1227149).
wifi: rtw89: mcc: update role bitmap when changed (bsc#1227149).
wifi: rtw89: modify the register setting and the flow of CFO tracking (bsc#1227149).
wifi: rtw89: move software DCFO compensation setting to proper position (bsc#1227149).
wifi: rtw89: only reset BB/RF for existing WiFi 6 chips while starting up (bsc#1227149).
wifi: rtw89: packet offload wait for FW response (bsc#1227149).
wifi: rtw89: parse and print out RFK log from C2H events (bsc#1227149).
wifi: rtw89: parse EHT information from RX descriptor and PPDU status packet (bsc#1227149).
wifi: rtw89: parse TX EHT rate selected by firmware from RA C2H report (bsc#1227149).
wifi: rtw89: pause/proceed MCC for ROC and HW scan (bsc#1227149).
wifi: rtw89: pci: add LTR v2 for WiFi 7 chip (bsc#1227149).
wifi: rtw89: pci: add new RX ring design to determine full RX ring efficiently (bsc#1227149).
wifi: rtw89: pci: add PCI generation information to pci_info for each chip (bsc#1227149).
wifi: rtw89: pci: add pre_deinit to be called after probe complete (bsc#1227149).
wifi: rtw89: pci: correct interrupt mitigation register for 8852CE (bsc#1227149).
wifi: rtw89: pci: correct TX resource checking for PCI DMA channel of firmware command (git-fixes).
wifi: rtw89: pci: define PCI ring address for WiFi 7 chips (bsc#1227149).
wifi: rtw89: pci: enlarge RX DMA buffer to consider size of RX descriptor (stable-fixes).
wifi: rtw89: pci: fix interrupt enable mask for HALT C2H of RTL8851B (bsc#1227149).
wifi: rtw89: pci: generalize code of PCI control DMA IO for WiFi 7 (bsc#1227149).
wifi: rtw89: pci: generalize interrupt status bits of interrupt handlers (bsc#1227149).
wifi: rtw89: pci: implement PCI CLK/ASPM/L1SS for WiFi 7 chips (bsc#1227149).
wifi: rtw89: pci: implement PCI mac_post_init for WiFi 7 chips (bsc#1227149).
wifi: rtw89: pci: implement PCI mac_pre_init for WiFi 7 chips (bsc#1227149).
wifi: rtw89: pci: interrupt v2 refine IMR for SER (bsc#1227149).
wifi: rtw89: pci: reset BDRAM according to chip gen (bsc#1227149).
wifi: rtw89: pci: stop/start DMA for level 1 recovery according to chip gen (bsc#1227149).
wifi: rtw89: pci: update interrupt mitigation register for 8922AE (bsc#1227149).
wifi: rtw89: pci: update SER timer unit and timeout time (bsc#1227149).
wifi: rtw89: pci: use DBI function for 8852AE/8852BE/8851BE (bsc#1227149).
wifi: rtw89: pci: use gen_def pointer to configure mac_{pre,post}_init and clear PCI ring index (bsc#1227149).
wifi: rtw89: pci: validate RX tag for RXQ and RPQ (bsc#1227149).
wifi: rtw89: phy: add BB wrapper of TX power for WiFi 7 chips (bsc#1227149).
wifi: rtw89: phy: add parser to support RX gain dynamic setting flow (bsc#1227149).
wifi: rtw89: phy: add phy_gen_def::cr_base to support WiFi 7 chips (bsc#1227149).
wifi: rtw89: phy: change naming related BT coexistence functions (bsc#1227149).
wifi: rtw89: phy: dynamically adjust EDCCA threshold (bsc#1227149).
wifi: rtw89: phy: extend TX power common stuffs for Wi-Fi 7 chips (bsc#1227149).
wifi: rtw89: phy: generalize valid bit of BSS color (bsc#1227149).
wifi: rtw89: phy: ignore special data from BB parameter file (bsc#1227149).
wifi: rtw89: phy: modify register setting of ENV_MNTR, PHYSTS and DIG (bsc#1227149).
wifi: rtw89: phy: move bb_gain_info used by WiFi 6 chips to union (bsc#1227149).
wifi: rtw89: phy: print out RFK log with formatted string (bsc#1227149).
wifi: rtw89: phy: rate pattern handles HW rate by chip gen (bsc#1227149).
wifi: rtw89: phy: refine helpers used for raw TX power (bsc#1227149).
wifi: rtw89: phy: set channel_info for WiFi 7 chips (bsc#1227149).
wifi: rtw89: phy: set TX power by rate according to chip gen (bsc#1227149).
wifi: rtw89: phy: set TX power limit according to chip gen (bsc#1227149).
wifi: rtw89: phy: set TX power offset according to chip gen (bsc#1227149).
wifi: rtw89: phy: set TX power RU limit according to chip gen (bsc#1227149).
wifi: rtw89: prepare scan leaf functions for wifi 7 ICs (bsc#1227149).
wifi: rtw89: process regulatory for 6 GHz power type (bsc#1227149).
wifi: rtw89: provide functions to configure NoA for beacon update (bsc#1227149).
wifi: rtw89: recognize log format from firmware file (bsc#1227149).
wifi: rtw89: reference quota mode when setting Tx power (bsc#1227149).
wifi: rtw89: Refine active scan behavior in 6 GHz (bsc#1227149).
wifi: rtw89: refine add_chan H2C command to encode_bits (bsc#1227149).
wifi: rtw89: refine bandwidth 160MHz uplink OFDMA performance (bsc#1227149).
wifi: rtw89: refine clearing supported bands to check 2/5 GHz first (bsc#1227149).
wifi: rtw89: refine element naming used by queue empty check (bsc#1227149).
wifi: rtw89: refine H2C command that pause transmitting by MAC ID (bsc#1227149).
wifi: rtw89: refine hardware scan C2H events (bsc#1227149).
wifi: rtw89: refine packet offload delete flow of 6 GHz probe (bsc#1227149).
wifi: rtw89: refine packet offload handling under SER (bsc#1227149).
wifi: rtw89: refine remain on channel flow to improve P2P connection (bsc#1227149).
wifi: rtw89: refine rtw89_correct_cck_chan() by rtw89_hw_to_nl80211_band() (bsc#1227149).
wifi: rtw89: refine uplink trigger based control mechanism (bsc#1227149).
wifi: rtw89: regd: configure Thailand in regulation type (bsc#1227149).
wifi: rtw89: regd: handle policy of 6 GHz according to BIOS (bsc#1227149).
wifi: rtw89: regd: judge 6 GHz according to chip and BIOS (bsc#1227149).
wifi: rtw89: regd: judge UNII-4 according to BIOS and chip (bsc#1227149).
wifi: rtw89: regd: update regulatory map to R64-R40 (bsc#1227149).
wifi: rtw89: regd: update regulatory map to R64-R43 (bsc#1227149).
wifi: rtw89: regd: update regulatory map to R65-R44 (bsc#1227149).
wifi: rtw89: release bit in rtw89_fw_h2c_del_pkt_offload() (bsc#1227149).
wifi: rtw89: return failure if needed firmware elements are not recognized (bsc#1227149).
wifi: rtw89: rfk: add a completion to wait RF calibration report from C2H event (bsc#1227149).
wifi: rtw89: rfk: add H2C command to trigger DACK (bsc#1227149).
wifi: rtw89: rfk: add H2C command to trigger DPK (bsc#1227149).
wifi: rtw89: rfk: add H2C command to trigger IQK (bsc#1227149).
wifi: rtw89: rfk: add H2C command to trigger RX DCK (bsc#1227149).
wifi: rtw89: rfk: add H2C command to trigger TSSI (bsc#1227149).
wifi: rtw89: rfk: add H2C command to trigger TXGAPK (bsc#1227149).
wifi: rtw89: rfk: disable driver tracking during MCC (bsc#1227149).
wifi: rtw89: rfk: send channel information to firmware for RF calibrations (bsc#1227149).
wifi: rtw89: sar: let caller decide the center frequency to query (bsc#1227149).
wifi: rtw89: scan offload wait for FW done ACK (bsc#1227149).
wifi: rtw89: ser: L1 add pre-M0 and post-M0 states (bsc#1227149).
wifi: rtw89: ser: reset total_sta_assoc and tdls_peer when L2 (bsc#1227149).
wifi: rtw89: set capability of TX antenna diversity (bsc#1227149).
wifi: rtw89: Set default CQM config if not present (bsc#1227149).
wifi: rtw89: set entry size of address CAM to H2C field by chip (bsc#1227149).
wifi: rtw89: set TX power without precondition during setting channel (bsc#1227149).
wifi: rtw89: show EHT rate in debugfs (bsc#1227149).
wifi: rtw89: support firmware log with formatted text (bsc#1227149).
wifi: rtw89: support U-NII-4 channels on 5GHz band (bsc#1227149).
wifi: rtw89: suppress the log for specific SER called CMDPSR_FRZTO (bsc#1227149).
wifi: rtw89: tweak H2C TX waiting function for SER (bsc#1227149).
wifi: rtw89: TX power stuffs replace confusing naming of _max with _num (bsc#1227149).
wifi: rtw89: update DMA function with different generation (bsc#1227149).
wifi: rtw89: Update EHT PHY beamforming capability (bsc#1227149).
wifi: rtw89: update ps_state register for chips with different generation (bsc#1227149).
wifi: rtw89: update scan C2H messages for wifi 7 IC (bsc#1227149).
wifi: rtw89: update suspend/resume for different generation (bsc#1227149).
wifi: rtw89: use chip_info::small_fifo_size to choose debug_mask (bsc#1227149).
wifi: rtw89: use flexible array member in rtw89_btc_btf_tlv (bsc#1227149).
wifi: rtw89: use PLCP information to match BSS_COLOR and AID (bsc#1227149).
wifi: rtw89: use struct and le32_get_bits() to access received PHY status IEs (bsc#1227149).
wifi: rtw89: use struct and le32_get_bits() to access RX descriptor (bsc#1227149).
wifi: rtw89: use struct and le32_get_bits to access RX info (bsc#1227149).
wifi: rtw89: use struct rtw89_phy_sts_ie0 instead of macro to access PHY IE0 status (bsc#1227149).
wifi: rtw89: use struct to access firmware C2H event header (bsc#1227149).
wifi: rtw89: use struct to access RA report (bsc#1227149).
wifi: rtw89: use struct to access register-based H2C/C2H (bsc#1227149).
wifi: rtw89: use struct to fill H2C command to download beacon frame (bsc#1227149).
wifi: rtw89: use struct to parse firmware header (bsc#1227149).
wifi: rtw89: use struct to set RA H2C command (bsc#1227149).
wifi: rtw89: wow: move release offload packet earlier for WoWLAN mode (bsc#1227149).
wifi: rtw89: wow: refine WoWLAN flows of HCI interrupts and low power mode (bsc#1227149).
wifi: rtw89: wow: set security engine options for 802.11ax chips only (bsc#1227149).
wifi: rtw89: wow: update config mac function with different generation (bsc#1227149).
wifi: rtw89: wow: update WoWLAN reason register for different chips (bsc#1227149).
wifi: rtw89: wow: update WoWLAN status register for different generation (bsc#1227149).
wifi: ti: wlcore: sdio: Drop unused include (bsc#1227149).
wifi: virt_wifi: avoid reporting connection success with wrong SSID (git-fixes).
wifi: virt_wifi: do not use strlen() in const context (git-fixes).
wifi: wcn36xx: Annotate struct wcn36xx_hal_ind_msg with __counted_by (bsc#1227149).
wifi: wcn36xx: Convert to platform remove callback returning void (bsc#1227149).
wifi: wcn36xx: remove unnecessary (void*) conversions (bsc#1227149).
wifi: wext: avoid extra calls to strlen() in ieee80211_bss() (bsc#1227149).
wifi: wfx: allow to send frames during ROC (bsc#1227149).
wifi: wfx: fix power_save setting when AP is stopped (bsc#1227149).
wifi: wfx: implement wfx_remain_on_channel() (bsc#1227149).
wifi: wfx: introduce hif_scan_uniq() (bsc#1227149).
wifi: wfx: move wfx_skb_*() out of the header file (bsc#1227149).
wifi: wfx: relocate wfx_rate_mask_to_hw() (bsc#1227149).
wifi: wfx: scan_lock is global to the device (bsc#1227149).
wifi: wfx: simplify exclusion between scan and Rx filters (bsc#1227149).
wifi: wfx: Use devm_kmemdup to replace devm_kmalloc + memcpy (bsc#1227149).
wifi: wil6210: fw: Replace zero-length arrays with DECLARE_FLEX_ARRAY() helper (bsc#1227149).
wifi: wil6210: wmi: Replace zero-length array with DECLARE_FLEX_ARRAY() helper (bsc#1227149).
wifi: wilc1000: add back-off algorithm to balance tx queue packets (bsc#1227149).
wifi: wilc1000: add missing read critical sections around vif list traversal (bsc#1227149).
wifi: wilc1000: add SPI commands retry mechanism (bsc#1227149).
wifi: wilc1000: always release SDIO host in wilc_sdio_cmd53() (bsc#1227149).
wifi: wilc1000: cleanup struct wilc_conn_info (bsc#1227149).
wifi: wilc1000: correct CRC7 calculation (bsc#1227149).
wifi: wilc1000: fix declarations ordering (bsc#1227149).
wifi: wilc1000: fix driver_handler when committing initial configuration (bsc#1227149).
wifi: wilc1000: fix ies_len type in connect path (git-fixes).
wifi: wilc1000: fix incorrect power down sequence (bsc#1227149).
wifi: wilc1000: Increase ASSOC response buffer (bsc#1227149).
wifi: wilc1000: remove AKM suite be32 conversion for external auth request (bsc#1227149).
wifi: wilc1000: remove setting msg.spi (bsc#1227149).
wifi: wilc1000: Remove unused declarations (bsc#1227149).
wifi: wilc1000: remove use of has_thrpt_enh3 flag (bsc#1227149).
wifi: wilc1000: set preamble size to auto as default in wilc_init_fw_config() (bsc#1227149).
wifi: wilc1000: simplify remain on channel support (bsc#1227149).
wifi: wilc1000: simplify wilc_scan() (bsc#1227149).
wifi: wilc1000: split deeply nested RCU list traversal in dedicated helper (bsc#1227149).
wifi: wilc1000: use SRCU instead of RCU for vif list traversal (bsc#1227149).
wifi: wilc1000: validate chip id during bus probe (bsc#1227149).
wifi: wl1251: replace deprecated strncpy with strscpy (bsc#1227149).
wifi: wl18xx: replace deprecated strncpy with strscpy (bsc#1227149).
wifi: wlcore: boot: replace deprecated strncpy with strscpy (bsc#1227149).
wifi: wlcore: main: replace deprecated strncpy with strscpy (bsc#1227149).
wifi: wlcore: sdio: Rate limit wl12xx_sdio_raw_{read,write}() failures warns (bsc#1227149).
wifi: wlcore: sdio: Use module_sdio_driver macro to simplify the code (bsc#1227149).
wifi: zd1211rw: fix typo 'tranmits' (bsc#1227149).
wifi: zd1211rw: remove __nocast from zd_addr_t (bsc#1227149).
wifi: zd1211rw: silence sparse warnings (bsc#1227149).
wireguard: netlink: access device through ctx instead of peer (git-fixes).
wireguard: netlink: check for dangling peer via is_dead instead of empty list (git-fixes).
wireguard: receive: annotate data-race around receiving_counter.counter (git-fixes).
wlcore: spi: Remove redundant of_match_ptr() (bsc#1227149).
Workaround broken chacha crypto fallback (bsc#1218205).
work around gcc bugs with 'asm goto' with outputs (git-fixes).
X.509: Fix the parser of extended key usage for length (bsc#1218820).
x86/amd_nb: Check for invalid SMN reads (git-fixes).
x86/apic: Force native_apic_mem_read() to use the MOV instruction (git-fixes).
x86/asm: Fix build of UML with KASAN (git-fixes).
x86/asm: Remove the __iomem annotation of movdir64b()'s dst argument (git-fixes).
x86/bhi: Avoid warning in #DB handler due to BHI mitigation :(git-fixes).
x86/boot: Ignore NMIs during very early boot (git-fixes).
x86/bugs: Fix BHI retpoline check (git-fixes).
x86/bugs: Fix the SRSO mitigation on Zen3/4 (git-fixes).
x86/bugs: Remove default case for fully switched enums (git-fixes).
x86/calldepth: Rename __x86_return_skl() to call_depth_return_thunk() (git-fixes).
x86/coco: Require seeding RNG with RDRAND on CoCo systems (git-fixes).
x86/cpu: Add model number for Intel Arrow Lake mobile processor (git-fixes).
x86/CPU/AMD: Add models 0x10-0x1f to the Zen5 range (git-fixes).
x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ (git-fixes).
x86/cpu: Provide default cache line size if not enumerated (git-fixes).
x86/csum: clean up `csum_partial' further (git-fixes).
x86/csum: Fix clang -Wuninitialized in csum_partial() (git-fixes).
x86/csum: Improve performance of csum_partial (git-fixes).
x86/csum: Remove unnecessary odd handling (git-fixes).
x86/efistub: Add missing boot_params for mixed mode compat entry (git-fixes).
x86/efistub: Call mixed mode boot services on the firmware's stack (git-fixes).
x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup (git-fixes).
x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD (git-fixes).
x86/head/64: Move the __head definition to <asm/init.h> (git-fixes).
x86/hyperv: Allow 15-bit APIC IDs for VTL platforms (git-fixes).
x86/hyperv: Use per cpu initial stack for vtl context (git-fixes).
x86/insn: Add VEX versions of VPDPBUSD, VPDPBUSDS, VPDPWSSD and VPDPWSSDS (git-fixes).
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map (git-fixes).
x86/kconfig: Add as-instr64 macro to properly evaluate AS_WRUSS (git-fixes).
x86/Kconfig: Remove CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT (git-fixes).
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y (git-fixes).
x86/kexec: Fix bug with call depth tracking (git-fixes).
x86/kvm/Kconfig: Have KVM_AMD_SEV select ARCH_HAS_CC_PLATFORM (git-fixes).
x86/mce: Dynamically size space for machine check records (bsc#1222241).
x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() (git-fixes).
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel (git-fixes).
x86/nmi: Drop unused declaration of proc_nmi_enabled() (git-fixes).
x86/nmi: Fix the inverse 'in NMI handler' check (git-fixes).
x86/nospec: Refactor UNTRAIN_RET[_*] (git-fixes).
x86/pm: Work around false positive kmemleak report in msr_build_context() (git-fixes).
x86/purgatory: Switch to the position-independent small code model (git-fixes).
x86/resctrl: Read supported bandwidth sources from CPUID (git-fixes).
x86/resctrl: Remove redundant variable in mbm_config_write_domain() (git-fixes).
x86/rethunk: Use SYM_CODE_START[_LOCAL]_NOALIGN macros (git-fixes).
x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk (git-fixes).
x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO (git-fixes).
x86/sev: Fix position dependent variable references in startup code (git-fixes).
x86/shstk: Make return uprobe work with shadow stack (git-fixes).
x86/speculation, objtool: Use absolute relocations for annotations (git-fixes).
x86/srso: Disentangle rethunk-dependent options (git-fixes).
x86/srso: Fix unret validation dependencies (git-fixes).
x86/srso: Improve i-cache locality for alias mitigation (git-fixes).
x86/srso: Print actual mitigation if requested mitigation isn't possible (git-fixes).
x86/srso: Remove 'pred_cmd' label (git-fixes).
x86/srso: Unexport untraining functions (git-fixes).
x86: Stop using weak symbols for __iowrite32_copy() (bsc#1226502)
x86/tdx: Preserve shared bit on mprotect() (git-fixes).
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs (bsc#1222015 bsc#1226962).
x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking (git-fixes).
x86/xen: Add some null pointer checking to smp.c (git-fixes).
x86/xen: attempt to inflate the memory balloon on PVH (git-fixes).
xdp, bonding: Fix feature flags when there are no slave devs anymore (git-fixes).
xen/events: drop xen_allocate_irqs_dynamic() (git-fixes).
xen/events: fix error code in xen_bind_pirq_msi_to_irq() (git-fixes).
xen/events: increment refcnt only if event channel is refcounted (git-fixes).
xen/events: modify internal [un]bind interfaces (git-fixes).
xen/events: reduce externally visible helper functions (git-fixes).
xen/events: remove some simple helpers from events_base.c (git-fixes).
xen: evtchn: Allow shared registration of IRQ handers (git-fixes).
xen/evtchn: avoid WARN() when unbinding an event channel (git-fixes).
xen-netfront: Add missing skb_mark_for_recycle (git-fixes).
xen/x86: add extra pages to unpopulated-alloc if available (git-fixes).
xfs: Add cond_resched to block unmap range and reflink remap path (bsc#1228211).
xfs: add lock protection when remove perag from radix tree (git-fixes).
xfs: allow extent free intents to be retried (git-fixes).
xfs: fix perag leak when growfs fails (git-fixes).
xfs: force all buffers to be written during btree bulk load (git-fixes).
xfs: make xchk_iget safer in the presence of corrupt inode btrees (git-fixes).
xfs: pass the xfs_defer_pending object to iop_recover (git-fixes).
xfs: recompute growfsrtfree transaction reservation while growing rt volume (git-fixes).
xfs: transfer recovered intent item ownership in ->iop_recover (git-fixes).
xfs: use roundup_pow_of_two instead of ffs during xlog_find_tail (git-fixes).
xfs: use xfs_defer_pending objects to recover intent items (git-fixes).
xhci: add helper that checks for unhandled events on a event ring (git-fixes).
xhci: always resume roothubs if xHC was reset during resume (stable-fixes).
xhci: Apply broken streams quirk to Etron EJ188 xHCI host (stable-fixes).
xhci: Apply reset resume quirk to Etron EJ188 xHCI host (stable-fixes).
xhci: Handle TD clearing for multiple streams case (git-fixes).
xhci: remove unnecessary event_ring_deq parameter from xhci_handle_event() (git-fixes).
xhci: Set correct transferred length for cancelled bulk transfers (stable-fixes).
xhci: simplify event ring dequeue tracking for transfer events (git-fixes).
xsk: Add truesize to skb_add_rx_frag() (bsc#1214683 (PREEMPT_RT prerequisite backports)).

Список пакетов

SUSE Linux Enterprise Live Patching 15 SP6

kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6

cluster-md-kmp-rt-6.4.0-150600.10.5.1

dlm-kmp-rt-6.4.0-150600.10.5.1

gfs2-kmp-rt-6.4.0-150600.10.5.1

kernel-devel-rt-6.4.0-150600.10.5.1

kernel-rt-6.4.0-150600.10.5.1

kernel-rt-devel-6.4.0-150600.10.5.1

kernel-rt_debug-6.4.0-150600.10.5.1

kernel-rt_debug-devel-6.4.0-150600.10.5.1

kernel-source-rt-6.4.0-150600.10.5.1

kernel-syms-rt-6.4.0-150600.10.5.1

ocfs2-kmp-rt-6.4.0-150600.10.5.1

openSUSE Leap 15.6

cluster-md-kmp-rt-6.4.0-150600.10.5.1

dlm-kmp-rt-6.4.0-150600.10.5.1

gfs2-kmp-rt-6.4.0-150600.10.5.1

kernel-devel-rt-6.4.0-150600.10.5.1

kernel-rt-6.4.0-150600.10.5.1

kernel-rt-devel-6.4.0-150600.10.5.1

kernel-rt-extra-6.4.0-150600.10.5.1

kernel-rt-livepatch-devel-6.4.0-150600.10.5.1

kernel-rt-optional-6.4.0-150600.10.5.1

kernel-rt-vdso-6.4.0-150600.10.5.1

kernel-rt_debug-6.4.0-150600.10.5.1

kernel-rt_debug-devel-6.4.0-150600.10.5.1

kernel-rt_debug-livepatch-devel-6.4.0-150600.10.5.1

kernel-rt_debug-vdso-6.4.0-150600.10.5.1

kernel-source-rt-6.4.0-150600.10.5.1

kernel-syms-rt-6.4.0-150600.10.5.1

kselftests-kmp-rt-6.4.0-150600.10.5.1

ocfs2-kmp-rt-6.4.0-150600.10.5.1

reiserfs-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/support/update/announcement/2024/suse-su-20242973-1/
Link for SUSE-SU-2024:2973-1
https://lists.suse.com/pipermail/sle-security-updates/2024-August/019280.html
E-Mail link for SUSE-SU-2024:2973-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1012628
SUSE Bug 1012628
https://bugzilla.suse.com/1065729
SUSE Bug 1065729
https://bugzilla.suse.com/1181674
SUSE Bug 1181674
https://bugzilla.suse.com/1186716
SUSE Bug 1186716
https://bugzilla.suse.com/1187716
SUSE Bug 1187716
https://bugzilla.suse.com/1193599
SUSE Bug 1193599
https://bugzilla.suse.com/1194869
SUSE Bug 1194869
https://bugzilla.suse.com/1195775
SUSE Bug 1195775
https://bugzilla.suse.com/1204562
SUSE Bug 1204562
https://bugzilla.suse.com/1207948
SUSE Bug 1207948
https://bugzilla.suse.com/1208593
SUSE Bug 1208593
https://bugzilla.suse.com/1209657
SUSE Bug 1209657
https://bugzilla.suse.com/1209834
SUSE Bug 1209834
https://bugzilla.suse.com/1213573
SUSE Bug 1213573
https://bugzilla.suse.com/1214683
SUSE Bug 1214683
https://bugzilla.suse.com/1214852
SUSE Bug 1214852
https://bugzilla.suse.com/1215199
SUSE Bug 1215199

Описание

In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Don't overflow in peek() When we started spreading new inode numbers throughout most of the 64 bit inode space, that triggered some corner case bugs, in particular some integer overflows related to the radix tree code. Oops.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47432.html
CVE-2021-47432
https://bugzilla.suse.com/1225391
SUSE Bug 1225391

Описание

In the Linux kernel, the following vulnerability has been resolved: media: lgdt3306a: Add a check against null-pointer-def The driver should check whether the client provides the platform_data. The following log reveals it: [ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40 [ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414 [ 29.612820] Call Trace: [ 29.613030] <TASK> [ 29.613201] dump_stack_lvl+0x56/0x6f [ 29.613496] ? kmemdup+0x30/0x40 [ 29.613754] print_report.cold+0x494/0x6b7 [ 29.614082] ? kmemdup+0x30/0x40 [ 29.614340] kasan_report+0x8a/0x190 [ 29.614628] ? kmemdup+0x30/0x40 [ 29.614888] kasan_check_range+0x14d/0x1d0 [ 29.615213] memcpy+0x20/0x60 [ 29.615454] kmemdup+0x30/0x40 [ 29.615700] lgdt3306a_probe+0x52/0x310 [ 29.616339] i2c_device_probe+0x951/0xa90

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48772.html
CVE-2022-48772
https://bugzilla.suse.com/1226976
SUSE Bug 1226976

Описание

A deadlock flaw was found in the Linux kernel's BPF subsystem. This flaw allows a local user to potentially crash the system.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-0160.html
CVE-2023-0160
https://bugzilla.suse.com/1209657
SUSE Bug 1209657

Описание

Improper input validation for some Intel(R) PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-38417.html
CVE-2023-38417
https://bugzilla.suse.com/1225600
SUSE Bug 1225600

Описание

Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-47210.html
CVE-2023-47210
https://bugzilla.suse.com/1225601
SUSE Bug 1225601

Описание

An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-51780.html
CVE-2023-51780
https://bugzilla.suse.com/1218730
SUSE Bug 1218730
https://bugzilla.suse.com/1218733
SUSE Bug 1218733
https://bugzilla.suse.com/1220191
SUSE Bug 1220191
https://bugzilla.suse.com/1221578
SUSE Bug 1221578
https://bugzilla.suse.com/1221598
SUSE Bug 1221598
https://bugzilla.suse.com/1224298
SUSE Bug 1224298
https://bugzilla.suse.com/1224878
SUSE Bug 1224878

Описание

In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able to crash the kernel in skb_segment() [1] GSO_BY_FRAGS is a forbidden value, but unfortunately the following computation in skb_segment() can reach it quite easily : mss = mss * partial_segs; 65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to a bad final result. Make sure to limit segmentation so that the new mss value is smaller than GSO_BY_FRAGS. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0 R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046 FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626 __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f8692032aa9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9 RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480 R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R0 ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52435.html
CVE-2023-52435
https://bugzilla.suse.com/1220138
SUSE Bug 1220138

Описание

In the Linux kernel, the following vulnerability has been resolved: block: add check that partition length needs to be aligned with block size Before calling add partition or resize partition, there is no check on whether the length is aligned with the logical block size. If the logical block size of the disk is larger than 512 bytes, then the partition size maybe not the multiple of the logical block size, and when the last sector is read, bio_truncate() will adjust the bio size, resulting in an IO error if the size of the read command is smaller than the logical block size.If integrity data is supported, this will also result in a null pointer dereference when calling bio_integrity_free.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52458.html
CVE-2023-52458
https://bugzilla.suse.com/1220428
SUSE Bug 1220428

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: rsa - add a check for allocation failure Static checkers insist that the mpi_alloc() allocation can fail so add a check to prevent a NULL dereference. Small allocations like this can't actually fail in current kernels, but adding a check is very simple and makes the static checkers happy.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52472.html
CVE-2023-52472
https://bugzilla.suse.com/1220427
SUSE Bug 1220427
https://bugzilla.suse.com/1220430
SUSE Bug 1220430

Описание

In the Linux kernel, the following vulnerability has been resolved: tee: amdtee: fix use-after-free vulnerability in amdtee_close_session There is a potential race condition in amdtee_close_session that may cause use-after-free in amdtee_open_session. For instance, if a session has refcount == 1, and one thread tries to free this session via: kref_put(&sess->refcount, destroy_session); the reference count will get decremented, and the next step would be to call destroy_session(). However, if in another thread, amdtee_open_session() is called before destroy_session() has completed execution, alloc_session() may return 'sess' that will be freed up later in destroy_session() leading to use-after-free in amdtee_open_session. To fix this issue, treat decrement of sess->refcount and removal of 'sess' from session list in destroy_session() as a critical section, so that it is executed atomically.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52503.html
CVE-2023-52503
https://bugzilla.suse.com/1220915
SUSE Bug 1220915

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init When the mpi_ec_ctx structure is initialized, some fields are not cleared, causing a crash when referencing the field when the structure was released. Initially, this issue was ignored because memory for mpi_ec_ctx is allocated with the __GFP_ZERO flag. For example, this error will be triggered when calculating the Za value for SM2 separately.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52616.html
CVE-2023-52616
https://bugzilla.suse.com/1221612
SUSE Bug 1221612

Описание

In the Linux kernel, the following vulnerability has been resolved: block/rnbd-srv: Check for unlikely string overflow Since "dev_search_path" can technically be as large as PATH_MAX, there was a risk of truncation when copying it and a second string into "full_path" since it was also PATH_MAX sized. The W=1 builds were reporting this warning: drivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra': drivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=] 616 | snprintf(full_path, PATH_MAX, "%s/%s", | ^~ In function 'rnbd_srv_get_full_path', inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096 616 | snprintf(full_path, PATH_MAX, "%s/%s", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 617 | dev_search_path, dev_name); | ~~~~~~~~~~~~~~~~~~~~~~~~~~ To fix this, unconditionally check for truncation (as was already done for the case where "%SESSNAME%" was present).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52618.html
CVE-2023-52618
https://bugzilla.suse.com/1221615
SUSE Bug 1221615

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid online resizing failures due to oversized flex bg When we online resize an ext4 filesystem with a oversized flexbg_size, mkfs.ext4 -F -G 67108864 $dev -b 4096 100M mount $dev $dir resize2fs $dev 16G the following WARN_ON is triggered: ================================================================== WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550 Modules linked in: sg(E) CPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314 RIP: 0010:__alloc_pages+0x411/0x550 Call Trace: <TASK> __kmalloc_large_node+0xa2/0x200 __kmalloc+0x16e/0x290 ext4_resize_fs+0x481/0xd80 __ext4_ioctl+0x1616/0x1d90 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0xf0/0x150 do_syscall_64+0x3b/0x90 ================================================================== This is because flexbg_size is too large and the size of the new_group_data array to be allocated exceeds MAX_ORDER. Currently, the minimum value of MAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding maximum number of groups that can be allocated is: (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ~ 21845 And the value that is down-aligned to the power of 2 is 16384. Therefore, this value is defined as MAX_RESIZE_BG, and the number of groups added each time does not exceed this value during resizing, and is added multiple times to complete the online resizing. The difference is that the metadata in a flex_bg may be more dispersed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52622.html
CVE-2023-52622
https://bugzilla.suse.com/1222080
SUSE Bug 1222080

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix an NULL dereference bug The issue here is when this is called from ntfs_load_attr_list(). The "size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow on a 64bit systems but on 32bit systems the "+ 1023" can overflow and the result is zero. This means that the kmalloc will succeed by returning the ZERO_SIZE_PTR and then the memcpy() will crash with an Oops on the next line.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52631.html
CVE-2023-52631
https://bugzilla.suse.com/1222264
SUSE Bug 1222264

Описание

In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Synchronize devfreq_monitor_[start/stop] There is a chance if a frequent switch of the governor done in a loop result in timer list corruption where timer cancel being done from two place one from cancel_delayed_work_sync() and followed by expire_timers() can be seen from the traces[1]. while true do echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor done It looks to be issue with devfreq driver where device_monitor_[start/stop] need to synchronized so that delayed work should get corrupted while it is either being queued or running or being cancelled. Let's use polling flag and devfreq lock to synchronize the queueing the timer instance twice and work data being corrupted. [1] ... .. <idle>-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428 <idle>-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c <idle>-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428 kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227 vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428 vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428 vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532 vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428 xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428 [2] 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a [ 9436.261664][ C4] Mem abort info: [ 9436.261666][ C4] ESR = 0x96000044 [ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits [ 9436.261671][ C4] SET = 0, FnV = 0 [ 9436.261673][ C4] EA = 0, S1PTW = 0 [ 9436.261675][ C4] Data abort info: [ 9436.261677][ C4] ISV = 0, ISS = 0x00000044 [ 9436.261680][ C4] CM = 0, WnR = 1 [ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges [ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP [ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0 ... [ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1 [ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT) [ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--) [ 9436.262161][ C4] pc : expire_timers+0x9c/0x438 [ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438 [ 9436.262168][ C4] sp : ffffffc010023dd0 [ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18 [ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008 [ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280 [ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122 [ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80 [ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038 [ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201 [ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100 [ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8 [ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff [ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122 [ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8 [ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101 [ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8 ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52635.html
CVE-2023-52635
https://bugzilla.suse.com/1222294
SUSE Bug 1222294

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix oob in ntfs_listxattr The length of name cannot exceed the space occupied by ea.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52640.html
CVE-2023-52640
https://bugzilla.suse.com/1222301
SUSE Bug 1222301

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame() It is preferable to exit through the out: label because internal debugging functions are located there.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52641.html
CVE-2023-52641
https://bugzilla.suse.com/1222303
SUSE Bug 1222303

Описание

In the Linux kernel, the following vulnerability has been resolved: pmdomain: mediatek: fix race conditions with genpd If the power domains are registered first with genpd and *after that* the driver attempts to power them on in the probe sequence, then it is possible that a race condition occurs if genpd tries to power them on in the same time. The same is valid for powering them off before unregistering them from genpd. Attempt to fix race conditions by first removing the domains from genpd and *after that* powering down domains. Also first power up the domains and *after that* register them to genpd.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52645.html
CVE-2023-52645
https://bugzilla.suse.com/1223033
SUSE Bug 1223033

Описание

In the Linux kernel, the following vulnerability has been resolved: NTB: fix possible name leak in ntb_register_device() If device_register() fails in ntb_register_device(), the device name allocated by dev_set_name() should be freed. As per the comment in device_register(), callers should use put_device() to give up the reference in the error path. So fix this by calling put_device() in the error path so that the name can be freed in kobject_cleanup(). As a result of this, put_device() in the error path of ntb_register_device() is removed and the actual error is returned. [mani: reworded commit message]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52652.html
CVE-2023-52652
https://bugzilla.suse.com/1223686
SUSE Bug 1223686

Описание

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix a memleak in gss_import_v2_context The ctx->mech_used.data allocated by kmemdup is not freed in neither gss_import_v2_context nor it only caller gss_krb5_import_sec_context, which frees ctx on error. Thus, this patch reform the last call of gss_import_v2_context to the gss_krb5_import_ctx_v2, preventing the memleak while keepping the return formation.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52653.html
CVE-2023-52653
https://bugzilla.suse.com/1223712
SUSE Bug 1223712

Описание

In the Linux kernel, the following vulnerability has been resolved: io_uring: drop any code related to SCM_RIGHTS This is dead code after we dropped support for passing io_uring fds over SCM_RIGHTS, get rid of it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52656.html
CVE-2023-52656
https://bugzilla.suse.com/1224187
SUSE Bug 1224187

Описание

In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd/pm: resolve reboot exception for si oland" This reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86. This causes hangs on SI when DC is enabled and errors on driver reboot and power off cycles.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52657.html
CVE-2023-52657
https://bugzilla.suse.com/1224722
SUSE Bug 1224722

Описание

In the Linux kernel, the following vulnerability has been resolved: Revert "net/mlx5: Block entering switchdev mode with ns inconsistency" This reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b. The revert is required due to the suspicion it is not good for anything and cause crash.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52658.html
CVE-2023-52658
https://bugzilla.suse.com/1224719
SUSE Bug 1224719

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type On 64-bit platforms, the pfn_to_kaddr() macro requires that the input value is 64 bits in order to ensure that valid address bits don't get lost when shifting that input by PAGE_SHIFT to calculate the physical address to provide a virtual address for. One such example is in pvalidate_pages() (used by SEV-SNP guests), where the GFN in the struct used for page-state change requests is a 40-bit bit-field, so attempts to pass this GFN field directly into pfn_to_kaddr() ends up causing guest crashes when dealing with addresses above the 1TB range due to the above. Fix this issue with SEV-SNP guests, as well as any similar cases that might cause issues in current/future code, by using an inline function, instead of a macro, so that the input is implicitly cast to the expected 64-bit input type prior to performing the shift operation. While it might be argued that the issue is on the caller side, other archs/macros have taken similar approaches to deal with instances like this, such as ARM explicitly casting the input to phys_addr_t: e48866647b48 ("ARM: 8396/1: use phys_addr_t in pfn_to_kaddr()") A C inline function is even better though. [ mingo: Refined the changelog some more & added __always_inline. ]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52659.html
CVE-2023-52659
https://bugzilla.suse.com/1224442
SUSE Bug 1224442

Описание

In the Linux kernel, the following vulnerability has been resolved: media: rkisp1: Fix IRQ handling due to shared interrupts The driver requests the interrupts as IRQF_SHARED, so the interrupt handlers can be called at any time. If such a call happens while the ISP is powered down, the SoC will hang as the driver tries to access the ISP registers. This can be reproduced even without the platform sharing the IRQ line: Enable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will hang. Fix this by adding a new field, 'irqs_enabled', which is used to bail out from the interrupt handler when the ISP is not operational.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52660.html
CVE-2023-52660
https://bugzilla.suse.com/1224443
SUSE Bug 1224443

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe() If clk_get_sys(..., "pll_d2_out0") fails, the clk_get_sys() call must be undone. Add the missing clk_put and a new 'put_pll_d_out0' label in the error handling path, and use it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52661.html
CVE-2023-52661
https://bugzilla.suse.com/1224445
SUSE Bug 1224445

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node When ida_alloc_max fails, resources allocated before should be freed, including *res allocated by kmalloc and ttm_resource_init.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52662.html
CVE-2023-52662
https://bugzilla.suse.com/1224449
SUSE Bug 1224449

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: amd: Fix memory leak in amd_sof_acp_probe() Driver uses kasprintf() to initialize fw_{code,data}_bin members of struct acp_dev_data, but kfree() is never called to deallocate the memory, which results in a memory leak. Fix the issue by switching to devm_kasprintf(). Additionally, ensure the allocation was successful by checking the pointer validity.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52663.html
CVE-2023-52663
https://bugzilla.suse.com/1224630
SUSE Bug 1224630

Описание

In the Linux kernel, the following vulnerability has been resolved: net: atlantic: eliminate double free in error handling logic Driver has a logic leak in ring data allocation/free, where aq_ring_free could be called multiple times on same ring, if system is under stress and got memory allocation error. Ring pointer was used as an indicator of failure, but this is not correct since only ring data is allocated/deallocated. Ring itself is an array member. Changing ring allocation functions to return error code directly. This simplifies error handling and eliminates aq_ring_free on higher layer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52664.html
CVE-2023-52664
https://bugzilla.suse.com/1224747
SUSE Bug 1224747

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix a potential double-free in fs_any_create_groups When kcalloc() for ft->g succeeds but kvzalloc() for in fails, fs_any_create_groups() will free ft->g. However, its caller fs_any_create_table() will free ft->g again through calling mlx5e_destroy_flow_table(), which will lead to a double-free. Fix this by setting ft->g to NULL in fs_any_create_groups().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52667.html
CVE-2023-52667
https://bugzilla.suse.com/1224603
SUSE Bug 1224603

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: s390/aes - Fix buffer overread in CTR mode When processing the last block, the s390 ctr code will always read a whole block, even if there isn't a whole block of data left. Fix this by using the actual length left and copy it into a buffer first for processing.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52669.html
CVE-2023-52669
https://bugzilla.suse.com/1224637
SUSE Bug 1224637

Описание

In the Linux kernel, the following vulnerability has been resolved: rpmsg: virtio: Free driver_override when rpmsg_remove() Free driver_override when rpmsg_remove(), otherwise the following memory leak will occur: unreferenced object 0xffff0000d55d7080 (size 128): comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s) hex dump (first 32 bytes): 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320 [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70 [<00000000228a60c3>] kstrndup+0x4c/0x90 [<0000000077158695>] driver_set_override+0xd0/0x164 [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170 [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30 [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280 [<00000000443331cc>] really_probe+0xbc/0x2dc [<00000000391064b1>] __driver_probe_device+0x78/0xe0 [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160 [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140 [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4 [<000000003b929a36>] __device_attach+0x9c/0x19c [<00000000a94e0ba8>] device_initial_probe+0x14/0x20 [<000000003c999637>] bus_probe_device+0xa0/0xac

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52670.html
CVE-2023-52670
https://bugzilla.suse.com/1224696
SUSE Bug 1224696

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix hang/underflow when transitioning to ODM4:1 [Why] Under some circumstances, disabling an OPTC and attempting to reclaim its OPP(s) for a different OPTC could cause a hang/underflow due to OPPs not being properly disconnected from the disabled OPTC. [How] Ensure that all OPPs are unassigned from an OPTC when it gets disabled.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52671.html
CVE-2023-52671
https://bugzilla.suse.com/1224729
SUSE Bug 1224729

Описание

In the Linux kernel, the following vulnerability has been resolved: pipe: wakeup wr_wait after setting max_usage Commit c73be61cede5 ("pipe: Add general notification queue support") a regression was introduced that would lock up resized pipes under certain conditions. See the reproducer in [1]. The commit resizing the pipe ring size was moved to a different function, doing that moved the wakeup for pipe->wr_wait before actually raising pipe->max_usage. If a pipe was full before the resize occured it would result in the wakeup never actually triggering pipe_write. Set @max_usage and @nr_accounted before waking writers if this isn't a watch queue. [Christian Brauner <brauner@kernel.org>: rewrite to account for watch queues]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52672.html
CVE-2023-52672
https://bugzilla.suse.com/1224614
SUSE Bug 1224614

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix a debugfs null pointer error [WHY & HOW] Check whether get_subvp_en() callback exists before calling it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52673.html
CVE-2023-52673
https://bugzilla.suse.com/1224741
SUSE Bug 1224741

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put() Ensure the value passed to scarlett2_mixer_ctl_put() is between 0 and SCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside scarlett2_mixer_values[].

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52674.html
CVE-2023-52674
https://bugzilla.suse.com/1224727
SUSE Bug 1224727

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52675.html
CVE-2023-52675
https://bugzilla.suse.com/1224504
SUSE Bug 1224504

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Guard stack limits against 32bit overflow This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with a int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to an u32, it appears that we were open to overflowing the `int`s which were currently used for arithmetic. [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52676.html
CVE-2023-52676
https://bugzilla.suse.com/1224730
SUSE Bug 1224730
https://bugzilla.suse.com/1226336
SUSE Bug 1226336

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c Before using list_first_entry, make sure to check that list is not empty, if list is empty return -ENODATA. Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1347 kfd_create_indirect_link_prop() warn: can 'gpu_link' even be NULL? drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1428 kfd_add_peer_prop() warn: can 'iolink1' even be NULL? drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1433 kfd_add_peer_prop() warn: can 'iolink2' even be NULL?

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52678.html
CVE-2023-52678
https://bugzilla.suse.com/1224617
SUSE Bug 1224617

Описание

In the Linux kernel, the following vulnerability has been resolved: of: Fix double free in of_parse_phandle_with_args_map In of_parse_phandle_with_args_map() the inner loop that iterates through the map entries calls of_node_put(new) to free the reference acquired by the previous iteration of the inner loop. This assumes that the value of "new" is NULL on the first iteration of the inner loop. Make sure that this is true in all iterations of the outer loop by setting "new" to NULL after its value is assigned to "cur". Extend the unittest to detect the double free and add an additional test case that actually triggers this path.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52679.html
CVE-2023-52679
https://bugzilla.suse.com/1224508
SUSE Bug 1224508

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Add missing error checks to *_ctl_get() The *_ctl_get() functions which call scarlett2_update_*() were not checking the return value. Fix to check the return value and pass to the caller.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52680.html
CVE-2023-52680
https://bugzilla.suse.com/1224608
SUSE Bug 1224608

Описание

In the Linux kernel, the following vulnerability has been resolved: efivarfs: Free s_fs_info on unmount Now that we allocate a s_fs_info struct on fs context creation, we should ensure that we free it again when the superblock goes away.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52681.html
CVE-2023-52681
https://bugzilla.suse.com/1224505
SUSE Bug 1224505

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPI: LPIT: Avoid u32 multiplication overflow In lpit_update_residency() there is a possibility of overflow in multiplication, if tsc_khz is large enough (> UINT_MAX/1000). Change multiplication to mul_u32_u32(). Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52683.html
CVE-2023-52683
https://bugzilla.suse.com/1224627
SUSE Bug 1224627

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52685.html
CVE-2023-52685
https://bugzilla.suse.com/1224728
SUSE Bug 1224728

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv: Add a null pointer check in opal_event_init() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52686.html
CVE-2023-52686
https://bugzilla.suse.com/1224682
SUSE Bug 1224682

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: safexcel - Add error handling for dma_map_sg() calls Macro dma_map_sg() may return 0 on error. This patch enables checks in case of the macro failure and ensures unmapping of previously mapped buffers with dma_unmap_sg(). Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52687.html
CVE-2023-52687
https://bugzilla.suse.com/1224501
SUSE Bug 1224501

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv: Add a null pointer check to scom_debug_init_one() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Add a null pointer check, and release 'ent' to avoid memory leaks.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52690.html
CVE-2023-52690
https://bugzilla.suse.com/1224611
SUSE Bug 1224611

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fix a double-free in si_dpm_init When the allocation of adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails, amdgpu_free_extended_power_table is called to free some fields of adev. However, when the control flow returns to si_dpm_sw_init, it goes to label dpm_failed and calls si_dpm_fini, which calls amdgpu_free_extended_power_table again and free those fields again. Thus a double-free is triggered.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52691.html
CVE-2023-52691
https://bugzilla.suse.com/1224607
SUSE Bug 1224607

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config() scarlett2_usb_set_config() calls scarlett2_usb_get() but was not checking the result. Return the error if it fails rather than continuing with an invalid value.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52692.html
CVE-2023-52692
https://bugzilla.suse.com/1224628
SUSE Bug 1224628

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPI: video: check for error while searching for backlight device parent If acpi_get_parent() called in acpi_video_dev_register_backlight() fails, for example, because acpi_ut_acquire_mutex() fails inside acpi_get_parent), this can lead to incorrect (uninitialized) acpi_parent handle being passed to acpi_get_pci_dev() for detecting the parent pci device. Check acpi_get_parent() result and set parent device only in case of success. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52693.html
CVE-2023-52693
https://bugzilla.suse.com/1224686
SUSE Bug 1224686

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function With tpd12s015_remove() marked with __exit this function is discarded when the driver is compiled as a built-in. The result is that when the driver unbinds there is no cleanup done which results in resource leakage or worse.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52694.html
CVE-2023-52694
https://bugzilla.suse.com/1224598
SUSE Bug 1224598

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check writeback connectors in create_validate_stream_for_sink [WHY & HOW] This is to check connector type to avoid unhandled null pointer for writeback connectors.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52695.html
CVE-2023-52695
https://bugzilla.suse.com/1224506
SUSE Bug 1224506

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv: Add a null pointer check in opal_powercap_init() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52696.html
CVE-2023-52696
https://bugzilla.suse.com/1224601
SUSE Bug 1224601

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL sof_sdw_rt_sdca_jack_exit() are used by different codecs, and some of them use the same dai name. For example, rt712 and rt713 both use "rt712-sdca-aif1" and sof_sdw_rt_sdca_jack_exit(). As a result, sof_sdw_rt_sdca_jack_exit() will be called twice by mc_dailink_exit_loop(). Set ctx->headset_codec_dev = NULL; after put_device(ctx->headset_codec_dev); to avoid ctx->headset_codec_dev being put twice.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52697.html
CVE-2023-52697
https://bugzilla.suse.com/1224596
SUSE Bug 1224596

Описание

In the Linux kernel, the following vulnerability has been resolved: calipso: fix memory leak in netlbl_calipso_add_pass() If IPv6 support is disabled at boot (ipv6.disable=1), the calipso_init() -> netlbl_calipso_ops_register() function isn't called, and the netlbl_calipso_ops_get() function always returns NULL. In this case, the netlbl_calipso_add_pass() function allocates memory for the doi_def variable but doesn't free it with the calipso_doi_free(). BUG: memory leak unreferenced object 0xffff888011d68180 (size 64): comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s) hex dump (first 32 bytes): 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<...>] kmalloc include/linux/slab.h:552 [inline] [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline] [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111 [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515 [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339 [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934 [<...>] sock_sendmsg_nosec net/socket.c:651 [inline] [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671 [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342 [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396 [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429 [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller [PM: merged via the LSM tree at Jakub Kicinski request]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52698.html
CVE-2023-52698
https://bugzilla.suse.com/1224621
SUSE Bug 1224621

Описание

In the Linux kernel, the following vulnerability has been resolved: sysv: don't call sb_bread() with pointers_lock held syzbot is reporting sleep in atomic context in SysV filesystem [1], for sb_bread() is called with rw_spinlock held. A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by "Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12. Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the former bug by moving pointers_lock lock to the callers, but instead introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made this problem easier to hit). Al Viro suggested that why not to do like get_branch()/get_block()/ find_shared() in Minix filesystem does. And doing like that is almost a revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() from with find_shared() is called without write_lock(&pointers_lock).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52699.html
CVE-2023-52699
https://bugzilla.suse.com/1224659
SUSE Bug 1224659

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself sock_map proto callbacks should never call themselves by design. Protect against bugs like [1] and break out of the recursive loop to avoid a stack overflow in favor of a resource leak. [1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52735.html
CVE-2023-52735
https://bugzilla.suse.com/1225475
SUSE Bug 1225475

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: Fix null dereference on suspend A race condition exists where a synchronous (noqueue) transfer can be active during a system suspend. This can cause a null pointer dereference exception to occur when the system resumes. Example order of events leading to the exception: 1. spi_sync() calls __spi_transfer_message_noqueue() which sets ctlr->cur_msg 2. Spi transfer begins via spi_transfer_one_message() 3. System is suspended interrupting the transfer context 4. System is resumed 6. spi_controller_resume() calls spi_start_queue() which resets cur_msg to NULL 7. Spi transfer context resumes and spi_finalize_current_message() is called which dereferences cur_msg (which is now NULL) Wait for synchronous transfers to complete before suspending by acquiring the bus mutex and setting/checking a suspend flag.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52749.html
CVE-2023-52749
https://bugzilla.suse.com/1225476
SUSE Bug 1225476

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer Prior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly byte-swap NOP when compiling for big-endian, and the resulting series of bytes happened to match the encoding of FNMADD S21, S30, S0, S0. This went unnoticed until commit: 34f66c4c4d5518c1 ("arm64: Use a positive cpucap for FP/SIMD") Prior to that commit, the kernel would always enable the use of FPSIMD early in boot when __cpu_setup() initialized CPACR_EL1, and so usage of FNMADD within the kernel was not detected, but could result in the corruption of user or kernel FPSIMD state. After that commit, the instructions happen to trap during boot prior to FPSIMD being detected and enabled, e.g. | Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD | CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 | Hardware name: linux,dummy-virt (DT) | pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : __pi_strcmp+0x1c/0x150 | lr : populate_properties+0xe4/0x254 | sp : ffffd014173d3ad0 | x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000 | x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008 | x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044 | x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005 | x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000 | x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000 | x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000 | x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000 | x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a | x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8 | Kernel panic - not syncing: Unhandled exception | CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 | Hardware name: linux,dummy-virt (DT) | Call trace: | dump_backtrace+0xec/0x108 | show_stack+0x18/0x2c | dump_stack_lvl+0x50/0x68 | dump_stack+0x18/0x24 | panic+0x13c/0x340 | el1t_64_irq_handler+0x0/0x1c | el1_abort+0x0/0x5c | el1h_64_sync+0x64/0x68 | __pi_strcmp+0x1c/0x150 | unflatten_dt_nodes+0x1e8/0x2d8 | __unflatten_device_tree+0x5c/0x15c | unflatten_device_tree+0x38/0x50 | setup_arch+0x164/0x1e0 | start_kernel+0x64/0x38c | __primary_switched+0xbc/0xc4 Restrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is either GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked commit.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52750.html
CVE-2023-52750
https://bugzilla.suse.com/1225485
SUSE Bug 1225485

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in smb2_query_info_compound() The following UAF was triggered when running fstests generic/072 with KASAN enabled against Windows Server 2022 and mount options 'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm' BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs] Read of size 8 at addr ffff888014941048 by task xfs_io/27534 CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0x7f ? srso_alias_return_thunk+0x5/0x7f ? __phys_addr+0x46/0x90 kasan_report+0xda/0x110 ? smb2_query_info_compound+0x423/0x6d0 [cifs] ? smb2_query_info_compound+0x423/0x6d0 [cifs] smb2_query_info_compound+0x423/0x6d0 [cifs] ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f ? __stack_depot_save+0x39/0x480 ? kasan_save_stack+0x33/0x60 ? kasan_set_track+0x25/0x30 ? ____kasan_slab_free+0x126/0x170 smb2_queryfs+0xc2/0x2c0 [cifs] ? __pfx_smb2_queryfs+0x10/0x10 [cifs] ? __pfx___lock_acquire+0x10/0x10 smb311_queryfs+0x210/0x220 [cifs] ? __pfx_smb311_queryfs+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f ? __lock_acquire+0x480/0x26c0 ? lock_release+0x1ed/0x640 ? srso_alias_return_thunk+0x5/0x7f ? do_raw_spin_unlock+0x9b/0x100 cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 ? __pfx___do_sys_fstatfs+0x10/0x10 ? srso_alias_return_thunk+0x5/0x7f ? lockdep_hardirqs_on_prepare+0x136/0x200 ? srso_alias_return_thunk+0x5/0x7f do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x8f/0xa0 open_cached_dir+0x71b/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] smb311_queryfs+0x210/0x220 [cifs] cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 ____kasan_slab_free+0x126/0x170 slab_free_freelist_hook+0xd0/0x1e0 __kmem_cache_free+0x9d/0x1b0 open_cached_dir+0xff5/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] This is a race between open_cached_dir() and cached_dir_lease_break() where the cache entry for the open directory handle receives a lease break while creating it. And before returning from open_cached_dir(), we put the last reference of the new @cfid because of !@cfid->has_lease. Besides the UAF, while running xfstests a lot of missed lease breaks have been noticed in tests that run several concurrent statfs(2) calls on those cached fids CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108 CIFS: VFS: Dump pending requests: CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108 ... To fix both, in open_cached_dir() ensure that @cfid->has_lease is set right before sending out compounded request so that any potential lease break will be get processed by demultiplex thread while we're still caching @cfid. And, if open failed for some reason, re-check @cfid->has_lease to decide whether or not put lease reference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52751.html
CVE-2023-52751
https://bugzilla.suse.com/1225489
SUSE Bug 1225489

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid NULL dereference of timing generator [Why & How] Check whether assigned timing generator is NULL or not before accessing its funcs to prevent NULL dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52753.html
CVE-2023-52753
https://bugzilla.suse.com/1225478
SUSE Bug 1225478

Описание

In the Linux kernel, the following vulnerability has been resolved: media: imon: fix access to invalid resource for the second interface imon driver probes two USB interfaces, and at the probe of the second interface, the driver assumes blindly that the first interface got bound with the same imon driver. It's usually true, but it's still possible that the first interface is bound with another driver via a malformed descriptor. Then it may lead to a memory corruption, as spotted by syzkaller; imon driver accesses the data from drvdata as struct imon_context object although it's a completely different one that was assigned by another driver. This patch adds a sanity check -- whether the first interface is really bound with the imon driver or not -- for avoiding the problem above at the probe time.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52754.html
CVE-2023-52754
https://bugzilla.suse.com/1225490
SUSE Bug 1225490

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when releasing mids All release_mid() callers seem to hold a reference of @mid so there is no need to call kref_put(&mid->refcount, __release_mid) under @server->mid_lock spinlock. If they don't, then an use-after-free bug would have occurred anyways. By getting rid of such spinlock also fixes a potential deadlock as shown below CPU 0 CPU 1 ------------------------------------------------------------------ cifs_demultiplex_thread() cifs_debug_data_proc_show() release_mid() spin_lock(&server->mid_lock); spin_lock(&cifs_tcp_ses_lock) spin_lock(&server->mid_lock) __release_mid() smb2_find_smb_tcon() spin_lock(&cifs_tcp_ses_lock) *deadlock*

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52757.html
CVE-2023-52757
https://bugzilla.suse.com/1225548
SUSE Bug 1225548

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52759.html
CVE-2023-52759
https://bugzilla.suse.com/1225560
SUSE Bug 1225560

Описание

In the Linux kernel, the following vulnerability has been resolved: virtio-blk: fix implicit overflow on virtio_max_dma_size The following codes have an implicit conversion from size_t to u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); This may lead overflow, Ex (size_t)4G -> (u32)0. Once virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX instead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52762.html
CVE-2023-52762
https://bugzilla.suse.com/1225573
SUSE Bug 1225573

Описание

In the Linux kernel, the following vulnerability has been resolved: i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data. The `i3c_master_bus_init` function may attach the I2C devices before the I3C bus initialization. In this flow, the DAT `alloc_entry`` will be used before the DAT `init`. Additionally, if the `i3c_master_bus_init` fails, the DAT `cleanup` will execute before the device is detached, which will execue DAT `free_entry` function. The above scenario can cause the driver to use DAT_data when it is NULL.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52763.html
CVE-2023-52763
https://bugzilla.suse.com/1225570
SUSE Bug 1225570

Описание

In the Linux kernel, the following vulnerability has been resolved: media: gspca: cpia1: shift-out-of-bounds in set_flicker Syzkaller reported the following issue: UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 shift exponent 245 is too large for 32-bit type 'int' When the value of the variable "sd->params.exposure.gain" exceeds the number of bits in an integer, a shift-out-of-bounds error is reported. It is triggered because the variable "currentexp" cannot be left-shifted by more than the number of bits in an integer. In order to avoid invalid range during left-shift, the conditional expression is added.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52764.html
CVE-2023-52764
https://bugzilla.suse.com/1225571
SUSE Bug 1225571

Описание

In the Linux kernel, the following vulnerability has been resolved: mfd: qcom-spmi-pmic: Fix revid implementation The Qualcomm SPMI PMIC revid implementation is broken in multiple ways. First, it assumes that just because the sibling base device has been registered that means that it is also bound to a driver, which may not be the case (e.g. due to probe deferral or asynchronous probe). This could trigger a NULL-pointer dereference when attempting to access the driver data of the unbound device. Second, it accesses driver data of a sibling device directly and without any locking, which means that the driver data may be freed while it is being accessed (e.g. on driver unbind). Third, it leaks a struct device reference to the sibling device which is looked up using the spmi_device_from_of() every time a function (child) device is calling the revid function (e.g. on probe). Fix this mess by reimplementing the revid lookup so that it is done only at probe of the PMIC device; the base device fetches the revid info from the hardware, while any secondary SPMI device fetches the information from the base device and caches it so that it can be accessed safely from its children. If the base device has not been probed yet then probe of a secondary device is deferred.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52765.html
CVE-2023-52765
https://bugzilla.suse.com/1225029
SUSE Bug 1225029

Описание

In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52766.html
CVE-2023-52766
https://bugzilla.suse.com/1230620
SUSE Bug 1230620

Описание

In the Linux kernel, the following vulnerability has been resolved: tls: fix NULL deref on tls_sw_splice_eof() with empty record syzkaller discovered that if tls_sw_splice_eof() is executed as part of sendfile() when the plaintext/ciphertext sk_msg are empty, the send path gets confused because the empty ciphertext buffer does not have enough space for the encryption overhead. This causes tls_push_record() to go on the `split = true` path (which is only supposed to be used when interacting with an attached BPF program), and then get further confused and hit the tls_merge_open_record() path, which then assumes that there must be at least one populated buffer element, leading to a NULL deref. It is possible to have empty plaintext/ciphertext buffers if we previously bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path. tls_sw_push_pending_record() already handles this case correctly; let's do the same check in tls_sw_splice_eof().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52767.html
CVE-2023-52767
https://bugzilla.suse.com/1224998
SUSE Bug 1224998

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: use vmm_table as array in wilc struct Enabling KASAN and running some iperf tests raises some memory issues with vmm_table: BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4 Write of size 4 at addr c3a61540 by task wlan0-tx/95 KASAN detects that we are writing data beyond range allocated to vmm_table. There is indeed a mismatch between the size passed to allocator in wilc_wlan_init, and the range of possible indexes used later: allocation size is missing a multiplication by sizeof(u32)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52768.html
CVE-2023-52768
https://bugzilla.suse.com/1225004
SUSE Bug 1225004

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix htt mlo-offset event locking The ath12k active pdevs are protected by RCU but the htt mlo-offset event handling code calling ath12k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52769.html
CVE-2023-52769
https://bugzilla.suse.com/1225001
SUSE Bug 1225001

Описание

In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix delete_endpoint() vs parent unregistration race The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of ports (struct cxl_port objects) between an endpoint and the root of a CXL topology. Each port including the endpoint port is attached to the cxl_port driver. Given that setup, it follows that when either any port in that lineage goes through a cxl_port ->remove() event, or the memdev goes through a cxl_mem ->remove() event. The hierarchy below the removed port, or the entire hierarchy if the memdev is removed needs to come down. The delete_endpoint() callback is careful to check whether it is being called to tear down the hierarchy, or if it is only being called to teardown the memdev because an ancestor port is going through ->remove(). That care needs to take the device_lock() of the endpoint's parent. Which requires 2 bugs to be fixed: 1/ A reference on the parent is needed to prevent use-after-free scenarios like this signature: BUG: spinlock bad magic on CPU#0, kworker/u56:0/11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023 Workqueue: cxl_port detach_memdev [cxl_core] RIP: 0010:spin_bug+0x65/0xa0 Call Trace: do_raw_spin_lock+0x69/0xa0 __mutex_lock+0x695/0xb80 delete_endpoint+0xad/0x150 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 detach_memdev+0x15/0x20 [cxl_core] process_one_work+0x1e3/0x4c0 worker_thread+0x1dd/0x3d0 2/ In the case of RCH topologies, the parent device that needs to be locked is not always @port->dev as returned by cxl_mem_find_port(), use endpoint->dev.parent instead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52771.html
CVE-2023-52771
https://bugzilla.suse.com/1225007
SUSE Bug 1225007

Описание

In the Linux kernel, the following vulnerability has been resolved: af_unix: fix use-after-free in unix_stream_read_actor() syzbot reported the following crash [1] After releasing unix socket lock, u->oob_skb can be changed by another thread. We must temporarily increase skb refcount to make sure this other thread will not free the skb under us. [1] BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866 Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297 CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc4/0x620 mm/kasan/report.c:475 kasan_report+0xda/0x110 mm/kasan/report.c:588 unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866 unix_stream_recv_urg net/unix/af_unix.c:2587 [inline] unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666 unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0xe2/0x170 net/socket.c:1066 ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803 ___sys_recvmsg+0x115/0x1a0 net/socket.c:2845 __sys_recvmsg+0x114/0x1e0 net/socket.c:2875 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7fc67492c559 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559 RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340 R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388 </TASK> Allocated by task 5295: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:763 [inline] slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523 __alloc_skb+0x287/0x330 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 sock_alloc_send_skb include/net/sock.h:1884 [inline] queue_oob net/unix/af_unix.c:2147 [inline] unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Freed by task 5295: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1800 [inline] slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826 slab_free mm/slub.c:3809 [inline] kmem_cache_free+0xf8/0x340 mm/slub.c:3831 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015 __kfree_skb net/core/skbuff.c:1073 [inline] consume_skb net/core/skbuff.c:1288 [inline] consume_skb+0xdf/0x170 net/core/skbuff.c:1282 queue_oob net/unix/af_unix.c:2178 [inline] u ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52772.html
CVE-2023-52772
https://bugzilla.suse.com/1224989
SUSE Bug 1224989
https://bugzilla.suse.com/1224991
SUSE Bug 1224991

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer() When ddc_service_construct() is called, it explicitly checks both the link type and whether there is something on the link which will dictate whether the pin is marked as hw_supported. If the pin isn't set or the link is not set (such as from unloading/reloading amdgpu in an IGT test) then fail the amdgpu_dm_i2c_xfer() call.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52773.html
CVE-2023-52773
https://bugzilla.suse.com/1225041
SUSE Bug 1225041

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/dasd: protect device queue against concurrent access In dasd_profile_start() the amount of requests on the device queue are counted. The access to the device queue is unprotected against concurrent access. With a lot of parallel I/O, especially with alias devices enabled, the device queue can change while dasd_profile_start() is accessing the queue. In the worst case this leads to a kernel panic due to incorrect pointer accesses. Fix this by taking the device lock before accessing the queue and counting the requests. Additionally the check for a valid profile data pointer can be done earlier to avoid unnecessary locking in a hot path.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52774.html
CVE-2023-52774
https://bugzilla.suse.com/1225572
SUSE Bug 1225572

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid data corruption caused by decline We found a data corruption issue during testing of SMC-R on Redis applications. The benchmark has a low probability of reporting a strange error as shown below. "Error: Protocol error, got "\xe2" as reply type byte" Finally, we found that the retrieved error data was as follows: 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C 0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2 It is quite obvious that this is a SMC DECLINE message, which means that the applications received SMC protocol message. We found that this was caused by the following situations: client server | clc proposal -------------> | clc accept <------------- | clc confirm -------------> wait llc confirm send llc confirm |failed llc confirm | x------ (after 2s)timeout wait llc confirm rsp wait decline (after 1s) timeout (after 2s) timeout | decline --------------> | decline <-------------- As a result, a decline message was sent in the implementation, and this message was read from TCP by the already-fallback connection. This patch double the client timeout as 2x of the server value, With this simple change, the Decline messages should never cross or collide (during Confirm link timeout). This issue requires an immediate solution, since the protocol updates involve a more long-term solution.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52775.html
CVE-2023-52775
https://bugzilla.suse.com/1225088
SUSE Bug 1225088

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dfs-radar and temperature event locking The ath12k active pdevs are protected by RCU but the DFS-radar and temperature event handling code calling ath12k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as RCU read-side critical sections to avoid any potential use-after-free issues. Note that the temperature event handler looks like a place holder currently but would still trigger an RCU lockdep splat. Compile tested only.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52776.html
CVE-2023-52776
https://bugzilla.suse.com/1225090
SUSE Bug 1225090

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix gtk offload status event locking The ath11k active pdevs are protected by RCU but the gtk offload status event handling code calling ath11k_mac_get_arvif_by_vdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52777.html
CVE-2023-52777
https://bugzilla.suse.com/1224992
SUSE Bug 1224992

Описание

In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm is not used. The page pool is also not allocated when the port is stopped. It can also be not allocated in case of errors. The current implementation leads to the following crash calling ethstats on a port that is down or when calling it at the wrong moment: ble to handle kernel NULL pointer dereference at virtual address 00000070 [00000070] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Hardware name: Marvell Armada 380/385 (Device Tree) PC is at page_pool_get_stats+0x18/0x1cc LR is at mvneta_ethtool_get_stats+0xa0/0xe0 [mvneta] pc : [<c0b413cc>] lr : [<bf0a98d8>] psr: a0000013 sp : f1439d48 ip : f1439dc0 fp : 0000001d r10: 00000100 r9 : c4816b80 r8 : f0d75150 r7 : bf0b400c r6 : c238f000 r5 : 00000000 r4 : f1439d68 r3 : c2091040 r2 : ffffffd8 r1 : f1439d68 r0 : 00000000 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 066b004a DAC: 00000051 Register r0 information: NULL pointer Register r1 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390 Register r2 information: non-paged memory Register r3 information: slab kmalloc-2k start c2091000 pointer offset 64 size 2048 Register r4 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390 Register r5 information: NULL pointer Register r6 information: slab kmalloc-cg-4k start c238f000 pointer offset 0 size 4096 Register r7 information: 15-page vmalloc region starting at 0xbf0a8000 allocated at load_module+0xa30/0x219c Register r8 information: 1-page vmalloc region starting at 0xf0d75000 allocated at ethtool_get_stats+0x138/0x208 Register r9 information: slab task_struct start c4816b80 pointer offset 0 Register r10 information: non-paged memory Register r11 information: non-paged memory Register r12 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390 Process snmpd (pid: 733, stack limit = 0x38de3a88) Stack: (0xf1439d48 to 0xf143a000) 9d40: 000000c0 00000001 c238f000 bf0b400c f0d75150 c4816b80 9d60: 00000100 bf0a98d8 00000000 00000000 00000000 00000000 00000000 00000000 9d80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9da0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9dc0: 00000dc0 5335509c 00000035 c238f000 bf0b2214 01067f50 f0d75000 c0b9b9c8 9de0: 0000001d 00000035 c2212094 5335509c c4816b80 c238f000 c5ad6e00 01067f50 9e00: c1b0be80 c4816b80 00014813 c0b9d7f0 00000000 00000000 0000001d 0000001d 9e20: 00000000 00001200 00000000 00000000 c216ed90 c73943b8 00000000 00000000 9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9e60: 00000000 c0ad9034 00000000 00000000 00000000 00000000 00000000 00000000 9e80: 00000000 00000000 00000000 5335509c c1b0be80 f1439ee4 00008946 c1b0be80 9ea0: 01067f50 f1439ee3 00000000 00000046 b6d77ae0 c0b383f0 00008946 becc83e8 9ec0: c1b0be80 00000051 0000000b c68ca480 c7172d00 c0ad8ff0 f1439ee3 cf600e40 9ee0: 01600e40 32687465 00000000 00000000 00000000 01067f50 00000000 00000000 9f00: 00000000 5335509c 00008946 00008946 00000000 c68ca480 becc83e8 c05e2de0 9f20: f1439fb0 c03002f0 00000006 5ac3c35a c4816b80 00000006 b6d77ae0 c030caf0 9f40: c4817350 00000014 f1439e1c 0000000c 00000000 00000051 01000000 00000014 9f60: 00003fec f1439edc 00000001 c0372abc b6d77ae0 c0372abc cf600e40 5335509c 9f80: c21e6800 01015c9c 0000000b 00008946 00000036 c03002f0 c4816b80 00000036 9fa0: b6d77ae0 c03000c0 01015c9c 0000000b 0000000b 00008946 becc83e8 00000000 9fc0: 01015c9c 0000000b 00008946 00000036 00000035 010678a0 b6d797ec b6d77ae0 9fe0: b6dbf738 becc838c b6d186d7 b6baa858 40000030 0000000b 00000000 00000000 page_pool_get_s ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52780.html
CVE-2023-52780
https://bugzilla.suse.com/1224933
SUSE Bug 1224933

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: config: fix iteration issue in 'usb_get_bos_descriptor()' The BOS descriptor defines a root descriptor and is the base descriptor for accessing a family of related descriptors. Function 'usb_get_bos_descriptor()' encounters an iteration issue when skipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in the same descriptor being read repeatedly. To address this issue, a 'goto' statement is introduced to ensure that the pointer and the amount read is updated correctly. This ensures that the function iterates to the next descriptor instead of reading the same descriptor repeatedly.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52781.html
CVE-2023-52781
https://bugzilla.suse.com/1225092
SUSE Bug 1225092

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Track xmit submission to PTP WQ after populating metadata map Ensure the skb is available in metadata mapping to skbs before tracking the metadata index for detecting undelivered CQEs. If the metadata index is put in the tracking list before putting the skb in the map, the metadata index might be used for detecting undelivered CQEs before the relevant skb is available in the map, which can lead to a null-ptr-deref. Log: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ #108 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: events mlx5e_rx_dim_work [mlx5_core] RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core] Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07 RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206 RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005 RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028 RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383 R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40 R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> ? die_addr+0x3c/0xa0 ? exc_general_protection+0x144/0x210 ? asm_exc_general_protection+0x22/0x30 ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core] ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core] __napi_poll.constprop.0+0xa4/0x580 net_rx_action+0x460/0xb80 ? _raw_spin_unlock_irqrestore+0x32/0x60 ? __napi_poll.constprop.0+0x580/0x580 ? tasklet_action_common.isra.0+0x2ef/0x760 __do_softirq+0x26c/0x827 irq_exit_rcu+0xc2/0x100 common_interrupt+0x7f/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:__kmem_cache_alloc_node+0xb/0x330 Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83 RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246 RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218 RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0 RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9 R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0 R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450 ? cmd_exec+0x796/0x2200 [mlx5_core] kmalloc_trace+0x26/0xc0 cmd_exec+0x796/0x2200 [mlx5_core] mlx5_cmd_do+0x22/0xc0 [mlx5_core] mlx5_cmd_exec+0x17/0x30 [mlx5_core] mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core] ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core] ? lockdep_set_lock_cmp_fn+0x190/0x190 ? process_one_work+0x659/0x1220 mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core] process_one_work+0x730/0x1220 ? lockdep_hardirqs_on_prepare+0x400/0x400 ? max_active_store+0xf0/0xf0 ? assign_work+0x168/0x240 worker_thread+0x70f/0x12d0 ? __kthread_parkme+0xd1/0x1d0 ? process_one_work+0x1220/0x1220 kthread+0x2d9/0x3b0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x70 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_as ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52782.html
CVE-2023-52782
https://bugzilla.suse.com/1225103
SUSE Bug 1225103

Описание

In the Linux kernel, the following vulnerability has been resolved: net: wangxun: fix kernel panic due to null pointer When the device uses a custom subsystem vendor ID, the function wx_sw_init() returns before the memory of 'wx->mac_table' is allocated. The null pointer will causes the kernel panic.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52783.html
CVE-2023-52783
https://bugzilla.suse.com/1225104
SUSE Bug 1225104

Описание

In the Linux kernel, the following vulnerability has been resolved: bonding: stop the device in bond_setup_by_slave() Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today. In the following splat [1], the issue is that a lapbether device has been created on a bonding device without members. Then adding a non ARPHRD_ETHER member forced the bonding master to change its type. The fix is to make sure we call dev_close() in bond_setup_by_slave() so that the potential linked lapbether devices (or any other devices having assumptions on the physical device) are removed. A similar bug has been addressed in commit 40baec225765 ("bonding: fix panic on non-ARPHRD_ETHER enslave failure") [1] skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0 kernel BUG at net/core/skbuff.c:192 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic net/core/skbuff.c:188 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 lr : skb_panic net/core/skbuff.c:188 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 sp : ffff800096a06aa0 x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000 x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140 x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100 x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001 x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00 x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086 Call trace: skb_panic net/core/skbuff.c:188 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 skb_push+0xf0/0x108 net/core/skbuff.c:2446 ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384 dev_hard_header include/linux/netdevice.h:3136 [inline] lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251 __lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326 lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 dev_close_many+0x1e0/0x470 net/core/dev.c:1559 dev_close+0x174/0x250 net/core/dev.c:1585 lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 dev_close_many+0x1e0/0x470 net/core/dev.c:1559 dev_close+0x174/0x250 net/core/dev.c:1585 bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332 bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539 dev_ifsioc+0x754/0x9ac dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786 sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217 sock_ioctl+0x4e8/0x834 net/socket.c:1322 vfs_ioctl fs/ioctl.c:51 [inline] __do_ ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52784.html
CVE-2023-52784
https://bugzilla.suse.com/1224946
SUSE Bug 1224946

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix racy may inline data check in dio write syzbot reports that the following warning from ext4_iomap_begin() triggers as of the commit referenced below: if (WARN_ON_ONCE(ext4_has_inline_data(inode))) return -ERANGE; This occurs during a dio write, which is never expected to encounter an inode with inline data. To enforce this behavior, ext4_dio_write_iter() checks the current inline state of the inode and clears the MAY_INLINE_DATA state flag to either fall back to buffered writes, or enforce that any other writers in progress on the inode are not allowed to create inline data. The problem is that the check for existing inline data and the state flag can span a lock cycle. For example, if the ilock is originally locked shared and subsequently upgraded to exclusive, another writer may have reacquired the lock and created inline data before the dio write task acquires the lock and proceeds. The commit referenced below loosens the lock requirements to allow some forms of unaligned dio writes to occur under shared lock, but AFAICT the inline data check was technically already racy for any dio write that would have involved a lock cycle. Regardless, lift clearing of the state bit to the same lock critical section that checks for preexisting inline data on the inode to close the race.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52786.html
CVE-2023-52786
https://bugzilla.suse.com/1224939
SUSE Bug 1224939

Описание

In the Linux kernel, the following vulnerability has been resolved: blk-mq: make sure active queue usage is held for bio_integrity_prep() blk_integrity_unregister() can come if queue usage counter isn't held for one bio with integrity prepared, so this request may be completed with calling profile->complete_fn, then kernel panic. Another constraint is that bio_integrity_prep() needs to be called before bio merge. Fix the issue by: - call bio_integrity_prep() with one queue usage counter grabbed reliably - call bio_integrity_prep() before bio merge

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52787.html
CVE-2023-52787
https://bugzilla.suse.com/1225105
SUSE Bug 1225105

Описание

In the Linux kernel, the following vulnerability has been resolved: i915/perf: Fix NULL deref bugs with drm_dbg() calls When i915 perf interface is not available dereferencing it will lead to NULL dereferences. As returning -ENOTSUPP is pretty clear return when perf interface is not available. [tursulin: added stable tag] (cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52788.html
CVE-2023-52788
https://bugzilla.suse.com/1225106
SUSE Bug 1225106

Описание

In the Linux kernel, the following vulnerability has been resolved: tty: vcc: Add check for kstrdup() in vcc_probe() Add check for the return value of kstrdup() and return the error, if it fails in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52789.html
CVE-2023-52789
https://bugzilla.suse.com/1225180
SUSE Bug 1225180

Описание

In the Linux kernel, the following vulnerability has been resolved: i2c: core: Run atomic i2c xfer when !preemptible Since bae1d3a05a8b, i2c transfers are non-atomic if preemption is disabled. However, non-atomic i2c transfers require preemption (e.g. in wait_for_completion() while waiting for the DMA). panic() calls preempt_disable_notrace() before calling emergency_restart(). Therefore, if an i2c device is used for the restart, the xfer should be atomic. This avoids warnings like: [ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0 [ 12.676926] Voluntary context switch within RCU read-side critical section! ... [ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114 [ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70 ... [ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58 [ 13.001050] machine_restart from panic+0x2a8/0x32c Use !preemptible() instead, which is basically the same check as pre-v5.2.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52791.html
CVE-2023-52791
https://bugzilla.suse.com/1225108
SUSE Bug 1225108

Описание

In the Linux kernel, the following vulnerability has been resolved: cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails Commit 5e42bcbc3fef ("cxl/region: decrement ->nr_targets on error in cxl_region_attach()") tried to avoid 'eiw' initialization errors when ->nr_targets exceeded 16, by just decrementing ->nr_targets when cxl_region_setup_targets() failed. Commit 86987c766276 ("cxl/region: Cleanup target list on attach error") extended that cleanup to also clear cxled->pos and p->targets[pos]. The initialization error was incidentally fixed separately by: Commit 8d4285425714 ("cxl/region: Fix port setup uninitialized variable warnings") which was merged a few days after 5e42bcbc3fef. But now the original cleanup when cxl_region_setup_targets() fails prevents endpoint and switch decoder resources from being reused: 1) the cleanup does not set the decoder's region to NULL, which results in future dpa_size_store() calls returning -EBUSY 2) the decoder is not properly freed, which results in future commit errors associated with the upstream switch Now that the initialization errors were fixed separately, the proper cleanup for this case is to just return immediately. Then the resources associated with this target get cleanup up as normal when the failed region is deleted. The ->nr_targets decrement in the error case also helped prevent a p->targets[] array overflow, so add a new check to prevent against that overflow. Tested by trying to create an invalid region for a 2 switch * 2 endpoint topology, and then following up with creating a valid region.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52792.html
CVE-2023-52792
https://bugzilla.suse.com/1225477
SUSE Bug 1225477

Описание

In the Linux kernel, the following vulnerability has been resolved: thermal: intel: powerclamp: fix mismatch in get function for max_idle KASAN reported this [ 444.853098] BUG: KASAN: global-out-of-bounds in param_get_int+0x77/0x90 [ 444.853111] Read of size 4 at addr ffffffffc16c9220 by task cat/2105 ... [ 444.853442] The buggy address belongs to the variable: [ 444.853443] max_idle+0x0/0xffffffffffffcde0 [intel_powerclamp] There is a mismatch between the param_get_int and the definition of max_idle. Replacing param_get_int with param_get_byte resolves this issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52794.html
CVE-2023-52794
https://bugzilla.suse.com/1225028
SUSE Bug 1225028

Описание

In the Linux kernel, the following vulnerability has been resolved: vhost-vdpa: fix use after free in vhost_vdpa_probe() The put_device() calls vhost_vdpa_release_dev() which calls ida_simple_remove() and frees "v". So this call to ida_simple_remove() is a use after free and a double free.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52795.html
CVE-2023-52795
https://bugzilla.suse.com/1225085
SUSE Bug 1225085

Описание

In the Linux kernel, the following vulnerability has been resolved: ipvlan: add ipvlan_route_v6_outbound() helper Inspired by syzbot reports using a stack of multiple ipvlan devices. Reduce stack size needed in ipvlan_process_v6_outbound() by moving the flowi6 struct used for the route lookup in an non inlined helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack, immediately reclaimed. Also make sure ipvlan_process_v4_outbound() is not inlined. We might also have to lower MAX_NEST_DEV, because only syzbot uses setups with more than four stacked devices. BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000) stack guard page: 0000 [#1] SMP KASAN CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188 Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89 RSP: 0018:ffffc9000e804000 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568 RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000 FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <#DF> </#DF> <TASK> [<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 [<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline] [<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] [<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline] [<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline] [<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline] [<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632 [<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306 [<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline] [<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221 [<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606 [<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline] [<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116 [<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638 [<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651 [<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline] [<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline] [<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<f ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52796.html
CVE-2023-52796
https://bugzilla.suse.com/1224930
SUSE Bug 1224930

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix dfs radar event locking The ath11k active pdevs are protected by RCU but the DFS radar event handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52798.html
CVE-2023-52798
https://bugzilla.suse.com/1224947
SUSE Bug 1224947

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in dbFindLeaf Currently while searching for dmtree_t for sufficient free blocks there is an array out of bounds while getting element in tp->dm_stree. To add the required check for out of bound we first need to determine the type of dmtree. Thus added an extra parameter to dbFindLeaf so that the type of tree can be determined and the required check can be applied.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52799.html
CVE-2023-52799
https://bugzilla.suse.com/1225472
SUSE Bug 1225472

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix htt pktlog locking The ath11k active pdevs are protected by RCU but the htt pktlog handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52800.html
CVE-2023-52800
https://bugzilla.suse.com/1230600
SUSE Bug 1230600

Описание

In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix missing update of domains_itree after splitting iopt_area In iopt_area_split(), if the original iopt_area has filled a domain and is linked to domains_itree, pages_nodes have to be properly reinserted. Otherwise the domains_itree becomes corrupted and we will UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52801.html
CVE-2023-52801
https://bugzilla.suse.com/1225006
SUSE Bug 1225006

Описание

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir() workqueue,which takes care about pipefs superblock locking. In some special scenarios, when kernel frees the pipefs sb of the current client and immediately alloctes a new pipefs sb, rpc_remove_pipedir function would misjudge the existence of pipefs sb which is not the one it used to hold. As a result, the rpc_remove_pipedir would clean the released freed pipefs dentries. To fix this issue, rpc_remove_pipedir should check whether the current pipefs sb is consistent with the original pipefs sb. This error can be catched by KASAN: ========================================================= [ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200 [ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503 [ 250.500549] Workqueue: events rpc_free_client_work [ 250.501001] Call Trace: [ 250.502880] kasan_report+0xb6/0xf0 [ 250.503209] ? dget_parent+0x195/0x200 [ 250.503561] dget_parent+0x195/0x200 [ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10 [ 250.504384] rpc_rmdir_depopulate+0x1b/0x90 [ 250.504781] rpc_remove_client_dir+0xf5/0x150 [ 250.505195] rpc_free_client_work+0xe4/0x230 [ 250.505598] process_one_work+0x8ee/0x13b0 ... [ 22.039056] Allocated by task 244: [ 22.039390] kasan_save_stack+0x22/0x50 [ 22.039758] kasan_set_track+0x25/0x30 [ 22.040109] __kasan_slab_alloc+0x59/0x70 [ 22.040487] kmem_cache_alloc_lru+0xf0/0x240 [ 22.040889] __d_alloc+0x31/0x8e0 [ 22.041207] d_alloc+0x44/0x1f0 [ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140 [ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110 [ 22.042459] rpc_create_client_dir+0x34/0x150 [ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0 [ 22.043284] rpc_client_register+0x136/0x4e0 [ 22.043689] rpc_new_client+0x911/0x1020 [ 22.044057] rpc_create_xprt+0xcb/0x370 [ 22.044417] rpc_create+0x36b/0x6c0 ... [ 22.049524] Freed by task 0: [ 22.049803] kasan_save_stack+0x22/0x50 [ 22.050165] kasan_set_track+0x25/0x30 [ 22.050520] kasan_save_free_info+0x2b/0x50 [ 22.050921] __kasan_slab_free+0x10e/0x1a0 [ 22.051306] kmem_cache_free+0xa5/0x390 [ 22.051667] rcu_core+0x62c/0x1930 [ 22.051995] __do_softirq+0x165/0x52a [ 22.052347] [ 22.052503] Last potentially related work creation: [ 22.052952] kasan_save_stack+0x22/0x50 [ 22.053313] __kasan_record_aux_stack+0x8e/0xa0 [ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0 [ 22.054209] dentry_free+0xb2/0x140 [ 22.054540] __dentry_kill+0x3be/0x540 [ 22.054900] shrink_dentry_list+0x199/0x510 [ 22.055293] shrink_dcache_parent+0x190/0x240 [ 22.055703] do_one_tree+0x11/0x40 [ 22.056028] shrink_dcache_for_umount+0x61/0x140 [ 22.056461] generic_shutdown_super+0x70/0x590 [ 22.056879] kill_anon_super+0x3a/0x60 [ 22.057234] rpc_kill_sb+0x121/0x200

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52803.html
CVE-2023-52803
https://bugzilla.suse.com/1225008
SUSE Bug 1225008

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Add validity check for db_maxag and db_agpref Both db_maxag and db_agpref are used as the index of the db_agfree array, but there is currently no validity check for db_maxag and db_agpref, which can lead to errors. The following is related bug reported by Syzbot: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20 index 7936 is out of range for type 'atomic_t[128]' Add checking that the values of db_maxag and db_agpref are valid indexes for the db_agfree array.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52804.html
CVE-2023-52804
https://bugzilla.suse.com/1225550
SUSE Bug 1225550

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in diAlloc Currently there is not check against the agno of the iag while allocating new inodes to avoid fragmentation problem. Added the check which is required.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52805.html
CVE-2023-52805
https://bugzilla.suse.com/1225553
SUSE Bug 1225553

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix possible null-ptr-deref when assigning a stream While AudioDSP drivers assign streams exclusively of HOST or LINK type, nothing blocks a user to attempt to assign a COUPLED stream. As supplied substream instance may be a stub, what is the case when code-loading, such scenario ends with null-ptr-deref.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52806.html
CVE-2023-52806
https://bugzilla.suse.com/1225554
SUSE Bug 1225554

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs The hns3 driver define an array of string to show the coalesce info, but if the kernel adds a new mode or a new state, out-of-bounds access may occur when coalesce info is read via debugfs, this patch fix the problem.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52807.html
CVE-2023-52807
https://bugzilla.suse.com/1225097
SUSE Bug 1225097

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs If init debugfs failed during device registration due to memory allocation failure, debugfs_remove_recursive() is called, after which debugfs_dir is not set to NULL. debugfs_remove_recursive() will be called again during device removal. As a result, illegal pointer is accessed. [ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs! ... [ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 [ 1669.872669] pc : down_write+0x24/0x70 [ 1669.876315] lr : down_write+0x1c/0x70 [ 1669.879961] sp : ffff000036f53a30 [ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8 [ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000 [ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270 [ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8 [ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310 [ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10 [ 1669.914982] x17: 0000000000000000 x16: 0000000000000000 [ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870 [ 1669.925555] x13: 0000000000000040 x12: 0000000000000228 [ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0 [ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10 [ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff [ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00 [ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000 [ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001 [ 1669.962563] Call trace: [ 1669.965000] down_write+0x24/0x70 [ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0 [ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main] [ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw] [ 1669.984175] pci_device_remove+0x48/0xd8 [ 1669.988082] device_release_driver_internal+0x1b4/0x250 [ 1669.993282] device_release_driver+0x28/0x38 [ 1669.997534] pci_stop_bus_device+0x84/0xb8 [ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40 [ 1670.007244] remove_store+0xfc/0x140 [ 1670.010802] dev_attr_store+0x44/0x60 [ 1670.014448] sysfs_kf_write+0x58/0x80 [ 1670.018095] kernfs_fop_write+0xe8/0x1f0 [ 1670.022000] __vfs_write+0x60/0x190 [ 1670.025472] vfs_write+0xac/0x1c0 [ 1670.028771] ksys_write+0x6c/0xd8 [ 1670.032071] __arm64_sys_write+0x24/0x30 [ 1670.035977] el0_svc_common+0x78/0x130 [ 1670.039710] el0_svc_handler+0x38/0x78 [ 1670.043442] el0_svc+0x8/0xc To fix this, set debugfs_dir to NULL after debugfs_remove_recursive().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52808.html
CVE-2023-52808
https://bugzilla.suse.com/1225555
SUSE Bug 1225555

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() fc_lport_ptp_setup() did not check the return value of fc_rport_create() which can return NULL and would cause a NULL pointer dereference. Address this issue by checking return value of fc_rport_create() and log error message on fc_rport_create() failed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52809.html
CVE-2023-52809
https://bugzilla.suse.com/1225556
SUSE Bug 1225556

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Add check for negative db_l2nbperpage l2nbperpage is log2(number of blks per page), and the minimum legal value should be 0, not negative. In the case of l2nbperpage being negative, an error will occur when subsequently used as shift exponent. Syzbot reported this bug: UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12 shift exponent -16777216 is negative

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52810.html
CVE-2023-52810
https://bugzilla.suse.com/1225557
SUSE Bug 1225557

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool In practice the driver should never send more commands than are allocated to a queue's event pool. In the unlikely event that this happens, the code asserts a BUG_ON, and in the case that the kernel is not configured to crash on panic returns a junk event pointer from the empty event list causing things to spiral from there. This BUG_ON is a historical artifact of the ibmvfc driver first being upstreamed, and it is well known now that the use of BUG_ON is bad practice except in the most unrecoverable scenario. There is nothing about this scenario that prevents the driver from recovering and carrying on. Remove the BUG_ON in question from ibmvfc_get_event() and return a NULL pointer in the case of an empty event pool. Update all call sites to ibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate failure or recovery action.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52811.html
CVE-2023-52811
https://bugzilla.suse.com/1225559
SUSE Bug 1225559

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd: check num of link levels when update pcie param In SR-IOV environment, the value of pcie_table->num_of_link_levels will be 0, and num_of_levels - 1 will cause array index out of bounds

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52812.html
CVE-2023-52812
https://bugzilla.suse.com/1225564
SUSE Bug 1225564

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix hungtask for PADATA_RESET We found a hungtask bug in test_aead_vec_cfg as follows: INFO: task cryptomgr_test:391009 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. Call trace: __switch_to+0x98/0xe0 __schedule+0x6c4/0xf40 schedule+0xd8/0x1b4 schedule_timeout+0x474/0x560 wait_for_common+0x368/0x4e0 wait_for_completion+0x20/0x30 wait_for_completion+0x20/0x30 test_aead_vec_cfg+0xab4/0xd50 test_aead+0x144/0x1f0 alg_test_aead+0xd8/0x1e0 alg_test+0x634/0x890 cryptomgr_test+0x40/0x70 kthread+0x1e0/0x220 ret_from_fork+0x10/0x18 Kernel panic - not syncing: hung_task: blocked tasks For padata_do_parallel, when the return err is 0 or -EBUSY, it will call wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal case, aead_request_complete() will be called in pcrypt_aead_serial and the return err is 0 for padata_do_parallel. But, when pinst->flags is PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it won't call aead_request_complete(). Therefore, test_aead_vec_cfg will hung at wait_for_completion(&wait->completion), which will cause hungtask. The problem comes as following: (padata_do_parallel) | rcu_read_lock_bh(); | err = -EINVAL; | (padata_replace) | pinst->flags |= PADATA_RESET; err = -EBUSY | if (pinst->flags & PADATA_RESET) | rcu_read_unlock_bh() | return err In order to resolve the problem, we replace the return err -EBUSY with -EAGAIN, which means parallel_data is changing, and the caller should call it again. v3: remove retry and just change the return err. v2: introduce padata_try_do_parallel() in pcrypt_aead_encrypt and pcrypt_aead_decrypt to solve the hungtask.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52813.html
CVE-2023-52813
https://bugzilla.suse.com/1225527
SUSE Bug 1225527

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix potential null pointer derefernce The amdgpu_ras_get_context may return NULL if device not support ras feature, so add check before using.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52814.html
CVE-2023-52814
https://bugzilla.suse.com/1225565
SUSE Bug 1225565

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vkms: fix a possible null pointer dereference In amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_cvt_mode(). Add a check to avoid null pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52815.html
CVE-2023-52815
https://bugzilla.suse.com/1225568
SUSE Bug 1225568

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix shift out-of-bounds issue [ 567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int' [ 567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G OE 6.2.0-34-generic #34~22.04.1-Ubuntu [ 567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023 [ 567.614504] Workqueue: events send_exception_work_handler [amdgpu] [ 567.614748] Call Trace: [ 567.614750] <TASK> [ 567.614753] dump_stack_lvl+0x48/0x70 [ 567.614761] dump_stack+0x10/0x20 [ 567.614763] __ubsan_handle_shift_out_of_bounds+0x156/0x310 [ 567.614769] ? srso_alias_return_thunk+0x5/0x7f [ 567.614773] ? update_sd_lb_stats.constprop.0+0xf2/0x3c0 [ 567.614780] svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu] [ 567.615047] ? srso_alias_return_thunk+0x5/0x7f [ 567.615052] svm_migrate_to_ram+0x185/0x4d0 [amdgpu] [ 567.615286] do_swap_page+0x7b6/0xa30 [ 567.615291] ? srso_alias_return_thunk+0x5/0x7f [ 567.615294] ? __free_pages+0x119/0x130 [ 567.615299] handle_pte_fault+0x227/0x280 [ 567.615303] __handle_mm_fault+0x3c0/0x720 [ 567.615311] handle_mm_fault+0x119/0x330 [ 567.615314] ? lock_mm_and_find_vma+0x44/0x250 [ 567.615318] do_user_addr_fault+0x1a9/0x640 [ 567.615323] exc_page_fault+0x81/0x1b0 [ 567.615328] asm_exc_page_fault+0x27/0x30 [ 567.615332] RIP: 0010:__get_user_8+0x1c/0x30

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52816.html
CVE-2023-52816
https://bugzilla.suse.com/1225529
SUSE Bug 1225529

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL In certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log: 1. Navigate to the directory: /sys/kernel/debug/dri/0 2. Execute command: cat amdgpu_regs_smc 3. Exception Log:: [4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000 [4005007.702562] #PF: supervisor instruction fetch in kernel mode [4005007.702567] #PF: error_code(0x0010) - not-present page [4005007.702570] PGD 0 P4D 0 [4005007.702576] Oops: 0010 [#1] SMP NOPTI [4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u [4005007.702590] RIP: 0010:0x0 [4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. [4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206 [4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68 [4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000 [4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980 [4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000 [4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000 [4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000 [4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0 [4005007.702633] Call Trace: [4005007.702636] <TASK> [4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu] [4005007.703002] full_proxy_read+0x5c/0x80 [4005007.703011] vfs_read+0x9f/0x1a0 [4005007.703019] ksys_read+0x67/0xe0 [4005007.703023] __x64_sys_read+0x19/0x20 [4005007.703028] do_syscall_64+0x5c/0xc0 [4005007.703034] ? do_user_addr_fault+0x1e3/0x670 [4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0 [4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20 [4005007.703052] ? irqentry_exit+0x19/0x30 [4005007.703057] ? exc_page_fault+0x89/0x160 [4005007.703062] ? asm_exc_page_fault+0x8/0x30 [4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae [4005007.703075] RIP: 0033:0x7f5e07672992 [4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24 [4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992 [4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003 [4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010 [4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000 [4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 [4005007.703105] </TASK> [4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca [4005007.703184] CR2: 0000000000000000 [4005007.703188] ---[ en ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52817.html
CVE-2023-52817
https://bugzilla.suse.com/1225569
SUSE Bug 1225569

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 For pptable structs that use flexible array sizes, use flexible arrays.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52818.html
CVE-2023-52818
https://bugzilla.suse.com/1225530
SUSE Bug 1225530

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga For pptable structs that use flexible array sizes, use flexible arrays.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52819.html
CVE-2023-52819
https://bugzilla.suse.com/1225532
SUSE Bug 1225532

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/panel: fix a possible null pointer dereference In versatile_panel_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52821.html
CVE-2023-52821
https://bugzilla.suse.com/1225022
SUSE Bug 1225022

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix a race condition of vram buffer unref in svm code prange->svm_bo unref can happen in both mmu callback and a callback after migrate to system ram. Both are async call in different tasks. Sync svm_bo unref operation to avoid random "use-after-free".

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52825.html
CVE-2023-52825
https://bugzilla.suse.com/1225076
SUSE Bug 1225076

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference In tpg110_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52826.html
CVE-2023-52826
https://bugzilla.suse.com/1225077
SUSE Bug 1225077

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats() len is extracted from HTT message and could be an unexpected value in case errors happen, so add validation before using to avoid possible out-of-bound read in the following message iteration and parsing. The same issue also applies to ppdu_info->ppdu_stats.common.num_users, so validate it before using too. These are found during code review. Compile test only.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52827.html
CVE-2023-52827
https://bugzilla.suse.com/1225078
SUSE Bug 1225078
https://bugzilla.suse.com/1227321
SUSE Bug 1227321

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps() reg_cap.phy_id is extracted from WMI event and could be an unexpected value in case some errors happen. As a result out-of-bound write may occur to soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it. This is found during code review. Compile tested only.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52829.html
CVE-2023-52829
https://bugzilla.suse.com/1225081
SUSE Bug 1225081
https://bugzilla.suse.com/1227474
SUSE Bug 1227474

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't return unset power in ieee80211_get_tx_power() We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52832.html
CVE-2023-52832
https://bugzilla.suse.com/1225577
SUSE Bug 1225577

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: Add date->evt_skb is NULL check fix crash because of null pointers [ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8 [ 6104.969667] #PF: supervisor read access in kernel mode [ 6104.969668] #PF: error_code(0x0000) - not-present page [ 6104.969670] PGD 0 P4D 0 [ 6104.969673] Oops: 0000 [#1] SMP NOPTI [ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb] [ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246 [ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006 [ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000 [ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001 [ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0 [ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90 [ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000 [ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0 [ 6104.969701] PKRU: 55555554 [ 6104.969702] Call Trace: [ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb] [ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth] [ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth] [ 6104.969753] rfkill_set_block+0x92/0x160 [ 6104.969755] rfkill_fop_write+0x136/0x1e0 [ 6104.969759] __vfs_write+0x18/0x40 [ 6104.969761] vfs_write+0xdf/0x1c0 [ 6104.969763] ksys_write+0xb1/0xe0 [ 6104.969765] __x64_sys_write+0x1a/0x20 [ 6104.969769] do_syscall_64+0x51/0x180 [ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 6104.969773] RIP: 0033:0x7f5a21f18fef [ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef [ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012 [ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017 [ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002 [ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52833.html
CVE-2023-52833
https://bugzilla.suse.com/1225595
SUSE Bug 1225595

Описание

In the Linux kernel, the following vulnerability has been resolved: atl1c: Work around the DMA RX overflow issue This is based on alx driver commit 881d0327db37 ("net: alx: Work around the DMA RX overflow issue"). The alx and atl1c drivers had RX overflow error which was why a custom allocator was created to avoid certain addresses. The simpler workaround then created for alx driver, but not for atl1c due to lack of tester. Instead of using a custom allocator, check the allocated skb address and use skb_reserve() to move away from problematic 0x...fc0 address. Tested on AR8131 on Acer 4540.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52834.html
CVE-2023-52834
https://bugzilla.suse.com/1225599
SUSE Bug 1225599

Описание

In the Linux kernel, the following vulnerability has been resolved: perf/core: Bail out early if the request AUX area is out of bound When perf-record with a large AUX area, e.g 4GB, it fails with: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory) and it reveals a WARNING with __alloc_pages(): ------------[ cut here ]------------ WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248 Call trace: __alloc_pages+0x1ec/0x248 __kmalloc_large_node+0xc0/0x1f8 __kmalloc_node+0x134/0x1e8 rb_alloc_aux+0xe0/0x298 perf_mmap+0x440/0x660 mmap_region+0x308/0x8a8 do_mmap+0x3c0/0x528 vm_mmap_pgoff+0xf4/0x1b8 ksys_mmap_pgoff+0x18c/0x218 __arm64_sys_mmap+0x38/0x58 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x58/0x188 do_el0_svc+0x34/0x50 el0_svc+0x34/0x108 el0t_64_sync_handler+0xb8/0xc0 el0t_64_sync+0x1a4/0x1a8 'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to maintains AUX trace pages. The allocated page for this array is physically contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the size of pointer array crosses the limitation set by MAX_ORDER, it reveals a WARNING. So bail out early with -ENOMEM if the request AUX area is out of bound, e.g.: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52835.html
CVE-2023-52835
https://bugzilla.suse.com/1225602
SUSE Bug 1225602

Описание

In the Linux kernel, the following vulnerability has been resolved: locking/ww_mutex/test: Fix potential workqueue corruption In some cases running with the test-ww_mutex code, I was seeing odd behavior where sometimes it seemed flush_workqueue was returning before all the work threads were finished. Often this would cause strange crashes as the mutexes would be freed while they were being used. Looking at the code, there is a lifetime problem as the controlling thread that spawns the work allocates the "struct stress" structures that are passed to the workqueue threads. Then when the workqueue threads are finished, they free the stress struct that was passed to them. Unfortunately the workqueue work_struct node is in the stress struct. Which means the work_struct is freed before the work thread returns and while flush_workqueue is waiting. It seems like a better idea to have the controlling thread both allocate and free the stress structures, so that we can be sure we don't corrupt the workqueue by freeing the structure prematurely. So this patch reworks the test to do so, and with this change I no longer see the early flush_workqueue returns.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52836.html
CVE-2023-52836
https://bugzilla.suse.com/1225609
SUSE Bug 1225609

Описание

In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_open Commit 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and blk_cleanup_disk") cleans up disk by blk_cleanup_disk() and it won't set disk->private_data as NULL as before. UAF may be triggered in nbd_open() if someone tries to open nbd device right after nbd_put() since nbd has been free in nbd_dev_remove(). Fix this by implementing ->free_disk and free private data in it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52837.html
CVE-2023-52837
https://bugzilla.suse.com/1224935
SUSE Bug 1224935

Описание

In the Linux kernel, the following vulnerability has been resolved: fbdev: imsttfb: fix a resource leak in probe I've re-written the error handling but the bug is that if init_imstt() fails we need to call iounmap(par->cmap_regs).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52838.html
CVE-2023-52838
https://bugzilla.suse.com/1225031
SUSE Bug 1225031

Описание

In the Linux kernel, the following vulnerability has been resolved: Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() The put_device() calls rmi_release_function() which frees "fn" so the dereference on the next line "fn->num_of_irqs" is a use after free. Move the put_device() to the end to fix this.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52840.html
CVE-2023-52840
https://bugzilla.suse.com/1224928
SUSE Bug 1224928

Описание

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: mux: Add check and kfree for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Moreover, use kfree() in the later error handling in order to avoid memory leak.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52841.html
CVE-2023-52841
https://bugzilla.suse.com/1225592
SUSE Bug 1225592

Описание

In the Linux kernel, the following vulnerability has been resolved: virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt() KMSAN reported the following uninit-value access issue: ===================================================== BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit was stored to memory at: virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline] virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit was created at: slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline] virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline] virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: vsock-loopback vsock_loopback_work ===================================================== The following simple reproducer can cause the issue described above: int main(void) { int sock; struct sockaddr_vm addr = { .svm_family = AF_VSOCK, .svm_cid = VMADDR_CID_ANY, .svm_port = 1234, }; sock = socket(AF_VSOCK, SOCK_STREAM, 0); connect(sock, (struct sockaddr *)&addr, sizeof(addr)); return 0; } This issue occurs because the `buf_alloc` and `fwd_cnt` fields of the `struct virtio_vsock_hdr` are not initialized when a new skb is allocated in `virtio_transport_init_hdr()`. This patch resolves the issue by initializing these fields during allocation.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52842.html
CVE-2023-52842
https://bugzilla.suse.com/1225025
SUSE Bug 1225025

Описание

In the Linux kernel, the following vulnerability has been resolved: llc: verify mac len before reading mac header LLC reads the mac header with eth_hdr without verifying that the skb has an Ethernet header. Syzbot was able to enter llc_rcv on a tun device. Tun can insert packets without mac len and with user configurable skb->protocol (passing a tun_pi header when not configuring IFF_NO_PI). BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218 __netif_receive_skb_one_core net/core/dev.c:5523 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 netif_receive_skb_internal net/core/dev.c:5723 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5782 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002 Add a mac_len test before all three eth_hdr(skb) calls under net/llc. There are further uses in include/net/llc_pdu.h. All these are protected by a test skb->protocol == ETH_P_802_2. Which does not protect against this tun scenario. But the mac_len test added in this patch in llc_fixup_skb will indirectly protect those too. That is called from llc_rcv before any other LLC code. It is tempting to just add a blanket mac_len check in llc_rcv, but not sure whether that could break valid LLC paths that do not assume an Ethernet header. 802.2 LLC may be used on top of non-802.3 protocols in principle. The below referenced commit shows that used to, on top of Token Ring. At least one of the three eth_hdr uses goes back to before the start of git history. But the one that syzbot exercises is introduced in this commit. That commit is old enough (2008), that effectively all stable kernels should receive this.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52843.html
CVE-2023-52843
https://bugzilla.suse.com/1224951
SUSE Bug 1224951

Описание

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: psi: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52844.html
CVE-2023-52844
https://bugzilla.suse.com/1225590
SUSE Bug 1225590

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING syzbot reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 strlen lib/string.c:418 [inline] strstr+0xb8/0x2f0 lib/string.c:756 tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x318/0x740 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd TIPC bearer-related names including link names must be null-terminated strings. If a link name which is not null-terminated is passed through netlink, strstr() and similar functions can cause buffer overrun. This causes the above issue. This patch changes the nla_policy for bearer-related names from NLA_STRING to NLA_NUL_STRING. This resolves the issue by ensuring that only null-terminated strings are accepted as bearer-related names. syzbot reported similar uninit-value issue related to bearer names [2]. The root cause of this issue is that a non-null-terminated bearer name was passed. This patch also resolved this issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52845.html
CVE-2023-52845
https://bugzilla.suse.com/1225585
SUSE Bug 1225585

Описание

In the Linux kernel, the following vulnerability has been resolved: media: bttv: fix use after free error due to btv->timeout timer There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in remove function. When it hit kfree btv, the function might still be invoked, which will cause use after free bug. This bug is found by static analysis, it may be false positive. Fix it by adding del_timer_sync invoking to the remove function. cpu0 cpu1 bttv_probe ->timer_setup ->bttv_set_dma ->mod_timer; bttv_remove ->kfree(btv); ->bttv_irq_timeout ->USE btv

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52847.html
CVE-2023-52847
https://bugzilla.suse.com/1225588
SUSE Bug 1225588

Описание

In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix shutdown order Ira reports that removing cxl_mock_mem causes a crash with the following trace: BUG: kernel NULL pointer dereference, address: 0000000000000044 [..] RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core] [..] Call Trace: <TASK> cxl_region_detach+0xe8/0x210 [cxl_core] cxl_decoder_kill_region+0x27/0x40 [cxl_core] cxld_unregister+0x29/0x40 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 bus_remove_device+0xd7/0x150 device_del+0x155/0x3e0 device_unregister+0x13/0x60 devm_release_action+0x4d/0x90 ? __pfx_unregister_port+0x10/0x10 [cxl_core] delete_endpoint+0x121/0x130 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 bus_remove_device+0xd7/0x150 device_del+0x155/0x3e0 ? lock_release+0x142/0x290 cdev_device_del+0x15/0x50 cxl_memdev_unregister+0x54/0x70 [cxl_core] This crash is due to the clearing out the cxl_memdev's driver context (@cxlds) before the subsystem is done with it. This is ultimately due to the region(s), that this memdev is a member, being torn down and expecting to be able to de-reference @cxlds, like here: static int cxl_region_decode_reset(struct cxl_region *cxlr, int count) ... if (cxlds->rcd) goto endpoint_reset; ... Fix it by keeping the driver context valid until memdev-device unregistration, and subsequently the entire stack of related dependencies, unwinds.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52849.html
CVE-2023-52849
https://bugzilla.suse.com/1224949
SUSE Bug 1224949

Описание

In the Linux kernel, the following vulnerability has been resolved: media: hantro: Check whether reset op is defined before use The i.MX8MM/N/P does not define the .reset op since reset of the VPU is done by genpd. Check whether the .reset op is defined before calling it to avoid NULL pointer dereference. Note that the Fixes tag is set to the commit which removed the reset op from i.MX8M Hantro G2 implementation, this is because before this commit all the implementations did define the .reset op.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52850.html
CVE-2023-52850
https://bugzilla.suse.com/1225014
SUSE Bug 1225014

Описание

In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF In the unlikely event that workqueue allocation fails and returns NULL in mlx5_mkey_cache_init(), delete the call to mlx5r_umr_resource_cleanup() (which frees the QP) in mlx5_ib_stage_post_ib_reg_umr_init(). This will avoid attempted double free of the same QP when __mlx5_ib_add() does its cleanup. Resolves a splat: Syzkaller reported a UAF in ib_destroy_qp_user workqueue: Failed to create a rescuer kthread for wq "mkey_cache": -EINTR infiniband mlx5_0: mlx5_mkey_cache_init:981:(pid 1642): failed to create work queue infiniband mlx5_0: mlx5_ib_stage_post_ib_reg_umr_init:4075:(pid 1642): mr cache init failed -12 ================================================================== BUG: KASAN: slab-use-after-free in ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073) Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642 Call Trace: <TASK> kasan_report (mm/kasan/report.c:590) ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073) mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198) __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4178) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... </TASK> Allocated by task 1642: __kmalloc (./include/linux/kasan.h:198 mm/slab_common.c:1026 mm/slab_common.c:1039) create_qp (./include/linux/slab.h:603 ./include/linux/slab.h:720 ./include/rdma/ib_verbs.h:2795 drivers/infiniband/core/verbs.c:1209) ib_create_qp_kernel (drivers/infiniband/core/verbs.c:1347) mlx5r_umr_resource_init (drivers/infiniband/hw/mlx5/umr.c:164) mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4070) __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... Freed by task 1642: __kmem_cache_free (mm/slub.c:1826 mm/slub.c:3809 mm/slub.c:3822) ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2112) mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198) mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4076 drivers/infiniband/hw/mlx5/main.c:4065) __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ...

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52851.html
CVE-2023-52851
https://bugzilla.suse.com/1225587
SUSE Bug 1225587

Описание

In the Linux kernel, the following vulnerability has been resolved: hid: cp2112: Fix duplicate workqueue initialization Previously the cp2112 driver called INIT_DELAYED_WORK within cp2112_gpio_irq_startup, resulting in duplicate initilizations of the workqueue on subsequent IRQ startups following an initial request. This resulted in a warning in set_work_data in workqueue.c, as well as a rare NULL dereference within process_one_work in workqueue.c. Initialize the workqueue within _probe instead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52853.html
CVE-2023-52853
https://bugzilla.suse.com/1224988
SUSE Bug 1224988

Описание

In the Linux kernel, the following vulnerability has been resolved: padata: Fix refcnt handling in padata_free_shell() In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead to system UAF (Use-After-Free) issues. Due to the lengthy analysis of the pcrypt_aead01 function call, I'll describe the problem scenario using a simplified model: Suppose there's a user of padata named `user_function` that adheres to the padata requirement of calling `padata_free_shell` after `serial()` has been invoked, as demonstrated in the following code: ```c struct request { struct padata_priv padata; struct completion *done; }; void parallel(struct padata_priv *padata) { do_something(); } void serial(struct padata_priv *padata) { struct request *request = container_of(padata, struct request, padata); complete(request->done); } void user_function() { DECLARE_COMPLETION(done) padata->parallel = parallel; padata->serial = serial; padata_do_parallel(); wait_for_completion(&done); padata_free_shell(); } ``` In the corresponding padata.c file, there's the following code: ```c static void padata_serial_worker(struct work_struct *serial_work) { ... cnt = 0; while (!list_empty(&local_list)) { ... padata->serial(padata); cnt++; } local_bh_enable(); if (refcount_sub_and_test(cnt, &pd->refcnt)) padata_free_pd(pd); } ``` Because of the high system load and the accumulation of unexecuted softirq at this moment, `local_bh_enable()` in padata takes longer to execute than usual. Subsequently, when accessing `pd->refcnt`, `pd` has already been released by `padata_free_shell()`, resulting in a UAF issue with `pd->refcnt`. The fix is straightforward: add `refcount_dec_and_test` before calling `padata_free_pd` in `padata_free_shell`.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52854.html
CVE-2023-52854
https://bugzilla.suse.com/1225584
SUSE Bug 1225584

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue(): spin_lock_irqsave(&hsotg->lock, flags); ... if (!urb->hcpriv) { dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n"); goto out; } rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv ... out: spin_unlock_irqrestore(&hsotg->lock, flags); When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are concurrently executed, the NULL check of "urb->hcpriv" can be executed before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL pointer dereference. This possible bug is found by an experimental static analysis tool developed by myself. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. The above possible bug is reported, when my tool analyzes the source code of Linux 6.5. To fix this possible bug, "urb->hcpriv = NULL" should be executed with holding the lock "hsotg->lock". After using this patch, my tool never reports the possible bug, with the kernelconfiguration allyesconfig for x86_64. Because I have no associated hardware, I cannot test the patch in runtime testing, and just verify it according to the code logic.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52855.html
CVE-2023-52855
https://bugzilla.suse.com/1225583
SUSE Bug 1225583

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/bridge: lt8912b: Fix crash on bridge detach The lt8912b driver, in its bridge detach function, calls drm_connector_unregister() and drm_connector_cleanup(). drm_connector_unregister() should be called only for connectors explicitly registered with drm_connector_register(), which is not the case in lt8912b. The driver's drm_connector_funcs.destroy hook is set to drm_connector_cleanup(). Thus the driver should not call either drm_connector_unregister() nor drm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a crash on bridge detach: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000 [0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks CPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2 Hardware name: Toradex Verdin AM62 on Verdin Development Board (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_connector_cleanup+0x78/0x2d4 [drm] lr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b] sp : ffff800082ed3a90 x29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000 x26: 0000000000000000 x25: dead000000000122 x24: dead000000000122 x23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000 x20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8 x17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038 x14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e x11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48 x8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0 x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: drm_connector_cleanup+0x78/0x2d4 [drm] lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b] drm_bridge_detach+0x44/0x84 [drm] drm_encoder_cleanup+0x40/0xb8 [drm] drmm_encoder_alloc_release+0x1c/0x30 [drm] drm_managed_release+0xac/0x148 [drm] drm_dev_put.part.0+0x88/0xb8 [drm] devm_drm_dev_init_release+0x14/0x24 [drm] devm_action_release+0x14/0x20 release_nodes+0x5c/0x90 devres_release_all+0x8c/0xe0 device_unbind_cleanup+0x18/0x68 device_release_driver_internal+0x208/0x23c driver_detach+0x4c/0x94 bus_remove_driver+0x70/0xf4 driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 tidss_platform_driver_exit+0x18/0xb2c [tidss] __arm64_sys_delete_module+0x1a0/0x2b4 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x60/0x10c do_el0_svc_compat+0x1c/0x40 el0_svc_compat+0x40/0xac el0t_32_sync_handler+0xb0/0x138 el0t_32_sync+0x194/0x198 Code: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52856.html
CVE-2023-52856
https://bugzilla.suse.com/1224932
SUSE Bug 1224932

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix coverity issue with unintentional integer overflow 1. Instead of multiplying 2 variable of different types. Change to assign a value of one variable and then multiply the other variable. 2. Add a int variable for multiplier calculation instead of calculating different types multiplier with dma_addr_t variable directly.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52857.html
CVE-2023-52857
https://bugzilla.suse.com/1225581
SUSE Bug 1225581

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52858.html
CVE-2023-52858
https://bugzilla.suse.com/1225566
SUSE Bug 1225566

Описание

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: use cpuhp_state_remove_instance_nocalls() for hisi_hns3_pmu uninit process When tearing down a 'hisi_hns3' PMU, we mistakenly run the CPU hotplug callbacks after the device has been unregistered, leading to fireworks when we try to execute empty function callbacks within the driver: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | CPU: 0 PID: 15 Comm: cpuhp/0 Tainted: G W O 5.12.0-rc4+ #1 | Hardware name: , BIOS KpxxxFPGA 1P B600 V143 04/22/2021 | pstate: 80400009 (Nzcv daif +PAN -UAO -TCO BTYPE=--) | pc : perf_pmu_migrate_context+0x98/0x38c | lr : perf_pmu_migrate_context+0x94/0x38c | | Call trace: | perf_pmu_migrate_context+0x98/0x38c | hisi_hns3_pmu_offline_cpu+0x104/0x12c [hisi_hns3_pmu] Use cpuhp_state_remove_instance_nocalls() instead of cpuhp_state_remove_instance() so that the notifiers don't execute after the PMU device has been unregistered. [will: Rewrote commit message]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52860.html
CVE-2023-52860
https://bugzilla.suse.com/1224936
SUSE Bug 1224936

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: bridge: it66121: Fix invalid connector dereference Fix the NULL pointer dereference when no monitor is connected, and the sound card is opened from userspace. Instead return an empty buffer (of zeroes) as the EDID information to the sound framework if there is no connector attached.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52861.html
CVE-2023-52861
https://bugzilla.suse.com/1224941
SUSE Bug 1224941

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null pointer dereference in error message This patch fixes a null pointer dereference in the error message that is printed when the Display Core (DC) fails to initialize. The original message includes the DC version number, which is undefined if the DC is not initialized.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52862.html
CVE-2023-52862
https://bugzilla.suse.com/1225015
SUSE Bug 1225015

Описание

In the Linux kernel, the following vulnerability has been resolved: hwmon: (axi-fan-control) Fix possible NULL pointer dereference axi_fan_control_irq_handler(), dependent on the private axi_fan_control_data structure, might be called before the hwmon device is registered. That will cause an "Unable to handle kernel NULL pointer dereference" error.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52863.html
CVE-2023-52863
https://bugzilla.suse.com/1225586
SUSE Bug 1225586

Описание

In the Linux kernel, the following vulnerability has been resolved: platform/x86: wmi: Fix opening of char device Since commit fa1f68db6ca7 ("drivers: misc: pass miscdevice pointer via file private data"), the miscdevice stores a pointer to itself inside filp->private_data, which means that private_data will not be NULL when wmi_char_open() is called. This might cause memory corruption should wmi_char_open() be unable to find its driver, something which can happen when the associated WMI device is deleted in wmi_free_devices(). Fix the problem by using the miscdevice pointer to retrieve the WMI device data associated with a char device using container_of(). This also avoids wmi_char_open() picking a wrong WMI device bound to a driver with the same name as the original driver.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52864.html
CVE-2023-52864
https://bugzilla.suse.com/1225132
SUSE Bug 1225132

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52865.html
CVE-2023-52865
https://bugzilla.suse.com/1225086
SUSE Bug 1225086

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks() When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and then the below user-memory-access bug occurs. In hid_test_uclogic_params_cleanup_event_hooks(),it call uclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so when it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata() will access hdev->dev with hdev=NULL, which will cause below user-memory-access. So add a fake_device with quirks member and call hid_set_drvdata() to assign hdev->dev->driver_data which avoids the null-ptr-def bug for drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying this patch, the below user-memory-access bug never occurs. general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f] CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G B W N 6.6.0-rc2+ #30 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00 RSP: 0000:ffff88810679fc88 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0 R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92 R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080 FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0 DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6 DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x3d/0xa0 ? exc_general_protection+0x144/0x220 ? asm_exc_general_protection+0x22/0x30 ? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 ? sched_clock_cpu+0x69/0x550 ? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70 ? load_balance+0x2950/0x2950 ? rcu_trc_cmpxchg_need_qs+0x67/0xa0 hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0 ? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600 ? __switch_to+0x5cf/0xe60 ? migrate_enable+0x260/0x260 ? __kthread_parkme+0x83/0x150 ? kunit_try_run_case_cleanup+0xe0/0xe0 kunit_generic_run_threadfn_adapter+0x4a/0x90 ? kunit_try_catch_throw+0x80/0x80 kthread+0x2b5/0x380 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x70 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 </TASK> Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace 0000000000000000 ]--- RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00 RSP: 0000:ffff88810679fc88 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0 R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92 R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080 FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0 DR0: ffffffff8fdd6cf4 DR1: ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52866.html
CVE-2023-52866
https://bugzilla.suse.com/1225120
SUSE Bug 1225120

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: possible buffer overflow Buffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is checked after access.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52867.html
CVE-2023-52867
https://bugzilla.suse.com/1225009
SUSE Bug 1225009

Описание

In the Linux kernel, the following vulnerability has been resolved: thermal: core: prevent potential string overflow The dev->id value comes from ida_alloc() so it's a number between zero and INT_MAX. If it's too high then these sprintf()s will overflow.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52868.html
CVE-2023-52868
https://bugzilla.suse.com/1225044
SUSE Bug 1225044

Описание

In the Linux kernel, the following vulnerability has been resolved: pstore/platform: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52869.html
CVE-2023-52869
https://bugzilla.suse.com/1225050
SUSE Bug 1225050

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52870.html
CVE-2023-52870
https://bugzilla.suse.com/1224937
SUSE Bug 1224937

Описание

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: llcc: Handle a second device without data corruption Usually there is only one llcc device. But if there were a second, even a failed probe call would modify the global drv_data pointer. So check if drv_data is valid before overwriting it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52871.html
CVE-2023-52871
https://bugzilla.suse.com/1225534
SUSE Bug 1225534
https://bugzilla.suse.com/1227475
SUSE Bug 1227475

Описание

In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix race condition in status line change on dead connections gsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all timers, removing the virtual tty devices and clearing the data queues. This procedure, however, may cause subsequent changes of the virtual modem status lines of a DLCI. More data is being added the outgoing data queue and the deleted kick timer is restarted to handle this. At this point many resources have already been removed by the cleanup procedure. Thus, a kernel panic occurs. Fix this by proving in gsm_modem_update() that the cleanup procedure has not been started and the mux is still alive. Note that writing to a virtual tty is already protected by checks against the DLCI specific connection state.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52872.html
CVE-2023-52872
https://bugzilla.suse.com/1225591
SUSE Bug 1225591

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52873.html
CVE-2023-52873
https://bugzilla.suse.com/1225589
SUSE Bug 1225589

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro In the TDX_HYPERCALL asm, after the TDCALL instruction returns from the untrusted VMM, the registers that the TDX guest shares to the VMM need to be cleared to avoid speculative execution of VMM-provided values. RSI is specified in the bitmap of those registers, but it is missing when zeroing out those registers in the current TDX_HYPERCALL. It was there when it was originally added in commit 752d13305c78 ("x86/tdx: Expand __tdx_hypercall() to handle more arguments"), but was later removed in commit 1e70c680375a ("x86/tdx: Do not corrupt frame-pointer in __tdx_hypercall()"), which was correct because %rsi is later restored in the "pop %rsi". However a later commit 7a3a401874be ("x86/tdx: Drop flags from __tdx_hypercall()") removed that "pop %rsi" but forgot to add the "xor %rsi, %rsi" back. Fix by adding it back.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52874.html
CVE-2023-52874
https://bugzilla.suse.com/1225049
SUSE Bug 1225049

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52875.html
CVE-2023-52875
https://bugzilla.suse.com/1225096
SUSE Bug 1225096

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52876.html
CVE-2023-52876
https://bugzilla.suse.com/1225036
SUSE Bug 1225036

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm() It is possible that typec_register_partner() returns ERR_PTR on failure. When port->partner is an error, a NULL pointer dereference may occur as shown below. [91222.095236][ T319] typec port0: failed to register partner (-17) ... [91225.061491][ T319] Unable to handle kernel NULL pointer dereference at virtual address 000000000000039f [91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc [91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc [91225.308067][ T319] Call trace: [91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc [91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8 [91225.355900][ T319] kthread_worker_fn+0x178/0x58c [91225.355902][ T319] kthread+0x150/0x200 [91225.355905][ T319] ret_from_fork+0x10/0x30 Add a check for port->partner to avoid dereferencing a NULL pointer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52877.html
CVE-2023-52877
https://bugzilla.suse.com/1224944
SUSE Bug 1224944

Описание

In the Linux kernel, the following vulnerability has been resolved: can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52878.html
CVE-2023-52878
https://bugzilla.suse.com/1225000
SUSE Bug 1225000

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing: Have trace_event_file have ref counters The following can crash the kernel: # cd /sys/kernel/tracing # echo 'p:sched schedule' > kprobe_events # exec 5>>events/kprobes/sched/enable # > kprobe_events # exec 5>&- The above commands: 1. Change directory to the tracefs directory 2. Create a kprobe event (doesn't matter what one) 3. Open bash file descriptor 5 on the enable file of the kprobe event 4. Delete the kprobe event (removes the files too) 5. Close the bash file descriptor 5 The above causes a crash! BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:tracing_release_file_tr+0xc/0x50 What happens here is that the kprobe event creates a trace_event_file "file" descriptor that represents the file in tracefs to the event. It maintains state of the event (is it enabled for the given instance?). Opening the "enable" file gets a reference to the event "file" descriptor via the open file descriptor. When the kprobe event is deleted, the file is also deleted from the tracefs system which also frees the event "file" descriptor. But as the tracefs file is still opened by user space, it will not be totally removed until the final dput() is called on it. But this is not true with the event "file" descriptor that is already freed. If the user does a write to or simply closes the file descriptor it will reference the event "file" descriptor that was just freed, causing a use-after-free bug. To solve this, add a ref count to the event "file" descriptor as well as a new flag called "FREED". The "file" will not be freed until the last reference is released. But the FREE flag will be set when the event is removed to prevent any more modifications to that event from happening, even if there's still a reference to the event "file" descriptor.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52879.html
CVE-2023-52879
https://bugzilla.suse.com/1225101
SUSE Bug 1225101

Описание

In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52880.html
CVE-2023-52880
https://bugzilla.suse.com/1222619
SUSE Bug 1222619

Описание

In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian Rossow. ACK seq validation is currently following RFC 5961 5.2 guidelines: The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. It needs to be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return". The "ignored" above implies that the processing of the incoming data segment continues, which means the ACK value is treated as acceptable. This mitigation makes the ACK check more stringent since any ACK < SND.UNA wouldn't be accepted, instead only ACKs that are in the range ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through. This can be refined for new (and possibly spoofed) flows, by not accepting ACK for bytes that were never sent. This greatly improves TCP security at a little cost. I added a Fixes: tag to make sure this patch will reach stable trees, even if the 'blamed' patch was adhering to the RFC. tp->bytes_acked was added in linux-4.2 Following packetdrill test (courtesy of Yepeng Pan) shows the issue at hand: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1024) = 0 // ---------------- Handshake ------------------- // // when window scale is set to 14 the window size can be extended to // 65535 * (2^14) = 1073725440. Linux would accept an ACK packet // with ack number in (Server_ISN+1-1073725440. Server_ISN+1) // ,though this ack number acknowledges some data never // sent by the server. +0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14> +0 > S. 0:0(0) ack 1 <...> +0 < . 1:1(0) ack 1 win 65535 +0 accept(3, ..., ...) = 4 // For the established connection, we send an ACK packet, // the ack packet uses ack number 1 - 1073725300 + 2^32, // where 2^32 is used to wrap around. // Note: we used 1073725300 instead of 1073725440 to avoid possible // edge cases. // 1 - 1073725300 + 2^32 = 3221241997 // Oops, old kernels happily accept this packet. +0 < . 1:1001(1000) ack 3221241997 win 65535 // After the kernel fix the following will be replaced by a challenge ACK, // and prior malicious frame would be dropped. +0 > . 1:1(0) ack 1001

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52881.html
CVE-2023-52881
https://bugzilla.suse.com/1223384
SUSE Bug 1223384
https://bugzilla.suse.com/1225611
SUSE Bug 1225611
https://bugzilla.suse.com/1226152
SUSE Bug 1226152

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change While PLL CPUX clock rate change when CPU is running from it works in vast majority of cases, now and then it causes instability. This leads to system crashes and other undefined behaviour. After a lot of testing (30+ hours) while also doing a lot of frequency switches, we can't observe any instability issues anymore when doing reparenting to stable clock like 24 MHz oscillator.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52882.html
CVE-2023-52882
https://bugzilla.suse.com/1225692
SUSE Bug 1225692

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix possible null pointer dereference abo->tbo.resource may be NULL in amdgpu_vm_bo_update.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52883.html
CVE-2023-52883
https://bugzilla.suse.com/1226630
SUSE Bug 1226630

Описание

In the Linux kernel, the following vulnerability has been resolved: Input: cyapa - add missing input core locking to suspend/resume functions Grab input->mutex during suspend/resume functions like it is done in other input drivers. This fixes the following warning during system suspend/resume cycle on Samsung Exynos5250-based Snow Chromebook: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c Modules linked in: ... CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound async_run_entry_fn unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x1a8/0x1cc __warn from warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt from input_device_enabled+0x68/0x6c input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize from cyapa_resume+0x48/0x98 cyapa_resume from dpm_run_callback+0x90/0x298 dpm_run_callback from device_resume+0xb4/0x258 device_resume from async_resume+0x20/0x64 async_resume from async_run_entry_fn+0x40/0x15c async_run_entry_fn from process_scheduled_works+0xbc/0x6a8 process_scheduled_works from worker_thread+0x188/0x454 worker_thread from kthread+0x108/0x140 kthread from ret_from_fork+0x14/0x28 Exception stack(0xf1625fb0 to 0xf1625ff8) ... ---[ end trace 0000000000000000 ]--- ... ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c Modules linked in: ... CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound async_run_entry_fn unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x1a8/0x1cc __warn from warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt from input_device_enabled+0x68/0x6c input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize from cyapa_resume+0x48/0x98 cyapa_resume from dpm_run_callback+0x90/0x298 dpm_run_callback from device_resume+0xb4/0x258 device_resume from async_resume+0x20/0x64 async_resume from async_run_entry_fn+0x40/0x15c async_run_entry_fn from process_scheduled_works+0xbc/0x6a8 process_scheduled_works from worker_thread+0x188/0x454 worker_thread from kthread+0x108/0x140 kthread from ret_from_fork+0x14/0x28 Exception stack(0xf1625fb0 to 0xf1625ff8) ... ---[ end trace 0000000000000000 ]---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52884.html
CVE-2023-52884
https://bugzilla.suse.com/1226764
SUSE Bug 1226764

Описание

A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. Only privileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-6238.html
CVE-2023-6238
https://bugzilla.suse.com/1217384
SUSE Bug 1217384
https://bugzilla.suse.com/1217388
SUSE Bug 1217388

Описание

A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-7042.html
CVE-2023-7042
https://bugzilla.suse.com/1218336
SUSE Bug 1218336

Описание

A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel's SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-0639.html
CVE-2024-0639
https://bugzilla.suse.com/1218917
SUSE Bug 1218917

Описание

Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-21823.html
CVE-2024-21823
https://bugzilla.suse.com/1223625
SUSE Bug 1223625

Описание

NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C. This issue affects Linux kernel: v2.6.12-rc2.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-22099.html
CVE-2024-22099
https://bugzilla.suse.com/1219170
SUSE Bug 1219170

Описание

In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-23848.html
CVE-2024-23848
https://bugzilla.suse.com/1219104
SUSE Bug 1219104

Описание

A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-24861.html
CVE-2024-24861
https://bugzilla.suse.com/1219623
SUSE Bug 1219623

Описание

create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-25739.html
CVE-2024-25739
https://bugzilla.suse.com/1219834
SUSE Bug 1219834

Описание

printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-25741.html
CVE-2024-25741
https://bugzilla.suse.com/1219832
SUSE Bug 1219832

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: regenerate buddy after block freeing failed if under fc replay This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on code in mb_free_blocks(), fast commit replay can end up marking as free blocks that are already marked as such. This causes corruption of the buddy bitmap so we need to regenerate it in that case.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26601.html
CVE-2024-26601
https://bugzilla.suse.com/1220342
SUSE Bug 1220342

Описание

In the Linux kernel, the following vulnerability has been resolved: xsk: fix usage of multi-buffer BPF helpers for ZC XDP Currently when packet is shrunk via bpf_xdp_adjust_tail() and memory type is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens: [1136314.192256] BUG: kernel NULL pointer dereference, address: 0000000000000034 [1136314.203943] #PF: supervisor read access in kernel mode [1136314.213768] #PF: error_code(0x0000) - not-present page [1136314.223550] PGD 0 P4D 0 [1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI [1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257 [1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210 [1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86 [1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246 [1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX: 0000000000000000 [1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc9003168c000 [1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09: 0000000000010000 [1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12: 0000000000000001 [1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15: 0000000000000001 [1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000) knlGS:0000000000000000 [1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4: 00000000007706f0 [1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1136314.431890] PKRU: 55555554 [1136314.439143] Call Trace: [1136314.446058] <IRQ> [1136314.452465] ? __die+0x20/0x70 [1136314.459881] ? page_fault_oops+0x15b/0x440 [1136314.468305] ? exc_page_fault+0x6a/0x150 [1136314.476491] ? asm_exc_page_fault+0x22/0x30 [1136314.484927] ? __xdp_return+0x6c/0x210 [1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0 [1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60 [1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice] [1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice] [1136314.528506] ice_napi_poll+0x467/0x670 [ice] [1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0 [1136314.546010] __napi_poll+0x29/0x1b0 [1136314.553462] net_rx_action+0x133/0x270 [1136314.561619] __do_softirq+0xbe/0x28e [1136314.569303] do_softirq+0x3f/0x60 This comes from __xdp_return() call with xdp_buff argument passed as NULL which is supposed to be consumed by xsk_buff_free() call. To address this properly, in ZC case, a node that represents the frag being removed has to be pulled out of xskb_list. Introduce appropriate xsk helpers to do such node operation and use them accordingly within bpf_xdp_adjust_tail().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26611.html
CVE-2024-26611
https://bugzilla.suse.com/1221303
SUSE Bug 1221303

Описание

In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: <IRQ> _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 </TASK> The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26614.html
CVE-2024-26614
https://bugzilla.suse.com/1221293
SUSE Bug 1221293

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: - run nginx/wrk test: smc_run nginx smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL> - continuously dump SMC-D connections in parallel: watch -n 1 'smcss -D' BUG: kernel NULL pointer dereference, address: 0000000000000030 CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55 RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x66/0x150 ? exc_page_fault+0x69/0x140 ? asm_exc_page_fault+0x26/0x30 ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] ? __kmalloc_node_track_caller+0x35d/0x430 ? __alloc_skb+0x77/0x170 smc_diag_dump_proto+0xd0/0xf0 [smc_diag] smc_diag_dump+0x26/0x60 [smc_diag] netlink_dump+0x19f/0x320 __netlink_dump_start+0x1dc/0x300 smc_diag_handler_dump+0x6a/0x80 [smc_diag] ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag] sock_diag_rcv_msg+0x121/0x140 ? __pfx_sock_diag_rcv_msg+0x10/0x10 netlink_rcv_skb+0x5a/0x110 sock_diag_rcv+0x28/0x40 netlink_unicast+0x22a/0x330 netlink_sendmsg+0x1f8/0x420 __sock_sendmsg+0xb0/0xc0 ____sys_sendmsg+0x24e/0x300 ? copy_msghdr_from_user+0x62/0x80 ___sys_sendmsg+0x7c/0xd0 ? __do_fault+0x34/0x160 ? do_read_fault+0x5f/0x100 ? do_fault+0xb0/0x110 ? __handle_mm_fault+0x2b0/0x6c0 __sys_sendmsg+0x4d/0x80 do_syscall_64+0x69/0x180 entry_SYSCALL_64_after_hwframe+0x6e/0x76 It is possible that the connection is in process of being established when we dump it. Assumed that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26615.html
CVE-2024-26615
https://bugzilla.suse.com/1220942
SUSE Bug 1220942

Описание

In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent race issues involving the adminq There are multiple paths that can result in using the pdsc's adminq. [1] pdsc_adminq_isr and the resulting work from queue_work(), i.e. pdsc_work_thread()->pdsc_process_adminq() [2] pdsc_adminq_post() When the device goes through reset via PCIe reset and/or a fw_down/fw_up cycle due to bad PCIe state or bad device state the adminq is destroyed and recreated. A NULL pointer dereference can happen if [1] or [2] happens after the adminq is already destroyed. In order to fix this, add some further state checks and implement reference counting for adminq uses. Reference counting was used because multiple threads can attempt to access the adminq at the same time via [1] or [2]. Additionally, multiple clients (i.e. pds-vfio-pci) can be using [2] at the same time. The adminq_refcnt is initialized to 1 when the adminq has been allocated and is ready to use. Users/clients of the adminq (i.e. [1] and [2]) will increment the refcnt when they are using the adminq. When the driver goes into a fw_down cycle it will set the PDSC_S_FW_DEAD bit and then wait for the adminq_refcnt to hit 1. Setting the PDSC_S_FW_DEAD before waiting will prevent any further adminq_refcnt increments. Waiting for the adminq_refcnt to hit 1 allows for any current users of the adminq to finish before the driver frees the adminq. Once the adminq_refcnt hits 1 the driver clears the refcnt to signify that the adminq is deleted and cannot be used. On the fw_up cycle the driver will once again initialize the adminq_refcnt to 1 allowing the adminq to be used again.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26623.html
CVE-2024-26623
https://bugzilla.suse.com/1221057
SUSE Bug 1221057

Описание

In the Linux kernel, the following vulnerability has been resolved: llc: call sock_orphan() at release time syzbot reported an interesting trace [1] caused by a stale sk->sk_wq pointer in a closed llc socket. In commit ff7b11aa481f ("net: socket: set sock->sk to NULL after calling proto_ops::release()") Eric Biggers hinted that some protocols are missing a sock_orphan(), we need to perform a full audit. In net-next, I plan to clear sock->sk from sock_orphan() and amend Eric patch to add a warning. [1] BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline] BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline] BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline] BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27 CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 list_empty include/linux/list.h:373 [inline] waitqueue_active include/linux/wait.h:127 [inline] sock_def_write_space_wfree net/core/sock.c:3384 [inline] sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080 skb_release_all net/core/skbuff.c:1092 [inline] napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404 e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline] e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801 __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x956/0xe90 net/core/dev.c:6778 __do_softirq+0x21a/0x8de kernel/softirq.c:553 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164 kthread+0x2c6/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 </TASK> Allocated by task 5167: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3019 [inline] sock_alloc_inode+0x25/0x1c0 net/socket.c:308 alloc_inode+0x5d/0x220 fs/inode.c:260 new_inode_pseudo+0x16/0x80 fs/inode.c:1005 sock_alloc+0x40/0x270 net/socket.c:634 __sock_create+0xbc/0x800 net/socket.c:1535 sock_create net/socket.c:1622 [inline] __sys_socket_create net/socket.c:1659 [inline] __sys_socket+0x14c/0x260 net/socket.c:1706 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1718 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Freed by task 0: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inlin ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26625.html
CVE-2024-26625
https://bugzilla.suse.com/1221086
SUSE Bug 1221086

Описание

In the Linux kernel, the following vulnerability has been resolved: block: Fix iterating over an empty bio with bio_for_each_folio_all If the bio contains no data, bio_first_folio() calls page_folio() on a NULL pointer and oopses. Move the test that we've reached the end of the bio from bio_next_folio() to bio_first_folio(). [axboe: add unlikely() to error case]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26632.html
CVE-2024-26632
https://bugzilla.suse.com/1221635
SUSE Bug 1221635

Описание

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we might access garbage. [1] BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098 __pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655 pskb_may_pull_reason include/linux/skbuff.h:2673 [inline] pskb_may_pull include/linux/skbuff.h:2681 [inline] ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendms ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26633.html
CVE-2024-26633
https://bugzilla.suse.com/1221647
SUSE Bug 1221647

Описание

In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16) llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes them to __llc_lookup(). However, the initialisation is done only when skb->protocol is htons(ETH_P_802_2), otherwise, __llc_lookup_established() and __llc_lookup_listener() will read garbage. The missing initialisation existed prior to commit 211ed865108e ("net: delete all instances of special processing for token ring"). It removed the part to kick out the token ring stuff but forgot to close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv(). Let's remove llc_tr_packet_type and complete the deprecation. [0]: BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90 __llc_lookup_established+0xe9d/0xf90 __llc_lookup net/llc/llc_conn.c:611 [inline] llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 __netif_receive_skb_one_core net/core/dev.c:5527 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641 netif_receive_skb_internal net/core/dev.c:5727 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5786 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x1490 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Local variable daddr created at: llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26635.html
CVE-2024-26635
https://bugzilla.suse.com/1221656
SUSE Bug 1221656

Описание

In the Linux kernel, the following vulnerability has been resolved: llc: make llc_ui_sendmsg() more robust against bonding changes syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header [1] Like some others, llc_ui_sendmsg() releases the socket lock before calling sock_alloc_send_skb(). Then it acquires it again, but does not redo all the sanity checks that were performed. This fix: - Uses LL_RESERVED_SPACE() to reserve space. - Check all conditions again after socket lock is held again. - Do not account Ethernet header for mtu limitation. [1] skbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0 kernel BUG at net/core/skbuff.c:193 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic net/core/skbuff.c:189 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 lr : skb_panic net/core/skbuff.c:189 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 sp : ffff800096f97000 x29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000 x26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2 x23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0 x20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce x17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001 x14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400 x8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714 x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089 Call trace: skb_panic net/core/skbuff.c:189 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 skb_push+0xf0/0x108 net/core/skbuff.c:2451 eth_header+0x44/0x1f8 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3188 [inline] llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33 llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209 llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270 llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x194/0x274 net/socket.c:767 splice_to_socket+0x7cc/0xd58 fs/splice.c:881 do_splice_from fs/splice.c:933 [inline] direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142 splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088 do_splice_direct+0x20c/0x348 fs/splice.c:1194 do_sendfile+0x4bc/0xc70 fs/read_write.c:1254 __do_sys_sendfile64 fs/read_write.c:1322 [inline] __se_sys_sendfile64 fs/read_write.c:1308 [inline] __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Code: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26636.html
CVE-2024-26636
https://bugzilla.suse.com/1221659
SUSE Bug 1221659

Описание

In the Linux kernel, the following vulnerability has been resolved: nbd: always initialize struct msghdr completely syzbot complains that msg->msg_get_inq value can be uninitialized [1] struct msghdr got many new fields recently, we should always make sure their values is zero by default. [1] BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0x12b/0x1e0 net/socket.c:1066 __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538 nbd_read_reply drivers/block/nbd.c:732 [inline] recv_work+0x262/0x3100 drivers/block/nbd.c:863 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781 kthread+0x3ed/0x540 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 Local variable msg created at: __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513 nbd_read_reply drivers/block/nbd.c:732 [inline] recv_work+0x262/0x3100 drivers/block/nbd.c:863 CPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: nbd5-recv recv_work

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26638.html
CVE-2024-26638
https://bugzilla.suse.com/1221649
SUSE Bug 1221649

Описание

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26641.html
CVE-2024-26641
https://bugzilla.suse.com/1221654
SUSE Bug 1221654

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26642.html
CVE-2024-26642
https://bugzilla.suse.com/1221830
SUSE Bug 1221830

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26643.html
CVE-2024-26643
https://bugzilla.suse.com/1221829
SUSE Bug 1221829

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26650.html
CVE-2024-26650
https://bugzilla.suse.com/1222048
SUSE Bug 1222048

Описание

In the Linux kernel, the following vulnerability has been resolved: net: pds_core: Fix possible double free in error handling path When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), Callback function pdsc_auxbus_dev_release calls kfree(padev) to free memory. We shouldn't call kfree(padev) again in the error handling path. Fix this by cleaning up the redundant kfree() and putting the error handling back to where the errors happened.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26652.html
CVE-2024-26652
https://bugzilla.suse.com/1222115
SUSE Bug 1222115
https://bugzilla.suse.com/1222116
SUSE Bug 1222116

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer. When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below: (Thread 1) | (Thread 2) snd_aicapcm_pcm_close() | ... | run_spu_dma() //worker | mod_timer() flush_work() | del_timer() | aica_period_elapsed() //timer kfree(dreamcastcard->channel) | schedule_work() | run_spu_dma() //worker ... | dreamcastcard->channel-> //USE In order to mitigate this bug and other possible corner cases, call mod_timer() conditionally in run_spu_dma(), then implement PCM sync_stop op to cancel both the timer and worker. The sync_stop op will be called from PCM core appropriately when needed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26654.html
CVE-2024-26654
https://bugzilla.suse.com/1222304
SUSE Bug 1222304

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free bug The bug can be triggered by sending a single amdgpu_gem_userptr_ioctl to the AMDGPU DRM driver on any ASICs with an invalid address and size. The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>. For example the following code: static void Syzkaller1(int fd) { struct drm_amdgpu_gem_userptr arg; int ret; arg.addr = 0xffffffffffff0000; arg.size = 0x80000000; /*2 Gb*/ arg.flags = 0x7; ret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg); } Due to the address and size are not valid there is a failure in amdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert-> check_shl_overflow, but we even the amdgpu_hmm_register failure we still call amdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address. The following stack is below when the issue is reproduced when Kazan is enabled: [ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340 [ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80 [ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246 [ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b [ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260 [ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25 [ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00 [ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260 [ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000 [ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0 [ +0.000010] Call Trace: [ +0.000006] <TASK> [ +0.000007] ? show_regs+0x6a/0x80 [ +0.000018] ? __warn+0xa5/0x1b0 [ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340 [ +0.000018] ? report_bug+0x24a/0x290 [ +0.000022] ? handle_bug+0x46/0x90 [ +0.000015] ? exc_invalid_op+0x19/0x50 [ +0.000016] ? asm_exc_invalid_op+0x1b/0x20 [ +0.000017] ? kasan_save_stack+0x26/0x50 [ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340 [ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340 [ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340 [ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10 [ +0.000017] ? kasan_save_alloc_info+0x1e/0x30 [ +0.000018] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? __kasan_kmalloc+0xb1/0xc0 [ +0.000018] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? __kasan_check_read+0x11/0x20 [ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu] [ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu] [ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu] [ +0.004291] ? do_syscall_64+0x5f/0xe0 [ +0.000023] ? srso_return_thunk+0x5/0x5f [ +0.000017] drm_gem_object_free+0x3b/0x50 [drm] [ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu] [ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [ +0.004270] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? __this_cpu_preempt_check+0x13/0x20 [ +0.000015] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0 [ +0.000020] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm] [ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm] [ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm] [ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26656.html
CVE-2024-26656
https://bugzilla.suse.com/1222307
SUSE Bug 1222307

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/sched: fix null-ptr-deref in init entity The bug can be triggered by sending an amdgpu_cs_wait_ioctl to the AMDGPU DRM driver on any ASICs with valid context. The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>. For example the following code: static void Syzkaller2(int fd) { union drm_amdgpu_ctx arg1; union drm_amdgpu_wait_cs arg2; arg1.in.op = AMDGPU_CTX_OP_ALLOC_CTX; ret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, &arg1); arg2.in.handle = 0x0; arg2.in.timeout = 0x2000000000000; arg2.in.ip_type = AMD_IP_VPE /* 0x9 */; arg2->in.ip_instance = 0x0; arg2.in.ring = 0x0; arg2.in.ctx_id = arg1.out.alloc.ctx_id; drmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, &arg2); } The ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that the error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa modified the logic and allowed to have sched_rq equal to NULL. As a result when there is no job the ioctl AMDGPU_WAIT_CS returns success. The change fixes null-ptr-deref in init entity and the stack below demonstrates the error condition: [ +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ +0.007086] #PF: supervisor read access in kernel mode [ +0.005234] #PF: error_code(0x0000) - not-present page [ +0.005232] PGD 0 P4D 0 [ +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI [ +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G B W L 6.7.0+ #4 [ +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [ +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 <48> 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c [ +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282 [ +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa [ +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0 [ +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c [ +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010 [ +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000 [ +0.007264] FS: 00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000 [ +0.008236] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0 [ +0.007175] Call Trace: [ +0.002561] <TASK> [ +0.002141] ? show_regs+0x6a/0x80 [ +0.003473] ? __die+0x25/0x70 [ +0.003124] ? page_fault_oops+0x214/0x720 [ +0.004179] ? preempt_count_sub+0x18/0xc0 [ +0.004093] ? __pfx_page_fault_oops+0x10/0x10 [ +0.004590] ? srso_return_thunk+0x5/0x5f [ +0.004000] ? vprintk_default+0x1d/0x30 [ +0.004063] ? srso_return_thunk+0x5/0x5f [ +0.004087] ? vprintk+0x5c/0x90 [ +0.003296] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [ +0.005807] ? srso_return_thunk+0x5/0x5f [ +0.004090] ? _printk+0xb3/0xe0 [ +0.003293] ? __pfx__printk+0x10/0x10 [ +0.003735] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ +0.005482] ? do_user_addr_fault+0x345/0x770 [ +0.004361] ? exc_page_fault+0x64/0xf0 [ +0.003972] ? asm_exc_page_fault+0x27/0x30 [ +0.004271] ? add_taint+0x2a/0xa0 [ +0.003476] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [ +0.005812] amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu] [ +0.009530] ? finish_task_switch.isra.0+0x129/0x470 [ +0.005068] ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu] [ +0.010063] ? __kasan_check_write+0x14/0x20 [ +0.004356] ? srso_return_thunk+0x5/0x5f [ +0.004001] ? mutex_unlock+0x81/0xd0 [ +0.003802] ? srso_return_thunk+0x5/0x5f [ +0.004096] amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu] [ +0.009355] ? __pfx_ ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26657.html
CVE-2024-26657
https://bugzilla.suse.com/1222273
SUSE Bug 1222273

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() syzbot reported the following general protection fault [1]: general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087] ... RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291 ... Call Trace: <TASK> tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646 tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089 genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972 genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367 netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b The cause of this issue is that when tipc_nl_bearer_add() is called with the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called even if the bearer is not UDP. tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that the media_ptr field of the tipc_bearer has an udp_bearer type object, so the function goes crazy for non-UDP bearers. This patch fixes the issue by checking the bearer type before calling tipc_udp_nl_bearer_add() in tipc_nl_bearer_add().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26663.html
CVE-2024-26663
https://bugzilla.suse.com/1222326
SUSE Bug 1222326

Описание

In the Linux kernel, the following vulnerability has been resolved: tunnels: fix out of bounds access when building IPv6 PMTU error If the ICMPv6 error is built from a non-linear skb we get the following splat, BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240 Read of size 4 at addr ffff88811d402c80 by task netperf/820 CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543 ... kasan_report+0xd8/0x110 do_csum+0x220/0x240 csum_partial+0xc/0x20 skb_tunnel_check_pmtu+0xeb9/0x3280 vxlan_xmit_one+0x14c2/0x4080 vxlan_xmit+0xf61/0x5c00 dev_hard_start_xmit+0xfb/0x510 __dev_queue_xmit+0x7cd/0x32a0 br_dev_queue_push_xmit+0x39d/0x6a0 Use skb_checksum instead of csum_partial who cannot deal with non-linear SKBs.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26665.html
CVE-2024-26665
https://bugzilla.suse.com/1222328
SUSE Bug 1222328

Описание

In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime blk_mq_mark_tag_wait() can't get driver tag successfully. This issue can be reproduced by running the following test in loop, and fio hang can be observed in < 30min when running it on my test VM in laptop. modprobe -r scsi_debug modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4 dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename` fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \ --runtime=100 --numjobs=40 --time_based --name=test \ --ioengine=libaio Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which is just fine in case of running out of tag.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26671.html
CVE-2024-26671
https://bugzilla.suse.com/1222357
SUSE Bug 1222357

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations - Disallow families other than NFPROTO_{IPV4,IPV6,INET}. - Disallow layer 4 protocol with no ports, since destination port is a mandatory attribute for this object.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26673.html
CVE-2024-26673
https://bugzilla.suse.com/1222368
SUSE Bug 1222368

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups During memory error injection test on kernels >= v6.4, the kernel panics like below. However, this issue couldn't be reproduced on kernels <= v6.3. mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134 mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20} mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86 mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check The MCA code can recover from an in-kernel #MC if the fixup type is EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT the only thing that is raised for an in-kernel #MC is a panic. ex_handler_uaccess() would warn if users gave a non-canonical addresses (with bit 63 clear) to {get, put}_user(), which was unexpected. Therefore, commit b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()") replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user() fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic. Commit 6014bc27561f ("x86-64: make access_ok() independent of LAM") added the check gp_fault_address_ok() right before the WARN_ONCE() in ex_handler_uaccess() to not warn about non-canonical user addresses due to LAM. With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user() exception fixups in order to be able to handle in-kernel MCEs correctly again. [ bp: Massage commit message. ]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26674.html
CVE-2024-26674
https://bugzilla.suse.com/1222378
SUSE Bug 1222378

Описание

In the Linux kernel, the following vulnerability has been resolved: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. syzbot reported a warning [0] in __unix_gc() with a repro, which creates a socketpair and sends one socket's fd to itself using the peer. socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1 This forms a self-cyclic reference that GC should finally untangle but does not due to lack of MSG_OOB handling, resulting in memory leak. Recently, commit 11498715f266 ("af_unix: Remove io_uring code for GC.") removed io_uring's dead code in GC and revealed the problem. The code was executed at the final stage of GC and unconditionally moved all GC candidates from gc_candidates to gc_inflight_list. That papered over the reported problem by always making the following WARN_ON_ONCE(!list_empty(&gc_candidates)) false. The problem has been there since commit 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") added full scm support for MSG_OOB while fixing another bug. To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb if the socket still exists in gc_candidates after purging collected skb. Then, we need to set NULL to oob_skb before calling kfree_skb() because it calls last fput() and triggers unix_release_sock(), where we call duplicate kfree_skb(u->oob_skb) if not NULL. Note that the leaked socket remained being linked to a global list, so kmemleak also could not detect it. We need to check /proc/net/protocol to notice the unfreed socket. [0]: WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Modules linked in: CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 kthread+0x2c6/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26676.html
CVE-2024-26676
https://bugzilla.suse.com/1222380
SUSE Bug 1222380

Описание

In the Linux kernel, the following vulnerability has been resolved: inet: read sk->sk_family once in inet_recv_error() inet_recv_error() is called without holding the socket lock. IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM socket option and trigger a KCSAN warning.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26679.html
CVE-2024-26679
https://bugzilla.suse.com/1222385
SUSE Bug 1222385

Описание

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features in XGMAC core") checks and reports safety errors, but leaves the Data Path Parity Errors for each channel in DMA unhandled at all, lead to a storm of interrupt. Fix it by checking and clearing the DMA_DPP_Interrupt_Status register.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26684.html
CVE-2024-26684
https://bugzilla.suse.com/1222445
SUSE Bug 1222445

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential bug in end_buffer_async_write According to a syzbot report, end_buffer_async_write(), which handles the completion of block device writes, may detect abnormal condition of the buffer async_write flag and cause a BUG_ON failure when using nilfs2. Nilfs2 itself does not use end_buffer_async_write(). But, the async_write flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks") as a means of resolving double list insertion of dirty blocks in nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the resulting crash. This modification is safe as long as it is used for file data and b-tree node blocks where the page caches are independent. However, it was irrelevant and redundant to also introduce async_write for segment summary and super root blocks that share buffers with the backing device. This led to the possibility that the BUG_ON check in end_buffer_async_write would fail as described above, if independent writebacks of the backing device occurred in parallel. The use of async_write for segment summary buffers has already been removed in a previous change. Fix this issue by removing the manipulation of the async_write flag for the remaining super root block buffer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26685.html
CVE-2024-26685
https://bugzilla.suse.com/1222437
SUSE Bug 1222437

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix circular locking dependency The rule inside kvm enforces that the vcpu->mutex is taken *inside* kvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires the kvm->lock while already holding the vcpu->mutex lock from kvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by protecting the hyp vm handle with the config_lock, much like we already do for other forms of VM-scoped data.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26691.html
CVE-2024-26691
https://bugzilla.suse.com/1222463
SUSE Bug 1222463

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix double-free of blocks due to wrong extents moved_len In ext4_move_extents(), moved_len is only updated when all moves are successfully executed, and only discards orig_inode and donor_inode preallocations when moved_len is not zero. When the loop fails to exit after successfully moving some extents, moved_len is not updated and remains at 0, so it does not discard the preallocations. If the moved extents overlap with the preallocated extents, the overlapped extents are freed twice in ext4_mb_release_inode_pa() and ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4: Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is incremented twice. Hence when trim is executed, a zero-division bug is triggered in mb_update_avg_fragment_size() because bb_free is not zero and bb_fragments is zero. Therefore, update move_len after each extent move to avoid the issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26704.html
CVE-2024-26704
https://bugzilla.suse.com/1222422
SUSE Bug 1222422

Описание

In the Linux kernel, the following vulnerability has been resolved: interconnect: qcom: sc8180x: Mark CO0 BCM keepalive The CO0 BCM needs to be up at all times, otherwise some hardware (like the UFS controller) loses its connection to the rest of the SoC, resulting in a hang of the platform, accompanied by a spectacular logspam. Mark it as keepalive to prevent such cases.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26714.html
CVE-2024-26714
https://bugzilla.suse.com/1222489
SUSE Bug 1222489

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: <TASK> extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26726.html
CVE-2024-26726
https://bugzilla.suse.com/1222532
SUSE Bug 1222532

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready() syzbot reported the following NULL pointer dereference issue [1]: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:0x0 [...] Call Trace: <TASK> sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230 unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called concurrently, psock->saved_data_ready can be NULL, causing the above issue. This patch fixes this issue by calling the appropriate data ready function using the sk_psock_data_ready() helper and protecting it from concurrency with sk->sk_callback_lock.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26731.html
CVE-2024-26731
https://bugzilla.suse.com/1222371
SUSE Bug 1222371

Описание

In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26733.html
CVE-2024-26733
https://bugzilla.suse.com/1222585
SUSE Bug 1222585

Описание

In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. Make an unregister in case of unsuccessful registration.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26734.html
CVE-2024-26734
https://bugzilla.suse.com/1222438
SUSE Bug 1222438

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer. bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = timer->timer; timer->timer = NULL; spin_unlock(); hrtimer_cancel(&t->timer); kfree(t); /* UAF on t */ hrtimer_cancel(&t->timer); In bpf_timer_cancel_and_free, this patch frees the timer->timer after a rcu grace period. This requires a rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init, this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible by others yet. In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited, bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock. Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straight forward solution and frees timer->timer after a rcu grace period.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26737.html
CVE-2024-26737
https://bugzilla.suse.com/1222557
SUSE Bug 1222557

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_mirred: don't override retval if we already lost the skb If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF. Move the retval override to the error path which actually need it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26739.html
CVE-2024-26739
https://bugzilla.suse.com/1222559
SUSE Bug 1222559

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_mirred: use the backlog for mirred ingress The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog for nested calls to mirred ingress") hangs our testing VMs every 10 or so runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by lockdep. The problem as previously described by Davide (see Link) is that if we reverse flow of traffic with the redirect (egress -> ingress) we may reach the same socket which generated the packet. And we may still be holding its socket lock. The common solution to such deadlocks is to put the packet in the Rx backlog, rather than run the Rx path inline. Do that for all egress -> ingress reversals, not just once we started to nest mirred calls. In the past there was a concern that the backlog indirection will lead to loss of error reporting / less accurate stats. But the current workaround does not seem to address the issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26740.html
CVE-2024-26740
https://bugzilla.suse.com/1222563
SUSE Bug 1222563

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix disable_managed_interrupts Correct blk-mq registration issue with module parameter disable_managed_interrupts enabled. When we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to register with blk-mq using blk_mq_map_queues(). The driver is currently calling blk_mq_pci_map_queues() which results in a stack trace and possibly undefined behavior. Stack Trace: [ 7.860089] scsi host2: smartpqi [ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0 [ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse [ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1 [ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022 [ 7.963026] Workqueue: events work_for_cpu_fn [ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0 [ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54 [ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216 [ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010 [ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310 [ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00 [ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000 [ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8 [ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000 [ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0 [ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 8.172818] PKRU: 55555554 [ 8.172819] Call Trace: [ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310 [ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245 [ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi] [ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi] [ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi] [ 8.323286] local_pci_probe+0x42/0x80 [ 8.337855] work_for_cpu_fn+0x16/0x20 [ 8.351193] process_one_work+0x1a7/0x360 [ 8.364462] ? create_worker+0x1a0/0x1a0 [ 8.379252] worker_thread+0x1ce/0x390 [ 8.392623] ? create_worker+0x1a0/0x1a0 [ 8.406295] kthread+0x10a/0x120 [ 8.418428] ? set_kthread_struct+0x50/0x50 [ 8.431532] ret_from_fork+0x1f/0x40 [ 8.444137] ---[ end trace 1bf0173d39354506 ]---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26742.html
CVE-2024-26742
https://bugzilla.suse.com/1222608
SUSE Bug 1222608

Описание

In the Linux kernel, the following vulnerability has been resolved: af_unix: Drop oob_skb ref before purging queue in GC. syzbot reported another task hung in __unix_gc(). [0] The current while loop assumes that all of the left candidates have oob_skb and calling kfree_skb(oob_skb) releases the remaining candidates. However, I missed a case that oob_skb has self-referencing fd and another fd and the latter sk is placed before the former in the candidate list. Then, the while loop never proceeds, resulting the task hung. __unix_gc() has the same loop just before purging the collected skb, so we can call kfree_skb(oob_skb) there and let __skb_queue_purge() release all inflight sockets. [0]: Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200 Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70 RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287 RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84 R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> __unix_gc+0xe69/0xf40 net/unix/garbage.c:343 process_one_work kernel/workqueue.c:2633 [inline] process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706 worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787 kthread+0x2ef/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26750.html
CVE-2024-26750
https://bugzilla.suse.com/1222617
SUSE Bug 1222617

Описание

In the Linux kernel, the following vulnerability has been resolved: md: Don't register sync_thread for reshape directly Currently, if reshape is interrupted, then reassemble the array will register sync_thread directly from pers->run(), in this case 'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee that md_do_sync() will be executed, hence stop_sync_thread() will hang because 'MD_RECOVERY_RUNNING' can't be cleared. Last patch make sure that md_do_sync() will set MD_RECOVERY_DONE, however, following hang can still be triggered by dm-raid test shell/lvconvert-raid-reshape.sh occasionally: [root@fedora ~]# cat /proc/1982/stack [<0>] stop_sync_thread+0x1ab/0x270 [md_mod] [<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod] [<0>] raid_presuspend+0x1e/0x70 [dm_raid] [<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod] [<0>] __dm_destroy+0x2a5/0x310 [dm_mod] [<0>] dm_destroy+0x16/0x30 [dm_mod] [<0>] dev_remove+0x165/0x290 [dm_mod] [<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod] [<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod] [<0>] vfs_ioctl+0x21/0x60 [<0>] __x64_sys_ioctl+0xb9/0xe0 [<0>] do_syscall_64+0xc6/0x230 [<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74 Meanwhile mddev->recovery is: MD_RECOVERY_RUNNING | MD_RECOVERY_INTR | MD_RECOVERY_RESHAPE | MD_RECOVERY_FROZEN Fix this problem by remove the code to register sync_thread directly from raid10 and raid5. And let md_check_recovery() to register sync_thread.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26756.html
CVE-2024-26756
https://bugzilla.suse.com/1222531
SUSE Bug 1222531

Описание

In the Linux kernel, the following vulnerability has been resolved: md: Don't ignore suspended array in md_check_recovery() mddev_suspend() never stop sync_thread, hence it doesn't make sense to ignore suspended array in md_check_recovery(), which might cause sync_thread can't be unregistered. After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following hang can be triggered by test shell/integrity-caching.sh: 1) suspend the array: raid_postsuspend mddev_suspend 2) stop the array: raid_dtr md_stop __md_stop_writes stop_sync_thread set_bit(MD_RECOVERY_INTR, &mddev->recovery); md_wakeup_thread_directly(mddev->sync_thread); wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) 3) sync thread done: md_do_sync set_bit(MD_RECOVERY_DONE, &mddev->recovery); md_wakeup_thread(mddev->thread); 4) daemon thread can't unregister sync thread: md_check_recovery if (mddev->suspended) return; -> return directly md_read_sync_thread clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery); -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang; This problem is not just related to dm-raid, fix it by ignoring suspended array in md_check_recovery(). And follow up patches will improve dm-raid better to frozen sync thread during suspend.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26758.html
CVE-2024-26758
https://bugzilla.suse.com/1230341
SUSE Bug 1230341

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: target: pscsi: Fix bio_put() for error case As of commit 066ff571011d ("block: turn bio_kmalloc into a simple kmalloc wrapper"), a bio allocated by bio_kmalloc() must be freed by bio_uninit() and kfree(). That is not done properly for the error case, hitting WARN and NULL pointer dereference in bio_free().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26760.html
CVE-2024-26760
https://bugzilla.suse.com/1222596
SUSE Bug 1222596

Описание

In the Linux kernel, the following vulnerability has been resolved: cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window The Linux CXL subsystem is built on the assumption that HPA == SPA. That is, the host physical address (HPA) the HDM decoder registers are programmed with are system physical addresses (SPA). During HDM decoder setup, the DVSEC CXL range registers (cxl-3.1, 8.1.3.8) are checked if the memory is enabled and the CXL range is in a HPA window that is described in a CFMWS structure of the CXL host bridge (cxl-3.1, 9.18.1.3). Now, if the HPA is not an SPA, the CXL range does not match a CFMWS window and the CXL memory range will be disabled then. The HDM decoder stops working which causes system memory being disabled and further a system hang during HDM decoder initialization, typically when a CXL enabled kernel boots. Prevent a system hang and do not disable the HDM decoder if the decoder's CXL range is not found in a CFMWS window. Note the change only fixes a hardware hang, but does not implement HPA/SPA translation. Support for this can be added in a follow on patch series.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26761.html
CVE-2024-26761
https://bugzilla.suse.com/1230375
SUSE Bug 1230375

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio If kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the following kernel warning appears: WARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8 Call trace: kiocb_set_cancel_fn+0x9c/0xa8 ffs_epfile_read_iter+0x144/0x1d0 io_read+0x19c/0x498 io_issue_sqe+0x118/0x27c io_submit_sqes+0x25c/0x5fc __arm64_sys_io_uring_enter+0x104/0xab0 invoke_syscall+0x58/0x11c el0_svc_common+0xb4/0xf4 do_el0_svc+0x2c/0xb0 el0_svc+0x2c/0xa4 el0t_64_sync_handler+0x68/0xb4 el0t_64_sync+0x1a4/0x1a8 Fix this by setting the IOCB_AIO_RW flag for read and write I/O that is submitted by libaio.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26764.html
CVE-2024-26764
https://bugzilla.suse.com/1222721
SUSE Bug 1222721

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fixed integer types and null check locations [why]: issues fixed: - comparison with wider integer type in loop condition which can cause infinite loops - pointer dereference before null check

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26767.html
CVE-2024-26767
https://bugzilla.suse.com/1230339
SUSE Bug 1230339

Описание

In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid deadlock on delete association path When deleting an association the shutdown path is deadlocking because we try to flush the nvmet_wq nested. Avoid this by deadlock by deferring the put work into its own work item.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26769.html
CVE-2024-26769
https://bugzilla.suse.com/1222727
SUSE Bug 1222727

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() Places the logic for checking if the group's block bitmap is corrupt under the protection of the group lock to avoid allocating blocks from the group with a corrupted block bitmap.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26772.html
CVE-2024-26772
https://bugzilla.suse.com/1222613
SUSE Bug 1222613

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() Determine if the group block bitmap is corrupted before using ac_b_ex in ext4_mb_try_best_found() to avoid allocating blocks from a group with a corrupted block bitmap in the following concurrency and making the situation worse. ext4_mb_regular_allocator ext4_lock_group(sb, group) ext4_mb_good_group // check if the group bbitmap is corrupted ext4_mb_complex_scan_group // Scan group gets ac_b_ex but doesn't use it ext4_unlock_group(sb, group) ext4_mark_group_bitmap_corrupted(group) // The block bitmap was corrupted during // the group unlock gap. ext4_mb_try_best_found ext4_lock_group(ac->ac_sb, group) ext4_mb_use_best_found mb_mark_used // Allocating blocks in block bitmap corrupted group

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26773.html
CVE-2024-26773
https://bugzilla.suse.com/1222618
SUSE Bug 1222618

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt Determine if bb_fragments is 0 instead of determining bb_free to eliminate the risk of dividing by zero when the block bitmap is corrupted.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26774.html
CVE-2024-26774
https://bugzilla.suse.com/1222622
SUSE Bug 1222622

Описание

In the Linux kernel, the following vulnerability has been resolved: aoe: avoid potential deadlock at set_capacity Move set_capacity() outside of the section procected by (&d->lock). To avoid possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- [1] lock(&bdev->bd_size_lock); local_irq_disable(); [2] lock(&d->lock); [3] lock(&bdev->bd_size_lock); <Interrupt> [4] lock(&d->lock); *** DEADLOCK *** Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity(). [2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call. In this situation an attempt to acquire [4]lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock. So the simplest solution is breaking lock dependency [2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity() outside.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26775.html
CVE-2024-26775
https://bugzilla.suse.com/1222627
SUSE Bug 1222627

Описание

In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix task hung while purging oob_skb in GC. syzbot reported a task hung; at the same time, GC was looping infinitely in list_for_each_entry_safe() for OOB skb. [0] syzbot demonstrated that the list_for_each_entry_safe() was not actually safe in this case. A single skb could have references for multiple sockets. If we free such a skb in the list_for_each_entry_safe(), the current and next sockets could be unlinked in a single iteration. unix_notinflight() uses list_del_init() to unlink the socket, so the prefetched next socket forms a loop itself and list_for_each_entry_safe() never stops. Here, we must use while() and make sure we always fetch the first socket. [0]: Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline] RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline] RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207 Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74 RSP: 0018:ffffc900033efa58 EFLAGS: 00000283 RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189 RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70 RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800 R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> unix_gc+0x563/0x13b0 net/unix/garbage.c:319 unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683 unix_release+0x91/0xf0 net/unix/af_unix.c:1064 __sock_release+0xb0/0x270 net/socket.c:659 sock_close+0x1c/0x30 net/socket.c:1421 __fput+0x270/0xb80 fs/file_table.c:376 task_work_run+0x14f/0x250 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xa8a/0x2ad0 kernel/exit.c:871 do_group_exit+0xd4/0x2a0 kernel/exit.c:1020 __do_sys_exit_group kernel/exit.c:1031 [inline] __se_sys_exit_group kernel/exit.c:1029 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f9d6cbdac09 Code: Unable to access opcode bytes at 0x7f9d6cbdabdf. RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006 R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0 R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26780.html
CVE-2024-26780
https://bugzilla.suse.com/1222588
SUSE Bug 1222588

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index With numa balancing on, when a numa system is running where a numa node doesn't have its local memory so it has no managed zones, the following oops has been observed. It's because wakeup_kswapd() is called with a wrong zone index, -1. Fixed it by checking the index before calling wakeup_kswapd(). > BUG: unable to handle page fault for address: 00000000000033f3 > #PF: supervisor read access in kernel mode > #PF: error_code(0x0000) - not-present page > PGD 0 P4D 0 > Oops: 0000 [#1] PREEMPT SMP NOPTI > CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 > RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812) > Code: (omitted) > RSP: 0000:ffffc90004257d58 EFLAGS: 00010286 > RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480 > RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff > R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003 > R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940 > FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Call Trace: > <TASK> > ? __die > ? page_fault_oops > ? __pte_offset_map_lock > ? exc_page_fault > ? asm_exc_page_fault > ? wakeup_kswapd > migrate_misplaced_page > __handle_mm_fault > handle_mm_fault > do_user_addr_fault > exc_page_fault > asm_exc_page_fault > RIP: 0033:0x55b897ba0808 > Code: (omitted) > RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287 > RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0 > RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0 > RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075 > R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 > R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000 > </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26783.html
CVE-2024-26783
https://bugzilla.suse.com/1222615
SUSE Bug 1222615

Описание

In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix protection fault in iommufd_test_syz_conv_iova Syzkaller reported the following bug: general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7] Call Trace: lock_acquire lock_acquire+0x1ce/0x4f0 down_read+0x93/0x4a0 iommufd_test_syz_conv_iova+0x56/0x1f0 iommufd_test_access_rw.isra.0+0x2ec/0x390 iommufd_test+0x1058/0x1e30 iommufd_fops_ioctl+0x381/0x510 vfs_ioctl __do_sys_ioctl __se_sys_ioctl __x64_sys_ioctl+0x170/0x1e0 do_syscall_x64 do_syscall_64+0x71/0x140 This is because the new iommufd_access_change_ioas() sets access->ioas to NULL during its process, so the lock might be gone in a concurrent racing context. Fix this by doing the same access->ioas sanity as iommufd_access_rw() and iommufd_access_pin_pages() functions do.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26785.html
CVE-2024-26785
https://bugzilla.suse.com/1222779
SUSE Bug 1222779

Описание

In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix iopt_access_list_id overwrite bug Syzkaller reported the following WARN_ON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360 Call Trace: iommufd_access_change_ioas+0x2fe/0x4e0 iommufd_access_destroy_object+0x50/0xb0 iommufd_object_remove+0x2a3/0x490 iommufd_object_destroy_user iommufd_access_destroy+0x71/0xb0 iommufd_test_staccess_release+0x89/0xd0 __fput+0x272/0xb50 __fput_sync+0x4b/0x60 __do_sys_close __se_sys_close __x64_sys_close+0x8b/0x110 do_syscall_x64 The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->iopt_access_list_id, in iopt_add_access(). Called from iommufd_access_change_ioas() when xa_alloc() succeeds but iopt_calculate_iova_alignment() fails. Add a new_id in iopt_add_access() and only update iopt_access_list_id when returning successfully.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26786.html
CVE-2024-26786
https://bugzilla.suse.com/1222780
SUSE Bug 1222780

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: dev-replace: properly validate device names There's a syzbot report that device name buffers passed to device replace are not properly checked for string termination which could lead to a read out of bounds in getname_kernel(). Add a helper that validates both source and target device name buffers. For devid as the source initialize the buffer to empty string in case something tries to read it later. This was originally analyzed and fixed in a different way by Edward Adam Davis (see links).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26791.html
CVE-2024-26791
https://bugzilla.suse.com/1222793
SUSE Bug 1222793

Описание

In the Linux kernel, the following vulnerability has been resolved: gtp: fix use-after-free and null-ptr-deref in gtp_newlink() The gtp_link_ops operations structure for the subsystem must be registered after registering the gtp_net_ops pernet operations structure. Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: [ 1010.702740] gtp: GTP module unloaded [ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI [ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1 [ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 [ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp] [ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00 [ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203 [ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000 [ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282 [ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000 [ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80 [ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400 [ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000 [ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0 [ 1010.715968] PKRU: 55555554 [ 1010.715972] Call Trace: [ 1010.715985] ? __die_body.cold+0x1a/0x1f [ 1010.715995] ? die_addr+0x43/0x70 [ 1010.716002] ? exc_general_protection+0x199/0x2f0 [ 1010.716016] ? asm_exc_general_protection+0x1e/0x30 [ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp] [ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp] [ 1010.716042] __rtnl_newlink+0x1063/0x1700 [ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0 [ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0 [ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0 [ 1010.716076] ? __kernel_text_address+0x56/0xa0 [ 1010.716084] ? unwind_get_return_address+0x5a/0xa0 [ 1010.716091] ? create_prof_cpu_mask+0x30/0x30 [ 1010.716098] ? arch_stack_walk+0x9e/0xf0 [ 1010.716106] ? stack_trace_save+0x91/0xd0 [ 1010.716113] ? stack_trace_consume_entry+0x170/0x170 [ 1010.716121] ? __lock_acquire+0x15c5/0x5380 [ 1010.716139] ? mark_held_locks+0x9e/0xe0 [ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0 [ 1010.716155] ? __rtnl_newlink+0x1700/0x1700 [ 1010.716160] rtnl_newlink+0x69/0xa0 [ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50 [ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0 [ 1010.716179] ? lock_acquire+0x1fe/0x560 [ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50 [ 1010.716196] netlink_rcv_skb+0x14d/0x440 [ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0 [ 1010.716208] ? netlink_ack+0xab0/0xab0 [ 1010.716213] ? netlink_deliver_tap+0x202/0xd50 [ 1010.716220] ? netlink_deliver_tap+0x218/0xd50 [ 1010.716226] ? __virt_addr_valid+0x30b/0x590 [ 1010.716233] netlink_unicast+0x54b/0x800 [ 1010.716240] ? netlink_attachskb+0x870/0x870 [ 1010.716248] ? __check_object_size+0x2de/0x3b0 [ 1010.716254] netlink_sendmsg+0x938/0xe40 [ 1010.716261] ? netlink_unicast+0x800/0x800 [ 1010.716269] ? __import_iovec+0x292/0x510 [ 1010.716276] ? netlink_unicast+0x800/0x800 [ 1010.716284] __sock_sendmsg+0x159/0x190 [ 1010.716290] ____sys_sendmsg+0x712/0x880 [ 1010.716297] ? sock_write_iter+0x3d0/0x3d0 [ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270 [ 1010.716309] ? lock_acquire+0x1fe/0x560 [ 1010.716315] ? drain_array_locked+0x90/0x90 [ 1010.716324] ___sys_sendmsg+0xf8/0x170 [ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170 [ 1010.716337] ? lockdep_init_map ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26793.html
CVE-2024-26793
https://bugzilla.suse.com/1222428
SUSE Bug 1222428

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between ordered extent completion and fiemap For fiemap we recently stopped locking the target extent range for the whole duration of the fiemap call, in order to avoid a deadlock in a scenario where the fiemap buffer happens to be a memory mapped range of the same file. This use case is very unlikely to be useful in practice but it may be triggered by fuzz testing (syzbot, etc). However by not locking the target extent range for the whole duration of the fiemap call we can race with an ordered extent. This happens like this: 1) The fiemap task finishes processing a file extent item that covers the file range [512K, 1M[, and that file extent item is the last item in the leaf currently being processed; 2) And ordered extent for the file range [768K, 2M[, in COW mode, completes (btrfs_finish_one_ordered()) and the file extent item covering the range [512K, 1M[ is trimmed to cover the range [512K, 768K[ and then a new file extent item for the range [768K, 2M[ is inserted in the inode's subvolume tree; 3) The fiemap task calls fiemap_next_leaf_item(), which then calls btrfs_next_leaf() to find the next leaf / item. This finds that the the next key following the one we previously processed (its type is BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding to the new file extent item inserted by the ordered extent, which has a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K; 4) Later the fiemap code ends up at emit_fiemap_extent() and triggers the warning: if (cache->offset + cache->len > offset) { WARN_ON(1); return -EINVAL; } Since we get 1M > 768K, because the previously emitted entry for the old extent covering the file range [512K, 1M[ ends at an offset that is greater than the new extent's start offset (768K). This makes fiemap fail with -EINVAL besides triggering the warning that produces a stack trace like the following: [1621.677651] ------------[ cut here ]------------ [1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs] [1621.677899] Modules linked in: btrfs blake2b_generic (...) [1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1 [1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs] [1621.678033] Code: 2b 4c 89 63 (...) [1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206 [1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000 [1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90 [1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000 [1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000 [1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850 [1621.678044] FS: 00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000 [1621.678046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0 [1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1621.678056] Call Trace: [1621.678074] <TASK> [1621.678076] ? __warn+0x80/0x130 [1621.678082] ? emit_fiemap_extent+0x84/0x90 [btrfs] [1621.678159] ? report_bug+0x1f4/0x200 [1621.678164] ? handle_bug+0x42/0x70 [1621.678167] ? exc_invalid_op+0x14/0x70 [1621.678170] ? asm_exc_invalid_op+0x16/0x20 [1621.678178] ? emit_fiemap_extent+0x84/0x90 [btrfs] [1621.678253] extent_fiemap+0x766 ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26794.html
CVE-2024-26794
https://bugzilla.suse.com/1222426
SUSE Bug 1222426

Описание

In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 <Skipping backtrace for watchdog timeout> [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26802.html
CVE-2024-26802
https://bugzilla.suse.com/1222799
SUSE Bug 1222799

Описание

In the Linux kernel, the following vulnerability has been resolved: netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter syzbot reported the following uninit-value access issue [1]: netlink_to_full_skb() creates a new `skb` and puts the `skb->data` passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data size is specified as `len` and passed to skb_put_data(). This `len` is based on `skb->end` that is not data offset but buffer offset. The `skb->end` contains data and tailroom. Since the tailroom is not initialized when the new `skb` created, KMSAN detects uninitialized memory area when copying the data. This patch resolved this issue by correct the len from `skb->end` to `skb->len`, which is the actual data offset. BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 copy_to_iter include/linux/uio.h:197 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg net/socket.c:1066 [inline] sock_read_iter+0x467/0x580 net/socket.c:1136 call_read_iter include/linux/fs.h:2014 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x8f6/0xe00 fs/read_write.c:470 ksys_read+0x20f/0x4c0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x93/0xd0 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was stored to memory at: skb_put_data include/linux/skbuff.h:2622 [inline] netlink_to_full_skb net/netlink/af_netlink.c:181 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline] __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 [inline] netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline] netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: free_pages_prepare mm/page_alloc.c:1087 [inline] free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347 free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533 release_pages+0x23d3/0x2410 mm/swap.c:1042 free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316 tlb_batch_pages ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26805.html
CVE-2024-26805
https://bugzilla.suse.com/1222630
SUSE Bug 1222630

Описание

In the Linux kernel, the following vulnerability has been resolved: Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations start with: struct cqspi_st *cqspi = dev_get_drvdata(dev); struct spi_controller *host = dev_get_drvdata(dev); This obviously cannot be correct, unless "struct cqspi_st" is the first member of " struct spi_controller", or the other way around, but it is not the case. "struct spi_controller" is allocated by devm_spi_alloc_host(), which allocates an extra amount of memory for private data, used to store "struct cqspi_st". The ->probe() function of the cadence-quadspi driver then sets the device drvdata to store the address of the "struct cqspi_st" structure. Therefore: struct cqspi_st *cqspi = dev_get_drvdata(dev); is correct, but: struct spi_controller *host = dev_get_drvdata(dev); is not, as it makes "host" point not to a "struct spi_controller" but to the same "struct cqspi_st" structure as above. This obviously leads to bad things (memory corruption, kernel crashes) directly during ->probe(), as ->probe() enables the device using PM runtime, leading the ->runtime_resume() hook being called, which in turns calls spi_controller_resume() with the wrong pointer. This has at least been reported [0] to cause a kernel crash, but the exact behavior will depend on the memory contents. [0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ This issue potentially affects all platforms that are currently using the cadence-quadspi driver.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26807.html
CVE-2024-26807
https://bugzilla.suse.com/1222801
SUSE Bug 1222801

Описание

In the Linux kernel, the following vulnerability has been resolved: vfio/platform: Create persistent IRQ handlers The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference. Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex. In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate. For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26813.html
CVE-2024-26813
https://bugzilla.suse.com/1222809
SUSE Bug 1222809

Описание

In the Linux kernel, the following vulnerability has been resolved: vfio/fsl-mc: Block calling interrupt handler without trigger The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially NULL and may become NULL if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that trigger is always valid between request_irq() and free_irq(), but the loopback testing mechanisms to invoke the handler function need to test the trigger. The triggering and setting ioctl paths both make use of igate and are therefore mutually exclusive. The vfio-fsl-mc driver does not make use of irqfds, nor does it support any sort of masking operations, therefore unlike vfio-pci and vfio-platform, the flow can remain essentially unchanged.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26814.html
CVE-2024-26814
https://bugzilla.suse.com/1222810
SUSE Bug 1222810

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check taprio_parse_tc_entry() is not correctly checking TCA_TAPRIO_TC_ENTRY_INDEX attribute: int tc; // Signed value tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]); if (tc >= TC_QOPT_MAX_QUEUE) { NL_SET_ERR_MSG_MOD(extack, "TC entry index out of range"); return -ERANGE; } syzbot reported that it could fed arbitary negative values: UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18 shift exponent -2147418108 is negative CPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386 taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline] taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline] taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877 taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134 qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355 tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f1b2dea3759 Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004 RBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000 R10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340 R13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26815.html
CVE-2024-26815
https://bugzilla.suse.com/1222635
SUSE Bug 1222635

Описание

In the Linux kernel, the following vulnerability has been resolved: x86, relocs: Ignore relocations in .notes section When building with CONFIG_XEN_PV=y, .text symbols are emitted into the .notes section so that Xen can find the "startup_xen" entry point. This information is used prior to booting the kernel, so relocations are not useful. In fact, performing relocations against the .notes section means that the KASLR base is exposed since /sys/kernel/notes is world-readable. To avoid leaking the KASLR base without breaking unprivileged tools that are expecting to read /sys/kernel/notes, skip performing relocations in the .notes section. The values readable in .notes are then identical to those found in System.map.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26816.html
CVE-2024-26816
https://bugzilla.suse.com/1222624
SUSE Bug 1222624

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: set correct id, uid and cruid for multiuser automounts When uid, gid and cruid are not specified, we need to dynamically set them into the filesystem context used for automounting otherwise they'll end up reusing the values from the parent mount.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26822.html
CVE-2024-26822
https://bugzilla.suse.com/1223011
SUSE Bug 1223011

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data re-injection from stale subflow When the MPTCP PM detects that a subflow is stale, all the packet scheduler must re-inject all the mptcp-level unacked data. To avoid acquiring unneeded locks, it first try to check if any unacked data is present at all in the RTX queue, but such check is currently broken, as it uses TCP-specific helper on an MPTCP socket. Funnily enough fuzzers and static checkers are happy, as the accessed memory still belongs to the mptcp_sock struct, and even from a functional perspective the recovery completed successfully, as the short-cut test always failed. A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize tcp_sock fast path variables") - exposed the issue, as the tcp field reorganization makes the mptcp code always skip the re-inection. Fix the issue dropping the bogus call: we are on a slow path, the early optimization proved once again to be evil.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26826.html
CVE-2024-26826
https://bugzilla.suse.com/1223010
SUSE Bug 1223010

Описание

In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix missing folio cleanup in writeback race path In zswap_writeback_entry(), after we get a folio from __read_swap_cache_async(), we grab the tree lock again to check that the swap entry was not invalidated and recycled. If it was, we delete the folio we just added to the swap cache and exit. However, __read_swap_cache_async() returns the folio locked when it is newly allocated, which is always true for this path, and the folio is ref'd. Make sure to unlock and put the folio before returning. This was discovered by code inspection, probably because this path handles a race condition that should not happen often, and the bug would not crash the system, it will only strand the folio indefinitely.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26832.html
CVE-2024-26832
https://bugzilla.suse.com/1223007
SUSE Bug 1223007

Описание

In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix password opcode ordering for workstations The Lenovo workstations require the password opcode to be run before the attribute value is changed (if Admin password is enabled). Tested on some Thinkpads to confirm they are OK with this order too.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26836.html
CVE-2024-26836
https://bugzilla.suse.com/1222968
SUSE Bug 1222968

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd() When task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U << task_tag will out of bounds for a u32 mask. Fix this up to prevent SHIFT_ISSUE (bitwise shifts that are out of bounds for their data type). [name:debug_monitors&]Unexpected kernel BRK exception at EL1 [name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP [name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done [name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000 [name:mrdump&]PHYS_OFFSET: 0x80000000 [name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO) [name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288 [name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c [name:mrdump&]sp : ffffffc0081471b0 <snip> Workqueue: ufs_eh_wq_0 ufshcd_err_handler Call trace: dump_backtrace+0xf8/0x144 show_stack+0x18/0x24 dump_stack_lvl+0x78/0x9c dump_stack+0x18/0x44 mrdump_common_die+0x254/0x480 [mrdump] ipanic_die+0x20/0x30 [mrdump] notify_die+0x15c/0x204 die+0x10c/0x5f8 arm64_notify_die+0x74/0x13c do_debug_exception+0x164/0x26c el1_dbg+0x64/0x80 el1h_64_sync_handler+0x3c/0x90 el1h_64_sync+0x68/0x6c ufshcd_clear_cmd+0x280/0x288 ufshcd_wait_for_dev_cmd+0x3e4/0x82c ufshcd_exec_dev_cmd+0x5bc/0x9ac ufshcd_verify_dev_init+0x84/0x1c8 ufshcd_probe_hba+0x724/0x1ce0 ufshcd_host_reset_and_restore+0x260/0x574 ufshcd_reset_and_restore+0x138/0xbd0 ufshcd_err_handler+0x1218/0x2f28 process_one_work+0x5fc/0x1140 worker_thread+0x7d8/0xe20 kthread+0x25c/0x468 ret_from_fork+0x10/0x20

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26842.html
CVE-2024-26842
https://bugzilla.suse.com/1223013
SUSE Bug 1223013

Описание

In the Linux kernel, the following vulnerability has been resolved: block: Fix WARNING in _copy_from_iter Syzkaller reports a warning in _copy_from_iter because an iov_iter is supposedly used in the wrong direction. The reason is that syzcaller managed to generate a request with a transfer direction of SG_DXFER_TO_FROM_DEV. This instructs the kernel to copy user buffers into the kernel, read into the copied buffers and then copy the data back to user space. Thus the iovec is used in both directions. Detect this situation in the block layer and construct a new iterator with the correct direction for the copy-in.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26844.html
CVE-2024-26844
https://bugzilla.suse.com/1223015
SUSE Bug 1223015

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Add TMF to tmr_list handling An abort that is responded to by iSCSI itself is added to tmr_list but does not go to target core. A LUN_RESET that goes through tmr_list takes a refcounter on the abort and waits for completion. However, the abort will be never complete because it was not started in target core. Unable to locate ITT: 0x05000000 on CID: 0 Unable to locate RefTaskTag: 0x05000000 on CID: 0. wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop ... INFO: task kworker/0:2:49 blocked for more than 491 seconds. task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800 Workqueue: events target_tmr_work [target_core_mod] Call Trace: __switch_to+0x2c4/0x470 _schedule+0x314/0x1730 schedule+0x64/0x130 schedule_timeout+0x168/0x430 wait_for_completion+0x140/0x270 target_put_cmd_and_wait+0x64/0xb0 [target_core_mod] core_tmr_lun_reset+0x30/0xa0 [target_core_mod] target_tmr_work+0xc8/0x1b0 [target_core_mod] process_one_work+0x2d4/0x5d0 worker_thread+0x78/0x6c0 To fix this, only add abort to tmr_list if it will be handled by target core.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26845.html
CVE-2024-26845
https://bugzilla.suse.com/1223018
SUSE Bug 1223018

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme-fc: do not wait in vain when unloading module The module exit path has race between deleting all controllers and freeing 'left over IDs'. To prevent double free a synchronization between nvme_delete_ctrl and ida_destroy has been added by the initial commit. There is some logic around trying to prevent from hanging forever in wait_for_completion, though it does not handling all cases. E.g. blktests is able to reproduce the situation where the module unload hangs forever. If we completely rely on the cleanup code executed from the nvme_delete_ctrl path, all IDs will be freed eventually. This makes calling ida_destroy unnecessary. We only have to ensure that all nvme_delete_ctrl code has been executed before we leave nvme_fc_exit_module. This is done by flushing the nvme_delete_wq workqueue. While at it, remove the unused nvme_fc_wq workqueue too.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26846.html
CVE-2024-26846
https://bugzilla.suse.com/1223023
SUSE Bug 1223023

Описание

In the Linux kernel, the following vulnerability has been resolved: igc: avoid returning frame twice in XDP_REDIRECT When a frame can not be transmitted in XDP_REDIRECT (e.g. due to a full queue), it is necessary to free it by calling xdp_return_frame_rx_napi. However, this is the responsibility of the caller of the ndo_xdp_xmit (see for example bq_xmit_all in kernel/bpf/devmap.c) and thus calling it inside igc_xdp_xmit (which is the ndo_xdp_xmit of the igc driver) as well will lead to memory corruption. In fact, bq_xmit_all expects that it can return all frames after the last successfully transmitted one. Therefore, break for the first not transmitted frame, but do not call xdp_return_frame_rx_napi in igc_xdp_xmit. This is equally implemented in other Intel drivers such as the igb. There are two alternatives to this that were rejected: 1. Return num_frames as all the frames would have been transmitted and release them inside igc_xdp_xmit. While it might work technically, it is not what the return value is meant to represent (i.e. the number of SUCCESSFULLY transmitted packets). 2. Rework kernel/bpf/devmap.c and all drivers to support non-consecutively dropped packets. Besides being complex, it likely has a negative performance impact without a significant gain since it is anyway unlikely that the next frame can be transmitted if the previous one was dropped. The memory corruption can be reproduced with the following script which leads to a kernel panic after a few seconds. It basically generates more traffic than a i225 NIC can transmit and pushes it via XDP_REDIRECT from a virtual interface to the physical interface where frames get dropped. #!/bin/bash INTERFACE=enp4s0 INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex` sudo ip link add dev veth1 type veth peer name veth2 sudo ip link set up $INTERFACE sudo ip link set up veth1 sudo ip link set up veth2 cat << EOF > redirect.bpf.c SEC("prog") int redirect(struct xdp_md *ctx) { return bpf_redirect($INTERFACE_IDX, 0); } char _license[] SEC("license") = "GPL"; EOF clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o sudo ip link set veth2 xdp obj redirect.bpf.o cat << EOF > pass.bpf.c SEC("prog") int pass(struct xdp_md *ctx) { return XDP_PASS; } char _license[] SEC("license") = "GPL"; EOF clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o sudo ip link set $INTERFACE xdp obj pass.bpf.o cat << EOF > trafgen.cfg { /* Ethernet Header */ 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, const16(ETH_P_IP), /* IPv4 Header */ 0b01000101, 0, # IPv4 version, IHL, TOS const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header)) const16(2), # IPv4 ident 0b01000000, 0, # IPv4 flags, fragmentation off 64, # IPv4 TTL 17, # Protocol UDP csumip(14, 33), # IPv4 checksum /* UDP Header */ 10, 0, 1, 1, # IP Src - adapt as needed 10, 0, 1, 2, # IP Dest - adapt as needed const16(6666), # UDP Src Port const16(6666), # UDP Dest Port const16(1008), # UDP length (UDP header 8 bytes + payload length) csumudp(14, 34), # UDP checksum /* Payload */ fill('W', 1000), } EOF sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26853.html
CVE-2024-26853
https://bugzilla.suse.com/1223061
SUSE Bug 1223061

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: fix uninitialized dplls mutex usage The pf->dplls.lock mutex is initialized too late, after its first use. Move it to the top of ice_dpll_init. Note that the "err_exit" error path destroys the mutex. And the mutex is the last thing destroyed in ice_dpll_deinit. This fixes the following warning with CONFIG_DEBUG_MUTEXES: ice 0000:10:00.0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.36.0 ice 0000:10:00.0: 252.048 Gb/s available PCIe bandwidth (16.0 GT/s PCIe x16 link) ice 0000:10:00.0: PTP init successful ------------[ cut here ]------------ DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 410 at kernel/locking/mutex.c:587 __mutex_lock+0x773/0xd40 Modules linked in: crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ice(+) nvme nvme_c> CPU: 0 PID: 410 Comm: kworker/0:4 Not tainted 6.8.0-rc5+ #3 Hardware name: HPE ProLiant DL110 Gen10 Plus/ProLiant DL110 Gen10 Plus, BIOS U56 10/19/2023 Workqueue: events work_for_cpu_fn RIP: 0010:__mutex_lock+0x773/0xd40 Code: c0 0f 84 1d f9 ff ff 44 8b 35 0d 9c 69 01 45 85 f6 0f 85 0d f9 ff ff 48 c7 c6 12 a2 a9 85 48 c7 c7 12 f1 a> RSP: 0018:ff7eb1a3417a7ae0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000002 RSI: ffffffff85ac2bff RDI: 00000000ffffffff RBP: ff7eb1a3417a7b80 R08: 0000000000000000 R09: 00000000ffffbfff R10: ff7eb1a3417a7978 R11: ff32b80f7fd2e568 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff32b7f02c50e0d8 FS: 0000000000000000(0000) GS:ff32b80efe800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b5852cc000 CR3: 000000003c43a004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x84/0x170 ? __mutex_lock+0x773/0xd40 ? report_bug+0x1c7/0x1d0 ? prb_read_valid+0x1b/0x30 ? handle_bug+0x42/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? __mutex_lock+0x773/0xd40 ? rcu_is_watching+0x11/0x50 ? __kmalloc_node_track_caller+0x346/0x490 ? ice_dpll_lock_status_get+0x28/0x50 [ice] ? __pfx_ice_dpll_lock_status_get+0x10/0x10 [ice] ? ice_dpll_lock_status_get+0x28/0x50 [ice] ice_dpll_lock_status_get+0x28/0x50 [ice] dpll_device_get_one+0x14f/0x2e0 dpll_device_event_send+0x7d/0x150 dpll_device_register+0x124/0x180 ice_dpll_init_dpll+0x7b/0xd0 [ice] ice_dpll_init+0x224/0xa40 [ice] ? _dev_info+0x70/0x90 ice_load+0x468/0x690 [ice] ice_probe+0x75b/0xa10 [ice] ? _raw_spin_unlock_irqrestore+0x4f/0x80 ? process_one_work+0x1a3/0x500 local_pci_probe+0x47/0xa0 work_for_cpu_fn+0x17/0x30 process_one_work+0x20d/0x500 worker_thread+0x1df/0x3e0 ? __pfx_worker_thread+0x10/0x10 kthread+0x103/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> irq event stamp: 125197 hardirqs last enabled at (125197): [<ffffffff8416409d>] finish_task_switch.isra.0+0x12d/0x3d0 hardirqs last disabled at (125196): [<ffffffff85134044>] __schedule+0xea4/0x19f0 softirqs last enabled at (105334): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60 softirqs last disabled at (105332): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60 ---[ end trace 0000000000000000 ]---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26854.html
CVE-2024-26854
https://bugzilla.suse.com/1223039
SUSE Bug 1223039

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() The function ice_bridge_setlink() may encounter a NULL pointer dereference if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently in nla_for_each_nested(). To address this issue, add a check to ensure that br_spec is not NULL before proceeding with the nested attribute iteration.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26855.html
CVE-2024-26855
https://bugzilla.suse.com/1223051
SUSE Bug 1223051

Описание

In the Linux kernel, the following vulnerability has been resolved: net: sparx5: Fix use after free inside sparx5_del_mact_entry Based on the static analyzis of the code it looks like when an entry from the MAC table was removed, the entry was still used after being freed. More precise the vid of the mac_entry was used after calling devm_kfree on the mac_entry. The fix consists in first using the vid of the mac_entry to delete the entry from the HW and after that to free it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26856.html
CVE-2024-26856
https://bugzilla.suse.com/1223052
SUSE Bug 1223052

Описание

In the Linux kernel, the following vulnerability has been resolved: geneve: make sure to pull inner header in geneve_rx() syzbot triggered a bug in geneve_rx() [1] Issue is similar to the one I fixed in commit 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head. [1] BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline] BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391 IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] geneve_rx drivers/net/geneve.c:279 [inline] geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391 udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108 udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186 udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346 __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422 udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604 ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:461 [inline] ip_rcv_finish net/ipv4/ip_input.c:449 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core net/core/dev.c:5534 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 process_backlog+0x480/0x8b0 net/core/dev.c:5976 __napi_poll+0xe3/0x980 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x8b8/0x1870 net/core/dev.c:6778 __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553 do_softirq+0x9a/0xf0 kernel/softirq.c:454 __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline] __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378 dev_queue_xmit include/linux/netdevice.h:3171 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook mm/slub.c:3819 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x352/0x790 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1296 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26857.html
CVE-2024-26857
https://bugzilla.suse.com/1223058
SUSE Bug 1223058

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map Just simply reordering the functions mlx5e_ptp_metadata_map_put and mlx5e_ptpsq_track_metadata in the mlx5e_txwqe_complete context is not good enough since both the compiler and CPU are free to reorder these two functions. If reordering does occur, the issue that was supposedly fixed by 7e3f3ba97e6c ("net/mlx5e: Track xmit submission to PTP WQ after populating metadata map") will be seen. This will lead to NULL pointer dereferences in mlx5e_ptpsq_mark_ts_cqes_undelivered in the NAPI polling context due to the tracking list being populated before the metadata map.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26858.html
CVE-2024-26858
https://bugzilla.suse.com/1223020
SUSE Bug 1223020

Описание

In the Linux kernel, the following vulnerability has been resolved: dm-integrity: fix a memory leak when rechecking the data Memory for the "checksums" pointer will leak if the data is rechecked after checksum failure (because the associated kfree won't happen due to 'goto skip_io'). Fix this by freeing the checksums memory before recheck, and just use the "checksum_onstack" memory for storing checksum during recheck.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26860.html
CVE-2024-26860
https://bugzilla.suse.com/1223077
SUSE Bug 1223077

Описание

In the Linux kernel, the following vulnerability has been resolved: wireguard: receive: annotate data-race around receiving_counter.counter Syzkaller with KCSAN identified a data-race issue when accessing keypair->receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE() annotations to mark the data race as intentional. BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0: counter_validate drivers/net/wireguard/receive.c:321 [inline] wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461 __napi_poll+0x60/0x3b0 net/core/dev.c:6536 napi_poll net/core/dev.c:6605 [inline] net_rx_action+0x32b/0x750 net/core/dev.c:6738 __do_softirq+0xc4/0x279 kernel/softirq.c:553 do_softirq+0x5e/0x90 kernel/softirq.c:454 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline] wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499 process_one_work kernel/workqueue.c:2633 [inline] ... read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1: decrypt_packet drivers/net/wireguard/receive.c:252 [inline] wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501 process_one_work kernel/workqueue.c:2633 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706 worker_thread+0x525/0x730 kernel/workqueue.c:2787 ...

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26861.html
CVE-2024-26861
https://bugzilla.suse.com/1223076
SUSE Bug 1223076

Описание

In the Linux kernel, the following vulnerability has been resolved: packet: annotate data-races around ignore_outgoing ignore_outgoing is read locklessly from dev_queue_xmit_nit() and packet_getsockopt() Add appropriate READ_ONCE()/WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt write to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0: packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003 do_sock_setsockopt net/socket.c:2311 [inline] __sys_setsockopt+0x1d8/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff888107804542 of 1 bytes by task 27 on cpu 1: dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248 xmit_one net/core/dev.c:3527 [inline] dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547 __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108 batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335 worker_thread+0x526/0x730 kernel/workqueue.c:3416 kthread+0x1d1/0x210 kernel/kthread.c:388 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 value changed: 0x00 -> 0x01 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26862.html
CVE-2024-26862
https://bugzilla.suse.com/1223111
SUSE Bug 1223111

Описание

In the Linux kernel, the following vulnerability has been resolved: hsr: Fix uninit-value access in hsr_get_node() KMSAN reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 fill_frame_info net/hsr/hsr_forward.c:577 [inline] hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 packet_alloc_skb net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030 [inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== If the packet type ID field in the Ethernet header is either ETH_P_PRP or ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() reads an invalid value as a sequence number. This causes the above issue. This patch fixes the issue by returning NULL if the Ethernet header is not followed by an HSR tag.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26863.html
CVE-2024-26863
https://bugzilla.suse.com/1223021
SUSE Bug 1223021

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: lpspi: Avoid potential use-after-free in probe() fsl_lpspi_probe() is allocating/disposing memory manually with spi_alloc_host()/spi_alloc_target(), but uses devm_spi_register_controller(). In case of error after the latter call the memory will be explicitly freed in the probe function by spi_controller_put() call, but used afterwards by "devm" management outside probe() (spi_unregister_controller() <- devm_spi_unregister() below). Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070 ... Call trace: kernfs_find_ns kernfs_find_and_get_ns sysfs_remove_group sysfs_remove_groups device_remove_attrs device_del spi_unregister_controller devm_spi_unregister release_nodes devres_release_all really_probe driver_probe_device __device_attach_driver bus_for_each_drv __device_attach device_initial_probe bus_probe_device deferred_probe_work_func process_one_work worker_thread kthread ret_from_fork

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26866.html
CVE-2024-26866
https://bugzilla.suse.com/1223024
SUSE Bug 1223024

Описание

In the Linux kernel, the following vulnerability has been resolved: nfs: fix panic when nfs4_ff_layout_prepare_ds() fails We've been seeing the following panic in production BUG: kernel NULL pointer dereference, address: 0000000000000065 PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0 RIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x286/0x380 ? __rpc_execute+0x2c3/0x470 [sunrpc] ? rpc_new_task+0x42/0x1c0 [sunrpc] ? exc_page_fault+0x5d/0x110 ? asm_exc_page_fault+0x22/0x30 ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles] pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4] pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4] ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles] nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles] ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles] __nfs_pageio_add_request+0x154/0x6c0 [nfs] nfs_pageio_add_request+0x26b/0x380 [nfs] nfs_do_writepage+0x111/0x1e0 [nfs] nfs_writepages_callback+0xf/0x30 [nfs] write_cache_pages+0x17f/0x380 ? nfs_pageio_init_write+0x50/0x50 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] nfs_writepages+0x125/0x210 [nfs] do_writepages+0x67/0x220 ? generic_perform_write+0x14b/0x210 filemap_fdatawrite_wbc+0x5b/0x80 file_write_and_wait_range+0x6d/0xc0 nfs_file_fsync+0x81/0x170 [nfs] ? nfs_file_mmap+0x60/0x60 [nfs] __x64_sys_fsync+0x53/0x90 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Inspecting the core with drgn I was able to pull this >>> prog.crashed_thread().stack_trace()[0] #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27 >>> prog.crashed_thread().stack_trace()[0]['idx'] (u32)1 >>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds (struct nfs4_ff_layout_ds *)0xffffffffffffffed This is clear from the stack trace, we call nfs4_ff_layout_prepare_ds() which could error out initializing the mirror_ds, and then we go to clean it all up and our check is only for if (!mirror->mirror_ds). This is inconsistent with the rest of the users of mirror_ds, which have if (IS_ERR_OR_NULL(mirror_ds)) to keep from tripping over this exact scenario. Fix this up in ff_layout_cancel_io() to make sure we don't panic when we get an error. I also spot checked all the other instances of checking mirror_ds and we appear to be doing the correct checks everywhere, only unconditionally dereferencing mirror_ds when we know it would be valid.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26868.html
CVE-2024-26868
https://bugzilla.suse.com/1223038
SUSE Bug 1223038

Описание

In the Linux kernel, the following vulnerability has been resolved: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 A call to listxattr() with a buffer size = 0 returns the actual size of the buffer needed for a subsequent call. When size > 0, nfs4_listxattr() does not return an error because either generic_listxattr() or nfs4_listxattr_nfs4_label() consumes exactly all the bytes then size is 0 when calling nfs4_listxattr_nfs4_user() which then triggers the following kernel BUG: [ 99.403778] kernel BUG at mm/usercopy.c:102! [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1 [ 99.415827] Call trace: [ 99.415985] usercopy_abort+0x70/0xa0 [ 99.416227] __check_heap_object+0x134/0x158 [ 99.416505] check_heap_object+0x150/0x188 [ 99.416696] __check_object_size.part.0+0x78/0x168 [ 99.416886] __check_object_size+0x28/0x40 [ 99.417078] listxattr+0x8c/0x120 [ 99.417252] path_listxattr+0x78/0xe0 [ 99.417476] __arm64_sys_listxattr+0x28/0x40 [ 99.417723] invoke_syscall+0x78/0x100 [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0 [ 99.418186] do_el0_svc+0x24/0x38 [ 99.418376] el0_svc+0x3c/0x110 [ 99.418554] el0t_64_sync_handler+0x120/0x130 [ 99.418788] el0t_64_sync+0x194/0x198 [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000) Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl', thus calling lisxattr() with size = 16 will trigger the bug. Add check on nfs4_listxattr() to return ERANGE error when it is called with size > 0 and the return value is greater than size.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26870.html
CVE-2024-26870
https://bugzilla.suse.com/1223113
SUSE Bug 1223113

Описание

In the Linux kernel, the following vulnerability has been resolved: quota: Fix potential NULL pointer dereference Below race may cause NULL pointer dereference P1 P2 dquot_free_inode quota_off drop_dquot_ref remove_dquot_ref dquots = i_dquot(inode) dquots = i_dquot(inode) srcu_read_lock dquots[cnt]) != NULL (1) dquots[type] = NULL (2) spin_lock(&dquots[cnt]->dq_dqb_lock) (3) .... If dquot_free_inode(or other routines) checks inode's quota pointers (1) before quota_off sets it to NULL(2) and use it (3) after that, NULL pointer dereference will be triggered. So let's fix it by using a temporary pointer to avoid this issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26878.html
CVE-2024-26878
https://bugzilla.suse.com/1223060
SUSE Bug 1223060

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when 1588 is received on HIP08 devices The HIP08 devices does not register the ptp devices, so the hdev->ptp is NULL, but the hardware can receive 1588 messages, and set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the access of hdev->ptp->flags will cause a kernel crash: [ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 [ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 ... [ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge] [ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge] [ 5889.279101] sp : ffff800012c3bc50 [ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040 [ 5889.289927] x27: ffff800009116484 x26: 0000000080007500 [ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000 [ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000 [ 5889.309134] x21: 0000000000000000 x20: ffff204004220080 [ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000 [ 5889.321897] x17: 0000000000000000 x16: 0000000000000000 [ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000 [ 5889.334617] x13: 0000000000000000 x12: 00000000010011df [ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000 [ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d [ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480 [ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000 [ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000 [ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080 [ 5889.378857] Call trace: [ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge] [ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3] [ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3] [ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3] [ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3] [ 5889.411084] napi_poll+0xcc/0x264 [ 5889.415329] net_rx_action+0xd4/0x21c [ 5889.419911] __do_softirq+0x130/0x358 [ 5889.424484] irq_exit+0x134/0x154 [ 5889.428700] __handle_domain_irq+0x88/0xf0 [ 5889.433684] gic_handle_irq+0x78/0x2c0 [ 5889.438319] el1_irq+0xb8/0x140 [ 5889.442354] arch_cpu_idle+0x18/0x40 [ 5889.446816] default_idle_call+0x5c/0x1c0 [ 5889.451714] cpuidle_idle_call+0x174/0x1b0 [ 5889.456692] do_idle+0xc8/0x160 [ 5889.460717] cpu_startup_entry+0x30/0xfc [ 5889.465523] secondary_start_kernel+0x158/0x1ec [ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80) [ 5889.477950] SMP: stopping secondary CPUs [ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95 [ 5890.522951] Starting crashdump kernel...

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26881.html
CVE-2024-26881
https://bugzilla.suse.com/1223041
SUSE Bug 1223041

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() Apply the same fix than ones found in : 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") 1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head. syzbot reported: BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389 ipgre_rcv net/ipv4/ip_gre.c:411 [inline] gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447 gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163 ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:461 [inline] ip_rcv_finish net/ipv4/ip_input.c:449 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core net/core/dev.c:5534 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 netif_receive_skb_internal net/core/dev.c:5734 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5793 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556 tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 call_write_iter include/linux/fs.h:2087 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xb6b/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133 alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204 skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909 tun_build_skb drivers/net/tun.c:1686 [inline] tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 call_write_iter include/linux/fs.h:2087 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xb6b/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26882.html
CVE-2024-26882
https://bugzilla.suse.com/1223034
SUSE Bug 1223034

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check on 32-bit arches The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26883.html
CVE-2024-26883
https://bugzilla.suse.com/1223035
SUSE Bug 1223035

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix hashtab overflow check on 32-bit arches The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26884.html
CVE-2024-26884
https://bugzilla.suse.com/1223189
SUSE Bug 1223189

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26885.html
CVE-2024-26885
https://bugzilla.suse.com/1223190
SUSE Bug 1223190

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26889.html
CVE-2024-26889
https://bugzilla.suse.com/1228195
SUSE Bug 1228195

Описание

In the Linux kernel, the following vulnerability has been resolved: block: fix deadlock between bd_link_disk_holder and partition scan 'open_mutex' of gendisk is used to protect open/close block devices. But in bd_link_disk_holder(), it is used to protect the creation of symlink between holding disk and slave bdev, which introduces some issues. When bd_link_disk_holder() is called, the driver is usually in the process of initialization/modification and may suspend submitting io. At this time, any io hold 'open_mutex', such as scanning partitions, can cause deadlocks. For example, in raid: T1 T2 bdev_open_by_dev lock open_mutex [1] ... efi_partition ... md_submit_bio md_ioctl mddev_syspend -> suspend all io md_add_new_disk bind_rdev_to_array bd_link_disk_holder try lock open_mutex [2] md_handle_request -> wait mddev_resume T1 scan partition, T2 add a new device to raid. T1 waits for T2 to resume mddev, but T2 waits for open_mutex held by T1. Deadlock occurs. Fix it by introducing a local mutex 'blk_holder_mutex' to replace 'open_mutex'.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26899.html
CVE-2024-26899
https://bugzilla.suse.com/1223045
SUSE Bug 1223045

Описание

In the Linux kernel, the following vulnerability has been resolved: md: fix kmemleak of rdev->serial If kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be alloc not be freed, and kmemleak occurs. unreferenced object 0xffff88815a350000 (size 49152): comm "mdadm", pid 789, jiffies 4294716910 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc f773277a): [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0 [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270 [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f [<00000000f206d60a>] kvmalloc_node+0x74/0x150 [<0000000034bf3363>] rdev_init_serial+0x67/0x170 [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220 [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630 [<0000000073c28560>] md_add_new_disk+0x400/0x9f0 [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10 [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0 [<0000000085086a11>] vfs_ioctl+0x22/0x60 [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0 [<00000000e54e675e>] do_syscall_64+0x71/0x150 [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26900.html
CVE-2024-26900
https://bugzilla.suse.com/1223046
SUSE Bug 1223046

Описание

In the Linux kernel, the following vulnerability has been resolved: do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak syzbot identified a kernel information leak vulnerability in do_sys_name_to_handle() and issued the following report [1]. [1] "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x100 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] do_sys_name_to_handle fs/fhandle.c:73 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] do_sys_name_to_handle fs/fhandle.c:39 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Bytes 18-19 of 20 are uninitialized Memory access of size 20 starts at ffff888128a46380 Data copied to user address 0000000020000240" Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to solve the problem.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26901.html
CVE-2024-26901
https://bugzilla.suse.com/1223198
SUSE Bug 1223198

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security During our fuzz testing of the connection and disconnection process at the RFCOMM layer, we discovered this bug. By comparing the packets from a normal connection and disconnection process with the testcase that triggered a KASAN report. We analyzed the cause of this bug as follows: 1. In the packets captured during a normal connection, the host sends a `Read Encryption Key Size` type of `HCI_CMD` packet (Command Opcode: 0x1408) to the controller to inquire the length of encryption key.After receiving this packet, the controller immediately replies with a Command Completepacket (Event Code: 0x0e) to return the Encryption Key Size. 2. In our fuzz test case, the timing of the controller's response to this packet was delayed to an unexpected point: after the RFCOMM and L2CAP layers had disconnected but before the HCI layer had disconnected. 3. After receiving the Encryption Key Size Response at the time described in point 2, the host still called the rfcomm_check_security function. However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;` had already been released, and when the function executed `return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`, specifically when accessing `conn->hcon`, a null-ptr-deref error occurred. To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling rfcomm_recv_frame in rfcomm_process_rx.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26903.html
CVE-2024-26903
https://bugzilla.suse.com/1223187
SUSE Bug 1223187

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() When trying to use copy_from_kernel_nofault() to read vsyscall page through a bpf program, the following oops was reported: BUG: unable to handle page fault for address: ffffffffff600000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 ...... Call Trace: <TASK> ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ...... ---[ end trace 0000000000000000 ]--- The oops is triggered when: 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault() which in turn calls __get_user_asm(). 2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly. 3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up setup by bpf not being applied and a page_fault_oops() is invoked due to SMAP. Considering handle_page_fault() has already considered the vsyscall page address as a userspace address, fix the problem by disallowing vsyscall page read for copy_from_kernel_nofault().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26906.html
CVE-2024-26906
https://bugzilla.suse.com/1223202
SUSE Bug 1223202

Описание

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free A recent DRM series purporting to simplify support for "transparent bridges" and handling of probe deferrals ironically exposed a use-after-free issue on pmic_glink_altmode probe deferral. This has manifested itself as the display subsystem occasionally failing to initialise and NULL-pointer dereferences during boot of machines like the Lenovo ThinkPad X13s. Specifically, the dp-hpd bridge is currently registered before all resources have been acquired which means that it can also be deregistered on probe deferrals. In the meantime there is a race window where the new aux bridge driver (or PHY driver previously) may have looked up the dp-hpd bridge and stored a (non-reference-counted) pointer to the bridge which is about to be deallocated. When the display controller is later initialised, this triggers a use-after-free when attaching the bridges: dp -> aux -> dp-hpd (freed) which may, for example, result in the freed bridge failing to attach: [drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16 or a NULL-pointer dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 ... Call trace: drm_bridge_attach+0x70/0x1a8 [drm] drm_aux_bridge_attach+0x24/0x38 [aux_bridge] drm_bridge_attach+0x80/0x1a8 [drm] dp_bridge_init+0xa8/0x15c [msm] msm_dp_modeset_init+0x28/0xc4 [msm] The DRM bridge implementation is clearly fragile and implicitly built on the assumption that bridges may never go away. In this case, the fix is to move the bridge registration in the pmic_glink_altmode driver to after all resources have been looked up. Incidentally, with the new dp-hpd bridge implementation, which registers child devices, this is also a requirement due to a long-standing issue in driver core that can otherwise lead to a probe deferral loop (see commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")). [DB: slightly fixed commit message by adding the word 'commit']

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26909.html
CVE-2024-26909
https://bugzilla.suse.com/1223143
SUSE Bug 1223143

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing/trigger: Fix to return error if failed to alloc snapshot Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26920.html
CVE-2024-26920
https://bugzilla.suse.com/1228237
SUSE Bug 1228237

Описание

In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26921.html
CVE-2024-26921
https://bugzilla.suse.com/1223138
SUSE Bug 1223138
https://bugzilla.suse.com/1223139
SUSE Bug 1223139

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26922.html
CVE-2024-26922
https://bugzilla.suse.com/1223315
SUSE Bug 1223315

Описание

In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26923.html
CVE-2024-26923
https://bugzilla.suse.com/1223384
SUSE Bug 1223384
https://bugzilla.suse.com/1223683
SUSE Bug 1223683

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26925.html
CVE-2024-26925
https://bugzilla.suse.com/1223390
SUSE Bug 1223390
https://bugzilla.suse.com/1224175
SUSE Bug 1224175

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26928.html
CVE-2024-26928
https://bugzilla.suse.com/1223532
SUSE Bug 1223532

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd() When unregister pd capabilitie in tcpm, KASAN will capture below double -free issue. The root cause is the same capabilitiy will be kfreed twice, the first time is kfreed by pd_capabilities_release() and the second time is explicitly kfreed by tcpm_port_unregister_pd(). [ 3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc [ 3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10 [ 4.001206] [ 4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53 [ 4.012402] Hardware name: Freescale i.MX8QXP MEK (DT) [ 4.017569] Workqueue: events_unbound deferred_probe_work_func [ 4.023456] Call trace: [ 4.025920] dump_backtrace+0x94/0xec [ 4.029629] show_stack+0x18/0x24 [ 4.032974] dump_stack_lvl+0x78/0x90 [ 4.036675] print_report+0xfc/0x5c0 [ 4.040289] kasan_report_invalid_free+0xa0/0xc0 [ 4.044937] __kasan_slab_free+0x124/0x154 [ 4.049072] kfree+0xb4/0x1e8 [ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc [ 4.056725] tcpm_register_port+0x1dd0/0x2558 [ 4.061121] tcpci_register_port+0x420/0x71c [ 4.065430] tcpci_probe+0x118/0x2e0 To fix the issue, this will remove kree() from tcpm_port_unregister_pd().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26932.html
CVE-2024-26932
https://bugzilla.suse.com/1223649
SUSE Bug 1223649

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix deadlock in port "disable" sysfs attribute The show and store callback routines for the "disable" sysfs attribute file in port.c acquire the device lock for the port's parent hub device. This can cause problems if another process has locked the hub to remove it or change its configuration: Removing the hub or changing its configuration requires the hub interface to be removed, which requires the port device to be removed, and device_del() waits until all outstanding sysfs attribute callbacks for the ports have returned. The lock can't be released until then. But the disable_show() or disable_store() routine can't return until after it has acquired the lock. The resulting deadlock can be avoided by calling sysfs_break_active_protection(). This will cause the sysfs core not to wait for the attribute's callback routine to return, allowing the removal to proceed. The disadvantage is that after making this call, there is no guarantee that the hub structure won't be deallocated at any moment. To prevent this, we have to acquire a reference to it first by calling hub_get().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26933.html
CVE-2024-26933
https://bugzilla.suse.com/1223670
SUSE Bug 1223670

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix deadlock in usb_deauthorize_interface() Among the attribute file callback routines in drivers/usb/core/sysfs.c, the interface_authorized_store() function is the only one which acquires a device lock on an ancestor device: It calls usb_deauthorize_interface(), which locks the interface's parent USB device. The will lead to deadlock if another process already owns that lock and tries to remove the interface, whether through a configuration change or because the device has been disconnected. As part of the removal procedure, device_del() waits for all ongoing sysfs attribute callbacks to complete. But usb_deauthorize_interface() can't complete until the device lock has been released, and the lock won't be released until the removal has finished. The mechanism provided by sysfs to prevent this kind of deadlock is to use the sysfs_break_active_protection() function, which tells sysfs not to wait for the attribute callback. Reported-and-tested by: Yue Sun <samsun1006219@gmail.com> Reported by: xingwei lee <xrivendell7@gmail.com>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26934.html
CVE-2024-26934
https://bugzilla.suse.com/1223671
SUSE Bug 1223671

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix unremoved procfs host directory regression Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier") fixed a bug related to modules loading/unloading, by adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led to a potential duplicate call to the hostdir_rm() routine, since it's also called from scsi_host_dev_release(). That triggered a regression report, which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"). The fix just dropped the hostdir_rm() call from dev_release(). But it happens that this proc directory is created on scsi_host_alloc(), and that function "pairs" with scsi_host_dev_release(), while scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the reason for removing the proc directory on dev_release() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsi_add_host() didn't happen. And that pattern happens to exist in some error paths, for example. Syzkaller causes that by using USB raw gadget device, error'ing on usb-storage driver, at usb_stor_probe2(). By checking that path, we can see that the BadDevice label leads to a scsi_host_put() after a SCSI host allocation, but there's no call to scsi_add_host() in such path. That leads to messages like this in dmesg (and a leak of the SCSI host proc structure): usb-storage 4-1:87.51: USB Mass Storage device detected proc_dir_entry 'scsi/usb-storage' already registered WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(), but guard that with the state check for SHOST_CREATED; there is even a comment in scsi_host_dev_release() detailing that: such conditional is meant for cases where the SCSI host was allocated but there was no calls to {add,remove}_host(), like the usb-storage case. This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26935.html
CVE-2024-26935
https://bugzilla.suse.com/1223675
SUSE Bug 1223675

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Reset queue_priority_hint on parking Originally, with strict in order execution, we could complete execution only when the queue was empty. Preempt-to-busy allows replacement of an active request that may complete before the preemption is processed by HW. If that happens, the request is retired from the queue, but the queue_priority_hint remains set, preventing direct submission until after the next CS interrupt is processed. This preempt-to-busy race can be triggered by the heartbeat, which will also act as the power-management barrier and upon completion allow us to idle the HW. We may process the completion of the heartbeat, and begin parking the engine before the CS event that restores the queue_priority_hint, causing us to fail the assertion that it is MIN. <3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 166.210781] Dumping ftrace buffer: <0>[ 166.210795] --------------------------------- ... <0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 } <0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646 <0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0 <0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659 <0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40 <0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 } <0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2 <0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin <0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2 <0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin <0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660 <0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns } <0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked <0>[ 167.303534] <idle>-0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040 <0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns } <0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns } <0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 167.303811] --------------------------------- <4>[ 167.304722] ------------[ cut here ]------------ <2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283! <4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1 <4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022 <4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915] <4>[ 16 ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26937.html
CVE-2024-26937
https://bugzilla.suse.com/1223677
SUSE Bug 1223677

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode() If we have no VBT, or the VBT didn't declare the encoder in question, we won't have the 'devdata' for the encoder. Instead of oopsing just bail early. We won't be able to tell whether the port is DP++ or not, but so be it. (cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26938.html
CVE-2024-26938
https://bugzilla.suse.com/1223678
SUSE Bug 1223678

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed The driver creates /sys/kernel/debug/dri/0/mob_ttm even when the corresponding ttm_resource_manager is not allocated. This leads to a crash when trying to read from this file. Add a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file only when the corresponding ttm_resource_manager is allocated. crash> bt PID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: "grep" #0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3 #1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a #2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1 #3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1 #4 [ffffb954506b3c70] no_context at ffffffffb2a7e913 #5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c #6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887 #7 [ffffb954506b3d40] page_fault at ffffffffb360116e [exception RIP: ttm_resource_manager_debug+0x11] RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246 RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940 RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000 RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000 R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm] #9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3 RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985 RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003 RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000 R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003 ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26940.html
CVE-2024-26940
https://bugzilla.suse.com/1223718
SUSE Bug 1223718

Описание

In the Linux kernel, the following vulnerability has been resolved: nouveau/dmem: handle kcalloc() allocation failure The kcalloc() in nouveau_dmem_evict_chunk() will return null if the physical memory has run out. As a result, if we dereference src_pfns, dst_pfns or dma_addrs, the null pointer dereference bugs will happen. Moreover, the GPU is going away. If the kcalloc() fails, we could not evict all pages mapping a chunk. So this patch adds a __GFP_NOFAIL flag in kcalloc(). Finally, as there is no need to have physically contiguous memory, this patch switches kcalloc() to kvcalloc() in order to avoid failing allocations.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26943.html
CVE-2024-26943
https://bugzilla.suse.com/1230527
SUSE Bug 1230527

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free in do_zone_finish() Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070. BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 ================================================================== BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs] Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007 CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0x200/0x3e0 kasan_report+0xd8/0x110 ? do_zone_finish+0x91a/0xb90 [btrfs] ? do_zone_finish+0x91a/0xb90 [btrfs] do_zone_finish+0x91a/0xb90 [btrfs] btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs] ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs] ? btrfs_put_root+0x2d/0x220 [btrfs] ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs] cleaner_kthread+0x21e/0x380 [btrfs] ? __pfx_cleaner_kthread+0x10/0x10 [btrfs] kthread+0x2e3/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 3493983: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_alloc_device+0xb3/0x4e0 [btrfs] device_list_add.constprop.0+0x993/0x1630 [btrfs] btrfs_scan_one_device+0x219/0x3d0 [btrfs] btrfs_control_ioctl+0x26e/0x310 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 3494056: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3f/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x32/0x70 kfree+0x11b/0x320 btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs] btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs] btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs] btrfs_ioctl+0xb27/0x57d0 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 The buggy address belongs to the object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 96 bytes inside of freed 1024-byte region [ffff8881543c8000, ffff8881543c8400) The buggy address belongs to the physical page: page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb This UAF happens because we're accessing stale zone information of a already removed btrfs_device in do_zone_finish(). The sequence of events is as follows: btrfs_dev_replace_start btrfs_scrub_dev btrfs_dev_replace_finishing btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced btrfs_rm_dev_replace_free_srcdev btrfs_free_device <-- device freed cleaner_kthread btrfs_delete_unused_bgs btrfs_zone_finish do_zone_finish <-- refers the freed device The reason for this is that we're using a ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26944.html
CVE-2024-26944
https://bugzilla.suse.com/1223731
SUSE Bug 1223731

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix nr_cpus < nr_iaa case If nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which causes a divide-by-0 in rebalance_wq_table(). Make sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0 case, even though cpus_per_iaa is never used if nr_iaa == 0, for paranoia.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26945.html
CVE-2024-26945
https://bugzilla.suse.com/1223732
SUSE Bug 1223732

Описание

In the Linux kernel, the following vulnerability has been resolved: kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address Read from an unsafe address with copy_from_kernel_nofault() in arch_adjust_kprobe_addr() because this function is used before checking the address is in text or not. Syzcaller bot found a bug and reported the case if user specifies inaccessible data area, arch_adjust_kprobe_addr() will cause a kernel panic. [ mingo: Clarified the comment. ]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26946.html
CVE-2024-26946
https://bugzilla.suse.com/1223669
SUSE Bug 1223669

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add a dc_state NULL check in dc_state_release [How] Check wheather state is NULL before releasing it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26948.html
CVE-2024-26948
https://bugzilla.suse.com/1223664
SUSE Bug 1223664

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/pm: Fix NULL pointer dereference when get power limit Because powerplay_table initialization is skipped under sriov case, We check and set default lower and upper OD value if powerplay_table is NULL.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26949.html
CVE-2024-26949
https://bugzilla.suse.com/1223665
SUSE Bug 1223665

Описание

In the Linux kernel, the following vulnerability has been resolved: wireguard: netlink: access device through ctx instead of peer The previous commit fixed a bug that led to a NULL peer->device being dereferenced. It's actually easier and faster performance-wise to instead get the device from ctx->wg. This semantically makes more sense too, since ctx->wg->peer_allowedips.seq is compared with ctx->allowedips_seq, basing them both in ctx. This also acts as a defence in depth provision against freed peers.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26950.html
CVE-2024-26950
https://bugzilla.suse.com/1223661
SUSE Bug 1223661

Описание

In the Linux kernel, the following vulnerability has been resolved: wireguard: netlink: check for dangling peer via is_dead instead of empty list If all peers are removed via wg_peer_remove_all(), rather than setting peer_list to empty, the peer is added to a temporary list with a head on the stack of wg_peer_remove_all(). If a netlink dump is resumed and the cursored peer is one that has been removed via wg_peer_remove_all(), it will iterate from that peer and then attempt to dump freed peers. Fix this by instead checking peer->is_dead, which was explictly created for this purpose. Also move up the device_update_lock lockdep assertion, since reading is_dead relies on that. It can be reproduced by a small script like: echo "Setting config..." ip link add dev wg0 type wireguard wg setconf wg0 /big-config ( while true; do echo "Showing config..." wg showconf wg0 > /dev/null done ) & sleep 4 wg setconf wg0 <(printf "[Peer]\nPublicKey=$(wg genkey)\n") Resulting in: BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20 Read of size 8 at addr ffff88811956ec70 by task wg/59 CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5 Call Trace: <TASK> dump_stack_lvl+0x47/0x70 print_address_description.constprop.0+0x2c/0x380 print_report+0xab/0x250 kasan_report+0xba/0xf0 __lock_acquire+0x182a/0x1b20 lock_acquire+0x191/0x4b0 down_read+0x80/0x440 get_peer+0x140/0xcb0 wg_get_device_dump+0x471/0x1130

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26951.html
CVE-2024-26951
https://bugzilla.suse.com/1223660
SUSE Bug 1223660

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/zcrypt: fix reference counting on zcrypt card objects Tests with hot-plugging crytpo cards on KVM guests with debug kernel build revealed an use after free for the load field of the struct zcrypt_card. The reason was an incorrect reference handling of the zcrypt card object which could lead to a free of the zcrypt card object while it was still in use. This is an example of the slab message: kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43 kernel: kmalloc_trace+0x3f2/0x470 kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt] kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4] kernel: ap_device_probe+0x15c/0x290 kernel: really_probe+0xd2/0x468 kernel: driver_probe_device+0x40/0xf0 kernel: __device_attach_driver+0xc0/0x140 kernel: bus_for_each_drv+0x8c/0xd0 kernel: __device_attach+0x114/0x198 kernel: bus_probe_device+0xb4/0xc8 kernel: device_add+0x4d2/0x6e0 kernel: ap_scan_adapter+0x3d0/0x7c0 kernel: ap_scan_bus+0x5a/0x3b0 kernel: ap_scan_bus_wq_callback+0x40/0x60 kernel: process_one_work+0x26e/0x620 kernel: worker_thread+0x21c/0x440 kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43 kernel: kfree+0x37e/0x418 kernel: zcrypt_card_put+0x54/0x80 [zcrypt] kernel: ap_device_remove+0x4c/0xe0 kernel: device_release_driver_internal+0x1c4/0x270 kernel: bus_remove_device+0x100/0x188 kernel: device_del+0x164/0x3c0 kernel: device_unregister+0x30/0x90 kernel: ap_scan_adapter+0xc8/0x7c0 kernel: ap_scan_bus+0x5a/0x3b0 kernel: ap_scan_bus_wq_callback+0x40/0x60 kernel: process_one_work+0x26e/0x620 kernel: worker_thread+0x21c/0x440 kernel: kthread+0x150/0x168 kernel: __ret_from_fork+0x3c/0x58 kernel: ret_from_fork+0xa/0x30 kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff) kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88 kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........ kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk. kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........ kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2 kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux) kernel: Call Trace: kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120 kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140 kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8 kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8 kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0 kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8 kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8 kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590 kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0 kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0 kernel: ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26957.html
CVE-2024-26957
https://bugzilla.suse.com/1223666
SUSE Bug 1223666

Описание

In the Linux kernel, the following vulnerability has been resolved: nfs: fix UAF in direct writes In production we have been hitting the following warning consistently ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0 Workqueue: nfsiod nfs_direct_write_schedule_work [nfs] RIP: 0010:refcount_warn_saturate+0x9c/0xe0 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x9f/0x130 ? refcount_warn_saturate+0x9c/0xe0 ? report_bug+0xcc/0x150 ? handle_bug+0x3d/0x70 ? exc_invalid_op+0x16/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0x9c/0xe0 nfs_direct_write_schedule_work+0x237/0x250 [nfs] process_one_work+0x12f/0x4a0 worker_thread+0x14e/0x3b0 ? ZSTD_getCParams_internal+0x220/0x220 kthread+0xdc/0x120 ? __btf_name_valid+0xa0/0xa0 ret_from_fork+0x1f/0x30 This is because we're completing the nfs_direct_request twice in a row. The source of this is when we have our commit requests to submit, we process them and send them off, and then in the completion path for the commit requests we have if (nfs_commit_end(cinfo.mds)) nfs_direct_write_complete(dreq); However since we're submitting asynchronous requests we sometimes have one that completes before we submit the next one, so we end up calling complete on the nfs_direct_request twice. The only other place we use nfs_generic_commit_list() is in __nfs_commit_inode, which wraps this call in a nfs_commit_begin(); nfs_commit_end(); Which is a common pattern for this style of completion handling, one that is also repeated in the direct code with get_dreq()/put_dreq() calls around where we process events as well as in the completion paths. Fix this by using the same pattern for the commit requests. Before with my 200 node rocksdb stress running this warning would pop every 10ish minutes. With my patch the stress test has been running for several hours without popping.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26958.html
CVE-2024-26958
https://bugzilla.suse.com/1223653
SUSE Bug 1223653

Описание

In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in "count == SWAP_HAS_CACHE". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26960.html
CVE-2024-26960
https://bugzilla.suse.com/1223655
SUSE Bug 1223655

Описание

In the Linux kernel, the following vulnerability has been resolved: mac802154: fix llsec key resources release in mac802154_llsec_key_del mac802154_llsec_key_del() can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case llsec_lookup_key() is traversing the list of keys in parallel with a key deletion: refcount_t: addition on 0; use-after-free. WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0 Modules linked in: CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0x162/0x2a0 Call Trace: <TASK> llsec_lookup_key.isra.0+0x890/0x9e0 mac802154_llsec_encrypt+0x30c/0x9c0 ieee802154_subif_start_xmit+0x24/0x1e0 dev_hard_start_xmit+0x13e/0x690 sch_direct_xmit+0x2ae/0xbc0 __dev_queue_xmit+0x11dd/0x3c20 dgram_sendmsg+0x90b/0xd60 __sys_sendto+0x466/0x4c0 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x45/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Also, ieee802154_llsec_key_entry structures are not freed by mac802154_llsec_key_del(): unreferenced object 0xffff8880613b6980 (size 64): comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s) hex dump (first 32 bytes): 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x......."....... 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................ backtrace: [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0 [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0 [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0 [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80 [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0 [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0 [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0 [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440 [<ffffffff86ff1d88>] genl_rcv+0x28/0x40 [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820 [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60 [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0 [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0 [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0 [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0 [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 Handle the proper resource release in the RCU callback function mac802154_llsec_key_del_rcu(). Note that if llsec_lookup_key() finds a key, it gets a refcount via llsec_key_get() and locally copies key id from key_entry (which is a list element). So it's safe to call llsec_key_put() and free the list entry after the RCU grace period elapses. Found by Linux Verification Center (linuxtesting.org).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26961.html
CVE-2024-26961
https://bugzilla.suse.com/1223652
SUSE Bug 1223652

Описание

In the Linux kernel, the following vulnerability has been resolved: dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape For raid456, if reshape is still in progress, then IO across reshape position will wait for reshape to make progress. However, for dm-raid, in following cases reshape will never make progress hence IO will hang: 1) the array is read-only; 2) MD_RECOVERY_WAIT is set; 3) MD_RECOVERY_FROZEN is set; After commit c467e97f079f ("md/raid6: use valid sector values to determine if an I/O should wait on the reshape") fix the problem that IO across reshape position doesn't wait for reshape, the dm-raid test shell/lvconvert-raid-reshape.sh start to hang: [root@fedora ~]# cat /proc/979/stack [<0>] wait_woken+0x7d/0x90 [<0>] raid5_make_request+0x929/0x1d70 [raid456] [<0>] md_handle_request+0xc2/0x3b0 [md_mod] [<0>] raid_map+0x2c/0x50 [dm_raid] [<0>] __map_bio+0x251/0x380 [dm_mod] [<0>] dm_submit_bio+0x1f0/0x760 [dm_mod] [<0>] __submit_bio+0xc2/0x1c0 [<0>] submit_bio_noacct_nocheck+0x17f/0x450 [<0>] submit_bio_noacct+0x2bc/0x780 [<0>] submit_bio+0x70/0xc0 [<0>] mpage_readahead+0x169/0x1f0 [<0>] blkdev_readahead+0x18/0x30 [<0>] read_pages+0x7c/0x3b0 [<0>] page_cache_ra_unbounded+0x1ab/0x280 [<0>] force_page_cache_ra+0x9e/0x130 [<0>] page_cache_sync_ra+0x3b/0x110 [<0>] filemap_get_pages+0x143/0xa30 [<0>] filemap_read+0xdc/0x4b0 [<0>] blkdev_read_iter+0x75/0x200 [<0>] vfs_read+0x272/0x460 [<0>] ksys_read+0x7a/0x170 [<0>] __x64_sys_read+0x1c/0x30 [<0>] do_syscall_64+0xc6/0x230 [<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74 This is because reshape can't make progress. For md/raid, the problem doesn't exist because register new sync_thread doesn't rely on the IO to be done any more: 1) If array is read-only, it can switch to read-write by ioctl/sysfs; 2) md/raid never set MD_RECOVERY_WAIT; 3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold 'reconfig_mutex', hence it can be cleared and reshape can continue by sysfs api 'sync_action'. However, I'm not sure yet how to avoid the problem in dm-raid yet. This patch on the one hand make sure raid_message() can't change sync_thread() through raid_message() after presuspend(), on the other hand detect the above 3 cases before wait for IO do be done in dm_suspend(), and let dm-raid requeue those IO.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26962.html
CVE-2024-26962
https://bugzilla.suse.com/1223654
SUSE Bug 1223654

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3-am62: fix module unload/reload behavior As runtime PM is enabled, the module can be runtime suspended when .remove() is called. Do a pm_runtime_get_sync() to make sure module is active before doing any register operations. Doing a pm_runtime_put_sync() should disable the refclk so no need to disable it again. Fixes the below warning at module removel. [ 39.705310] ------------[ cut here ]------------ [ 39.710004] clk:162:3 already disabled [ 39.713941] WARNING: CPU: 0 PID: 921 at drivers/clk/clk.c:1090 clk_core_disable+0xb0/0xb8 We called of_platform_populate() in .probe() so call the cleanup function of_platform_depopulate() in .remove(). Get rid of the now unnnecessary dwc3_ti_remove_core(). Without this, module re-load doesn't work properly.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26963.html
CVE-2024-26963
https://bugzilla.suse.com/1223651
SUSE Bug 1223651

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Add error handling in xhci_map_urb_for_dma Currently xhci_map_urb_for_dma() creates a temporary buffer and copies the SG list to the new linear buffer. But if the kzalloc_node() fails, then the following sg_pcopy_to_buffer() can lead to crash since it tries to memcpy to NULL pointer. So return -ENOMEM if kzalloc returns null pointer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26964.html
CVE-2024-26964
https://bugzilla.suse.com/1223650
SUSE Bug 1223650

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26972.html
CVE-2024-26972
https://bugzilla.suse.com/1223643
SUSE Bug 1223643

Описание

In the Linux kernel, the following vulnerability has been resolved: fat: fix uninitialized field in nostale filehandles When fat_encode_fh_nostale() encodes file handle without a parent it stores only first 10 bytes of the file handle. However the length of the file handle must be a multiple of 4 so the file handle is actually 12 bytes long and the last two bytes remain uninitialized. This is not great at we potentially leak uninitialized information with the handle to userspace. Properly initialize the full handle length.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26973.html
CVE-2024-26973
https://bugzilla.suse.com/1223641
SUSE Bug 1223641

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: max310x: fix NULL pointer dereference in I2C instantiation When trying to instantiate a max14830 device from userspace: echo max14830 0x60 > /sys/bus/i2c/devices/i2c-2/new_device we get the following error: Unable to handle kernel NULL pointer dereference at virtual address... ... Call trace: max310x_i2c_probe+0x48/0x170 [max310x] i2c_device_probe+0x150/0x2a0 ... Add check for validity of devtype to prevent the error, and abort probe with a meaningful error message.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26978.html
CVE-2024-26978
https://bugzilla.suse.com/1223629
SUSE Bug 1223629

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix OOB in nilfs_set_de_type The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function, which uses this array, specifies the index to read from the array in the same way as "(mode & S_IFMT) >> S_SHIFT". static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode) { umode_t mode = inode->i_mode; de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob } However, when the index is determined this way, an out-of-bounds (OOB) error occurs by referring to an index that is 1 larger than the array size when the condition "mode & S_IFMT == S_IFMT" is satisfied. Therefore, a patch to resize the nilfs_type_by_mode array should be applied to prevent OOB errors.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26981.html
CVE-2024-26981
https://bugzilla.suse.com/1223668
SUSE Bug 1223668

Описание

In the Linux kernel, the following vulnerability has been resolved: Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number). 2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed. This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is. [phillip@squashfs.org.uk: whitespace fix] Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26982.html
CVE-2024-26982
https://bugzilla.suse.com/1223634
SUSE Bug 1223634

Описание

In the Linux kernel, the following vulnerability has been resolved: bootconfig: use memblock_free_late to free xbc memory to buddy On the time to free xbc memory in xbc_exit(), memblock may has handed over memory to buddy allocator. So it doesn't make sense to free memory back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. Following KASAN logs shows this case. This patch fixes the xbc memory free problem by calling memblock_free() in early xbc init error rewind path and calling memblock_free_late() in xbc exit path to free memory to buddy allocator. [ 9.410890] ================================================================== [ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260 [ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1 [ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5 [ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023 [ 9.460789] Call Trace: [ 9.463518] <TASK> [ 9.465859] dump_stack_lvl+0x53/0x70 [ 9.469949] print_report+0xce/0x610 [ 9.473944] ? __virt_addr_valid+0xf5/0x1b0 [ 9.478619] ? memblock_isolate_range+0x12d/0x260 [ 9.483877] kasan_report+0xc6/0x100 [ 9.487870] ? memblock_isolate_range+0x12d/0x260 [ 9.493125] memblock_isolate_range+0x12d/0x260 [ 9.498187] memblock_phys_free+0xb4/0x160 [ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10 [ 9.508021] ? mutex_unlock+0x7e/0xd0 [ 9.512111] ? __pfx_mutex_unlock+0x10/0x10 [ 9.516786] ? kernel_init_freeable+0x2d4/0x430 [ 9.521850] ? __pfx_kernel_init+0x10/0x10 [ 9.526426] xbc_exit+0x17/0x70 [ 9.529935] kernel_init+0x38/0x1e0 [ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30 [ 9.538601] ret_from_fork+0x2c/0x50 [ 9.542596] ? __pfx_kernel_init+0x10/0x10 [ 9.547170] ret_from_fork_asm+0x1a/0x30 [ 9.551552] </TASK> [ 9.555649] The buggy address belongs to the physical page: [ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30 [ 9.570821] flags: 0x200000000000000(node=0|zone=2) [ 9.576271] page_type: 0xffffffff() [ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000 [ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 9.597476] page dumped because: kasan: bad access detected [ 9.605362] Memory state around the buggy address: [ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.634930] ^ [ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.654675] ==================================================================

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26983.html
CVE-2024-26983
https://bugzilla.suse.com/1223637
SUSE Bug 1223637

Описание

In the Linux kernel, the following vulnerability has been resolved: nouveau: fix instmem race condition around ptr stores Running a lot of VK CTS in parallel against nouveau, once every few hours you might see something like this crash. BUG: kernel NULL pointer dereference, address: 0000000000000008 PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27 Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021 RIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau] Code: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1 RSP: 0000:ffffac20c5857838 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001 RDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180 RBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10 R10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c R13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c FS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ... ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau] ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau] nvkm_vmm_iter+0x351/0xa20 [nouveau] ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau] ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau] ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau] ? __lock_acquire+0x3ed/0x2170 ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau] nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau] ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau] ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau] nvkm_vmm_map_locked+0x224/0x3a0 [nouveau] Adding any sort of useful debug usually makes it go away, so I hand wrote the function in a line, and debugged the asm. Every so often pt->memory->ptrs is NULL. This ptrs ptr is set in the nv50_instobj_acquire called from nvkm_kmap. If Thread A and Thread B both get to nv50_instobj_acquire around the same time, and Thread A hits the refcount_set line, and in lockstep thread B succeeds at refcount_inc_not_zero, there is a chance the ptrs value won't have been stored since refcount_set is unordered. Force a memory barrier here, I picked smp_mb, since we want it on all CPUs and it's write followed by a read. v2: use paired smp_rmb/smp_wmb.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26984.html
CVE-2024-26984
https://bugzilla.suse.com/1223633
SUSE Bug 1223633

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix memory leak in create_process failure Fix memory leak due to a leaked mmget reference on an error handling code path that is triggered when attempting to create KFD processes while a GPU reset is in progress.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26986.html
CVE-2024-26986
https://bugzilla.suse.com/1223728
SUSE Bug 1223728

Описание

In the Linux kernel, the following vulnerability has been resolved: init/main.c: Fix potential static_command_line memory overflow We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for static_command_line, but the strings copied into static_command_line are extra_command_line and command_line, rather than extra_command_line and boot_command_line. When strlen(command_line) > strlen(boot_command_line), static_command_line will overflow. This patch just recovers strlen(command_line) which was miss-consolidated with strlen(boot_command_line) in the commit f5c7310ac73e ("init/main: add checks for the return value of memblock_alloc*()")

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26988.html
CVE-2024-26988
https://bugzilla.suse.com/1223747
SUSE Bug 1223747

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: hibernate: Fix level3 translation fault in swsusp_save() On arm64 machines, swsusp_save() faults if it attempts to access MEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI when booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n: Unable to handle kernel paging request at virtual address ffffff8000000000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000 [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76 Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0 Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021 pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : swsusp_save+0x280/0x538 lr : swsusp_save+0x280/0x538 sp : ffffffa034a3fa40 x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000 x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000 x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2 x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000 x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666 x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0 x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001 x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e Call trace: swsusp_save+0x280/0x538 swsusp_arch_suspend+0x148/0x190 hibernation_snapshot+0x240/0x39c hibernate+0xc4/0x378 state_store+0xf0/0x10c kobj_attr_store+0x14/0x24 The reason is swsusp_save() -> copy_data_pages() -> page_is_saveable() -> kernel_page_present() assuming that a page is always present when can_set_direct_map() is false (all of rodata_full, debug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false), irrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions should not be saved during hibernation. This problem was introduced by changes to the pfn_valid() logic in commit a7d9f306ba70 ("arm64: drop pfn_valid_within() and simplify pfn_valid()"). Similar to other architectures, drop the !can_set_direct_map() check in kernel_page_present() so that page_is_savable() skips such pages. [catalin.marinas@arm.com: rework commit message]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26989.html
CVE-2024-26989
https://bugzilla.suse.com/1223748
SUSE Bug 1223748

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status Check kvm_mmu_page_ad_need_write_protect() when deciding whether to write-protect or clear D-bits on TDP MMU SPTEs, so that the TDP MMU accounts for any role-specific reasons for disabling D-bit dirty logging. Specifically, TDP MMU SPTEs must be write-protected when the TDP MMU is being used to run an L2 (i.e. L1 has disabled EPT) and PML is enabled. KVM always disables PML when running L2, even when L1 and L2 GPAs are in the some domain, so failing to write-protect TDP MMU SPTEs will cause writes made by L2 to not be reflected in the dirty log. [sean: massage shortlog and changelog, tweak ternary op formatting]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26990.html
CVE-2024-26990
https://bugzilla.suse.com/1223749
SUSE Bug 1223749

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes Fix KVM_SET_MEMORY_ATTRIBUTES to not overflow lpage_info array and trigger KASAN splat, as seen in the private_mem_conversions_test selftest. When memory attributes are set on a GFN range, that range will have specific properties applied to the TDP. A huge page cannot be used when the attributes are inconsistent, so they are disabled for those the specific huge pages. For internal KVM reasons, huge pages are also not allowed to span adjacent memslots regardless of whether the backing memory could be mapped as huge. What GFNs support which huge page sizes is tracked by an array of arrays 'lpage_info' on the memslot, of 'kvm_lpage_info' structs. Each index of lpage_info contains a vmalloc allocated array of these for a specific supported page size. The kvm_lpage_info denotes whether a specific huge page (GFN and page size) on the memslot is supported. These arrays include indices for unaligned head and tail huge pages. Preventing huge pages from spanning adjacent memslot is covered by incrementing the count in head and tail kvm_lpage_info when the memslot is allocated, but disallowing huge pages for memory that has mixed attributes has to be done in a more complicated way. During the KVM_SET_MEMORY_ATTRIBUTES ioctl KVM updates lpage_info for each memslot in the range that has mismatched attributes. KVM does this a memslot at a time, and marks a special bit, KVM_LPAGE_MIXED_FLAG, in the kvm_lpage_info for any huge page. This bit is essentially a permanently elevated count. So huge pages will not be mapped for the GFN at that page size if the count is elevated in either case: a huge head or tail page unaligned to the memslot or if KVM_LPAGE_MIXED_FLAG is set because it has mixed attributes. To determine whether a huge page has consistent attributes, the KVM_SET_MEMORY_ATTRIBUTES operation checks an xarray to make sure it consistently has the incoming attribute. Since level - 1 huge pages are aligned to level huge pages, it employs an optimization. As long as the level - 1 huge pages are checked first, it can just check these and assume that if each level - 1 huge page contained within the level sized huge page is not mixed, then the level size huge page is not mixed. This optimization happens in the helper hugepage_has_attrs(). Unfortunately, although the kvm_lpage_info array representing page size 'level' will contain an entry for an unaligned tail page of size level, the array for level - 1 will not contain an entry for each GFN at page size level. The level - 1 array will only contain an index for any unaligned region covered by level - 1 huge page size, which can be a smaller region. So this causes the optimization to overflow the level - 1 kvm_lpage_info and perform a vmalloc out of bounds read. In some cases of head and tail pages where an overflow could happen, callers skip the operation completely as KVM_LPAGE_MIXED_FLAG is not required to prevent huge pages as discussed earlier. But for memslots that are smaller than the 1GB page size, it does call hugepage_has_attrs(). In this case the huge page is both the head and tail page. The issue can be observed simply by compiling the kernel with CONFIG_KASAN_VMALLOC and running the selftest "private_mem_conversions_test", which produces the output like the following: BUG: KASAN: vmalloc-out-of-bounds in hugepage_has_attrs+0x7e/0x110 Read of size 4 at addr ffffc900000a3008 by task private_mem_con/169 Call Trace: dump_stack_lvl print_report ? __virt_addr_valid ? hugepage_has_attrs ? hugepage_has_attrs kasan_report ? hugepage_has_attrs hugepage_has_attrs kvm_arch_post_set_memory_attributes kvm_vm_ioctl It is a little ambiguous whether the unaligned head page (in the bug case also the tail page) should be expected to have KVM_LPAGE_MIXED_FLAG set. It is not functionally required, as the unal ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26991.html
CVE-2024-26991
https://bugzilla.suse.com/1223695
SUSE Bug 1223695

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/pmu: Disable support for adaptive PEBS Drop support for virtualizing adaptive PEBS, as KVM's implementation is architecturally broken without an obvious/easy path forward, and because exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak host kernel addresses to the guest. Bug #1 is that KVM doesn't account for the upper 32 bits of IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters() stores local variables as u8s and truncates the upper bits too, etc. Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero value for PEBS events, perf will _always_ generate an adaptive record, even if the guest requested a basic record. Note, KVM will also enable adaptive PEBS in individual *counter*, even if adaptive PEBS isn't exposed to the guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero, i.e. the guest will only ever see Basic records. Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE either. I.e. perf _always_ enables ADAPTIVE counters, regardless of what KVM requests. Bug #4 is that adaptive PEBS *might* effectively bypass event filters set by the host, as "Updated Memory Access Info Group" records information that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER. Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least zeros) when entering a vCPU with adaptive PEBS, which allows the guest to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries" records. Disable adaptive PEBS support as an immediate fix due to the severity of the LBR leak in particular, and because fixing all of the bugs will be non-trivial, e.g. not suitable for backporting to stable kernels. Note! This will break live migration, but trying to make KVM play nice with live migration would be quite complicated, wouldn't be guaranteed to work (i.e. KVM might still kill/confuse the guest), and it's not clear that there are any publicly available VMMs that support adaptive PEBS, let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't support PEBS in any capacity.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26992.html
CVE-2024-26992
https://bugzilla.suse.com/1223692
SUSE Bug 1223692

Описание

In the Linux kernel, the following vulnerability has been resolved: fs: sysfs: Fix reference leak in sysfs_break_active_protection() The sysfs_break_active_protection() routine has an obvious reference leak in its error path. If the call to kernfs_find_and_get() fails then kn will be NULL, so the companion sysfs_unbreak_active_protection() routine won't get called (and would only cause an access violation by trying to dereference kn->parent if it was called). As a result, the reference to kobj acquired at the start of the function will never be released. Fix the leak by adding an explicit kobject_put() call when kn is NULL.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26993.html
CVE-2024-26993
https://bugzilla.suse.com/1223693
SUSE Bug 1223693

Описание

In the Linux kernel, the following vulnerability has been resolved: speakup: Avoid crash on very long word In case a console is set up really large and contains a really long word (> 256 characters), we have to stop before the length of the word buffer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26994.html
CVE-2024-26994
https://bugzilla.suse.com/1223750
SUSE Bug 1223750

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: Correct the PDO counting in pd_set Off-by-one errors happen because nr_snk_pdo and nr_src_pdo are incorrectly added one. The index of the loop is equal to the number of PDOs to be updated when leaving the loop and it doesn't need to be added one. When doing the power negotiation, TCPM relies on the "nr_snk_pdo" as the size of the local sink PDO array to match the Source capabilities of the partner port. If the off-by-one overflow occurs, a wrong RDO might be sent and unexpected power transfer might happen such as over voltage or over current (than expected). "nr_src_pdo" is used to set the Rp level when the port is in Source role. It is also the array size of the local Source capabilities when filling up the buffer which will be sent as the Source PDOs (such as in Power Negotiation). If the off-by-one overflow occurs, a wrong Rp level might be set and wrong Source PDOs will be sent to the partner port. This could potentially cause over current or port resets.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26995.html
CVE-2024-26995
https://bugzilla.suse.com/1223696
SUSE Bug 1223696

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error When ncm function is working and then stop usb0 interface for link down, eth_stop() is called. At this piont, accidentally if usb transport error should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled. After that, ncm_disable() is called to disable for ncm unbind but gether_disconnect() is never called since 'in_ep' is not enabled. As the result, ncm object is released in ncm unbind but 'dev->port_usb' associated to 'ncm->port' is not NULL. And when ncm bind again to recover netdev, ncm object is reallocated but usb0 interface is already associated to previous released ncm object. Therefore, once usb0 interface is up and eth_start_xmit() is called, released ncm object is dereferrenced and it might cause use-after-free memory. [function unlink via configfs] usb0: eth_stop dev->port_usb=ffffff9b179c3200 --> error happens in usb_ep_enable(). NCM: ncm_disable: ncm=ffffff9b179c3200 --> no gether_disconnect() since ncm->port.in_ep->enabled is false. NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200 NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm [function link via configfs] NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000 NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000 NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0 usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm usb0: eth_start dev->port_usb=ffffff9b179c3200 <-- eth_start_xmit() --> dev->wrap() Unable to handle kernel paging request at virtual address dead00000000014f This patch addresses the issue by checking if 'ncm->netdev' is not NULL at ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'. It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect rather than check 'ncm->port.in_ep->enabled' since it might not be enabled but the gether connection might be established.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26996.html
CVE-2024-26996
https://bugzilla.suse.com/1223752
SUSE Bug 1223752

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: host: Fix dereference issue in DDMA completion flow. Fixed variable dereference issue in DDMA completion flow.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26997.html
CVE-2024-26997
https://bugzilla.suse.com/1223741
SUSE Bug 1223741

Описание

In the Linux kernel, the following vulnerability has been resolved: serial/pmac_zilog: Remove flawed mitigation for rx irq flood The mitigation was intended to stop the irq completely. That may be better than a hard lock-up but it turns out that you get a crash anyway if you're using pmac_zilog as a serial console: ttyPZ0: pmz: rx irq flood ! BUG: spinlock recursion on CPU#0, swapper/0 That's because the pr_err() call in pmz_receive_chars() results in pmz_console_write() attempting to lock a spinlock already locked in pmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal BUG splat. The spinlock in question is the one in struct uart_port. Even when it's not fatal, the serial port rx function ceases to work. Also, the iteration limit doesn't play nicely with QEMU, as can be seen in the bug report linked below. A web search for other reports of the error message "pmz: rx irq flood" didn't produce anything. So I don't think this code is needed any more. Remove it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26999.html
CVE-2024-26999
https://bugzilla.suse.com/1223754
SUSE Bug 1223754

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: mxs-auart: add spinlock around changing cts state The uart_handle_cts_change() function in serial_core expects the caller to hold uport->lock. For example, I have seen the below kernel splat, when the Bluetooth driver is loaded on an i.MX28 board. [ 85.119255] ------------[ cut here ]------------ [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1 [ 85.151396] Hardware name: Freescale MXS (Device Tree) [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth] (...) [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4 [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210 (...)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27000.html
CVE-2024-27000
https://bugzilla.suse.com/1223757
SUSE Bug 1223757

Описание

In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix incomplete endpoint checking While vmk80xx does have endpoint checking implemented, some things can fall through the cracks. Depending on the hardware model, URBs can have either bulk or interrupt type, and current version of vmk80xx_find_usb_endpoints() function does not take that fully into account. While this warning does not seem to be too harmful, at the very least it will crash systems with 'panic_on_warn' set on them. Fix the issue found by Syzkaller [1] by somewhat simplifying the endpoint checking process with usb_find_common_endpoints() and ensuring that only expected endpoint types are present. This patch has not been tested on real hardware. [1] Syzkaller report: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline] vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818 comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067 usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399 ... Similar issue also found by Syzkaller:

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27001.html
CVE-2024-27001
https://bugzilla.suse.com/1223698
SUSE Bug 1223698

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: Do a runtime PM get on controllers during probe mt8183-mfgcfg has a mutual dependency with genpd during the probing stage, which leads to a deadlock in the following call stack: CPU0: genpd_lock --> clk_prepare_lock genpd_power_off_work_fn() genpd_lock() generic_pm_domain::power_off() clk_unprepare() clk_prepare_lock() CPU1: clk_prepare_lock --> genpd_lock clk_register() __clk_core_init() clk_prepare_lock() clk_pm_runtime_get() genpd_lock() Do a runtime PM get at the probe function to make sure clk_register() won't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg, do this on all mediatek clock controller probings because we don't believe this would cause any regression. Verified on MT8183 and MT8192 Chromebooks.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27002.html
CVE-2024-27002
https://bugzilla.suse.com/1223759
SUSE Bug 1223759

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: Get runtime PM before walking tree for clk_summary Similar to the previous commit, we should make sure that all devices are runtime resumed before printing the clk_summary through debugfs. Failure to do so would result in a deadlock if the thread is resuming a device to print clk state and that device is also runtime resuming in another thread, e.g the screen is turning on and the display driver is starting up. We remove the calls to clk_pm_runtime_{get,put}() in this path because they're superfluous now that we know the devices are runtime resumed. This also squashes a bug where the return value of clk_pm_runtime_get() wasn't checked, leading to an RPM count underflow on error paths.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27003.html
CVE-2024-27003
https://bugzilla.suse.com/1223761
SUSE Bug 1223761

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: Get runtime PM before walking tree during disable_unused Doug reported [1] the following hung task: INFO: task swapper/0:1 blocked for more than 122 seconds. Not tainted 5.15.149-21875-gf795ebc40eb8 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008 Call trace: __switch_to+0xf4/0x1f4 __schedule+0x418/0xb80 schedule+0x5c/0x10c rpm_resume+0xe0/0x52c rpm_resume+0x178/0x52c __pm_runtime_resume+0x58/0x98 clk_pm_runtime_get+0x30/0xb0 clk_disable_unused_subtree+0x58/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused+0x4c/0xe4 do_one_initcall+0xcc/0x2d8 do_initcall_level+0xa4/0x148 do_initcalls+0x5c/0x9c do_basic_setup+0x24/0x30 kernel_init_freeable+0xec/0x164 kernel_init+0x28/0x120 ret_from_fork+0x10/0x20 INFO: task kworker/u16:0:9 blocked for more than 122 seconds. Not tainted 5.15.149-21875-gf795ebc40eb8 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008 Workqueue: events_unbound deferred_probe_work_func Call trace: __switch_to+0xf4/0x1f4 __schedule+0x418/0xb80 schedule+0x5c/0x10c schedule_preempt_disabled+0x2c/0x48 __mutex_lock+0x238/0x488 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x50/0x74 clk_prepare_lock+0x7c/0x9c clk_core_prepare_lock+0x20/0x44 clk_prepare+0x24/0x30 clk_bulk_prepare+0x40/0xb0 mdss_runtime_resume+0x54/0x1c8 pm_generic_runtime_resume+0x30/0x44 __genpd_runtime_resume+0x68/0x7c genpd_runtime_resume+0x108/0x1f4 __rpm_callback+0x84/0x144 rpm_callback+0x30/0x88 rpm_resume+0x1f4/0x52c rpm_resume+0x178/0x52c __pm_runtime_resume+0x58/0x98 __device_attach+0xe0/0x170 device_initial_probe+0x1c/0x28 bus_probe_device+0x3c/0x9c device_add+0x644/0x814 mipi_dsi_device_register_full+0xe4/0x170 devm_mipi_dsi_device_register_full+0x28/0x70 ti_sn_bridge_probe+0x1dc/0x2c0 auxiliary_bus_probe+0x4c/0x94 really_probe+0xcc/0x2c8 __driver_probe_device+0xa8/0x130 driver_probe_device+0x48/0x110 __device_attach_driver+0xa4/0xcc bus_for_each_drv+0x8c/0xd8 __device_attach+0xf8/0x170 device_initial_probe+0x1c/0x28 bus_probe_device+0x3c/0x9c deferred_probe_work_func+0x9c/0xd8 process_one_work+0x148/0x518 worker_thread+0x138/0x350 kthread+0x138/0x1e0 ret_from_fork+0x10/0x20 The first thread is walking the clk tree and calling clk_pm_runtime_get() to power on devices required to read the clk hardware via struct clk_ops::is_enabled(). This thread holds the clk prepare_lock, and is trying to runtime PM resume a device, when it finds that the device is in the process of resuming so the thread schedule()s away waiting for the device to finish resuming before continuing. The second thread is runtime PM resuming the same device, but the runtime resume callback is calling clk_prepare(), trying to grab the prepare_lock waiting on the first thread. This is a classic ABBA deadlock. To properly fix the deadlock, we must never runtime PM resume or suspend a device with the clk prepare_lock held. Actually doing that is near impossible today because the global prepare_lock would have to be dropped in the middle of the tree, the device runtime PM resumed/suspended, and then the prepare_lock grabbed again to ensure consistency of the clk tree topology. If anything changes with the clk tree in the meantime, we've lost and will need to start the operation all over again. Luckily, most of the time we're simply incrementing or decrementing the runtime PM count on an active device, so we don't have the chance to schedule away with the prepare_lock held. Let's fix this immediate problem that can be ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27004.html
CVE-2024-27004
https://bugzilla.suse.com/1223762
SUSE Bug 1223762

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: nv04: Fix out of bounds access When Output Resource (dcb->or) value is assigned in fabricate_dcb_output(), there may be out of bounds access to dac_users array in case dcb->or is zero because ffs(dcb->or) is used as index there. The 'or' argument of fabricate_dcb_output() must be interpreted as a number of bit to set, not value. Utilize macros from 'enum nouveau_or' in calls instead of hardcoding. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27008.html
CVE-2024-27008
https://bugzilla.suse.com/1223802
SUSE Bug 1223802

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27012.html
CVE-2024-27012
https://bugzilla.suse.com/1223804
SUSE Bug 1223804

Описание

In the Linux kernel, the following vulnerability has been resolved: tun: limit printing rate when illegal packet received by tun dev vhost_worker will call tun call backs to receive packets. If too many illegal packets arrives, tun_do_read will keep dumping packet contents. When console is enabled, it will costs much more cpu time to dump packet and soft lockup will be detected. net_ratelimit mechanism can be used to limit the dumping rate. PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980" #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253 #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3 #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e #3 [fffffe00003fced0] do_nmi at ffffffff8922660d #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663 [exception RIP: io_serial_in+20] RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002 RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000 RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0 RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020 R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #5 [ffffa655314979e8] io_serial_in at ffffffff89792594 #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470 #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6 #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605 #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558 #10 [ffffa65531497ac8] console_unlock at ffffffff89316124 #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07 #12 [ffffa65531497b68] printk at ffffffff89318306 #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765 #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun] #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun] #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net] #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost] #18 [ffffa65531497f10] kthread at ffffffff892d2e72 #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27013.html
CVE-2024-27013
https://bugzilla.suse.com/1223745
SUSE Bug 1223745

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent deadlock while disabling aRFS When disabling aRFS under the `priv->state_lock`, any scheduled aRFS works are canceled using the `cancel_work_sync` function, which waits for the work to end if it has already started. However, while waiting for the work handler, the handler will try to acquire the `state_lock` which is already acquired. The worker acquires the lock to delete the rules if the state is down, which is not the worker's responsibility since disabling aRFS deletes the rules. Add an aRFS state variable, which indicates whether the aRFS is enabled and prevent adding rules when the aRFS is disabled. Kernel log: ====================================================== WARNING: possible circular locking dependency detected 6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I ------------------------------------------------------ ethtool/386089 is trying to acquire lock: ffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0 but task is already holding lock: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&priv->state_lock){+.+.}-{3:3}: __mutex_lock+0x80/0xc90 arfs_handle_work+0x4b/0x3b0 [mlx5_core] process_one_work+0x1dc/0x4a0 worker_thread+0x1bf/0x3c0 kthread+0xd7/0x100 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 -> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}: __lock_acquire+0x17b4/0x2c80 lock_acquire+0xd0/0x2b0 __flush_work+0x7a/0x4e0 __cancel_work_timer+0x131/0x1c0 arfs_del_rules+0x143/0x1e0 [mlx5_core] mlx5e_arfs_disable+0x1b/0x30 [mlx5_core] mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core] ethnl_set_channels+0x28f/0x3b0 ethnl_default_set_doit+0xec/0x240 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x188/0x2c0 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1a1/0x270 netlink_sendmsg+0x214/0x460 __sock_sendmsg+0x38/0x60 __sys_sendto+0x113/0x170 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x46/0x4e other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&priv->state_lock); lock((work_completion)(&rule->arfs_work)); lock(&priv->state_lock); lock((work_completion)(&rule->arfs_work)); *** DEADLOCK *** 3 locks held by ethtool/386089: #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240 #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core] stack backtrace: CPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x60/0xa0 check_noncircular+0x144/0x160 __lock_acquire+0x17b4/0x2c80 lock_acquire+0xd0/0x2b0 ? __flush_work+0x74/0x4e0 ? save_trace+0x3e/0x360 ? __flush_work+0x74/0x4e0 __flush_work+0x7a/0x4e0 ? __flush_work+0x74/0x4e0 ? __lock_acquire+0xa78/0x2c80 ? lock_acquire+0xd0/0x2b0 ? mark_held_locks+0x49/0x70 __cancel_work_timer+0x131/0x1c0 ? mark_held_locks+0x49/0x70 arfs_del_rules+0x143/0x1e0 [mlx5_core] mlx5e_arfs_disable+0x1b/0x30 [mlx5_core] mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core] ethnl_set_channels+0x28f/0x3b0 ethnl_default_set_doit+0xec/0x240 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x188/0x2c0 ? ethn ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27014.html
CVE-2024-27014
https://bugzilla.suse.com/1223735
SUSE Bug 1223735

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: incorrect pppoe tuple pppoe traffic reaching ingress path does not match the flowtable entry because the pppoe header is expected to be at the network header offset. This bug causes a mismatch in the flow table lookup, so pppoe packets enter the classical forwarding path.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27015.html
CVE-2024-27015
https://bugzilla.suse.com/1223806
SUSE Bug 1223806

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: validate pppoe header Ensure there is sufficient room to access the protocol field of the PPPoe header. Validate it once before the flowtable lookup, then use a helper function to access protocol field.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27016.html
CVE-2024-27016
https://bugzilla.suse.com/1223807
SUSE Bug 1223807

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27019.html
CVE-2024-27019
https://bugzilla.suse.com/1223813
SUSE Bug 1223813

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() nft_unregister_expr() can concurrent with __nft_expr_type_get(), and there is not any protection when iterate over nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is potential data-race of nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27020.html
CVE-2024-27020
https://bugzilla.suse.com/1223815
SUSE Bug 1223815

Описание

In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27022.html
CVE-2024-27022
https://bugzilla.suse.com/1223774
SUSE Bug 1223774

Описание

In the Linux kernel, the following vulnerability has been resolved: nbd: null check for nla_nest_start nla_nest_start() may fail and return NULL. Insert a check and set errno based on other call sites within the same source code.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27025.html
CVE-2024-27025
https://bugzilla.suse.com/1223778
SUSE Bug 1223778

Описание

In the Linux kernel, the following vulnerability has been resolved: dpll: fix dpll_xa_ref_*_del() for multiple registrations Currently, if there are multiple registrations of the same pin on the same dpll device, following warnings are observed: WARNING: CPU: 5 PID: 2212 at drivers/dpll/dpll_core.c:143 dpll_xa_ref_pin_del.isra.0+0x21e/0x230 WARNING: CPU: 5 PID: 2212 at drivers/dpll/dpll_core.c:223 __dpll_pin_unregister+0x2b3/0x2c0 The problem is, that in both dpll_xa_ref_dpll_del() and dpll_xa_ref_pin_del() registration is only removed from list in case the reference count drops to zero. That is wrong, the registration has to be removed always. To fix this, remove the registration from the list and free it unconditionally, instead of doing it only when the ref reference counter reaches zero.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27027.html
CVE-2024-27027
https://bugzilla.suse.com/1223787
SUSE Bug 1223787

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: spi-mt65xx: Fix NULL pointer access in interrupt handler The TX buffer in spi_transfer can be a NULL pointer, so the interrupt handler may end up writing to the invalid memory and cause crashes. Add a check to trans->tx_buf before using it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27028.html
CVE-2024-27028
https://bugzilla.suse.com/1223788
SUSE Bug 1223788

Описание

In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Use separate handlers for interrupts For PF to AF interrupt vector and VF to AF vector same interrupt handler is registered which is causing race condition. When two interrupts are raised to two CPUs at same time then two cores serve same event corrupting the data.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27030.html
CVE-2024-27030
https://bugzilla.suse.com/1223790
SUSE Bug 1223790

Описание

In the Linux kernel, the following vulnerability has been resolved: NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt The loop inside nfs_netfs_issue_read() currently does not disable interrupts while iterating through pages in the xarray to submit for NFS read. This is not safe though since after taking xa_lock, another page in the mapping could be processed for writeback inside an interrupt, and deadlock can occur. The fix is simple and clean if we use xa_for_each_range(), which handles the iteration with RCU while reducing code complexity. The problem is easily reproduced with the following test: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1 echo 3 > /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs On the console with a lockdep-enabled kernel a message similar to the following will be seen: ================================ WARNING: inconsistent lock state 6.7.0-lockdbg+ #10 Not tainted -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at: nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] {IN-SOFTIRQ-W} state was registered at: lock_acquire+0x144/0x380 _raw_spin_lock_irqsave+0x4e/0xa0 __folio_end_writeback+0x17e/0x5c0 folio_end_writeback+0x93/0x1b0 iomap_finish_ioend+0xeb/0x6a0 blk_update_request+0x204/0x7f0 blk_mq_end_request+0x30/0x1c0 blk_complete_reqs+0x7e/0xa0 __do_softirq+0x113/0x544 __irq_exit_rcu+0xfe/0x120 irq_exit_rcu+0xe/0x20 sysvec_call_function_single+0x6f/0x90 asm_sysvec_call_function_single+0x1a/0x20 pv_native_safe_halt+0xf/0x20 default_idle+0x9/0x20 default_idle_call+0x67/0xa0 do_idle+0x2b5/0x300 cpu_startup_entry+0x34/0x40 start_secondary+0x19d/0x1c0 secondary_startup_64_no_verify+0x18f/0x19b irq event stamp: 176891 hardirqs last enabled at (176891): [<ffffffffa67a0be4>] _raw_spin_unlock_irqrestore+0x44/0x60 hardirqs last disabled at (176890): [<ffffffffa67a0899>] _raw_spin_lock_irqsave+0x79/0xa0 softirqs last enabled at (176646): [<ffffffffa515d91e>] __irq_exit_rcu+0xfe/0x120 softirqs last disabled at (176633): [<ffffffffa515d91e>] __irq_exit_rcu+0xfe/0x120 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&xa->xa_lock#4); <Interrupt> lock(&xa->xa_lock#4); *** DEADLOCK *** 2 locks held by test5/1708: #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at: nfs_start_io_read+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_unbounded+0xa4/0x280 stack backtrace: CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Call Trace: dump_stack_lvl+0x5b/0x90 mark_lock+0xb3f/0xd20 __lock_acquire+0x77b/0x3360 _raw_spin_lock+0x34/0x80 nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] netfs_begin_read+0x77f/0x980 [netfs] nfs_netfs_readahead+0x45/0x60 [nfs] nfs_readahead+0x323/0x5a0 [nfs] read_pages+0xf3/0x5c0 page_cache_ra_unbounded+0x1c8/0x280 filemap_get_pages+0x38c/0xae0 filemap_read+0x206/0x5e0 nfs_file_read+0xb7/0x140 [nfs] vfs_read+0x2a9/0x460 ksys_read+0xb7/0x140

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27031.html
CVE-2024-27031
https://bugzilla.suse.com/1223805
SUSE Bug 1223805

Описание

In the Linux kernel, the following vulnerability has been resolved: nfp: flower: handle acti_netdevs allocation failure The kmalloc_array() in nfp_fl_lag_do_work() will return null, if the physical memory has run out. As a result, if we dereference the acti_netdevs, the null pointer dereference bugs will happen. This patch adds a check to judge whether allocation failure occurs. If it happens, the delayed work will be rescheduled and try again.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27046.html
CVE-2024-27046
https://bugzilla.suse.com/1223827
SUSE Bug 1223827

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: ensure offloading TID queue exists The resume code path assumes that the TX queue for the offloading TID has been configured. At resume time it then tries to sync the write pointer as it may have been updated by the firmware. In the unusual event that no packets have been send on TID 0, the queue will not have been allocated and this causes a crash. Fix this by ensuring the queue exist at suspend time.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27056.html
CVE-2024-27056
https://bugzilla.suse.com/1223822
SUSE Bug 1223822

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend When the system is suspended while audio is active, the sof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during suspend the DSP is turned off, streams will be re-started after resume. If the firmware crashes during while audio is running (or when we reset the stream before suspend) then the sof_ipc4_set_multi_pipeline_state() will fail with IPC error and the state change is interrupted. This will cause misalignment between the kernel and firmware state on next DSP boot resulting errors returned by firmware for IPC messages, eventually failing the audio resume. On stream close the errors are ignored so the kernel state will be corrected on the next DSP boot, so the second boot after the DSP panic. If sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then state parameter is SOF_IPC4_PIPE_RESET and only in this case. Treat a forced pipeline reset similarly to how we treat a pcm_free by ignoring error on state sending to allow the kernel's state to be consistent with the state the firmware will have after the next boot.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27057.html
CVE-2024-27057
https://bugzilla.suse.com/1223831
SUSE Bug 1223831

Описание

In the Linux kernel, the following vulnerability has been resolved: nouveau: lock the client object tree. It appears the client object tree has no locking unless I've missed something else. Fix races around adding/removing client objects, mostly vram bar mappings. 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI [ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27 [ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021 [ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau] [ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe [ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206 [ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58 [ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400 [ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000 [ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0 [ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007 [ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000 [ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0 [ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4562.099544] Call Trace: [ 4562.099555] <TASK> [ 4562.099573] ? die_addr+0x36/0x90 [ 4562.099583] ? exc_general_protection+0x246/0x4a0 [ 4562.099593] ? asm_exc_general_protection+0x26/0x30 [ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau] [ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau] [ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau] [ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau] [ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0 [ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm] [ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270 [ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau] [ 4562.100356] __do_fault+0x32/0x150 [ 4562.100362] do_fault+0x7c/0x560 [ 4562.100369] __handle_mm_fault+0x800/0xc10 [ 4562.100382] handle_mm_fault+0x17c/0x3e0 [ 4562.100388] do_user_addr_fault+0x208/0x860 [ 4562.100395] exc_page_fault+0x7f/0x200 [ 4562.100402] asm_exc_page_fault+0x26/0x30 [ 4562.100412] RIP: 0033:0x9b9870 [ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7 [ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246 [ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000 [ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066 [ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000 [ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff [ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 4562.100446] </TASK> [ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27062.html
CVE-2024-27062
https://bugzilla.suse.com/1223834
SUSE Bug 1223834

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix a memory leak in nf_tables_updchain If nft_netdev_register_hooks() fails, the memory associated with nft_stats is not freed, causing a memory leak. This patch fixes it by moving nft_stats_alloc() down after nft_netdev_register_hooks() succeeds.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27064.html
CVE-2024-27064
https://bugzilla.suse.com/1223740
SUSE Bug 1223740

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not compare internal table flags on updates Restore skipping transaction if table update does not modify flags.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27065.html
CVE-2024-27065
https://bugzilla.suse.com/1223836
SUSE Bug 1223836

Описание

In the Linux kernel, the following vulnerability has been resolved: xen/evtchn: avoid WARN() when unbinding an event channel When unbinding a user event channel, the related handler might be called a last time in case the kernel was built with CONFIG_DEBUG_SHIRQ. This might cause a WARN() in the handler. Avoid that by adding an "unbinding" flag to struct user_event which will short circuit the handler.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27067.html
CVE-2024-27067
https://bugzilla.suse.com/1223739
SUSE Bug 1223739

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when detecting delalloc ranges during fiemap For fiemap we recently stopped locking the target extent range for the whole duration of the fiemap call, in order to avoid a deadlock in a scenario where the fiemap buffer happens to be a memory mapped range of the same file. This use case is very unlikely to be useful in practice but it may be triggered by fuzz testing (syzbot, etc). This however introduced a race that makes us miss delalloc ranges for file regions that are currently holes, so the caller of fiemap will not be aware that there's data for some file regions. This can be quite serious for some use cases - for example in coreutils versions before 9.0, the cp program used fiemap to detect holes and data in the source file, copying only regions with data (extents or delalloc) from the source file to the destination file in order to preserve holes (see the documentation for its --sparse command line option). This means that if cp was used with a source file that had delalloc in a hole, the destination file could end up without that data, which is effectively a data loss issue, if it happened to hit the race described below. The race happens like this: 1) Fiemap is called, without the FIEMAP_FLAG_SYNC flag, for a file that has delalloc in the file range [64M, 65M[, which is currently a hole; 2) Fiemap locks the inode in shared mode, then starts iterating the inode's subvolume tree searching for file extent items, without having the whole fiemap target range locked in the inode's io tree - the change introduced recently by commit b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking"). It only locks ranges in the io tree when it finds a hole or prealloc extent since that commit; 3) Note that fiemap clones each leaf before using it, and this is to avoid deadlocks when locking a file range in the inode's io tree and the fiemap buffer is memory mapped to some file, because writing to the page with btrfs_page_mkwrite() will wait on any ordered extent for the page's range and the ordered extent needs to lock the range and may need to modify the same leaf, therefore leading to a deadlock on the leaf; 4) While iterating the file extent items in the cloned leaf before finding the hole in the range [64M, 65M[, the delalloc in that range is flushed and its ordered extent completes - meaning the corresponding file extent item is in the inode's subvolume tree, but not present in the cloned leaf that fiemap is iterating over; 5) When fiemap finds the hole in the [64M, 65M[ range by seeing the gap in the cloned leaf (or a file extent item with disk_bytenr == 0 in case the NO_HOLES feature is not enabled), it will lock that file range in the inode's io tree and then search for delalloc by checking for the EXTENT_DELALLOC bit in the io tree for that range and ordered extents (with btrfs_find_delalloc_in_range()). But it finds nothing since the delalloc in that range was already flushed and the ordered extent completed and is gone - as a result fiemap will not report that there's delalloc or an extent for the range [64M, 65M[, so user space will be mislead into thinking that there's a hole in that range. This could actually be sporadically triggered with test case generic/094 from fstests, which reports a missing extent/delalloc range like this: generic/094 2s ... - output mismatch (see /home/fdmanana/git/hub/xfstests/results//generic/094.out.bad) --- tests/generic/094.out 2020-06-10 19:29:03.830519425 +0100 +++ /home/fdmanana/git/hub/xfstests/results//generic/094.out.bad 2024-02-28 11:00:00.381071525 +0000 @@ -1,3 +1,9 @@ QA output created by 094 fiemap run with sync fiemap run without sync +ERROR: couldn't find extent at 7 +map is 'HHDDHPPDPHPH' +logical: [ 5.. 6] phys: ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27080.html
CVE-2024-27080
https://bugzilla.suse.com/1223782
SUSE Bug 1223782

Описание

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix some memleaks in gssx_dec_option_array The creds and oa->data need to be freed in the error-handling paths after their allocation. So this patch add these deallocations in the corresponding paths.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27388.html
CVE-2024-27388
https://bugzilla.suse.com/1223744
SUSE Bug 1223744

Описание

In the Linux kernel, the following vulnerability has been resolved: pstore: inode: Only d_invalidate() is needed Unloading a modular pstore backend with records in pstorefs would trigger the dput() double-drop warning: WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410 Using the combo of d_drop()/dput() (as mentioned in Documentation/filesystems/vfs.rst) isn't the right approach here, and leads to the reference counting problem seen above. Use d_invalidate() and update the code to not bother checking for error codes that can never happen. ---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27389.html
CVE-2024-27389
https://bugzilla.suse.com/1223705
SUSE Bug 1223705

Описание

In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Add missing skb_mark_for_recycle Notice that skb_mark_for_recycle() is introduced later than fixes tag in commit 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). It is believed that fixes tag were missing a call to page_pool_release_page() between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). Since v6.6 the call page_pool_release_page() were removed (in commit 535b9c61bdef ("net: page_pool: hide page_pool_release_page()") and remaining callers converted (in commit 6bfef2ec0172 ("Merge branch 'net-page_pool-remove-page_pool_release_page'")). This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch page_pool memory leaks").

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27393.html
CVE-2024-27393
https://bugzilla.suse.com/1224076
SUSE Bug 1224076

Описание

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix Use-After-Free in ovs_ct_exit Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal of ovs_ct_limit_exit, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27395.html
CVE-2024-27395
https://bugzilla.suse.com/1224098
SUSE Bug 1224098

Описание

In the Linux kernel, the following vulnerability has been resolved: net: gtp: Fix Use-After-Free in gtp_dellink Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal of gtp_dellink, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27396.html
CVE-2024-27396
https://bugzilla.suse.com/1224096
SUSE Bug 1224096

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout There is a race condition between l2cap_chan_timeout() and l2cap_chan_del(). When we use l2cap_chan_del() to delete the channel, the chan->conn will be set to null. But the conn could be dereferenced again in the mutex_lock() of l2cap_chan_timeout(). As a result the null pointer dereference bug will happen. The KASAN report triggered by POC is shown below: [ 472.074580] ================================================================== [ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0 [ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7 [ 472.075308] [ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.075308] Workqueue: events l2cap_chan_timeout [ 472.075308] Call Trace: [ 472.075308] <TASK> [ 472.075308] dump_stack_lvl+0x137/0x1a0 [ 472.075308] print_report+0x101/0x250 [ 472.075308] ? __virt_addr_valid+0x77/0x160 [ 472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_report+0x139/0x170 [ 472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_check_range+0x2c3/0x2e0 [ 472.075308] mutex_lock+0x68/0xc0 [ 472.075308] l2cap_chan_timeout+0x181/0x300 [ 472.075308] process_one_work+0x5d2/0xe00 [ 472.075308] worker_thread+0xe1d/0x1660 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [ 472.075308] kthread+0x2b7/0x350 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [ 472.075308] ? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork+0x4d/0x80 [ 472.075308] ? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork_asm+0x11/0x20 [ 472.075308] </TASK> [ 472.075308] ================================================================== [ 472.094860] Disabling lock debugging due to kernel taint [ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158 [ 472.096136] #PF: supervisor write access in kernel mode [ 472.096136] #PF: error_code(0x0002) - not-present page [ 472.096136] PGD 0 P4D 0 [ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI [ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.096136] Workqueue: events l2cap_chan_timeout [ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0 [ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 [ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 [ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 [ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 [ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f [ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 [ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00 [ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 [ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 [ 472.096136] Call Trace: [ 472.096136] <TASK> [ 472.096136] ? __die_body+0x8d/0xe0 [ 472.096136] ? page_fault_oops+0x6b8/0x9a0 [ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0 [ 472.096136] ? do_user_addr_fault+0x1027/0x1340 [ 472.096136] ? _printk+0x7a/0xa0 [ 472.096136] ? mutex_lock+0x68/0xc0 [ 472.096136] ? add_taint+0x42/0xd0 [ 472.096136] ? exc_page_fault+0x6a/0x1b0 [ 472.096136] ? asm_exc_page_fault+0x26/0x30 [ 472.096136] ? mutex_lock+0x75/0xc0 [ 472.096136] ? mutex_lock+0x88/0xc0 [ 472.096136] ? mutex_lock+0x75/0xc0 [ 472.096136] l2cap_chan_timeo ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27399.html
CVE-2024-27399
https://bugzilla.suse.com/1224177
SUSE Bug 1224177

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2 This reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap. The basic problem here is that after the move the old location is simply not available any more. Some fixes were suggested, but essentially we should call the move notification before actually moving things because only this way we have the correct order for DMA-buf and VM move notifications as well. Also rework the statistic handling so that we don't update the eviction counter before the move. v2: add missing NULL check

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27400.html
CVE-2024-27400
https://bugzilla.suse.com/1224180
SUSE Bug 1224180

Описание

In the Linux kernel, the following vulnerability has been resolved: firewire: nosy: ensure user_length is taken into account when fetching packet contents Ensure that packet_buffer_get respects the user_length provided. If the length of the head packet exceeds the user_length, packet_buffer_get will now return 0 to signify to the user that no data were read and a larger buffer size is required. Helps prevent user space overflows.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27401.html
CVE-2024-27401
https://bugzilla.suse.com/1224181
SUSE Bug 1224181

Описание

In the Linux kernel, the following vulnerability has been resolved: phonet/pep: fix racy skb_queue_empty() use The receive queues are protected by their respective spin-lock, not the socket lock. This could lead to skb_peek() unexpectedly returning NULL or a pointer to an already dequeued socket buffer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27402.html
CVE-2024-27402
https://bugzilla.suse.com/1224414
SUSE Bug 1224414

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data races on remote_id Similar to the previous patch, address the data race on remote_id, adding the suitable ONCE annotations.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27404.html
CVE-2024-27404
https://bugzilla.suse.com/1224422
SUSE Bug 1224422

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs It is observed sometimes when tethering is used over NCM with Windows 11 as host, at some instances, the gadget_giveback has one byte appended at the end of a proper NTB. When the NTB is parsed, unwrap call looks for any leftover bytes in SKB provided by u_ether and if there are any pending bytes, it treats them as a separate NTB and parses it. But in case the second NTB (as per unwrap call) is faulty/corrupt, all the datagrams that were parsed properly in the first NTB and saved in rx_list are dropped. Adding a few custom traces showed the following: [002] d..1 7828.532866: dwc3_gadget_giveback: ep1out: req 000000003868811a length 1025/16384 zsI ==> 0 [002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025 [002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10 [002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames In this case, the giveback is of 1025 bytes and block length is 1024. The rest 1 byte (which is 0x00) won't be parsed resulting in drop of all datagrams in rx_list. Same is case with packets of size 2048: [002] d..1 7828.557948: dwc3_gadget_giveback: ep1out: req 0000000011dfd96e length 2049/16384 zsI ==> 0 [002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 [002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800 Lecroy shows one byte coming in extra confirming that the byte is coming in from PC: Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590) - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590) --- Packet 4063861 Data(1024 bytes) Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590) --- Packet 4063863 Data(1 byte) Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722) According to Windows driver, no ZLP is needed if wBlockLength is non-zero, because the non-zero wBlockLength has already told the function side the size of transfer to be expected. However, there are in-market NCM devices that rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize. To deal with such devices, it pads an extra 0 at end so the transfer is no longer multiple of wMaxPacketSize.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27405.html
CVE-2024-27405
https://bugzilla.suse.com/1224423
SUSE Bug 1224423

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup The Linked list element and pointer are not stored in the same memory as the eDMA controller register. If the doorbell register is toggled before the full write of the linked list a race condition error will occur. In remote setup we can only use a readl to the memory to assure the full write has occurred.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27408.html
CVE-2024-27408
https://bugzilla.suse.com/1224430
SUSE Bug 1224430

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject iftype change with mesh ID change It's currently possible to change the mesh ID when the interface isn't yet in mesh mode, at the same time as changing it into mesh mode. This leads to an overwrite of data in the wdev->u union for the interface type it currently has, causing cfg80211_change_iface() to do wrong things when switching. We could probably allow setting an interface to mesh while setting the mesh ID at the same time by doing a different order of operations here, but realistically there's no userspace that's going to do this, so just disallow changes in iftype when setting mesh ID.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27410.html
CVE-2024-27410
https://bugzilla.suse.com/1224432
SUSE Bug 1224432

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: keep DMA buffers required for suspend/resume Nouveau deallocates a few buffers post GPU init which are required for GPU suspend/resume to function correctly. This is likely not as big an issue on systems where the NVGPU is the only GPU, but on multi-GPU set ups it leads to a regression where the kernel module errors and results in a system-wide rendering freeze. This commit addresses that regression by moving the two buffers required for suspend and resume to be deallocated at driver unload instead of post init.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27411.html
CVE-2024-27411
https://bugzilla.suse.com/1224433
SUSE Bug 1224433

Описание

In the Linux kernel, the following vulnerability has been resolved: power: supply: bq27xxx-i2c: Do not free non existing IRQ The bq27xxx i2c-client may not have an IRQ, in which case client->irq will be 0. bq27xxx_battery_i2c_probe() already has an if (client->irq) check wrapping the request_threaded_irq(). But bq27xxx_battery_i2c_remove() unconditionally calls free_irq(client->irq) leading to: [ 190.310742] ------------[ cut here ]------------ [ 190.310843] Trying to free already-free IRQ 0 [ 190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310 Followed by a backtrace when unbinding the driver. Add an if (client->irq) to bq27xxx_battery_i2c_remove() mirroring probe() to fix this.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27412.html
CVE-2024-27412
https://bugzilla.suse.com/1224437
SUSE Bug 1224437

Описание

In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect allocation size gcc-14 notices that the allocation with sizeof(void) on 32-bit architectures is not enough for a 64-bit phys_addr_t: drivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open': drivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size] 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL); | ^ Use the correct type instead here.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27413.html
CVE-2024-27413
https://bugzilla.suse.com/1224438
SUSE Bug 1224438
https://bugzilla.suse.com/1225315
SUSE Bug 1225315

Описание

In the Linux kernel, the following vulnerability has been resolved: rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic in the function `rtnl_bridge_setlink` to enable the loop to also check the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment removed the `break` statement and led to an error logic of the flags writing back at the end of this function. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!! Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. However, this is not necessarily true fow now as the updated loop will let the attr point to the last NLA, even an invalid NLA which could cause overflow writes. This patch introduces a new variable `br_flag` to save the NLA pointer that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned error logic.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27414.html
CVE-2024-27414
https://bugzilla.suse.com/1224439
SUSE Bug 1224439

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST If we received HCI_EV_IO_CAPA_REQUEST while HCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote does support SSP since otherwise this event shouldn't be generated.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27416.html
CVE-2024-27416
https://bugzilla.suse.com/1224723
SUSE Bug 1224723

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() It seems that if userspace provides a correct IFA_TARGET_NETNSID value but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr() returns -EINVAL with an elevated "struct net" refcount.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27417.html
CVE-2024-27417
https://bugzilla.suse.com/1224721
SUSE Bug 1224721

Описание

In the Linux kernel, the following vulnerability has been resolved: net: mctp: take ownership of skb in mctp_local_output Currently, mctp_local_output only takes ownership of skb on success, and we may leak an skb if mctp_local_output fails in specific states; the skb ownership isn't transferred until the actual output routing occurs. Instead, make mctp_local_output free the skb on all error paths up to the route action, so it always consumes the passed skb.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27418.html
CVE-2024-27418
https://bugzilla.suse.com/1224720
SUSE Bug 1224720

Описание

In the Linux kernel, the following vulnerability has been resolved: netrom: Fix data-races around sysctl_net_busy_read We need to protect the reader reading the sysctl value because the value can be changed concurrently.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27419.html
CVE-2024-27419
https://bugzilla.suse.com/1224759
SUSE Bug 1224759

Описание

In the Linux kernel, the following vulnerability has been resolved: cpumap: Zero-initialise xdp_rxq_info struct before running XDP program When running an XDP program that is attached to a cpumap entry, we don't initialise the xdp_rxq_info data structure being used in the xdp_buff that backs the XDP program invocation. Tobias noticed that this leads to random values being returned as the xdp_md->rx_queue_index value for XDP programs running in a cpumap. This means we're basically returning the contents of the uninitialised memory, which is bad. Fix this by zero-initialising the rxq data structure before running the XDP program.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27431.html
CVE-2024-27431
https://bugzilla.suse.com/1224718
SUSE Bug 1224718

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix PPE hanging issue A patch to resolve an issue was found in MediaTek's GPL-licensed SDK: In the mtk_ppe_stop() function, the PPE scan mode is not disabled before disabling the PPE. This can potentially lead to a hang during the process of disabling the PPE. Without this patch, the PPE may experience a hang during the reboot test.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27432.html
CVE-2024-27432
https://bugzilla.suse.com/1224716
SUSE Bug 1224716

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't set the MFP flag for the GTK The firmware doesn't need the MFP flag for the GTK, it can even make the firmware crash. in case the AP is configured with: group cipher TKIP and MFPC. We would send the GTK with cipher = TKIP and MFP which is of course not possible.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27434.html
CVE-2024-27434
https://bugzilla.suse.com/1224710
SUSE Bug 1224710

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme: fix reconnection fail due to reserved tag allocation We found a issue on production environment while using NVMe over RDMA, admin_q reconnect failed forever while remote target and network is ok. After dig into it, we found it may caused by a ABBA deadlock due to tag allocation. In my case, the tag was hold by a keep alive request waiting inside admin_q, as we quiesced admin_q while reset ctrl, so the request maked as idle and will not process before reset success. As fabric_q shares tagset with admin_q, while reconnect remote target, we need a tag for connect command, but the only one reserved tag was held by keep alive command which waiting inside admin_q. As a result, we failed to reconnect admin_q forever. In order to fix this issue, I think we should keep two reserved tags for admin queue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27435.html
CVE-2024-27435
https://bugzilla.suse.com/1224717
SUSE Bug 1224717

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Stop parsing channels bits when all channels are found. If a usb audio device sets more bits than the amount of channels it could write outside of the map array.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27436.html
CVE-2024-27436
https://bugzilla.suse.com/1224803
SUSE Bug 1224803

Описание

In the Linux kernel, the following vulnerability has been resolved: efi: libstub: only free priv.runtime_map when allocated priv.runtime_map is only allocated when efi_novamap is not set. Otherwise, it is an uninitialized value. In the error path, it is freed unconditionally. Avoid passing an uninitialized value to free_pool. Free priv.runtime_map only when it was allocated. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-33619.html
CVE-2024-33619
https://bugzilla.suse.com/1226768
SUSE Bug 1226768

Описание

In the Linux kernel, the following vulnerability has been resolved: dma-mapping: benchmark: fix node id validation While validating node ids in map_benchmark_ioctl(), node_possible() may be provided with invalid argument outside of [0,MAX_NUMNODES-1] range leading to: BUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214) Read of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971 CPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) kasan_report (mm/kasan/report.c:603) kasan_check_range (mm/kasan/generic.c:189) variable_test_bit (arch/x86/include/asm/bitops.h:227) [inline] arch_test_bit (arch/x86/include/asm/bitops.h:239) [inline] _test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline] node_state (include/linux/nodemask.h:423) [inline] map_benchmark_ioctl (kernel/dma/map_benchmark.c:214) full_proxy_unlocked_ioctl (fs/debugfs/file.c:333) __x64_sys_ioctl (fs/ioctl.c:890) do_syscall_64 (arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Compare node ids with sane bounds first. NUMA_NO_NODE is considered a special valid case meaning that benchmarking kthreads won't be bound to a cpuset of a given node. Found by Linux Verification Center (linuxtesting.org).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-34777.html
CVE-2024-34777
https://bugzilla.suse.com/1226796
SUSE Bug 1226796

Описание

In the Linux kernel, the following vulnerability has been resolved: fpga: region: add owner module and take its refcount The current implementation of the fpga region assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the region during programming if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_region struct and use it to take the module's refcount. Modify the functions for registering a region to take an additional owner module parameter and rename them to avoid conflicts. Use the old function names for helper macros that automatically set the module that registers the region as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a region without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga region.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35247.html
CVE-2024-35247
https://bugzilla.suse.com/1226948
SUSE Bug 1226948

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock with fiemap and extent locking While working on the patchset to remove extent locking I got a lockdep splat with fiemap and pagefaulting with my new extent lock replacement lock. This deadlock exists with our normal code, we just don't have lockdep annotations with the extent locking so we've never noticed it. Since we're copying the fiemap extent to user space on every iteration we have the chance of pagefaulting. Because we hold the extent lock for the entire range we could mkwrite into a range in the file that we have mmap'ed. This would deadlock with the following stack trace [<0>] lock_extent+0x28d/0x2f0 [<0>] btrfs_page_mkwrite+0x273/0x8a0 [<0>] do_page_mkwrite+0x50/0xb0 [<0>] do_fault+0xc1/0x7b0 [<0>] __handle_mm_fault+0x2fa/0x460 [<0>] handle_mm_fault+0xa4/0x330 [<0>] do_user_addr_fault+0x1f4/0x800 [<0>] exc_page_fault+0x7c/0x1e0 [<0>] asm_exc_page_fault+0x26/0x30 [<0>] rep_movs_alternative+0x33/0x70 [<0>] _copy_to_user+0x49/0x70 [<0>] fiemap_fill_next_extent+0xc8/0x120 [<0>] emit_fiemap_extent+0x4d/0xa0 [<0>] extent_fiemap+0x7f8/0xad0 [<0>] btrfs_fiemap+0x49/0x80 [<0>] __x64_sys_ioctl+0x3e1/0xb50 [<0>] do_syscall_64+0x94/0x1a0 [<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 I wrote an fstest to reproduce this deadlock without my replacement lock and verified that the deadlock exists with our existing locking. To fix this simply don't take the extent lock for the entire duration of the fiemap. This is safe in general because we keep track of where we are when we're searching the tree, so if an ordered extent updates in the middle of our fiemap call we'll still emit the correct extents because we know what offset we were on before. The only place we maintain the lock is searching delalloc. Since the delalloc stuff can change during writeback we want to lock the extent range so we have a consistent view of delalloc at the time we're checking to see if we need to set the delalloc flag. With this patch applied we no longer deadlock with my testcase.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35784.html
CVE-2024-35784
https://bugzilla.suse.com/1224804
SUSE Bug 1224804

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix stale locked mutex in nouveau_gem_ioctl_pushbuf If VM_BIND is enabled on the client the legacy submission ioctl can't be used, however if a client tries to do so regardless it will return an error. In this case the clients mutex remained unlocked leading to a deadlock inside nouveau_drm_postclose or any other nouveau ioctl call.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35786.html
CVE-2024-35786
https://bugzilla.suse.com/1224714
SUSE Bug 1224714

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix bounds check for dcn35 DcfClocks [Why] NumFclkLevelsEnabled is used for DcfClocks bounds check instead of designated NumDcfClkLevelsEnabled. That can cause array index out-of-bounds access. [How] Use designated variable for dcn35 DcfClocks bounds check.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35788.html
CVE-2024-35788
https://bugzilla.suse.com/1224709
SUSE Bug 1224709

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes When moving a station out of a VLAN and deleting the VLAN afterwards, the fast_rx entry still holds a pointer to the VLAN's netdev, which can cause use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx after the VLAN change.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35789.html
CVE-2024-35789
https://bugzilla.suse.com/1224749
SUSE Bug 1224749
https://bugzilla.suse.com/1227320
SUSE Bug 1227320

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group The DisplayPort driver's sysfs nodes may be present to the userspace before typec_altmode_set_drvdata() completes in dp_altmode_probe. This means that a sysfs read can trigger a NULL pointer error by deferencing dp->hpd in hpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns NULL in those cases. Remove manual sysfs node creation in favor of adding attribute group as default for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is not used here otherwise the path to the sysfs nodes is no longer compliant with the ABI.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35790.html
CVE-2024-35790
https://bugzilla.suse.com/1224712
SUSE Bug 1224712

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35791.html
CVE-2024-35791
https://bugzilla.suse.com/1224725
SUSE Bug 1224725

Описание

In the Linux kernel, the following vulnerability has been resolved: dm-raid: really frozen sync_thread during suspend 1) commit f52f5c71f3d4 ("md: fix stopping sync thread") remove MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that dm-raid relies on __md_stop_writes() to frozen sync_thread indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in md_stop_writes(), and since stop_sync_thread() is only used for dm-raid in this case, also move stop_sync_thread() to md_stop_writes(). 2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen, it only prevent new sync_thread to start, and it can't stop the running sync thread; In order to frozen sync_thread, after seting the flag, stop_sync_thread() should be used. 3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use it as condition for md_stop_writes() in raid_postsuspend() doesn't look correct. Consider that reentrant stop_sync_thread() do nothing, always call md_stop_writes() in raid_postsuspend(). 4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime, and if MD_RECOVERY_FROZEN is cleared while the array is suspended, new sync_thread can start unexpected. Fix this by disallow raid_message() to change sync_thread status during suspend. Note that after commit f52f5c71f3d4 ("md: fix stopping sync thread"), the test shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(), and with previous fixes, the test won't hang there anymore, however, the test will still fail and complain that ext4 is corrupted. And with this patch, the test won't hang due to stop_sync_thread() or fail due to ext4 is corrupted anymore. However, there is still a deadlock related to dm-raid456 that will be fixed in following patches.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35794.html
CVE-2024-35794
https://bugzilla.suse.com/1224706
SUSE Bug 1224706

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix deadlock while reading mqd from debugfs An errant disk backup on my desktop got into debugfs and triggered the following deadlock scenario in the amdgpu debugfs files. The machine also hard-resets immediately after those lines are printed (although I wasn't able to reproduce that part when reading by hand): [ 1318.016074][ T1082] ====================================================== [ 1318.016607][ T1082] WARNING: possible circular locking dependency detected [ 1318.017107][ T1082] 6.8.0-rc7-00015-ge0c8221b72c0 #17 Not tainted [ 1318.017598][ T1082] ------------------------------------------------------ [ 1318.018096][ T1082] tar/1082 is trying to acquire lock: [ 1318.018585][ T1082] ffff98c44175d6a0 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0x40/0x80 [ 1318.019084][ T1082] [ 1318.019084][ T1082] but task is already holding lock: [ 1318.020052][ T1082] ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu] [ 1318.020607][ T1082] [ 1318.020607][ T1082] which lock already depends on the new lock. [ 1318.020607][ T1082] [ 1318.022081][ T1082] [ 1318.022081][ T1082] the existing dependency chain (in reverse order) is: [ 1318.023083][ T1082] [ 1318.023083][ T1082] -> #2 (reservation_ww_class_mutex){+.+.}-{3:3}: [ 1318.024114][ T1082] __ww_mutex_lock.constprop.0+0xe0/0x12f0 [ 1318.024639][ T1082] ww_mutex_lock+0x32/0x90 [ 1318.025161][ T1082] dma_resv_lockdep+0x18a/0x330 [ 1318.025683][ T1082] do_one_initcall+0x6a/0x350 [ 1318.026210][ T1082] kernel_init_freeable+0x1a3/0x310 [ 1318.026728][ T1082] kernel_init+0x15/0x1a0 [ 1318.027242][ T1082] ret_from_fork+0x2c/0x40 [ 1318.027759][ T1082] ret_from_fork_asm+0x11/0x20 [ 1318.028281][ T1082] [ 1318.028281][ T1082] -> #1 (reservation_ww_class_acquire){+.+.}-{0:0}: [ 1318.029297][ T1082] dma_resv_lockdep+0x16c/0x330 [ 1318.029790][ T1082] do_one_initcall+0x6a/0x350 [ 1318.030263][ T1082] kernel_init_freeable+0x1a3/0x310 [ 1318.030722][ T1082] kernel_init+0x15/0x1a0 [ 1318.031168][ T1082] ret_from_fork+0x2c/0x40 [ 1318.031598][ T1082] ret_from_fork_asm+0x11/0x20 [ 1318.032011][ T1082] [ 1318.032011][ T1082] -> #0 (&mm->mmap_lock){++++}-{3:3}: [ 1318.032778][ T1082] __lock_acquire+0x14bf/0x2680 [ 1318.033141][ T1082] lock_acquire+0xcd/0x2c0 [ 1318.033487][ T1082] __might_fault+0x58/0x80 [ 1318.033814][ T1082] amdgpu_debugfs_mqd_read+0x103/0x250 [amdgpu] [ 1318.034181][ T1082] full_proxy_read+0x55/0x80 [ 1318.034487][ T1082] vfs_read+0xa7/0x360 [ 1318.034788][ T1082] ksys_read+0x70/0xf0 [ 1318.035085][ T1082] do_syscall_64+0x94/0x180 [ 1318.035375][ T1082] entry_SYSCALL_64_after_hwframe+0x46/0x4e [ 1318.035664][ T1082] [ 1318.035664][ T1082] other info that might help us debug this: [ 1318.035664][ T1082] [ 1318.036487][ T1082] Chain exists of: [ 1318.036487][ T1082] &mm->mmap_lock --> reservation_ww_class_acquire --> reservation_ww_class_mutex [ 1318.036487][ T1082] [ 1318.037310][ T1082] Possible unsafe locking scenario: [ 1318.037310][ T1082] [ 1318.037838][ T1082] CPU0 CPU1 [ 1318.038101][ T1082] ---- ---- [ 1318.038350][ T1082] lock(reservation_ww_class_mutex); [ 1318.038590][ T1082] lock(reservation_ww_class_acquire); [ 1318.038839][ T1082] lock(reservation_ww_class_mutex); [ 1318.039083][ T1082] rlock(&mm->mmap_lock); [ 1318.039328][ T1082] [ 1318.039328][ T1082] *** DEADLOCK *** [ 1318.039328][ T1082] [ 1318.040029][ T1082] 1 lock held by tar/1082: [ 1318.040259][ T1082] #0: ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu] [ 1318.040560][ T1082] [ 1318.040560][ T1082] stack backtrace: [ ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35795.html
CVE-2024-35795
https://bugzilla.suse.com/1224634
SUSE Bug 1224634

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ll_temac: platform_get_resource replaced by wrong function The function platform_get_resource was replaced with devm_platform_ioremap_resource_byname and is called using 0 as name. This eventually ends up in platform_get_resource_byname in the call stack, where it causes a null pointer in strcmp. if (type == resource_type(r) && !strcmp(r->name, name)) It should have been replaced with devm_platform_ioremap_resource.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35796.html
CVE-2024-35796
https://bugzilla.suse.com/1224615
SUSE Bug 1224615

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Prevent crash when disable stream [Why] Disabling stream encoder invokes a function that no longer exists. [How] Check if the function declaration is NULL in disable stream encoder.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35799.html
CVE-2024-35799
https://bugzilla.suse.com/1224740
SUSE Bug 1224740

Описание

In the Linux kernel, the following vulnerability has been resolved: efi: fix panic in kdump kernel Check if get_next_variable() is actually valid pointer before calling it. In kdump kernel this method is set to NULL that causes panic during the kexec-ed kernel boot. Tested with QEMU and OVMF firmware.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35800.html
CVE-2024-35800
https://bugzilla.suse.com/1224507
SUSE Bug 1224507

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD Commit 672365477ae8 ("x86/fpu: Update XFD state where required") and commit 8bf26758ca96 ("x86/fpu: Add XFD state to fpstate") introduced a per CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in order to avoid unnecessary writes to the MSR. On CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which wipes out any stale state. But the per CPU cached xfd value is not reset, which brings them out of sync. As a consequence a subsequent xfd_update_state() might fail to update the MSR which in turn can result in XRSTOR raising a #NM in kernel space, which crashes the kernel. To fix this, introduce xfd_set_state() to write xfd_state together with MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35801.html
CVE-2024-35801
https://bugzilla.suse.com/1224732
SUSE Bug 1224732

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/efistub: Call mixed mode boot services on the firmware's stack Normally, the EFI stub calls into the EFI boot services using the stack that was live when the stub was entered. According to the UEFI spec, this stack needs to be at least 128k in size - this might seem large but all asynchronous processing and event handling in EFI runs from the same stack and so quite a lot of space may be used in practice. In mixed mode, the situation is a bit different: the bootloader calls the 32-bit EFI stub entry point, which calls the decompressor's 32-bit entry point, where the boot stack is set up, using a fixed allocation of 16k. This stack is still in use when the EFI stub is started in 64-bit mode, and so all calls back into the EFI firmware will be using the decompressor's limited boot stack. Due to the placement of the boot stack right after the boot heap, any stack overruns have gone unnoticed. However, commit 5c4feadb0011983b ("x86/decompressor: Move global symbol references to C code") moved the definition of the boot heap into C code, and now the boot stack is placed right at the base of BSS, where any overruns will corrupt the end of the .data section. While it would be possible to work around this by increasing the size of the boot stack, doing so would affect all x86 systems, and mixed mode systems are a tiny (and shrinking) fraction of the x86 installed base. So instead, record the firmware stack pointer value when entering from the 32-bit firmware, and switch to this stack every time a EFI boot service call is made.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35803.html
CVE-2024-35803
https://bugzilla.suse.com/1224742
SUSE Bug 1224742
https://bugzilla.suse.com/1225314
SUSE Bug 1225314

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Mark target gfn of emulated atomic instruction as dirty When emulating an atomic access on behalf of the guest, mark the target gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This fixes a bug where KVM effectively corrupts guest memory during live migration by writing to guest memory without informing userspace that the page is dirty. Marking the page dirty got unintentionally dropped when KVM's emulated CMPXCHG was converted to do a user access. Before that, KVM explicitly mapped the guest page into kernel memory, and marked the page dirty during the unmap phase. Mark the page dirty even if the CMPXCHG fails, as the old data is written back on failure, i.e. the page is still written. The value written is guaranteed to be the same because the operation is atomic, but KVM's ABI is that all writes are dirty logged regardless of the value written. And more importantly, that's what KVM did before the buggy commit. Huge kudos to the folks on the Cc list (and many others), who did all the actual work of triaging and debugging. base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35804.html
CVE-2024-35804
https://bugzilla.suse.com/1224638
SUSE Bug 1224638

Описание

In the Linux kernel, the following vulnerability has been resolved: dm snapshot: fix lockup in dm_exception_table_exit There was reported lockup when we exit a snapshot with many exceptions. Fix this by adding "cond_resched" to the loop that frees the exceptions.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35805.html
CVE-2024-35805
https://bugzilla.suse.com/1224743
SUSE Bug 1224743

Описание

In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: Always disable interrupts when taking cgr_lock smp_call_function_single disables IRQs when executing the callback. To prevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere. This is already done by qman_update_cgr and qman_delete_cgr; fix the other lockers.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35806.html
CVE-2024-35806
https://bugzilla.suse.com/1224699
SUSE Bug 1224699

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption: dev=/dev/<some_dev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs $dev $((2*2**21)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test 2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group. The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35807.html
CVE-2024-35807
https://bugzilla.suse.com/1224735
SUSE Bug 1224735

Описание

In the Linux kernel, the following vulnerability has been resolved: md/dm-raid: don't call md_reap_sync_thread() directly Currently md_reap_sync_thread() is called from raid_message() directly without holding 'reconfig_mutex', this is definitely unsafe because md_reap_sync_thread() can change many fields that is protected by 'reconfig_mutex'. However, hold 'reconfig_mutex' here is still problematic because this will cause deadlock, for example, commit 130443d60b1b ("md: refactor idle/frozen_sync_thread() to fix deadlock"). Fix this problem by using stop_sync_thread() to unregister sync_thread, like md/raid did.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35808.html
CVE-2024-35808
https://bugzilla.suse.com/1224623
SUSE Bug 1224623

Описание

In the Linux kernel, the following vulnerability has been resolved: PCI/PM: Drain runtime-idle callbacks before driver removal A race condition between the .runtime_idle() callback and the .remove() callback in the rtsx_pcr PCI driver leads to a kernel crash due to an unhandled page fault [1]. The problem is that rtsx_pci_runtime_idle() is not expected to be running after pm_runtime_get_sync() has been called, but the latter doesn't really guarantee that. It only guarantees that the suspend and resume callbacks will not be running when it returns. However, if a .runtime_idle() callback is already running when pm_runtime_get_sync() is called, the latter will notice that the runtime PM status of the device is RPM_ACTIVE and it will return right away without waiting for the former to complete. In fact, it cannot wait for .runtime_idle() to complete because it may be called from that callback (it arguably does not make much sense to do that, but it is not strictly prohibited). Thus in general, whoever is providing a .runtime_idle() callback needs to protect it from running in parallel with whatever code runs after pm_runtime_get_sync(). [Note that .runtime_idle() will not start after pm_runtime_get_sync() has returned, but it may continue running then if it has started earlier.] One way to address that race condition is to call pm_runtime_barrier() after pm_runtime_get_sync() (not before it, because a nonzero value of the runtime PM usage counter is necessary to prevent runtime PM callbacks from being invoked) to wait for the .runtime_idle() callback to complete should it be running at that point. A suitable place for doing that is in pci_device_remove() which calls pm_runtime_get_sync() before removing the driver, so it may as well call pm_runtime_barrier() subsequently, which will prevent the race in question from occurring, not just in the rtsx_pcr driver, but in any PCI drivers providing .runtime_idle() callbacks.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35809.html
CVE-2024-35809
https://bugzilla.suse.com/1224738
SUSE Bug 1224738

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix the lifetime of the bo cursor memory The cleanup can be dispatched while the atomic update is still active, which means that the memory acquired in the atomic update needs to not be invalidated by the cleanup. The buffer objects in vmw_plane_state instead of using the builtin map_and_cache were trying to handle the lifetime of the mapped memory themselves, leading to crashes. Use the map_and_cache instead of trying to manage the lifetime of the buffer objects held by the vmw_plane_state. Fixes kernel oops'es in IGT's kms_cursor_legacy forked-bo.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35810.html
CVE-2024-35810
https://bugzilla.suse.com/1224626
SUSE Bug 1224626

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233 In brcm80211 driver,it starts with the following invoking chain to start init a timeout worker: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker); If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is : brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); While the timeout woker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach. [arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35811.html
CVE-2024-35811
https://bugzilla.suse.com/1224592
SUSE Bug 1224592

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35812.html
CVE-2024-35812
https://bugzilla.suse.com/1224624
SUSE Bug 1224624

Описание

In the Linux kernel, the following vulnerability has been resolved: mmc: core: Avoid negative index with array access Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") assigns prev_idata = idatas[i - 1], but doesn't check that the iterator i is greater than zero. Let's fix this by adding a check.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35813.html
CVE-2024-35813
https://bugzilla.suse.com/1224618
SUSE Bug 1224618

Описание

In the Linux kernel, the following vulnerability has been resolved: swiotlb: Fix double-allocation of slots due to broken alignment handling Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool. When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer: # Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800) This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page. Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page. This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35814.html
CVE-2024-35814
https://bugzilla.suse.com/1224602
SUSE Bug 1224602

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion The first kiocb_set_cancel_fn() argument may point at a struct kiocb that is not embedded inside struct aio_kiocb. With the current code, depending on the compiler, the req->ki_ctx read happens either before the IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such that it is guaranteed that the IOCB_AIO_RW test happens first.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35815.html
CVE-2024-35815
https://bugzilla.suse.com/1224685
SUSE Bug 1224685

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag Otherwise after the GTT bo is released, the GTT and gart space is freed but amdgpu_ttm_backend_unbind will not clear the gart page table entry and leave valid mapping entry pointing to the stale system page. Then if GPU access the gart address mistakely, it will read undefined value instead page fault, harder to debug and reproduce the real issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35817.html
CVE-2024-35817
https://bugzilla.suse.com/1224736
SUSE Bug 1224736
https://bugzilla.suse.com/1225313
SUSE Bug 1225313

Описание

In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: Use raw spinlock for cgr_lock smp_call_function always runs its callback in hard IRQ context, even on PREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock for cgr_lock to ensure we aren't waiting on a sleeping task. Although this bug has existed for a while, it was not apparent until commit ef2a8d5478b9 ("net: dpaa: Adjust queue depth on rate change") which invokes smp_call_function_single via qman_update_cgr_safe every time a link goes up or down.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35819.html
CVE-2024-35819
https://bugzilla.suse.com/1224683
SUSE Bug 1224683

Описание

In the Linux kernel, the following vulnerability has been resolved: ubifs: Set page uptodate in the correct place Page cache reads are lockless, so setting the freshly allocated page uptodate before we've overwritten it with the data it's supposed to have in it will allow a simultaneous reader to see old data. Move the call to SetPageUptodate into ubifs_write_end(), which is after we copied the new data into the page.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35821.html
CVE-2024-35821
https://bugzilla.suse.com/1224629
SUSE Bug 1224629

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: udc: remove warning when queue disabled ep It is possible trigger below warning message from mass storage function, WARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104 pc : usb_ep_queue+0x7c/0x104 lr : fsg_main_thread+0x494/0x1b3c Root cause is mass storage function try to queue request from main thread, but other thread may already disable ep when function disable. As there is no function failure in the driver, in order to avoid effort to fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35822.html
CVE-2024-35822
https://bugzilla.suse.com/1224739
SUSE Bug 1224739

Описание

In the Linux kernel, the following vulnerability has been resolved: vt: fix unicode buffer corruption when deleting characters This is the same issue that was fixed for the VGA text buffer in commit 39cdb68c64d8 ("vt: fix memory overlapping when deleting chars in the buffer"). The cure is also the same i.e. replace memcpy() with memmove() due to the overlaping buffers.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35823.html
CVE-2024-35823
https://bugzilla.suse.com/1224692
SUSE Bug 1224692

Описание

In the Linux kernel, the following vulnerability has been resolved: misc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume When not configured for wakeup lis3lv02d_i2c_suspend() will call lis3lv02d_poweroff() even if the device has already been turned off by the runtime-suspend handler and if configured for wakeup and the device is runtime-suspended at this point then it is not turned back on to serve as a wakeup source. Before commit b1b9f7a49440 ("misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback"), lis3lv02d_poweroff() failed to disable the regulators which as a side effect made calling poweroff() twice ok. Now that poweroff() correctly disables the regulators, doing this twice triggers a WARN() in the regulator core: unbalanced disables for regulator-dummy WARNING: CPU: 1 PID: 92 at drivers/regulator/core.c:2999 _regulator_disable ... Fix lis3lv02d_i2c_suspend() to not call poweroff() a second time if already runtime-suspended and add a poweron() call when necessary to make wakeup work. lis3lv02d_i2c_resume() has similar issues, with an added weirness that it always powers on the device if it is runtime suspended, after which the first runtime-resume will call poweron() again, causing the enabled count for the regulator to increase by 1 every suspend/resume. These unbalanced regulator_enable() calls cause the regulator to never be turned off and trigger the following WARN() on driver unbind: WARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put Fix this by making lis3lv02d_i2c_resume() mirror the new suspend().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35824.html
CVE-2024-35824
https://bugzilla.suse.com/1224609
SUSE Bug 1224609

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Fix handling of zero block length packets While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX set to 65536, it has been observed that we receive short packets, which come at interval of 5-10 seconds sometimes and have block length zero but still contain 1-2 valid datagrams present. According to the NCM spec: "If wBlockLength = 0x0000, the block is terminated by a short packet. In this case, the USB transfer must still be shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If exactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent, and the size is a multiple of wMaxPacketSize for the given pipe, then no ZLP shall be sent. wBlockLength= 0x0000 must be used with extreme care, because of the possibility that the host and device may get out of sync, and because of test issues. wBlockLength = 0x0000 allows the sender to reduce latency by starting to send a very large NTB, and then shortening it when the sender discovers that there's not sufficient data to justify sending a large NTB" However, there is a potential issue with the current implementation, as it checks for the occurrence of multiple NTBs in a single giveback by verifying if the leftover bytes to be processed is zero or not. If the block length reads zero, we would process the same NTB infintely because the leftover bytes is never zero and it leads to a crash. Fix this by bailing out if block length reads zero.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35825.html
CVE-2024-35825
https://bugzilla.suse.com/1224681
SUSE Bug 1224681

Описание

In the Linux kernel, the following vulnerability has been resolved: io_uring/net: fix overflow check in io_recvmsg_mshot_prep() The "controllen" variable is type size_t (unsigned long). Casting it to int could lead to an integer underflow. The check_add_overflow() function considers the type of the destination which is type int. If we add two positive values and the result cannot fit in an integer then that's counted as an overflow. However, if we cast "controllen" to an int and it turns negative, then negative values *can* fit into an int type so there is no overflow. Good: 100 + (unsigned long)-4 = 96 <-- overflow Bad: 100 + (int)-4 = 96 <-- no overflow I deleted the cast of the sizeof() as well. That's not a bug but the cast is unnecessary.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35827.html
CVE-2024-35827
https://bugzilla.suse.com/1224606
SUSE Bug 1224606

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer() In the for statement of lbs_allocate_cmd_buffer(), if the allocation of cmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to be freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35828.html
CVE-2024-35828
https://bugzilla.suse.com/1224622
SUSE Bug 1224622

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/lima: fix a memleak in lima_heap_alloc When lima_vm_map_bo fails, the resources need to be deallocated, or there will be memleaks.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35829.html
CVE-2024-35829
https://bugzilla.suse.com/1224707
SUSE Bug 1224707

Описание

In the Linux kernel, the following vulnerability has been resolved: media: tc358743: register v4l2 async device only after successful setup Ensure the device has been setup correctly before registering the v4l2 async device, thus allowing userspace to access.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35830.html
CVE-2024-35830
https://bugzilla.suse.com/1224680
SUSE Bug 1224680

Описание

In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix release of pinned pages when __io_uaddr_map fails Looking at the error path of __io_uaddr_map, if we fail after pinning the pages for any reasons, ret will be set to -EINVAL and the error handler won't properly release the pinned pages. I didn't manage to trigger it without forcing a failure, but it can happen in real life when memory is heavily fragmented.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35831.html
CVE-2024-35831
https://bugzilla.suse.com/1224698
SUSE Bug 1224698

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA This dma_alloc_coherent() is undone neither in the remove function, nor in the error handling path of fsl_qdma_probe(). Switch to the managed version to fix both issues.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35833.html
CVE-2024-35833
https://bugzilla.suse.com/1224632
SUSE Bug 1224632

Описание

In the Linux kernel, the following vulnerability has been resolved: xsk: recycle buffer in case Rx queue was full Add missing xsk_buff_free() call when __xsk_rcv_zc() failed to produce descriptor to XSK Rx queue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35834.html
CVE-2024-35834
https://bugzilla.suse.com/1224620
SUSE Bug 1224620

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix a double-free in arfs_create_groups When `in` allocated by kvzalloc fails, arfs_create_groups will free ft->g and return an error. However, arfs_create_table, the only caller of arfs_create_groups, will hold this error and call to mlx5e_destroy_flow_table, in which the ft->g will be freed again.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35835.html
CVE-2024-35835
https://bugzilla.suse.com/1224605
SUSE Bug 1224605

Описание

In the Linux kernel, the following vulnerability has been resolved: dpll: fix pin dump crash for rebound module When a kernel module is unbound but the pin resources were not entirely freed (other kernel module instance of the same PCI device have had kept the reference to that pin), and kernel module is again bound, the pin properties would not be updated (the properties are only assigned when memory for the pin is allocated), prop pointer still points to the kernel module memory of the kernel module which was deallocated on the unbind. If the pin dump is invoked in this state, the result is a kernel crash. Prevent the crash by storing persistent pin properties in dpll subsystem, copy the content from the kernel module when pin is allocated, instead of using memory of the kernel module.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35836.html
CVE-2024-35836
https://bugzilla.suse.com/1224633
SUSE Bug 1224633

Описание

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: clear BM pool before initialization Register value persist after booting the kernel using kexec which results in kernel panic. Thus clear the BM pool registers before initialisation to fix the issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35837.html
CVE-2024-35837
https://bugzilla.suse.com/1224500
SUSE Bug 1224500

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential sta-link leak When a station is allocated, links are added but not set to valid yet (e.g. during connection to an AP MLD), we might remove the station without ever marking links valid, and leak them. Fix that.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35838.html
CVE-2024-35838
https://bugzilla.suse.com/1224613
SUSE Bug 1224613

Описание

In the Linux kernel, the following vulnerability has been resolved: net: tls, fix WARNIING in __sk_msg_free A splice with MSG_SPLICE_PAGES will cause tls code to use the tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user provided pages from the msg into the msg_pl. This will loop over the msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user can also set the MORE flag to hint stack to delay sending until receiving more pages and ideally a full buffer. If the user adds more pages to the msg than can fit in the msg_pl scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send the buffer anyways. What actually happens though is we abort the msg to msg_pl scatterlist setup and then because we forget to set 'full record' indicating we can no longer consume data without a send we fallthrough to the 'continue' path which will check if msg_data_left(msg) has more bytes to send and then attempts to fit them in the already full msg_pl. Then next iteration of sender doing send will encounter a full msg_pl and throw the warning in the syzbot report. To fix simply check if we have a full_record in splice code path and if not send the msg regardless of MORE flag.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35841.html
CVE-2024-35841
https://bugzilla.suse.com/1224687
SUSE Bug 1224687

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: sof-common: Add NULL check for normal_link string It's not granted that all entries of struct sof_conn_stream declare a `normal_link` (a non-SOF, direct link) string, and this is the case for SoCs that support only SOF paths (hence do not support both direct and SOF usecases). For example, in the case of MT8188 there is no normal_link string in any of the sof_conn_stream entries and there will be more drivers doing that in the future. To avoid possible NULL pointer KPs, add a NULL check for `normal_link`.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35842.html
CVE-2024-35842
https://bugzilla.suse.com/1224688
SUSE Bug 1224688

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Use device rbtree in iopf reporting path The existing I/O page fault handler currently locates the PCI device by calling pci_get_domain_bus_and_slot(). This function searches the list of all PCI devices until the desired device is found. To improve lookup efficiency, replace it with device_rbtree_find() to search the device within the probed device rbtree. The I/O page fault is initiated by the device, which does not have any synchronization mechanism with the software to ensure that the device stays in the probed device tree. Theoretically, a device could be released by the IOMMU subsystem after device_rbtree_find() and before iopf_get_dev_fault_param(), which would cause a use-after-free problem. Add a mutex to synchronize the I/O page fault reporting path and the IOMMU release device path. This lock doesn't introduce any performance overhead, as the conflict between I/O page fault reporting and device releasing is very rare.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35843.html
CVE-2024-35843
https://bugzilla.suse.com/1224751
SUSE Bug 1224751
https://bugzilla.suse.com/1227368
SUSE Bug 1227368

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dbg-tlv: ensure NUL termination The iwl_fw_ini_debug_info_tlv is used as a string, so we must ensure the string is terminated correctly before using it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35845.html
CVE-2024-35845
https://bugzilla.suse.com/1224731
SUSE Bug 1224731

Описание

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Prevent double free on error The error handling path in its_vpe_irq_domain_alloc() causes a double free when its_vpe_init() fails after successfully allocating at least one interrupt. This happens because its_vpe_irq_domain_free() frees the interrupts along with the area bitmap and the vprop_page and its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the vprop_page again. Fix this by unconditionally invoking its_vpe_irq_domain_free() which handles all cases correctly and by removing the bitmap/vprop_page freeing from its_vpe_irq_domain_alloc(). [ tglx: Massaged change log ]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35847.html
CVE-2024-35847
https://bugzilla.suse.com/1224697
SUSE Bug 1224697

Описание

In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35848.html
CVE-2024-35848
https://bugzilla.suse.com/1224612
SUSE Bug 1224612

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Syzbot reported the following information leak for in btrfs_ioctl_logical_to_ino(): BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x110 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 __do_kmalloc_node mm/slub.c:3954 [inline] __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 kmalloc_node include/linux/slab.h:648 [inline] kvmalloc_node+0xc0/0x2d0 mm/util.c:634 kvmalloc include/linux/slab.h:766 [inline] init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 40-65535 of 65536 are uninitialized Memory access of size 65536 starts at ffff888045a40000 This happens, because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory. Fix this by using kvzalloc() which zeroes out the memory on allocation.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35849.html
CVE-2024-35849
https://bugzilla.suse.com/1224733
SUSE Bug 1224733

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix NULL-deref on non-serdev setup Qualcomm ROME controllers can be registered from the Bluetooth line discipline and in this case the HCI UART serdev pointer is NULL. Add the missing sanity check to prevent a NULL-pointer dereference when setup() is called for a non-serdev controller.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35850.html
CVE-2024-35850
https://bugzilla.suse.com/1224600
SUSE Bug 1224600

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix NULL-deref on non-serdev suspend Qualcomm ROME controllers can be registered from the Bluetooth line discipline and in this case the HCI UART serdev pointer is NULL. Add the missing sanity check to prevent a NULL-pointer dereference when wakeup() is called for a non-serdev controller during suspend. Just return true for now to restore the original behaviour and address the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657 ("Bluetooth: hci_qca: only assign wakeup with serial port support") that causes the crash to happen already at setup() time.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35851.html
CVE-2024-35851
https://bugzilla.suse.com/1224509
SUSE Bug 1224509

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work The rehash delayed work is rescheduled with a delay if the number of credits at end of the work is not negative as supposedly it means that the migration ended. Otherwise, it is rescheduled immediately. After "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash" the above is no longer accurate as a non-negative number of credits is no longer indicative of the migration being done. It can also happen if the work encountered an error in which case the migration will resume the next time the work is scheduled. The significance of the above is that it is possible for the work to be pending and associated with hints that were allocated when the migration started. This leads to the hints being leaked [1] when the work is canceled while pending as part of ACL region dismantle. Fix by freeing the hints if hints are associated with a work that was canceled while pending. Blame the original commit since the reliance on not having a pending work associated with hints is fragile. [1] unreferenced object 0xffff88810e7c3000 (size 256): comm "kworker/0:16", pid 176, jiffies 4295460353 hex dump (first 32 bytes): 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a....... 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@........... backtrace (crc 2544ddb9): [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0 [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390 [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400 [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160 [<00000000e81fd734>] process_one_work+0x59c/0xf20 [<00000000ceee9e81>] worker_thread+0x799/0x12c0 [<00000000bda6fe39>] kthread+0x246/0x300 [<0000000070056d23>] ret_from_fork+0x34/0x70 [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35852.html
CVE-2024-35852
https://bugzilla.suse.com/1224502
SUSE Bug 1224502

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash The rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in the region and in each chunk iterating over all the filters. If the migration fails, the code tries to migrate the filters back to the old region. However, the rollback itself can also fail in which case another migration will be erroneously performed. Besides the fact that this ping pong is not a very good idea, it also creates a problem. Each virtual chunk references two chunks: The currently used one ('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the first holds the chunk we want to migrate filters to and the second holds the chunk we are migrating filters from. The code currently assumes - but does not verify - that the backup chunk does not exist (NULL) if the currently used chunk does not reference the target region. This assumption breaks when we are trying to rollback a rollback, resulting in the backup chunk being overwritten and leaked [1]. Fix by not rolling back a failed rollback and add a warning to avoid future cases. [1] WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20 Modules linked in: CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:parman_destroy+0x17/0x20 [...] Call Trace: <TASK> mlxsw_sp_acl_atcam_region_fini+0x19/0x60 mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35853.html
CVE-2024-35853
https://bugzilla.suse.com/1224604
SUSE Bug 1224604

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1]. Fix by not destroying the region if migration failed. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858 CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70 mlxsw_sp_acl_atcam_entry_del+0x81/0x210 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 174: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 7: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35854.html
CVE-2024-35854
https://bugzilla.suse.com/1224636
SUSE Bug 1224636

Описание

In the Linux kernel, the following vulnerability has been resolved: icmp: prevent possible NULL dereferences from icmp_build_probe() First problem is a double call to __in_dev_get_rcu(), because the second one could return NULL. if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list) Second problem is a read from dev->ip6_ptr with no NULL check: if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list)) Use the correct RCU API to fix these. v2: add missing include <net/addrconf.h>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35857.html
CVE-2024-35857
https://bugzilla.suse.com/1224619
SUSE Bug 1224619

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: support deferring bpf_link dealloc to after RCU grace period BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values. Because of this runtime dependency, when bpf_link refcnt drops to zero there could still be active BPF programs running accessing link data. This patch adds generic support to defer bpf_link dealloc callback to after RCU GP, if requested. This is done by exposing two different deallocation callbacks, one synchronous and one deferred. If deferred one is provided, bpf_link_free() will schedule dealloc_deferred() callback to happen after RCU GP. BPF is using two flavors of RCU: "classic" non-sleepable one and RCU tasks trace one. The latter is used when sleepable BPF programs are used. bpf_link_free() accommodates that by checking underlying BPF program's sleepable flag, and goes either through normal RCU GP only for non-sleepable, or through RCU tasks trace GP *and* then normal RCU GP (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF program is sleepable. We use this for multi-kprobe and multi-uprobe links, which dereference link during program run. We also preventively switch raw_tp link to use deferred dealloc callback, as upcoming changes in bpf-next tree expose raw_tp link data (specifically, cookie value) to BPF program at runtime as well.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35860.html
CVE-2024-35860
https://bugzilla.suse.com/1224531
SUSE Bug 1224531

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35861.html
CVE-2024-35861
https://bugzilla.suse.com/1224766
SUSE Bug 1224766
https://bugzilla.suse.com/1225312
SUSE Bug 1225312

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35862.html
CVE-2024-35862
https://bugzilla.suse.com/1224764
SUSE Bug 1224764
https://bugzilla.suse.com/1225311
SUSE Bug 1225311

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in is_valid_oplock_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35863.html
CVE-2024-35863
https://bugzilla.suse.com/1224763
SUSE Bug 1224763
https://bugzilla.suse.com/1225011
SUSE Bug 1225011

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35864.html
CVE-2024-35864
https://bugzilla.suse.com/1224765
SUSE Bug 1224765
https://bugzilla.suse.com/1225309
SUSE Bug 1225309

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_oplock_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35865.html
CVE-2024-35865
https://bugzilla.suse.com/1224668
SUSE Bug 1224668

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_dump_full_key() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35866.html
CVE-2024-35866
https://bugzilla.suse.com/1224667
SUSE Bug 1224667

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_stats_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35867.html
CVE-2024-35867
https://bugzilla.suse.com/1224664
SUSE Bug 1224664
https://bugzilla.suse.com/1225012
SUSE Bug 1225012

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_stats_proc_write() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35868.html
CVE-2024-35868
https://bugzilla.suse.com/1224678
SUSE Bug 1224678

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix GUP-fast succeeding on secretmem folios folio_is_secretmem() currently relies on secretmem folios being LRU folios, to save some cycles. However, folios might reside in a folio batch without the LRU flag set, or temporarily have their LRU flag cleared. Consequently, the LRU flag is unreliable for this purpose. In particular, this is the case when secretmem_fault() allocates a fresh page and calls filemap_add_folio()->folio_add_lru(). The folio might be added to the per-cpu folio batch and won't get the LRU flag set until the batch was drained using e.g., lru_add_drain(). Consequently, folio_is_secretmem() might not detect secretmem folios and GUP-fast can succeed in grabbing a secretmem folio, crashing the kernel when we would later try reading/writing to the folio, because the folio has been unmapped from the directmap. Fix it by removing that unreliable check.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35872.html
CVE-2024-35872
https://bugzilla.suse.com/1224530
SUSE Bug 1224530

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/coco: Require seeding RNG with RDRAND on CoCo systems There are few uses of CoCo that don't rely on working cryptography and hence a working RNG. Unfortunately, the CoCo threat model means that the VM host cannot be trusted and may actively work against guests to extract secrets or manipulate computation. Since a malicious host can modify or observe nearly all inputs to guests, the only remaining source of entropy for CoCo guests is RDRAND. If RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole is meant to gracefully continue on gathering entropy from other sources, but since there aren't other sources on CoCo, this is catastrophic. This is mostly a concern at boot time when initially seeding the RNG, as after that the consequences of a broken RDRAND are much more theoretical. So, try at boot to seed the RNG using 256 bits of RDRAND output. If this fails, panic(). This will also trigger if the system is booted without RDRAND, as RDRAND is essential for a safe CoCo boot. Add this deliberately to be "just a CoCo x86 driver feature" and not part of the RNG itself. Many device drivers and platforms have some desire to contribute something to the RNG, and add_device_randomness() is specifically meant for this purpose. Any driver can call it with seed data of any quality, or even garbage quality, and it can only possibly make the quality of the RNG better or have no effect, but can never make it worse. Rather than trying to build something into the core of the RNG, consider the particular CoCo issue just a CoCo issue, and therefore separate it all out into driver (well, arch/platform) code. [ bp: Massage commit message. ]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35875.html
CVE-2024-35875
https://bugzilla.suse.com/1224665
SUSE Bug 1224665

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: fix VM_PAT handling in COW mappings PAT handling won't do the right thing in COW mappings: the first PTE (or, in fact, all PTEs) can be replaced during write faults to point at anon folios. Reliably recovering the correct PFN and cachemode using follow_phys() from PTEs will not work in COW mappings. Using follow_phys(), we might just get the address+protection of the anon folio (which is very wrong), or fail on swap/nonswap entries, failing follow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and track_pfn_copy(), not properly calling free_pfn_range(). In free_pfn_range(), we either wouldn't call memtype_free() or would call it with the wrong range, possibly leaking memory. To fix that, let's update follow_phys() to refuse returning anon folios, and fallback to using the stored PFN inside vma->vm_pgoff for COW mappings if we run into that. We will now properly handle untrack_pfn() with COW mappings, where we don't need the cachemode. We'll have to fail fork()->track_pfn_copy() if the first page was replaced by an anon folio, though: we'd have to store the cachemode in the VMA to make this work, likely growing the VMA size. For now, lets keep it simple and let track_pfn_copy() just fail in that case: it would have failed in the past with swap/nonswap entries already, and it would have done the wrong thing with anon folios. Simple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn(): <--- C reproducer ---> #include <stdio.h> #include <sys/mman.h> #include <unistd.h> #include <liburing.h> int main(void) { struct io_uring_params p = {}; int ring_fd; size_t size; char *map; ring_fd = io_uring_setup(1, &p); if (ring_fd < 0) { perror("io_uring_setup"); return 1; } size = p.sq_off.array + p.sq_entries * sizeof(unsigned); /* Map the submission queue ring MAP_PRIVATE */ map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE, ring_fd, IORING_OFF_SQ_RING); if (map == MAP_FAILED) { perror("mmap"); return 1; } /* We have at least one page. Let's COW it. */ *map = 0; pause(); return 0; } <--- C reproducer ---> On a system with 16 GiB RAM and swap configured: # ./iouring & # memhog 16G # killall iouring [ 301.552930] ------------[ cut here ]------------ [ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100 [ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g [ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1 [ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4 [ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100 [ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000 [ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282 [ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047 [ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200 [ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000 [ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000 [ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000 [ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000 [ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0 [ 301.565725] PKRU: 55555554 [ 301.565944] Call Trace: [ 301.566148] <TASK> [ 301.566325] ? untrack_pfn+0xf4/0x100 [ 301.566618] ? __warn+0x81/0x130 [ 301.566876] ? untrack_pfn+0xf4/0x100 [ 3 ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35877.html
CVE-2024-35877
https://bugzilla.suse.com/1224525
SUSE Bug 1224525

Описание

In the Linux kernel, the following vulnerability has been resolved: of: module: prevent NULL pointer dereference in vsnprintf() In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35878.html
CVE-2024-35878
https://bugzilla.suse.com/1224671
SUSE Bug 1224671

Описание

In the Linux kernel, the following vulnerability has been resolved: of: dynamic: Synchronize of_changeset_destroy() with the devlink removals In the following sequence: 1) of_platform_depopulate() 2) of_overlay_remove() During the step 1, devices are destroyed and devlinks are removed. During the step 2, OF nodes are destroyed but __of_changeset_entry_destroy() can raise warnings related to missing of_node_put(): ERROR: memory leak, expected refcount 1 instead of 2 ... Indeed, during the devlink removals performed at step 1, the removal itself releasing the device (and the attached of_node) is done by a job queued in a workqueue and so, it is done asynchronously with respect to function calls. When the warning is present, of_node_put() will be called but wrongly too late from the workqueue job. In order to be sure that any ongoing devlink removals are done before the of_node destruction, synchronize the of_changeset_destroy() with the devlink removals.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35879.html
CVE-2024-35879
https://bugzilla.suse.com/1224524
SUSE Bug 1224524

Описание

In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: hold io_buffer_list reference over mmap If we look up the kbuf, ensure that it doesn't get unregistered until after we're done with it. Since we're inside mmap, we cannot safely use the io_uring lock. Rely on the fact that we can lookup the buffer list under RCU now and grab a reference to it, preventing it from being unregistered until we're done with it. The lookup returns the io_buffer_list directly with it referenced.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35880.html
CVE-2024-35880
https://bugzilla.suse.com/1224523
SUSE Bug 1224523

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: mchp-pci1xxx: Fix a possible null pointer dereference in pci1xxx_spi_probe In function pci1xxxx_spi_probe, there is a potential null pointer that may be caused by a failed memory allocation by the function devm_kzalloc. Hence, a null pointer check needs to be added to prevent null pointer dereferencing later in the code. To fix this issue, spi_bus->spi_int[iter] should be checked. The memory allocated by devm_kzalloc will be automatically released, so just directly return -ENOMEM without worrying about memory leaks.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35883.html
CVE-2024-35883
https://bugzilla.suse.com/1224521
SUSE Bug 1224521

Описание

In the Linux kernel, the following vulnerability has been resolved: udp: do not accept non-tunnel GSO skbs landing in a tunnel When rx-udp-gro-forwarding is enabled UDP packets might be GROed when being forwarded. If such packets might land in a tunnel this can cause various issues and udp_gro_receive makes sure this isn't the case by looking for a matching socket. This is performed in udp4/6_gro_lookup_skb but only in the current netns. This is an issue with tunneled packets when the endpoint is in another netns. In such cases the packets will be GROed at the UDP level, which leads to various issues later on. The same thing can happen with rx-gro-list. We saw this with geneve packets being GROed at the UDP level. In such case gso_size is set; later the packet goes through the geneve rx path, the geneve header is pulled, the offset are adjusted and frag_list skbs are not adjusted with regard to geneve. When those skbs hit skb_fragment, it will misbehave. Different outcomes are possible depending on what the GROed skbs look like; from corrupted packets to kernel crashes. One example is a BUG_ON[1] triggered in skb_segment while processing the frag_list. Because gso_size is wrong (geneve header was pulled) skb_segment thinks there is "geneve header size" of data in frag_list, although it's in fact the next packet. The BUG_ON itself has nothing to do with the issue. This is only one of the potential issues. Looking up for a matching socket in udp_gro_receive is fragile: the lookup could be extended to all netns (not speaking about performances) but nothing prevents those packets from being modified in between and we could still not find a matching socket. It's OK to keep the current logic there as it should cover most cases but we also need to make sure we handle tunnel packets being GROed too early. This is done by extending the checks in udp_unexpected_gso: GSO packets lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must be segmented. [1] kernel BUG at net/core/skbuff.c:4408! RIP: 0010:skb_segment+0xd2a/0xf70 __udp_gso_segment+0xaa/0x560

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35884.html
CVE-2024-35884
https://bugzilla.suse.com/1224520
SUSE Bug 1224520

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxbf_gige: stop interface during shutdown The mlxbf_gige driver intermittantly encounters a NULL pointer exception while the system is shutting down via "reboot" command. The mlxbf_driver will experience an exception right after executing its shutdown() method. One example of this exception is: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000 [0000000000000070] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 96000004 [#1] SMP CPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1 Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige] lr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige] sp : ffff8000080d3c10 x29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58 x26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008 x23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128 x20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff x17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7 x14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101 x11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404 x8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080 x5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige] mlxbf_gige_poll+0x54/0x160 [mlxbf_gige] __napi_poll+0x40/0x1c8 net_rx_action+0x314/0x3a0 __do_softirq+0x128/0x334 run_ksoftirqd+0x54/0x6c smpboot_thread_fn+0x14c/0x190 kthread+0x10c/0x110 ret_from_fork+0x10/0x20 Code: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002) ---[ end trace 7cc3941aa0d8e6a4 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt Kernel Offset: 0x4ce722520000 from 0xffff800008000000 PHYS_OFFSET: 0x80000000 CPU features: 0x000005c1,a3330e5a Memory Limit: none ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- During system shutdown, the mlxbf_gige driver's shutdown() is always executed. However, the driver's stop() method will only execute if networking interface configuration logic within the Linux distribution has been setup to do so. If shutdown() executes but stop() does not execute, NAPI remains enabled and this can lead to an exception if NAPI is scheduled while the hardware interface has only been partially deinitialized. The networking interface managed by the mlxbf_gige driver must be properly stopped during system shutdown so that IFF_UP is cleared, the hardware interface is put into a clean state, and NAPI is fully deinitialized.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35885.html
CVE-2024-35885
https://bugzilla.suse.com/1224519
SUSE Bug 1224519

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix infinite recursion in fib6_dump_done(). syzkaller reported infinite recursive calls of fib6_dump_done() during netlink socket destruction. [1] From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then the response was generated. The following recvmmsg() resumed the dump for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due to the fault injection. [0] 12:01:34 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, ... snip ...) recvmmsg(r0, ... snip ...) (fail_nth: 8) Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped receiving the response halfway through, and finally netlink_sock_destruct() called nlk_sk(sk)->cb.done(). fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling itself recursively and hitting the stack guard page. To avoid the issue, let's set the destructor after kzalloc(). [0]: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) should_failslab (mm/slub.c:3733) kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) rtnl_dump_all (net/core/rtnetlink.c:4029) netlink_dump (net/netlink/af_netlink.c:2269) netlink_recvmsg (net/netlink/af_netlink.c:1988) ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) ___sys_recvmsg (net/socket.c:2846) do_recvmmsg (net/socket.c:2943) __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034) [1]: BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb) stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570) Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000 R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <#DF> </#DF> <TASK> fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) ... fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) netlink_sock_destruct (net/netlink/af_netlink.c:401) __sk_destruct (net/core/sock.c:2177 (discriminator 2)) sk_destruct (net/core/sock.c:2224) __sk_free (net/core/sock.c:2235) sk_free (net/core/sock.c:2246) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue. ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35886.html
CVE-2024-35886
https://bugzilla.suse.com/1224670
SUSE Bug 1224670

Описание

In the Linux kernel, the following vulnerability has been resolved: ax25: fix use-after-free bugs caused by ax25_ds_del_timer When the ax25 device is detaching, the ax25_dev_device_down() calls ax25_ds_del_timer() to cleanup the slave_timer. When the timer handler is running, the ax25_ds_del_timer() that calls del_timer() in it will return directly. As a result, the use-after-free bugs could happen, one of the scenarios is shown below: (Thread 1) | (Thread 2) | ax25_ds_timeout() ax25_dev_device_down() | ax25_ds_del_timer() | del_timer() | ax25_dev_put() //FREE | | ax25_dev-> //USE In order to mitigate bugs, when the device is detaching, use timer_shutdown_sync() to stop the timer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35887.html
CVE-2024-35887
https://bugzilla.suse.com/1224663
SUSE Bug 1224663

Описание

In the Linux kernel, the following vulnerability has been resolved: idpf: fix kernel panic on unknown packet types In the very rare case where a packet type is unknown to the driver, idpf_rx_process_skb_fields would return early without calling eth_type_trans to set the skb protocol / the network layer handler. This is especially problematic if tcpdump is running when such a packet is received, i.e. it would cause a kernel panic. Instead, call eth_type_trans for every single packet, even when the packet type is unknown.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35889.html
CVE-2024-35889
https://bugzilla.suse.com/1224517
SUSE Bug 1224517

Описание

In the Linux kernel, the following vulnerability has been resolved: gro: fix ownership transfer If packets are GROed with fraglist they might be segmented later on and continue their journey in the stack. In skb_segment_list those skbs can be reused as-is. This is an issue as their destructor was removed in skb_gro_receive_list but not the reference to their socket, and then they can't be orphaned. Fix this by also removing the reference to the socket. For example this could be observed, kernel BUG at include/linux/skbuff.h:3131! (skb_orphan) RIP: 0010:ip6_rcv_core+0x11bc/0x19a0 Call Trace: ipv6_list_rcv+0x250/0x3f0 __netif_receive_skb_list_core+0x49d/0x8f0 netif_receive_skb_list_internal+0x634/0xd40 napi_complete_done+0x1d2/0x7d0 gro_cell_poll+0x118/0x1f0 A similar construction is found in skb_gro_receive, apply the same change there.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35890.html
CVE-2024-35890
https://bugzilla.suse.com/1224516
SUSE Bug 1224516

Описание

In the Linux kernel, the following vulnerability has been resolved: net: phy: micrel: Fix potential null pointer dereference In lan8814_get_sig_rx() and lan8814_get_sig_tx() ptp_parse_header() may return NULL as ptp_header due to abnormal packet type or corrupted packet. Fix this bug by adding ptp_header check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35891.html
CVE-2024-35891
https://bugzilla.suse.com/1224513
SUSE Bug 1224513

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix lockdep splat in qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() is called with the qdisc lock held, not RTNL. We must use qdisc_lookup_rcu() instead of qdisc_lookup() syzbot reported: WARNING: suspicious RCU usage 6.1.74-syzkaller #0 Not tainted ----------------------------- net/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 3 locks held by udevd/1142: #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline] #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline] #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282 #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline] #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297 #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline] #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline] #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792 stack backtrace: CPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: <TASK> [<ffffffff85b85f14>] __dump_stack lib/dump_stack.c:88 [inline] [<ffffffff85b85f14>] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106 [<ffffffff85b86007>] dump_stack+0x15/0x1e lib/dump_stack.c:113 [<ffffffff81802299>] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592 [<ffffffff84f0054c>] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305 [<ffffffff84f037c3>] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811 [<ffffffff84f5b78c>] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51 [<ffffffff84fbcf63>] qdisc_enqueue include/net/sch_generic.h:833 [inline] [<ffffffff84fbcf63>] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723 [<ffffffff84eecab9>] dequeue_skb net/sched/sch_generic.c:292 [inline] [<ffffffff84eecab9>] qdisc_restart net/sched/sch_generic.c:397 [inline] [<ffffffff84eecab9>] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415 [<ffffffff84d7aa96>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 [<ffffffff84d85d29>] net_tx_action+0x7c9/0x970 net/core/dev.c:5313 [<ffffffff85e002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616 [<ffffffff81568bca>] invoke_softirq kernel/softirq.c:447 [inline] [<ffffffff81568bca>] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700 [<ffffffff81568ae9>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712 [<ffffffff85b89f52>] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107 [<ffffffff85c00ccb>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35892.html
CVE-2024-35892
https://bugzilla.suse.com/1224515
SUSE Bug 1224515

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbmod: prevent kernel-infoleak syzbot found that tcf_skbmod_dump() was copying four bytes from kernel stack to user space [1]. The issue here is that 'struct tc_skbmod' has a four bytes hole. We need to clear the structure before filling fields. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] simple_copy_to_iter net/core/datagram.c:532 [inline] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [inline] __se_sys_recvfrom net/socket.c:2256 [inline] __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317 netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [inline] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline] tcf_add_notify net/sched/act_api.c:2048 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: __nla_put lib/nlattr.c:1041 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 [inline] tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [inline] tcf_add_notify net/sched/act_api.c:2042 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35893.html
CVE-2024-35893
https://bugzilla.suse.com/1224512
SUSE Bug 1224512

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem syzkaller started using corpuses where a BPF tracing program deletes elements from a sockmap/sockhash map. Because BPF tracing programs can be invoked from any interrupt context, locks taken during a map_delete_elem operation must be hardirq-safe. Otherwise a deadlock due to lock inversion is possible, as reported by lockdep: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); local_irq_disable(); lock(&host->lock); lock(&htab->buckets[i].lock); <Interrupt> lock(&host->lock); Locks in sockmap are hardirq-unsafe by design. We expects elements to be deleted from sockmap/sockhash only in task (normal) context with interrupts enabled, or in softirq context. Detect when map_delete_elem operation is invoked from a context which is _not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an error. Note that map updates are not affected by this issue. BPF verifier does not allow updating sockmap/sockhash from a BPF tracing program today.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35895.html
CVE-2024-35895
https://bugzilla.suse.com/1224511
SUSE Bug 1224511

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: validate user input for expected length I got multiple syzbot reports showing old bugs exposed by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc in cgroup/{s,g}etsockopt") setsockopt() @optlen argument should be taken into account before copying data. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238 CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7a RIP: 0033:0x7fd22067dde9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9 RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8 </TASK> Allocated by task 7238: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:4069 [inline] __kmalloc_noprof+0x200/0x410 mm/slub.c:4082 kmalloc_noprof include/linux/slab.h:664 [inline] __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7a The buggy address belongs to the object at ffff88802cd73da0 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73 flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff) page_type: 0xffffefff(slab) raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122 raw: ffff88802cd73020 000000008080007f 00000001ffffefff 00 ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35896.html
CVE-2024-35896
https://bugzilla.suse.com/1224662
SUSE Bug 1224662

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). And thhere is not any protection when iterate over nf_tables_flowtables list in __nft_flowtable_type_get(). Therefore, there is pertential data-race of nf_tables_flowtables list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller nft_flowtable_type_get() to protect the entire type query process.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35898.html
CVE-2024-35898
https://bugzilla.suse.com/1224498
SUSE Bug 1224498

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: flush pending destroy work before exit_net release Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier") to address a race between exit_net and the destroy workqueue. The trace below shows an element to be released via destroy workqueue while exit_net path (triggered via module removal) has already released the set that is used in such transaction. [ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465 [ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359 [ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables] [ 1360.547984] Call Trace: [ 1360.547991] <TASK> [ 1360.547998] dump_stack_lvl+0x53/0x70 [ 1360.548014] print_report+0xc4/0x610 [ 1360.548026] ? __virt_addr_valid+0xba/0x160 [ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548176] kasan_report+0xae/0xe0 [ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables] [ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30 [ 1360.548591] process_one_work+0x2f1/0x670 [ 1360.548610] worker_thread+0x4d3/0x760 [ 1360.548627] ? __pfx_worker_thread+0x10/0x10 [ 1360.548640] kthread+0x16b/0x1b0 [ 1360.548653] ? __pfx_kthread+0x10/0x10 [ 1360.548665] ret_from_fork+0x2f/0x50 [ 1360.548679] ? __pfx_kthread+0x10/0x10 [ 1360.548690] ret_from_fork_asm+0x1a/0x30 [ 1360.548707] </TASK> [ 1360.548719] Allocated by task 192061: [ 1360.548726] kasan_save_stack+0x20/0x40 [ 1360.548739] kasan_save_track+0x14/0x30 [ 1360.548750] __kasan_kmalloc+0x8f/0xa0 [ 1360.548760] __kmalloc_node+0x1f1/0x450 [ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables] [ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink] [ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink] [ 1360.548927] netlink_unicast+0x367/0x4f0 [ 1360.548935] netlink_sendmsg+0x34b/0x610 [ 1360.548944] ____sys_sendmsg+0x4d4/0x510 [ 1360.548953] ___sys_sendmsg+0xc9/0x120 [ 1360.548961] __sys_sendmsg+0xbe/0x140 [ 1360.548971] do_syscall_64+0x55/0x120 [ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 1360.548994] Freed by task 192222: [ 1360.548999] kasan_save_stack+0x20/0x40 [ 1360.549009] kasan_save_track+0x14/0x30 [ 1360.549019] kasan_save_free_info+0x3b/0x60 [ 1360.549028] poison_slab_object+0x100/0x180 [ 1360.549036] __kasan_slab_free+0x14/0x30 [ 1360.549042] kfree+0xb6/0x260 [ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables] [ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables] [ 1360.549221] ops_exit_list+0x50/0xa0 [ 1360.549229] free_exit_list+0x101/0x140 [ 1360.549236] unregister_pernet_operations+0x107/0x160 [ 1360.549245] unregister_pernet_subsys+0x1c/0x30 [ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables] [ 1360.549345] __do_sys_delete_module+0x253/0x370 [ 1360.549352] do_syscall_64+0x55/0x120 [ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d (gdb) list *__nft_release_table+0x473 0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354). 11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 11350 list_del(&flowtable->list); 11351 nft_use_dec(&table->use); 11352 nf_tables_flowtable_destroy(flowtable); 11353 } 11354 list_for_each_entry_safe(set, ns, &table->sets, list) { 11355 list_del(&set->list); 11356 nft_use_dec(&table->use); 11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11358 nft_map_deactivat ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35899.html
CVE-2024-35899
https://bugzilla.suse.com/1224499
SUSE Bug 1224499

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject new basechain after table flag update When dormant flag is toggled, hooks are disabled in the commit phase by iterating over current chains in table (existing and new). The following configuration allows for an inconsistent state: add table x add chain x y { type filter hook input priority 0; } add table x { flags dormant; } add chain x w { type filter hook input priority 1; } which triggers the following warning when trying to unregister chain w which is already unregistered. [ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260 [...] [ 127.322519] Call Trace: [ 127.322521] <TASK> [ 127.322524] ? __warn+0x9f/0x1a0 [ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260 [ 127.322537] ? report_bug+0x1b1/0x1e0 [ 127.322545] ? handle_bug+0x3c/0x70 [ 127.322552] ? exc_invalid_op+0x17/0x40 [ 127.322556] ? asm_exc_invalid_op+0x1a/0x20 [ 127.322563] ? kasan_save_free_info+0x3b/0x60 [ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260 [ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260 [ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260 [ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables] [ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables] [ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35900.html
CVE-2024-35900
https://bugzilla.suse.com/1224497
SUSE Bug 1224497

Описание

In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix Rx DMA datasize and skb_over_panic mana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to be multiple of 64. So a packet slightly bigger than mtu+14, say 1536, can be received and cause skb_over_panic. Sample dmesg: [ 5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev:<NULL> [ 5325.243689] ------------[ cut here ]------------ [ 5325.245748] kernel BUG at net/core/skbuff.c:192! [ 5325.247838] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 5325.258374] RIP: 0010:skb_panic+0x4f/0x60 [ 5325.302941] Call Trace: [ 5325.304389] <IRQ> [ 5325.315794] ? skb_panic+0x4f/0x60 [ 5325.317457] ? asm_exc_invalid_op+0x1f/0x30 [ 5325.319490] ? skb_panic+0x4f/0x60 [ 5325.321161] skb_put+0x4e/0x50 [ 5325.322670] mana_poll+0x6fa/0xb50 [mana] [ 5325.324578] __napi_poll+0x33/0x1e0 [ 5325.326328] net_rx_action+0x12e/0x280 As discussed internally, this alignment is not necessary. To fix this bug, remove it from the code. So oversized packets will be marked as CQE_RX_TRUNCATED by NIC, and dropped.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35901.html
CVE-2024-35901
https://bugzilla.suse.com/1224495
SUSE Bug 1224495

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/bpf: Fix IP after emitting call depth accounting Adjust the IP passed to `emit_patch` so it calculates the correct offset for the CALL instruction if `x86_call_depth_emit_accounting` emits code. Otherwise we will skip some instructions and most likely crash.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35903.html
CVE-2024-35903
https://bugzilla.suse.com/1224493
SUSE Bug 1224493

Описание

In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35904.html
CVE-2024-35904
https://bugzilla.suse.com/1224494
SUSE Bug 1224494

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Protect against int overflow for stack access size This patch re-introduces protection against the size of access to stack memory being negative; the access size can appear negative as a result of overflowing its signed int representation. This should not actually happen, as there are other protections along the way, but we should protect against it anyway. One code path was missing such protections (fixed in the previous patch in the series), causing out-of-bounds array accesses in check_stack_range_initialized(). This patch causes the verification of a program with such a non-sensical access size to fail. This check used to exist in a more indirect way, but was inadvertendly removed in a833a17aeac7.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35905.html
CVE-2024-35905
https://bugzilla.suse.com/1224488
SUSE Bug 1224488
https://bugzilla.suse.com/1226327
SUSE Bug 1226327

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxbf_gige: call request_irq() after NAPI initialized The mlxbf_gige driver encounters a NULL pointer exception in mlxbf_gige_open() when kdump is enabled. The sequence to reproduce the exception is as follows: a) enable kdump b) trigger kdump via "echo c > /proc/sysrq-trigger" c) kdump kernel executes d) kdump kernel loads mlxbf_gige module e) the mlxbf_gige module runs its open() as the the "oob_net0" interface is brought up f) mlxbf_gige module will experience an exception during its open(), something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] SMP CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : __napi_poll+0x40/0x230 sp : ffff800008003e00 x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8 x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000 x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000 x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0 x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398 x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2 x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238 Call trace: 0x0 net_rx_action+0x178/0x360 __do_softirq+0x15c/0x428 __irq_exit_rcu+0xac/0xec irq_exit+0x18/0x2c handle_domain_irq+0x6c/0xa0 gic_handle_irq+0xec/0x1b0 call_on_irq_stack+0x20/0x2c do_interrupt_handler+0x5c/0x70 el1_interrupt+0x30/0x50 el1h_64_irq_handler+0x18/0x2c el1h_64_irq+0x7c/0x80 __setup_irq+0x4c0/0x950 request_threaded_irq+0xf4/0x1bc mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige] mlxbf_gige_open+0x5c/0x170 [mlxbf_gige] __dev_open+0x100/0x220 __dev_change_flags+0x16c/0x1f0 dev_change_flags+0x2c/0x70 do_setlink+0x220/0xa40 __rtnl_newlink+0x56c/0x8a0 rtnl_newlink+0x58/0x84 rtnetlink_rcv_msg+0x138/0x3c4 netlink_rcv_skb+0x64/0x130 rtnetlink_rcv+0x20/0x30 netlink_unicast+0x2ec/0x360 netlink_sendmsg+0x278/0x490 __sock_sendmsg+0x5c/0x6c ____sys_sendmsg+0x290/0x2d4 ___sys_sendmsg+0x84/0xd0 __sys_sendmsg+0x70/0xd0 __arm64_sys_sendmsg+0x2c/0x40 invoke_syscall+0x78/0x100 el0_svc_common.constprop.0+0x54/0x184 do_el0_svc+0x30/0xac el0_svc+0x48/0x160 el0t_64_sync_handler+0xa4/0x12c el0t_64_sync+0x1a4/0x1a8 Code: bad PC value ---[ end trace 7d1c3f3bf9d81885 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt Kernel Offset: 0x2870a7a00000 from 0xffff800008000000 PHYS_OFFSET: 0x80000000 CPU features: 0x0,000005c1,a3332a5a Memory Limit: none ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- The exception happens because there is a pending RX interrupt before the call to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires immediately after this request_irq() completes. The ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35907.html
CVE-2024-35907
https://bugzilla.suse.com/1224492
SUSE Bug 1224492

Описание

In the Linux kernel, the following vulnerability has been resolved: tls: get psock ref after taking rxlock to avoid leak At the start of tls_sw_recvmsg, we take a reference on the psock, and then call tls_rx_reader_lock. If that fails, we return directly without releasing the reference. Instead of adding a new label, just take the reference after locking has succeeded, since we don't need it before.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35908.html
CVE-2024-35908
https://bugzilla.suse.com/1224490
SUSE Bug 1224490

Описание

In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Split 64bit accesses to fix alignment issues Some of the registers are aligned on a 32bit boundary, causing alignment faults on 64bit platforms. Unable to handle kernel paging request at virtual address ffffffc084a1d004 Mem abort info: ESR = 0x0000000096000061 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x21: alignment fault Data abort info: ISV = 0, ISS = 0x00000061, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000046ad6000 [ffffffc084a1d004] pgd=100000013ffff003, p4d=100000013ffff003, pud=100000013ffff003, pmd=0068000020a00711 Internal error: Oops: 0000000096000061 [#1] SMP Modules linked in: mtk_t7xx(+) qcserial pppoe ppp_async option nft_fib_inet nf_flow_table_inet mt7921u(O) mt7921s(O) mt7921e(O) mt7921_common(O) iwlmvm(O) iwldvm(O) usb_wwan rndis_host qmi_wwan pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mt7996e(O) mt792x_usb(O) mt792x_lib(O) mt7915e(O) mt76_usb(O) mt76_sdio(O) mt76_connac_lib(O) mt76(O) mac80211(O) iwlwifi(O) huawei_cdc_ncm cfg80211(O) cdc_ncm cdc_ether wwan usbserial usbnet slhc sfp rtc_pcf8563 nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 mt6577_auxadc mdio_i2c libcrc32c compat(O) cdc_wdm cdc_acm at24 crypto_safexcel pwm_fan i2c_gpio i2c_smbus industrialio i2c_algo_bit i2c_mux_reg i2c_mux_pca954x i2c_mux_pca9541 i2c_mux_gpio i2c_mux dummy oid_registry tun sha512_arm64 sha1_ce sha1_generic seqiv md5 geniv des_generic libdes cbc authencesn authenc leds_gpio xhci_plat_hcd xhci_pci xhci_mtk_hcd xhci_hcd nvme nvme_core gpio_button_hotplug(O) dm_mirror dm_region_hash dm_log dm_crypt dm_mod dax usbcore usb_common ptp aquantia pps_core mii tpm encrypted_keys trusted CPU: 3 PID: 5266 Comm: kworker/u9:1 Tainted: G O 6.6.22 #0 Hardware name: Bananapi BPI-R4 (DT) Workqueue: md_hk_wq t7xx_fsm_uninit [mtk_t7xx] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx] lr : t7xx_cldma_start+0xac/0x13c [mtk_t7xx] sp : ffffffc085d63d30 x29: ffffffc085d63d30 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000000 x25: ffffff80c804f2c0 x24: ffffff80ca196c05 x23: 0000000000000000 x22: ffffff80c814b9b8 x21: ffffff80c814b128 x20: 0000000000000001 x19: ffffff80c814b080 x18: 0000000000000014 x17: 0000000055c9806b x16: 000000007c5296d0 x15: 000000000f6bca68 x14: 00000000dbdbdce4 x13: 000000001aeaf72a x12: 0000000000000001 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffffff80ca1ef6b4 x7 : ffffff80c814b818 x6 : 0000000000000018 x5 : 0000000000000870 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 000000010a947000 x1 : ffffffc084a1d004 x0 : ffffffc084a1d004 Call trace: t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx] t7xx_fsm_uninit+0x578/0x5ec [mtk_t7xx] process_one_work+0x154/0x2a0 worker_thread+0x2ac/0x488 kthread+0xe0/0xec ret_from_fork+0x10/0x20 Code: f9400800 91001000 8b214001 d50332bf (f9000022) ---[ end trace 0000000000000000 ]--- The inclusion of io-64-nonatomic-lo-hi.h indicates that all 64bit accesses can be replaced by pairs of nonatomic 32bit access. Fix alignment by forcing all accesses to be 32bit on 64bit platforms.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35909.html
CVE-2024-35909
https://bugzilla.suse.com/1224491
SUSE Bug 1224491

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: fix memory corruption bug with suspend and rebuild The ice driver would previously panic after suspend. This is caused from the driver *only* calling the ice_vsi_free_q_vectors() function by itself, when it is suspending. Since commit b3e7b3a6ee92 ("ice: prevent NULL pointer deref during reload") the driver has zeroed out num_q_vectors, and only restored it in ice_vsi_cfg_def(). This further causes the ice_rebuild() function to allocate a zero length buffer, after which num_q_vectors is updated, and then the new value of num_q_vectors is used to index into the zero length buffer, which corrupts memory. The fix entails making sure all the code referencing num_q_vectors only does so after it has been reset via ice_vsi_cfg_def(). I didn't perform a full bisect, but I was able to test against 6.1.77 kernel and that ice driver works fine for suspend/resume with no panic, so sometime since then, this problem was introduced. Also clean up an un-needed init of a local variable in the function being modified. PANIC from 6.8.0-rc1: [1026674.915596] PM: suspend exit [1026675.664697] ice 0000:17:00.1: PTP reset successful [1026675.664707] ice 0000:17:00.1: 2755 msecs passed between update to cached PHC time [1026675.667660] ice 0000:b1:00.0: PTP reset successful [1026675.675944] ice 0000:b1:00.0: 2832 msecs passed between update to cached PHC time [1026677.137733] ixgbe 0000:31:00.0 ens787: NIC Link is Up 1 Gbps, Flow Control: None [1026677.190201] BUG: kernel NULL pointer dereference, address: 0000000000000010 [1026677.192753] ice 0000:17:00.0: PTP reset successful [1026677.192764] ice 0000:17:00.0: 4548 msecs passed between update to cached PHC time [1026677.197928] #PF: supervisor read access in kernel mode [1026677.197933] #PF: error_code(0x0000) - not-present page [1026677.197937] PGD 1557a7067 P4D 0 [1026677.212133] ice 0000:b1:00.1: PTP reset successful [1026677.212143] ice 0000:b1:00.1: 4344 msecs passed between update to cached PHC time [1026677.212575] [1026677.243142] Oops: 0000 [#1] PREEMPT SMP NOPTI [1026677.247918] CPU: 23 PID: 42790 Comm: kworker/23:0 Kdump: loaded Tainted: G W 6.8.0-rc1+ #1 [1026677.257989] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 [1026677.269367] Workqueue: ice ice_service_task [ice] [1026677.274592] RIP: 0010:ice_vsi_rebuild_set_coalesce+0x130/0x1e0 [ice] [1026677.281421] Code: 0f 84 3a ff ff ff 41 0f b7 74 ec 02 66 89 b0 22 02 00 00 81 e6 ff 1f 00 00 e8 ec fd ff ff e9 35 ff ff ff 48 8b 43 30 49 63 ed <41> 0f b7 34 24 41 83 c5 01 48 8b 3c e8 66 89 b7 aa 02 00 00 81 e6 [1026677.300877] RSP: 0018:ff3be62a6399bcc0 EFLAGS: 00010202 [1026677.306556] RAX: ff28691e28980828 RBX: ff28691e41099828 RCX: 0000000000188000 [1026677.314148] RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff28691e41099828 [1026677.321730] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [1026677.329311] R10: 0000000000000007 R11: ffffffffffffffc0 R12: 0000000000000010 [1026677.336896] R13: 0000000000000000 R14: 0000000000000000 R15: ff28691e0eaa81a0 [1026677.344472] FS: 0000000000000000(0000) GS:ff28693cbffc0000(0000) knlGS:0000000000000000 [1026677.353000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1026677.359195] CR2: 0000000000000010 CR3: 0000000128df4001 CR4: 0000000000771ef0 [1026677.366779] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1026677.374369] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1026677.381952] PKRU: 55555554 [1026677.385116] Call Trace: [1026677.388023] <TASK> [1026677.390589] ? __die+0x20/0x70 [1026677.394105] ? page_fault_oops+0x82/0x160 [1026677.398576] ? do_user_addr_fault+0x65/0x6a0 [1026677.403307] ? exc_page_fault+0x6a/0x150 [1026677.407694] ? asm_exc_page_fault+0x22/0x30 [1026677.412349] ? ice_vsi_rebuild_set_coalesce+0x130/0x1e0 [ice] [1026677.4186 ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35911.html
CVE-2024-35911
https://bugzilla.suse.com/1224486
SUSE Bug 1224486

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: rfi: fix potential response leaks If the rx payload length check fails, or if kmemdup() fails, we still need to free the command response. Fix that.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35912.html
CVE-2024-35912
https://bugzilla.suse.com/1224487
SUSE Bug 1224487

Описание

In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix error cleanup path in nfsd_rename() Commit a8b0026847b8 ("rename(): avoid a deadlock in the case of parents having no common ancestor") added an error bail out path. However this path does not drop the remount protection that has been acquired. Fix the cleanup path to properly drop the remount protection.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35914.html
CVE-2024-35914
https://bugzilla.suse.com/1224482
SUSE Bug 1224482

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet syzbot reported the following uninit-value access issue [1][2]: nci_rx_work() parses and processes received packet. When the payload length is zero, each message type handler reads uninitialized payload and KMSAN detects this issue. The receipt of a packet with a zero-size payload is considered unexpected, and therefore, such packets should be silently discarded. This patch resolved this issue by checking payload size before calling each message type handler codes.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35915.html
CVE-2024-35915
https://bugzilla.suse.com/1224479
SUSE Bug 1224479

Описание

In the Linux kernel, the following vulnerability has been resolved: dma-buf: Fix NULL pointer dereference in sanitycheck() If due to a memory allocation failure mock_chain() returns NULL, it is passed to dma_fence_enable_sw_signaling() resulting in NULL pointer dereference there. Call dma_fence_enable_sw_signaling() only if mock_chain() succeeds. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35916.html
CVE-2024-35916
https://bugzilla.suse.com/1224480
SUSE Bug 1224480

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Fix bpf_plt pointer arithmetic Kui-Feng Lee reported a crash on s390x triggered by the dummy_st_ops/dummy_init_ptr_arg test [1]: [<0000000000000002>] 0x2 [<00000000009d5cde>] bpf_struct_ops_test_run+0x156/0x250 [<000000000033145a>] __sys_bpf+0xa1a/0xd00 [<00000000003319dc>] __s390x_sys_bpf+0x44/0x50 [<0000000000c4382c>] __do_syscall+0x244/0x300 [<0000000000c59a40>] system_call+0x70/0x98 This is caused by GCC moving memcpy() after assignments in bpf_jit_plt(), resulting in NULL pointers being written instead of the return and the target addresses. Looking at the GCC internals, the reordering is allowed because the alias analysis thinks that the memcpy() destination and the assignments' left-hand-sides are based on different objects: new_plt and bpf_plt_ret/bpf_plt_target respectively, and therefore they cannot alias. This is in turn due to a violation of the C standard: When two pointers are subtracted, both shall point to elements of the same array object, or one past the last element of the array object ... From the C's perspective, bpf_plt_ret and bpf_plt are distinct objects and cannot be subtracted. In the practical terms, doing so confuses the GCC's alias analysis. The code was written this way in order to let the C side know a few offsets defined in the assembly. While nice, this is by no means necessary. Fix the noncompliance by hardcoding these offsets. [1] https://lore.kernel.org/bpf/c9923c1d-971d-4022-8dc8-1364e929d34c@gmail.com/

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35917.html
CVE-2024-35917
https://bugzilla.suse.com/1224481
SUSE Bug 1224481

Описание

In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix oops when HEVC init fails The stateless HEVC decoder saves the instance pointer in the context regardless if the initialization worked or not. This caused a use after free, when the pointer is freed in case of a failure in the deinit function. Only store the instance pointer when the initialization was successful, to solve this issue. Hardware name: Acer Tomato (rev3 - 4) board (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] sp : ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488 x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00 x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000 Call trace: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 Code: d503201f f9401660 b900127f b900227f (f9400400)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35921.html
CVE-2024-35921
https://bugzilla.suse.com/1224477
SUSE Bug 1224477

Описание

In the Linux kernel, the following vulnerability has been resolved: fbmon: prevent division by zero in fb_videomode_from_videomode() The expression htotal * vtotal can have a zero value on overflow. It is necessary to prevent division by zero like in fb_var_to_videomode(). Found by Linux Verification Center (linuxtesting.org) with Svace.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35922.html
CVE-2024-35922
https://bugzilla.suse.com/1224660
SUSE Bug 1224660

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Limit read size on v1.2 Between UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was increased from 16 to 256. In order to avoid overflowing reads for older systems, add a mechanism to use the read UCSI version to truncate read sizes on UCSI v1.2.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35924.html
CVE-2024-35924
https://bugzilla.suse.com/1224657
SUSE Bug 1224657

Описание

In the Linux kernel, the following vulnerability has been resolved: block: prevent division by zero in blk_rq_stat_sum() The expression dst->nr_samples + src->nr_samples may have zero value on overflow. It is necessary to add a check to avoid division by zero. Found by Linux Verification Center (linuxtesting.org) with Svace.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35925.html
CVE-2024-35925
https://bugzilla.suse.com/1224661
SUSE Bug 1224661

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix async_disable descriptor leak The disable_async paths of iaa_compress/decompress() don't free idxd descriptors in the async_disable case. Currently this only happens in the testcases where req->dst is set to null. Add a test to free them in those paths.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35926.html
CVE-2024-35926
https://bugzilla.suse.com/1224655
SUSE Bug 1224655

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: Check output polling initialized before disabling In drm_kms_helper_poll_disable() check if output polling support is initialized before disabling polling. If not flag this as a warning. Additionally in drm_mode_config_helper_suspend() and drm_mode_config_helper_resume() calls, that re the callers of these functions, avoid invoking them if polling is not initialized. For drivers like hyperv-drm, that do not initialize connector polling, if suspend is called without this check, it leads to suspend failure with following stack [ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done. [ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug) [ 770.948823] ------------[ cut here ]------------ [ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230 [ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod [ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1 [ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022 [ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230 [ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00 [ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246 [ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857 [ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330 [ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10 [ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330 [ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000 [ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0 [ 770.948879] Call Trace: [ 770.948880] <TASK> [ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df [ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df [ 770.948886] ? __cancel_work_timer+0x103/0x190 [ 770.948887] ? __flush_work.isra.0+0x212/0x230 [ 770.948889] ? __warn+0x81/0x110 [ 770.948891] ? __flush_work.isra.0+0x212/0x230 [ 770.948892] ? report_bug+0x10a/0x140 [ 770.948895] ? handle_bug+0x3c/0x70 [ 770.948898] ? exc_invalid_op+0x14/0x70 [ 770.948899] ? asm_exc_invalid_op+0x16/0x20 [ 770.948903] ? __flush_work.isra.0+0x212/0x230 [ 770.948905] __cancel_work_timer+0x103/0x190 [ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30 [ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper] [ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper] [ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus] [ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm] [ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus] [ 770.948951] dpm_run_callback+0x4c/0x140 [ 770.948954] __device_suspend_noir ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35927.html
CVE-2024-35927
https://bugzilla.suse.com/1224654
SUSE Bug 1224654

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35928.html
CVE-2024-35928
https://bugzilla.suse.com/1224653
SUSE Bug 1224653

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() The call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an unsuccessful status. In such cases, the elsiocb is not issued, the completion is not called, and thus the elsiocb resource is leaked. Check return value after calling lpfc_sli4_resume_rpi() and conditionally release the elsiocb resource.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35930.html
CVE-2024-35930
https://bugzilla.suse.com/1224651
SUSE Bug 1224651

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Skip do PCI error slot reset during RAS recovery Why: The PCI error slot reset maybe triggered after inject ue to UMC multi times, this caused system hang. [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume [ 557.373718] [drm] PCIE GART of 512M enabled. [ 557.373722] [drm] PTB located at 0x0000031FED700000 [ 557.373788] [drm] VRAM is lost due to GPU reset! [ 557.373789] [drm] PSP is resuming... [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset [ 557.547067] [drm] PCI error: detected callback, state(1)!! [ 557.547069] [drm] No support for XGMI hive yet... [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered [ 557.610492] [drm] PCI error: slot reset callback!! ... [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded! [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded! [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023 [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu] [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu] [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00 [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202 [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0 [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010 [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08 [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000 [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000 [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000 [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0 [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 560.843444] PKRU: 55555554 [ 560.846480] Call Trace: [ 560.849225] <TASK> [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu] [ 560.867778] ? show_regs.part.0+0x23/0x29 [ 560.872293] ? __die_body.cold+0x8/0xd [ 560.876502] ? die_addr+0x3e/0x60 [ 560.880238] ? exc_general_protection+0x1c5/0x410 [ 560.885532] ? asm_exc_general_protection+0x27/0x30 [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu] [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu] [ 560.904520] process_one_work+0x228/0x3d0 How: In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35931.html
CVE-2024-35931
https://bugzilla.suse.com/1224652
SUSE Bug 1224652

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: don't check if plane->state->fb == state->fb Currently, when using non-blocking commits, we can see the following kernel warning: [ 110.908514] ------------[ cut here ]------------ [ 110.908529] refcount_t: underflow; use-after-free. [ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0 [ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32 [ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT) [ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0 [ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0 [ 110.909170] sp : ffffffc00913b9c0 [ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60 [ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480 [ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78 [ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000 [ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004 [ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003 [ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00 [ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572 [ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000 [ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001 [ 110.909434] Call trace: [ 110.909441] refcount_dec_not_one+0xb8/0xc0 [ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4] [ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4] [ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper] [ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4] [ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper] [ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper] [ 110.911716] drm_atomic_commit+0xb0/0xdc [drm] [ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm] [ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm] [ 110.914091] drm_ioctl+0x24c/0x3b0 [drm] [ 110.914850] __arm64_sys_ioctl+0x9c/0xd4 [ 110.914873] invoke_syscall+0x4c/0x114 [ 110.914897] el0_svc_common+0xd0/0x118 [ 110.914917] do_el0_svc+0x38/0xd0 [ 110.914936] el0_svc+0x30/0x8c [ 110.914958] el0t_64_sync_handler+0x84/0xf0 [ 110.914979] el0t_64_sync+0x18c/0x190 [ 110.914996] ---[ end trace 0000000000000000 ]--- This happens because, although `prepare_fb` and `cleanup_fb` are perfectly balanced, we cannot guarantee consistency in the check plane->state->fb == state->fb. This means that sometimes we can increase the refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The opposite can also be true. In fact, the struct drm_plane .state shouldn't be accessed directly but instead, the `drm_atomic_get_new_plane_state()` helper function should be used. So, we could stick to this check, but using `drm_atomic_get_new_plane_state()`. But actually, this check is not re ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35932.html
CVE-2024-35932
https://bugzilla.suse.com/1224650
SUSE Bug 1224650

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: Fix null ptr deref in btintel_read_version If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL, which will cause this issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35933.html
CVE-2024-35933
https://bugzilla.suse.com/1224640
SUSE Bug 1224640

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() Many syzbot reports show extreme rtnl pressure, and many of them hint that smc acquires rtnl in netns creation for no good reason [1] This patch returns early from smc_pnet_net_init() if there is no netdevice yet. I am not even sure why smc_pnet_create_pnetids_list() even exists, because smc_pnet_netdev_event() is also calling smc_pnet_add_base_pnetid() when handling NETDEV_UP event. [1] extract of typical syzbot reports 2 locks held by syz-executor.3/12252: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12253: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12257: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12261: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.0/12265: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.3/12268: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12271: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12274: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12280: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35934.html
CVE-2024-35934
https://bugzilla.suse.com/1224641
SUSE Bug 1224641

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: send: handle path ref underflow in header iterate_inode_ref() Change BUG_ON to proper error handling if building the path buffer fails. The pointers are not printed so we don't accidentally leak kernel addresses.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35935.html
CVE-2024-35935
https://bugzilla.suse.com/1224645
SUSE Bug 1224645

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() The unhandled case in btrfs_relocate_sys_chunks() loop is a corruption, as it could be caused only by two impossible conditions: - at first the search key is set up to look for a chunk tree item, with offset -1, this is an inexact search and the key->offset will contain the correct offset upon a successful search, a valid chunk tree item cannot have an offset -1 - after first successful search, the found_key corresponds to a chunk item, the offset is decremented by 1 before the next loop, it's impossible to find a chunk item there due to alignment and size constraints

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35936.html
CVE-2024-35936
https://bugzilla.suse.com/1224644
SUSE Bug 1224644

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: check A-MSDU format more carefully If it looks like there's another subframe in the A-MSDU but the header isn't fully there, we can end up reading data out of bounds, only to discard later. Make this a bit more careful and check if the subframe header can even be present.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35937.html
CVE-2024-35937
https://bugzilla.suse.com/1224526
SUSE Bug 1224526

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: decrease MHI channel buffer length to 8KB Currently buf_len field of ath11k_mhi_config_qca6390 is assigned with 0, making MHI use a default size, 64KB, to allocate channel buffers. This is likely to fail in some scenarios where system memory is highly fragmented and memory compaction or reclaim is not allowed. There is a fail report which is caused by it: kworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0 CPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb Workqueue: events_unbound async_run_entry_fn Call Trace: <TASK> dump_stack_lvl+0x47/0x60 warn_alloc+0x13a/0x1b0 ? srso_alias_return_thunk+0x5/0xfbef5 ? __alloc_pages_direct_compact+0xab/0x210 __alloc_pages_slowpath.constprop.0+0xd3e/0xda0 __alloc_pages+0x32d/0x350 ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] __kmalloc_large_node+0x72/0x110 __kmalloc+0x37c/0x480 ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] device_for_each_child+0x5c/0xa0 ? __pfx_pci_pm_resume+0x10/0x10 ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e] ? srso_alias_return_thunk+0x5/0xfbef5 ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec] ? srso_alias_return_thunk+0x5/0xfbef5 dpm_run_callback+0x8c/0x1e0 device_resume+0x104/0x340 ? __pfx_dpm_watchdog_handler+0x10/0x10 async_resume+0x1d/0x30 async_run_entry_fn+0x32/0x120 process_one_work+0x168/0x330 worker_thread+0x2f5/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe8/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Actually those buffers are used only by QMI target -> host communication. And for WCN6855 and QCA6390, the largest packet size for that is less than 6KB. So change buf_len field to 8KB, which results in order 1 allocation if page size is 4KB. In this way, we can at least save some memory, and as well as decrease the possibility of allocation failure in those scenarios. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35938.html
CVE-2024-35938
https://bugzilla.suse.com/1224643
SUSE Bug 1224643

Описание

In the Linux kernel, the following vulnerability has been resolved: pstore/zone: Add a null pointer check to the psz_kmsg_read kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35940.html
CVE-2024-35940
https://bugzilla.suse.com/1224537
SUSE Bug 1224537

Описание

In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain According to i.MX8MP RM and HDMI ADD, the fdcc clock is part of hdmi rx verification IP that should not enable for HDMI TX. But actually if the clock is disabled before HDMI/LCDIF probe, LCDIF will not get pixel clock from HDMI PHY and print the error logs: [CRTC:39:crtc-2] vblank wait timed out WARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260 Add fdcc clock to LCDIF and HDMI TX power domains to fix the issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35942.html
CVE-2024-35942
https://bugzilla.suse.com/1224589
SUSE Bug 1224589

Описание

In the Linux kernel, the following vulnerability has been resolved: pmdomain: ti: Add a null pointer check to the omap_prm_domain_init devm_kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35943.html
CVE-2024-35943
https://bugzilla.suse.com/1224649
SUSE Bug 1224649

Описание

In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Syzkaller hit 'WARNING in dg_dispatch_as_host' bug. memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg" at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24) WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237 dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237 Some code commentry, based on my understanding: 544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size) /// This is 24 + payload_size memcpy(&dg_info->msg, dg, dg_size); Destination = dg_info->msg ---> this is a 24 byte structure(struct vmci_datagram) Source = dg --> this is a 24 byte structure (struct vmci_datagram) Size = dg_size = 24 + payload_size {payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32. 35 struct delayed_datagram_info { 36 struct datagram_entry *entry; 37 struct work_struct work; 38 bool in_dg_host_queue; 39 /* msg and msg_payload must be together. */ 40 struct vmci_datagram msg; 41 u8 msg_payload[]; 42 }; So those extra bytes of payload are copied into msg_payload[], a run time warning is seen while fuzzing with Syzkaller. One possible way to fix the warning is to split the memcpy() into two parts -- one -- direct assignment of msg and second taking care of payload. Gustavo quoted: "Under FORTIFY_SOURCE we should not copy data across multiple members in a structure."

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35944.html
CVE-2024-35944
https://bugzilla.suse.com/1224648
SUSE Bug 1224648

Описание

In the Linux kernel, the following vulnerability has been resolved: net: phy: phy_device: Prevent nullptr exceptions on ISR If phydev->irq is set unconditionally, check for valid interrupt handler or fall back to polling mode to prevent nullptr exceptions in interrupt service routine.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35945.html
CVE-2024-35945
https://bugzilla.suse.com/1224639
SUSE Bug 1224639

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix null pointer access when abort scan During cancel scan we might use vif that weren't scanning. Fix this by using the actual scanning vif.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35946.html
CVE-2024-35946
https://bugzilla.suse.com/1224646
SUSE Bug 1224646

Описание

In the Linux kernel, the following vulnerability has been resolved: dyndbg: fix old BUG_ON in >control parser Fix a BUG_ON from 2009. Even if it looks "unreachable" (I didn't really look), lets make sure by removing it, doing pr_err and return -EINVAL instead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35947.html
CVE-2024-35947
https://bugzilla.suse.com/1224647
SUSE Bug 1224647

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/client: Fully protect modes[] with dev->mode_config.mutex The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35950.html
CVE-2024-35950
https://bugzilla.suse.com/1224703
SUSE Bug 1224703
https://bugzilla.suse.com/1225310
SUSE Bug 1225310

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35951.html
CVE-2024-35951
https://bugzilla.suse.com/1224701
SUSE Bug 1224701

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/ast: Fix soft lockup There is a while-loop in ast_dp_set_on_off() that could lead to infinite-loop. This is because the register, VGACRI-Dx, checked in this API is a scratch register actually controlled by a MCU, named DPMCU, in BMC. These scratch registers are protected by scu-lock. If suc-lock is not off, DPMCU can not update these registers and then host will have soft lockup due to never updated status. DPMCU is used to control DP and relative registers to handshake with host's VGA driver. Even the most time-consuming task, DP's link training, is less than 100ms. 200ms should be enough.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35952.html
CVE-2024-35952
https://bugzilla.suse.com/1224705
SUSE Bug 1224705

Описание

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix deadlock in context_xa ivpu_device->context_xa is locked both in kernel thread and IRQ context. It requires XA_FLAGS_LOCK_IRQ flag to be passed during initialization otherwise the lock could be acquired from a thread and interrupted by an IRQ that locks it for the second time causing the deadlock. This deadlock was reported by lockdep and observed in internal tests.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35953.html
CVE-2024-35953
https://bugzilla.suse.com/1224704
SUSE Bug 1224704

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Avoid sg device teardown race sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling scsi_device_put(). sg_device_destroy() is accessing the parent scsi_device request_queue which will already be set to NULL when the preceding call to scsi_device_put() removed the last reference to the parent scsi_device. The resulting NULL pointer exception will then crash the kernel.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35954.html
CVE-2024-35954
https://bugzilla.suse.com/1224675
SUSE Bug 1224675

Описание

In the Linux kernel, the following vulnerability has been resolved: kprobes: Fix possible use-after-free issue on kprobe registration When unloading a module, its state is changing MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take a time. `is_module_text_address()` and `__module_text_address()` works with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use `is_module_text_address()` and `__module_text_address()` separately, there is a chance that the first one is succeeded but the next one is failed because module->state becomes MODULE_STATE_UNFORMED between those operations. In `check_kprobe_address_safe()`, if the second `__module_text_address()` is failed, that is ignored because it expected a kernel_text address. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify non-exist module text address (use-after-free). To fix this problem, we should not use separated `is_module_text_address()` and `__module_text_address()`, but use only `__module_text_address()` once and do `try_module_get(module)` which is only available with MODULE_STATE_LIVE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35955.html
CVE-2024-35955
https://bugzilla.suse.com/1224676
SUSE Bug 1224676

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction. However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. Ultimately, this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount for the leaked reservation. The fix is to ensure that every qgroup PREALLOC reservation observes the following properties: 1. any failure before record_root_in_trans is called successfully results in freeing the PREALLOC reservation. 2. after record_root_in_trans, we convert to PERTRANS, and now the transaction owns freeing the reservation. This patch enforces those properties on the three operations. Without it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 runs on my system. With this patch, it ran successfully 1000 times in a row.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35956.html
CVE-2024-35956
https://bugzilla.suse.com/1224674
SUSE Bug 1224674

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix WARN_ON in iommu probe path Commit 1a75cc710b95 ("iommu/vt-d: Use rbtree to track iommu probed devices") adds all devices probed by the iommu driver in a rbtree indexed by the source ID of each device. It assumes that each device has a unique source ID. This assumption is incorrect and the VT-d spec doesn't state this requirement either. The reason for using a rbtree to track devices is to look up the device with PCI bus and devfunc in the paths of handling ATS invalidation time out error and the PRI I/O page faults. Both are PCI ATS feature related. Only track the devices that have PCI ATS capabilities in the rbtree to avoid unnecessary WARN_ON in the iommu probe path. Otherwise, on some platforms below kernel splat will be displayed and the iommu probe results in failure. WARNING: CPU: 3 PID: 166 at drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90 Call Trace: <TASK> ? __warn+0x7e/0x180 ? intel_iommu_probe_device+0x319/0xd90 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? intel_iommu_probe_device+0x319/0xd90 ? debug_mutex_init+0x37/0x50 __iommu_probe_device+0xf2/0x4f0 iommu_probe_device+0x22/0x70 iommu_bus_notifier+0x1e/0x40 notifier_call_chain+0x46/0x150 blocking_notifier_call_chain+0x42/0x60 bus_notify+0x2f/0x50 device_add+0x5ed/0x7e0 platform_device_add+0xf5/0x240 mfd_add_devices+0x3f9/0x500 ? preempt_count_add+0x4c/0xa0 ? up_write+0xa2/0x1b0 ? __debugfs_create_file+0xe3/0x150 intel_lpss_probe+0x49f/0x5b0 ? pci_conf1_write+0xa3/0xf0 intel_lpss_pci_probe+0xcf/0x110 [intel_lpss_pci] pci_device_probe+0x95/0x120 really_probe+0xd9/0x370 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x73/0x150 driver_probe_device+0x19/0xa0 __driver_attach+0xb6/0x180 ? __pfx___driver_attach+0x10/0x10 bus_for_each_dev+0x77/0xd0 bus_add_driver+0x114/0x210 driver_register+0x5b/0x110 ? __pfx_intel_lpss_pci_driver_init+0x10/0x10 [intel_lpss_pci] do_one_initcall+0x57/0x2b0 ? kmalloc_trace+0x21e/0x280 ? do_init_module+0x1e/0x210 do_init_module+0x5f/0x210 load_module+0x1d37/0x1fc0 ? init_module_from_file+0x86/0xd0 init_module_from_file+0x86/0xd0 idempotent_init_module+0x17c/0x230 __x64_sys_finit_module+0x56/0xb0 do_syscall_64+0x6e/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35957.html
CVE-2024-35957
https://bugzilla.suse.com/1224673
SUSE Bug 1224673

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ena: Fix incorrect descriptor free behavior ENA has two types of TX queues: - queues which only process TX packets arriving from the network stack - queues which only process TX packets forwarded to it by XDP_REDIRECT or XDP_TX instructions The ena_free_tx_bufs() cycles through all descriptors in a TX queue and unmaps + frees every descriptor that hasn't been acknowledged yet by the device (uncompleted TX transactions). The function assumes that the processed TX queue is necessarily from the first category listed above and ends up using napi_consume_skb() for descriptors belonging to an XDP specific queue. This patch solves a bug in which, in case of a VF reset, the descriptors aren't freed correctly, leading to crashes.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35958.html
CVE-2024-35958
https://bugzilla.suse.com/1224677
SUSE Bug 1224677

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix mlx5e_priv_init() cleanup flow When mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which calls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using lockdep_is_held(). Acquire the state_lock in mlx5e_selq_cleanup(). Kernel log: ============================= WARNING: suspicious RCU usage 6.8.0-rc3_net_next_841a9b5 #1 Not tainted ----------------------------- drivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by systemd-modules/293: #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core] #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core] stack backtrace: CPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x8a/0xa0 lockdep_rcu_suspicious+0x154/0x1a0 mlx5e_selq_apply+0x94/0xa0 [mlx5_core] mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core] mlx5e_priv_init+0x2be/0x2f0 [mlx5_core] mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core] rdma_init_netdev+0x4e/0x80 [ib_core] ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core] ipoib_intf_init+0x64/0x550 [ib_ipoib] ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib] ipoib_add_one+0xb0/0x360 [ib_ipoib] add_client_context+0x112/0x1c0 [ib_core] ib_register_client+0x166/0x1b0 [ib_core] ? 0xffffffffa0573000 ipoib_init_module+0xeb/0x1a0 [ib_ipoib] do_one_initcall+0x61/0x250 do_init_module+0x8a/0x270 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x17d/0x230 __x64_sys_finit_module+0x61/0xb0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x46/0x4e </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35959.html
CVE-2024-35959
https://bugzilla.suse.com/1224666
SUSE Bug 1224666

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Properly link new fs rules into the tree Previously, add_rule_fg would only add newly created rules from the handle into the tree when they had a refcount of 1. On the other hand, create_flow_handle tries hard to find and reference already existing identical rules instead of creating new ones. These two behaviors can result in a situation where create_flow_handle 1) creates a new rule and references it, then 2) in a subsequent step during the same handle creation references it again, resulting in a rule with a refcount of 2 that is not linked into the tree, will have a NULL parent and root and will result in a crash when the flow group is deleted because del_sw_hw_rule, invoked on rule deletion, assumes node->parent is != NULL. This happened in the wild, due to another bug related to incorrect handling of duplicate pkt_reformat ids, which lead to the code in create_flow_handle incorrectly referencing a just-added rule in the same flow handle, resulting in the problem described above. Full details are at [1]. This patch changes add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes it more consistent with how rules are added to an FTE in create_flow_handle.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35960.html
CVE-2024-35960
https://bugzilla.suse.com/1224588
SUSE Bug 1224588

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Register devlink first under devlink lock In case device is having a non fatal FW error during probe, the driver will report the error to user via devlink. This will trigger a WARN_ON, since mlx5 is calling devlink_register() last. In order to avoid the WARN_ON[1], change mlx5 to invoke devl_register() first under devlink lock. [1] WARNING: CPU: 5 PID: 227 at net/devlink/health.c:483 devlink_recover_notify.constprop.0+0xb8/0xc0 CPU: 5 PID: 227 Comm: kworker/u16:3 Not tainted 6.4.0-rc5_for_upstream_min_debug_2023_06_12_12_38 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_health0000:08:00.0 mlx5_fw_reporter_err_work [mlx5_core] RIP: 0010:devlink_recover_notify.constprop.0+0xb8/0xc0 Call Trace: <TASK> ? __warn+0x79/0x120 ? devlink_recover_notify.constprop.0+0xb8/0xc0 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? devlink_recover_notify.constprop.0+0xb8/0xc0 devlink_health_report+0x4a/0x1c0 mlx5_fw_reporter_err_work+0xa4/0xd0 [mlx5_core] process_one_work+0x1bb/0x3c0 ? process_one_work+0x3c0/0x3c0 worker_thread+0x4d/0x3c0 ? process_one_work+0x3c0/0x3c0 kthread+0xc6/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35961.html
CVE-2024-35961
https://bugzilla.suse.com/1224585
SUSE Bug 1224585

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: complete validation of user input In my recent commit, I missed that do_replace() handlers use copy_from_sockptr() (which I fixed), followed by unsafe copy_from_sockptr_offset() calls. In all functions, we can perform the @optlen validation before even calling xt_alloc_table_info() with the following check: if ((u64)optlen < (u64)tmp.size + sizeof(tmp)) return -EINVAL;

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35962.html
CVE-2024-35962
https://bugzilla.suse.com/1224583
SUSE Bug 1224583

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Fix not validating setsockopt user input Check user input length before copying data.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35963.html
CVE-2024-35963
https://bugzilla.suse.com/1224582
SUSE Bug 1224582

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not validating setsockopt user input Check user input length before copying data.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35964.html
CVE-2024-35964
https://bugzilla.suse.com/1224581
SUSE Bug 1224581

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35965.html
CVE-2024-35965
https://bugzilla.suse.com/1224579
SUSE Bug 1224579

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: Fix not validating setsockopt user input syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35966.html
CVE-2024-35966
https://bugzilla.suse.com/1224576
SUSE Bug 1224576

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix not validating setsockopt user input syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35967.html
CVE-2024-35967
https://bugzilla.suse.com/1224587
SUSE Bug 1224587

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it still means hlist_for_each_entry_rcu can return an item that got removed from the list. The memory itself of such item is not freed thanks to RCU but nothing guarantees the actual content of the memory is sane. In particular, the reference count can be zero. This can happen if ipv6_del_addr is called in parallel. ipv6_del_addr removes the entry from inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all references (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough timing, this can happen: 1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry. 2. Then, the whole ipv6_del_addr is executed for the given entry. The reference count drops to zero and kfree_rcu is scheduled. 3. ipv6_get_ifaddr continues and tries to increments the reference count (in6_ifa_hold). 4. The rcu is unlocked and the entry is freed. 5. The freed entry is returned. Prevent increasing of the reference count in such case. The name in6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe. [ 41.506330] refcount_t: addition on 0; use-after-free. [ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130 [ 41.507413] Modules linked in: veth bridge stp llc [ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14 [ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) [ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130 [ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff [ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282 [ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000 [ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900 [ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff [ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000 [ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48 [ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000 [ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0 [ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 41.516799] Call Trace: [ 41.517037] <TASK> [ 41.517249] ? __warn+0x7b/0x120 [ 41.517535] ? refcount_warn_saturate+0xa5/0x130 [ 41.517923] ? report_bug+0x164/0x190 [ 41.518240] ? handle_bug+0x3d/0x70 [ 41.518541] ? exc_invalid_op+0x17/0x70 [ 41.520972] ? asm_exc_invalid_op+0x1a/0x20 [ 41.521325] ? refcount_warn_saturate+0xa5/0x130 [ 41.521708] ipv6_get_ifaddr+0xda/0xe0 [ 41.522035] inet6_rtm_getaddr+0x342/0x3f0 [ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10 [ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0 [ 41.523102] ? netlink_unicast+0x30f/0x390 [ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 41.523832] netlink_rcv_skb+0x53/0x100 [ 41.524157] netlink_unicast+0x23b/0x390 [ 41.524484] netlink_sendmsg+0x1f2/0x440 [ 41.524826] __sys_sendto+0x1d8/0x1f0 [ 41.525145] __x64_sys_sendto+0x1f/0x30 [ 41.525467] do_syscall_64+0xa5/0x1b0 [ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a [ 41.526213] RIP: 0033:0x7fbc4cfcea9a [ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 [ 41.527942] RSP: 002b:00007f ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35969.html
CVE-2024-35969
https://bugzilla.suse.com/1224580
SUSE Bug 1224580

Описание

In the Linux kernel, the following vulnerability has been resolved: af_unix: Clear stale u->oob_skb. syzkaller started to report deadlock of unix_gc_lock after commit 4090fa373f0e ("af_unix: Replace garbage collection algorithm."), but it just uncovers the bug that has been there since commit 314001f0bf92 ("af_unix: Add OOB support"). The repro basically does the following. from socket import * from array import array c1, c2 = socketpair(AF_UNIX, SOCK_STREAM) c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array("i", [c2.fileno()]))], MSG_OOB) c2.recv(1) # blocked as no normal data in recv queue c2.close() # done async and unblock recv() c1.close() # done async and trigger GC A socket sends its file descriptor to itself as OOB data and tries to receive normal data, but finally recv() fails due to async close(). The problem here is wrong handling of OOB skb in manage_oob(). When recvmsg() is called without MSG_OOB, manage_oob() is called to check if the peeked skb is OOB skb. In such a case, manage_oob() pops it out of the receive queue but does not clear unix_sock(sk)->oob_skb. This is wrong in terms of uAPI. Let's say we send "hello" with MSG_OOB, and "world" without MSG_OOB. The 'o' is handled as OOB data. When recv() is called twice without MSG_OOB, the OOB data should be lost. >>> from socket import * >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0) >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data 5 >>> c1.send(b'world') 5 >>> c2.recv(5) # OOB data is not received b'hell' >>> c2.recv(5) # OOB date is skipped b'world' >>> c2.recv(5, MSG_OOB) # This should return an error b'o' In the same situation, TCP actually returns -EINVAL for the last recv(). Also, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set EPOLLPRI even though the data has passed through by previous recv(). To avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing it from recv queue. The reason why the old GC did not trigger the deadlock is because the old GC relied on the receive queue to detect the loop. When it is triggered, the socket with OOB data is marked as GC candidate because file refcount == inflight count (1). However, after traversing all inflight sockets, the socket still has a positive inflight count (1), thus the socket is excluded from candidates. Then, the old GC lose the chance to garbage-collect the socket. With the old GC, the repro continues to create true garbage that will never be freed nor detected by kmemleak as it's linked to the global inflight list. That's why we couldn't even notice the issue.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35970.html
CVE-2024-35970
https://bugzilla.suse.com/1224584
SUSE Bug 1224584

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Handle softirqs at the end of IRQ thread to fix hang The ks8851_irq() thread may call ks8851_rx_pkts() in case there are any packets in the MAC FIFO, which calls netif_rx(). This netif_rx() implementation is guarded by local_bh_disable() and local_bh_enable(). The local_bh_enable() may call do_softirq() to run softirqs in case any are pending. One of the softirqs is net_rx_action, which ultimately reaches the driver .start_xmit callback. If that happens, the system hangs. The entire call chain is below: ks8851_start_xmit_par from netdev_start_xmit netdev_start_xmit from dev_hard_start_xmit dev_hard_start_xmit from sch_direct_xmit sch_direct_xmit from __dev_queue_xmit __dev_queue_xmit from __neigh_update __neigh_update from neigh_update neigh_update from arp_process.constprop.0 arp_process.constprop.0 from __netif_receive_skb_one_core __netif_receive_skb_one_core from process_backlog process_backlog from __napi_poll.constprop.0 __napi_poll.constprop.0 from net_rx_action net_rx_action from __do_softirq __do_softirq from call_with_stack call_with_stack from do_softirq do_softirq from __local_bh_enable_ip __local_bh_enable_ip from netif_rx netif_rx from ks8851_irq ks8851_irq from irq_thread_fn irq_thread_fn from irq_thread irq_thread from kthread kthread from ret_from_fork The hang happens because ks8851_irq() first locks a spinlock in ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...) and with that spinlock locked, calls netif_rx(). Once the execution reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again which attempts to claim the already locked spinlock again, and the hang happens. Move the do_softirq() call outside of the spinlock protected section of ks8851_irq() by disabling BHs around the entire spinlock protected section of ks8851_irq() handler. Place local_bh_enable() outside of the spinlock protected section, so that it can trigger do_softirq() without the ks8851_par.c ks8851_lock_par() spinlock being held, and safely call ks8851_start_xmit_par() without attempting to lock the already locked spinlock. Since ks8851_irq() is protected by local_bh_disable()/local_bh_enable() now, replace netif_rx() with __netif_rx() which is not duplicating the local_bh_disable()/local_bh_enable() calls.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35971.html
CVE-2024-35971
https://bugzilla.suse.com/1224578
SUSE Bug 1224578

Описание

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init() If ulp = kzalloc() fails, the allocated edev will leak because it is not properly assigned and the cleanup path will not be able to free it. Fix it by assigning it properly immediately after allocation.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35972.html
CVE-2024-35972
https://bugzilla.suse.com/1224577
SUSE Bug 1224577

Описание

In the Linux kernel, the following vulnerability has been resolved: geneve: fix header validation in geneve[6]_xmit_skb syzbot is able to trigger an uninit-value in geneve_xmit() [1] Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield()) uses skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol. If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all. If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected. Add skb_vlan_inet_prepare() to perform a complete mac validation. Use this in geneve for the moment, I suspect we need to adopt this more broadly. v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest - Only call __vlan_get_protocol() for vlan types. v2,v3 - Addressed Sabrina comments on v1 and v2 [1] BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline] BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 geneve_xmit_skb drivers/net/geneve.c:910 [inline] geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35973.html
CVE-2024-35973
https://bugzilla.suse.com/1224586
SUSE Bug 1224586

Описание

In the Linux kernel, the following vulnerability has been resolved: block: fix q->blkg_list corruption during disk rebind Multiple gendisk instances can allocated/added for single request queue in case of disk rebind. blkg may still stay in q->blkg_list when calling blkcg_init_disk() for rebind, then q->blkg_list becomes corrupted. Fix the list corruption issue by: - add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only - move calling blkg_init_queue() into blk_alloc_queue() The list corruption should be started since commit f1c006f1c685 ("blk-cgroup: synchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()") which delays removing blkg from q->blkg_list into blkg_free_workfn().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35974.html
CVE-2024-35974
https://bugzilla.suse.com/1224573
SUSE Bug 1224573

Описание

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix transmit scheduler resource leak Inorder to support shaping and scheduling, Upon class creation Netdev driver allocates trasmit schedulers. The previous patch which added support for Round robin scheduling has a bug due to which driver is not freeing transmit schedulers post class deletion. This patch fixes the same.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35975.html
CVE-2024-35975
https://bugzilla.suse.com/1224569
SUSE Bug 1224569

Описание

In the Linux kernel, the following vulnerability has been resolved: xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING syzbot reported an illegal copy in xsk_setsockopt() [1] Make sure to validate setsockopt() @optlen parameter. [1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 Read of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549 CPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7fb40587de69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69 RDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006 RBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08 </TASK> Allocated by task 7549: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:3966 [inline] __kmalloc+0x233/0x4a0 mm/slub.c:3979 kmalloc include/linux/slab.h:632 [inline] __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 The buggy address belongs to the object at ffff888028c6cde0 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 1 bytes to the right of allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2) The buggy address belongs to the physical page: page:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001 raw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 prep_new_page mm/page_alloc.c: ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35976.html
CVE-2024-35976
https://bugzilla.suse.com/1224575
SUSE Bug 1224575

Описание

In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_uart: properly fix race condition The cros_ec_uart_probe() function calls devm_serdev_device_open() before it calls serdev_device_set_client_ops(). This can trigger a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: <TASK> ... ? ttyport_receive_buf A simplified version of crashing code is as follows: static inline size_t serdev_controller_receive_buf(struct serdev_controller *ctrl, const u8 *data, size_t count) { struct serdev_device *serdev = ctrl->serdev; if (!serdev || !serdev->ops->receive_buf) // CRASH! return 0; return serdev->ops->receive_buf(serdev, data, count); } It assumes that if SERPORT_ACTIVE is set and serdev exists, serdev->ops will also exist. This conflicts with the existing cros_ec_uart_probe() logic, as it first calls devm_serdev_device_open() (which sets SERPORT_ACTIVE), and only later sets serdev->ops via serdev_device_set_client_ops(). Commit 01f95d42b8f4 ("platform/chrome: cros_ec_uart: fix race condition") attempted to fix a similar race condition, but while doing so, made the window of error for this race condition to happen much wider. Attempt to fix the race condition again, making sure we fully setup before calling devm_serdev_device_open().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35977.html
CVE-2024-35977
https://bugzilla.suse.com/1224568
SUSE Bug 1224568

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix memory leak in hci_req_sync_complete() In 'hci_req_sync_complete()', always free the previous sync request state before assigning reference to a new one.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35978.html
CVE-2024-35978
https://bugzilla.suse.com/1224571
SUSE Bug 1224571

Описание

In the Linux kernel, the following vulnerability has been resolved: raid1: fix use-after-free for original bio in raid1_write_request() r1_bio->bios[] is used to record new bios that will be issued to underlying disks, however, in raid1_write_request(), r1_bio->bios[] will set to the original bio temporarily. Meanwhile, if blocked rdev is set, free_r1bio() will be called causing that all r1_bio->bios[] to be freed: raid1_write_request() r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL for (i = 0; i < disks; i++) -> for each rdev in conf // first rdev is normal r1_bio->bios[0] = bio; -> set to original bio // second rdev is blocked if (test_bit(Blocked, &rdev->flags)) break if (blocked_rdev) free_r1bio() put_all_bios() bio_put(r1_bio->bios[0]) -> original bio is freed Test scripts: mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \ -iodepth=128 -name=test -direct=1 echo blocked > /sys/block/md0/md/rd2/state Test result: BUG bio-264 (Not tainted): Object already free ----------------------------------------------------------------------------- Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869 kmem_cache_alloc+0x324/0x480 mempool_alloc_slab+0x24/0x50 mempool_alloc+0x6e/0x220 bio_alloc_bioset+0x1af/0x4d0 blkdev_direct_IO+0x164/0x8a0 blkdev_write_iter+0x309/0x440 aio_write+0x139/0x2f0 io_submit_one+0x5ca/0xb70 __do_sys_io_submit+0x86/0x270 __x64_sys_io_submit+0x22/0x30 do_syscall_64+0xb1/0x210 entry_SYSCALL_64_after_hwframe+0x6c/0x74 Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869 kmem_cache_free+0x28c/0x550 mempool_free_slab+0x1f/0x30 mempool_free+0x40/0x100 bio_free+0x59/0x80 bio_put+0xf0/0x220 free_r1bio+0x74/0xb0 raid1_make_request+0xadf/0x1150 md_handle_request+0xc7/0x3b0 md_submit_bio+0x76/0x130 __submit_bio+0xd8/0x1d0 submit_bio_noacct_nocheck+0x1eb/0x5c0 submit_bio_noacct+0x169/0xd40 submit_bio+0xee/0x1d0 blkdev_direct_IO+0x322/0x8a0 blkdev_write_iter+0x309/0x440 aio_write+0x139/0x2f0 Since that bios for underlying disks are not allocated yet, fix this problem by using mempool_free() directly to free the r1_bio.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35979.html
CVE-2024-35979
https://bugzilla.suse.com/1224572
SUSE Bug 1224572

Описание

In the Linux kernel, the following vulnerability has been resolved: virtio_net: Do not send RSS key if it is not supported There is a bug when setting the RSS options in virtio_net that can break the whole machine, getting the kernel into an infinite loop. Running the following command in any QEMU virtual machine with virtionet will reproduce this problem: # ethtool -X eth0 hfunc toeplitz This is how the problem happens: 1) ethtool_set_rxfh() calls virtnet_set_rxfh() 2) virtnet_set_rxfh() calls virtnet_commit_rss_command() 3) virtnet_commit_rss_command() populates 4 entries for the rss scatter-gather 4) Since the command above does not have a key, then the last scatter-gatter entry will be zeroed, since rss_key_size == 0. sg_buf_size = vi->rss_key_size; 5) This buffer is passed to qemu, but qemu is not happy with a buffer with zero length, and do the following in virtqueue_map_desc() (QEMU function): if (!sz) { virtio_error(vdev, "virtio: zero sized buffers are not allowed"); 6) virtio_error() (also QEMU function) set the device as broken vdev->broken = true; 7) Qemu bails out, and do not repond this crazy kernel. 8) The kernel is waiting for the response to come back (function virtnet_send_command()) 9) The kernel is waiting doing the following : while (!virtqueue_get_buf(vi->cvq, &tmp) && !virtqueue_is_broken(vi->cvq)) cpu_relax(); 10) None of the following functions above is true, thus, the kernel loops here forever. Keeping in mind that virtqueue_is_broken() does not look at the qemu `vdev->broken`, so, it never realizes that the vitio is broken at QEMU side. Fix it by not sending RSS commands if the feature is not available in the device.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35981.html
CVE-2024-35981
https://bugzilla.suse.com/1224565
SUSE Bug 1224565

Описание

In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid infinite loop trying to resize local TT If the MTU of one of an attached interface becomes too small to transmit the local translation table then it must be resized to fit inside all fragments (when enabled) or a single packet. But if the MTU becomes too low to transmit even the header + the VLAN specific part then the resizing of the local TT will never succeed. This can for example happen when the usable space is 110 bytes and 11 VLANs are on top of batman-adv. In this case, at least 116 byte would be needed. There will just be an endless spam of batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110) in the log but the function will never finish. Problem here is that the timeout will be halved all the time and will then stagnate at 0 and therefore never be able to reduce the table even more. There are other scenarios possible with a similar result. The number of BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too high to fit inside a packet. Such a scenario can therefore happen also with only a single VLAN + 7 non-purgable addresses - requiring at least 120 bytes. While this should be handled proactively when: * interface with too low MTU is added * VLAN is added * non-purgeable local mac is added * MTU of an attached interface is reduced * fragmentation setting gets disabled (which most likely requires dropping attached interfaces) not all of these scenarios can be prevented because batman-adv is only consuming events without the the possibility to prevent these actions (non-purgable MAC address added, MTU of an attached interface is reduced). It is therefore necessary to also make sure that the code is able to handle also the situations when there were already incompatible system configuration are present.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35982.html
CVE-2024-35982
https://bugzilla.suse.com/1224566
SUSE Bug 1224566

Описание

In the Linux kernel, the following vulnerability has been resolved: i2c: smbus: fix NULL function pointer dereference Baruch reported an OOPS when using the designware controller as target only. Target-only modes break the assumption of one transfer function always being available. Fix this by always checking the pointer in __i2c_transfer. [wsa: dropped the simplification in core-smbus to avoid theoretical regressions]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35984.html
CVE-2024-35984
https://bugzilla.suse.com/1224567
SUSE Bug 1224567

Описание

In the Linux kernel, the following vulnerability has been resolved: phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered The power_supply frame-work is not really designed for there to be long living in kernel references to power_supply devices. Specifically unregistering a power_supply while some other code has a reference to it triggers a WARN in power_supply_unregister(): WARN_ON(atomic_dec_return(&psy->use_cnt)); Folllowed by the power_supply still getting removed and the backing data freed anyway, leaving the tusb1210 charger-detect code with a dangling reference, resulting in a crash the next time tusb1210_get_online() is called. Fix this by only holding the reference in tusb1210_get_online() freeing it at the end of the function. Note this still leaves a theoretical race window, but it avoids the issue when manually rmmod-ing the charger chip driver during development.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35986.html
CVE-2024-35986
https://bugzilla.suse.com/1224562
SUSE Bug 1224562

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix oops during rmmod on single-CPU platforms During the removal of the idxd driver, registered offline callback is invoked as part of the clean up process. However, on systems with only one CPU online, no valid target is available to migrate the perf context, resulting in a kernel oops: BUG: unable to handle page fault for address: 000000000002a2b8 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 1470e1067 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57 Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023 RIP: 0010:mutex_lock+0x2e/0x50 ... Call Trace: <TASK> __die+0x24/0x70 page_fault_oops+0x82/0x160 do_user_addr_fault+0x65/0x6b0 __pfx___rdmsr_safe_on_cpu+0x10/0x10 exc_page_fault+0x7d/0x170 asm_exc_page_fault+0x26/0x30 mutex_lock+0x2e/0x50 mutex_lock+0x1e/0x50 perf_pmu_migrate_context+0x87/0x1f0 perf_event_cpu_offline+0x76/0x90 [idxd] cpuhp_invoke_callback+0xa2/0x4f0 __pfx_perf_event_cpu_offline+0x10/0x10 [idxd] cpuhp_thread_fun+0x98/0x150 smpboot_thread_fn+0x27/0x260 smpboot_thread_fn+0x1af/0x260 __pfx_smpboot_thread_fn+0x10/0x10 kthread+0x103/0x140 __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x50 __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 <TASK> Fix the issue by preventing the migration of the perf context to an invalid target.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35989.html
CVE-2024-35989
https://bugzilla.suse.com/1224558
SUSE Bug 1224558

Описание

In the Linux kernel, the following vulnerability has been resolved: dma: xilinx_dpdma: Fix locking There are several places where either chan->lock or chan->vchan.lock was not held. Add appropriate locking. This fixes lockdep warnings like [ 31.077578] ------------[ cut here ]------------ [ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0 [ 31.077953] Modules linked in: [ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98 [ 31.078102] Hardware name: xlnx,zynqmp (DT) [ 31.078169] Workqueue: events_unbound deferred_probe_work_func [ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0 [ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0 [ 31.078550] sp : ffffffc083bb2e10 [ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168 [ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480 [ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000 [ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000 [ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001 [ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def [ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516 [ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff [ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000 [ 31.080307] Call trace: [ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0 [ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120 [ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac [ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c [ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684 [ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0 [ 31.081139] commit_tail+0x234/0x294 [ 31.081246] drm_atomic_helper_commit+0x1f8/0x210 [ 31.081363] drm_atomic_commit+0x100/0x140 [ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384 [ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c [ 31.081725] drm_client_modeset_commit+0x34/0x5c [ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168 [ 31.081899] drm_fb_helper_set_par+0x50/0x70 [ 31.081971] fbcon_init+0x538/0xc48 [ 31.082047] visual_init+0x16c/0x23c [ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634 [ 31.082320] do_take_over_console+0x24c/0x33c [ 31.082429] do_fbcon_takeover+0xbc/0x1b0 [ 31.082503] fbcon_fb_registered+0x2d0/0x34c [ 31.082663] register_framebuffer+0x27c/0x38c [ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c [ 31.082939] drm_fb_helper_initial_config+0x50/0x74 [ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108 [ 31.083115] drm_client_register+0xa0/0xf4 [ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc [ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0 [ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0 [ 31.083616] platform_probe+0x8c/0x13c [ 31.083713] really_probe+0x258/0x59c [ 31.083793] __driver_probe_device+0xc4/0x224 [ 31.083878] driver_probe_device+0x70/0x1c0 [ 31.083961] __device_attach_driver+0x108/0x1e0 [ 31.084052] bus_for_each_drv+0x9c/0x100 [ 31.084125] __device_attach+0x100/0x298 [ 31.084207] device_initial_probe+0x14/0x20 [ 31.084292] bus_probe_device+0xd8/0xdc [ 31.084368] deferred_probe_work_func+0x11c/0x180 [ 31.084451] process_one_work+0x3ac/0x988 [ 31.084643] worker_thread+0x398/0x694 [ 31.084752] kthread+0x1bc/0x1c0 [ 31.084848] ret_from_fork+0x10/0x20 [ 31.084932] irq event stamp: 64549 [ 31.084970] hardirqs last enabled at (64548): [<ffffffc081adf35c>] _raw_spin_unlock_irqrestore+0x80/0x90 [ 31.085157] ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35990.html
CVE-2024-35990
https://bugzilla.suse.com/1224559
SUSE Bug 1224559

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Convert spinlock to mutex to lock evl workqueue drain_workqueue() cannot be called safely in a spinlocked context due to possible task rescheduling. In the multi-task scenario, calling queue_work() while drain_workqueue() will lead to a Call Trace as pushing a work on a draining workqueue is not permitted in spinlocked context. Call Trace: <TASK> ? __warn+0x7d/0x140 ? __queue_work+0x2b2/0x440 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? __queue_work+0x2b2/0x440 queue_work_on+0x28/0x30 idxd_misc_thread+0x303/0x5a0 [idxd] ? __schedule+0x369/0xb40 ? __pfx_irq_thread_fn+0x10/0x10 ? irq_thread+0xbc/0x1b0 irq_thread_fn+0x21/0x70 irq_thread+0x102/0x1b0 ? preempt_count_add+0x74/0xa0 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0x103/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> The current implementation uses a spinlock to protect event log workqueue and will lead to the Call Trace due to potential task rescheduling. To address the locking issue, convert the spinlock to mutex, allowing the drain_workqueue() to be called in a safe mutex-locked context. This change ensures proper synchronization when accessing the event log workqueue, preventing potential Call Trace and improving the overall robustness of the code.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35991.html
CVE-2024-35991
https://bugzilla.suse.com/1224553
SUSE Bug 1224553

Описание

In the Linux kernel, the following vulnerability has been resolved: phy: marvell: a3700-comphy: Fix out of bounds read There is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr' every iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'. Make sure 'gbe_phy_init[addr]' is used when all elements of 'gbe_phy_init_fix' array are handled. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35992.html
CVE-2024-35992
https://bugzilla.suse.com/1224555
SUSE Bug 1224555

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Use access_width over bit_width for system memory accesses To align with ACPI 6.3+, since bit_width can be any 8-bit value, it cannot be depended on to be always on a clean 8b boundary. This was uncovered on the Cobalt 100 platform. SError Interrupt on CPU26, code 0xbe000011 -- SError CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1 Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) pc : cppc_get_perf_caps+0xec/0x410 lr : cppc_get_perf_caps+0xe8/0x410 sp : ffff8000155ab730 x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078 x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000 x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008 x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006 x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028 x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000 Kernel panic - not syncing: Asynchronous SError Interrupt CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1 Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION Call trace: dump_backtrace+0x0/0x1e0 show_stack+0x24/0x30 dump_stack_lvl+0x8c/0xb8 dump_stack+0x18/0x34 panic+0x16c/0x384 add_taint+0x0/0xc0 arm64_serror_panic+0x7c/0x90 arm64_is_fatal_ras_serror+0x34/0xa4 do_serror+0x50/0x6c el1h_64_error_handler+0x40/0x74 el1h_64_error+0x7c/0x80 cppc_get_perf_caps+0xec/0x410 cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq] cpufreq_online+0x2dc/0xa30 cpufreq_add_dev+0xc0/0xd4 subsys_interface_register+0x134/0x14c cpufreq_register_driver+0x1b0/0x354 cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq] do_one_initcall+0x50/0x250 do_init_module+0x60/0x27c load_module+0x2300/0x2570 __do_sys_finit_module+0xa8/0x114 __arm64_sys_finit_module+0x2c/0x3c invoke_syscall+0x78/0x100 el0_svc_common.constprop.0+0x180/0x1a0 do_el0_svc+0x84/0xa0 el0_svc+0x2c/0xc0 el0t_64_sync_handler+0xa4/0x12c el0t_64_sync+0x1a4/0x1a8 Instead, use access_width to determine the size and use the offset and width to shift and mask the bits to read/write out. Make sure to add a check for system memory since pcc redefines the access_width to subspace id. If access_width is not set, then fall back to using bit_width. [ rjw: Subject and changelog edits, comment adjustments ]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35995.html
CVE-2024-35995
https://bugzilla.suse.com/1224557
SUSE Bug 1224557

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up The flag I2C_HID_READ_PENDING is used to serialize I2C operations. However, this is not necessary, because I2C core already has its own locking for that. More importantly, this flag can cause a lock-up: if the flag is set in i2c_hid_xfer() and an interrupt happens, the interrupt handler (i2c_hid_irq) will check this flag and return immediately without doing anything, then the interrupt handler will be invoked again in an infinite loop. Since interrupt handler is an RT task, it takes over the CPU and the flag-clearing task never gets scheduled, thus we have a lock-up. Delete this unnecessary flag.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35997.html
CVE-2024-35997
https://bugzilla.suse.com/1224552
SUSE Bug 1224552

Описание

In the Linux kernel, the following vulnerability has been resolved: smb3: fix lock ordering potential deadlock in cifs_sync_mid_result Coverity spotted that the cifs_sync_mid_result function could deadlock "Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires lock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock" Addresses-Coverity: 1590401 ("Thread deadlock (ORDER_REVERSAL)")

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35998.html
CVE-2024-35998
https://bugzilla.suse.com/1224549
SUSE Bug 1224549

Описание

In the Linux kernel, the following vulnerability has been resolved: smb3: missing lock when picking channel Coverity spotted a place where we should have been holding the channel lock when accessing the ses channel index. Addresses-Coverity: 1582039 ("Data race condition (MISSING_LOCK)")

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35999.html
CVE-2024-35999
https://bugzilla.suse.com/1224550
SUSE Bug 1224550

Описание

In the Linux kernel, the following vulnerability has been resolved: dpll: fix dpll_pin_on_pin_register() for multiple parent pins In scenario where pin is registered with multiple parent pins via dpll_pin_on_pin_register(..), all belonging to the same dpll device. A second call to dpll_pin_on_pin_unregister(..) would cause a call trace, as it tries to use already released registration resources (due to fix introduced in b446631f355e). In this scenario pin was registered twice, so resources are not yet expected to be release until each registered pin/pin pair is unregistered. Currently, the following crash/call trace is produced when ice driver is removed on the system with installed E810T NIC which includes dpll device: WARNING: CPU: 51 PID: 9155 at drivers/dpll/dpll_core.c:809 dpll_pin_ops+0x20/0x30 RIP: 0010:dpll_pin_ops+0x20/0x30 Call Trace: ? __warn+0x7f/0x130 ? dpll_pin_ops+0x20/0x30 dpll_msg_add_pin_freq+0x37/0x1d0 dpll_cmd_pin_get_one+0x1c0/0x400 ? __nlmsg_put+0x63/0x80 dpll_pin_event_send+0x93/0x140 dpll_pin_on_pin_unregister+0x3f/0x100 ice_dpll_deinit_pins+0xa1/0x230 [ice] ice_remove+0xf1/0x210 [ice] Fix by adding a parent pointer as a cookie when creating a registration, also when searching for it. For the regular pins pass NULL, this allows to create separated registration for each parent the pin is registered with.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36002.html
CVE-2024-36002
https://bugzilla.suse.com/1224546
SUSE Bug 1224546

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: fix LAG and VF lock dependency in ice_reset_vf() 9f74a3dfcf83 ("ice: Fix VF Reset paths when interface in a failed over aggregate"), the ice driver has acquired the LAG mutex in ice_reset_vf(). The commit placed this lock acquisition just prior to the acquisition of the VF configuration lock. If ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK flag, this could deadlock with ice_vc_cfg_qs_msg() because it always acquires the locks in the order of the VF configuration lock and then the LAG mutex. Lockdep reports this violation almost immediately on creating and then removing 2 VF: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-rc6 #54 Tainted: G W O ------------------------------------------------------ kworker/60:3/6771 is trying to acquire lock: ff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice] but task is already holding lock: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&pf->lag_mutex){+.+.}-{3:3}: __lock_acquire+0x4f8/0xb40 lock_acquire+0xd4/0x2d0 __mutex_lock+0x9b/0xbf0 ice_vc_cfg_qs_msg+0x45/0x690 [ice] ice_vc_process_vf_msg+0x4f5/0x870 [ice] __ice_clean_ctrlq+0x2b5/0x600 [ice] ice_service_task+0x2c9/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 kthread+0x104/0x140 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1b/0x30 -> #0 (&vf->cfg_lock){+.+.}-{3:3}: check_prev_add+0xe2/0xc50 validate_chain+0x558/0x800 __lock_acquire+0x4f8/0xb40 lock_acquire+0xd4/0x2d0 __mutex_lock+0x9b/0xbf0 ice_reset_vf+0x22f/0x4d0 [ice] ice_process_vflr_event+0x98/0xd0 [ice] ice_service_task+0x1cc/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 kthread+0x104/0x140 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1b/0x30 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&pf->lag_mutex); lock(&vf->cfg_lock); lock(&pf->lag_mutex); lock(&vf->cfg_lock); *** DEADLOCK *** 4 locks held by kworker/60:3/6771: #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0 #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0 #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice] #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice] stack backtrace: CPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54 Hardware name: Workqueue: ice ice_service_task [ice] Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 check_noncircular+0x12d/0x150 check_prev_add+0xe2/0xc50 ? save_trace+0x59/0x230 ? add_chain_cache+0x109/0x450 validate_chain+0x558/0x800 __lock_acquire+0x4f8/0xb40 ? lockdep_hardirqs_on+0x7d/0x100 lock_acquire+0xd4/0x2d0 ? ice_reset_vf+0x22f/0x4d0 [ice] ? lock_is_held_type+0xc7/0x120 __mutex_lock+0x9b/0xbf0 ? ice_reset_vf+0x22f/0x4d0 [ice] ? ice_reset_vf+0x22f/0x4d0 [ice] ? rcu_is_watching+0x11/0x50 ? ice_reset_vf+0x22f/0x4d0 [ice] ice_reset_vf+0x22f/0x4d0 [ice] ? process_one_work+0x176/0x4d0 ice_process_vflr_event+0x98/0xd0 [ice] ice_service_task+0x1cc/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x104/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> To avoid deadlock, we must acquire the LAG ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36003.html
CVE-2024-36003
https://bugzilla.suse.com/1224544
SUSE Bug 1224544

Описание

In the Linux kernel, the following vulnerability has been resolved: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue Issue reported by customer during SRIOV testing, call trace: When both i40e and the i40iw driver are loaded, a warning in check_flush_dependency is being triggered. This seems to be because of the i40e driver workqueue is allocated with the WQ_MEM_RECLAIM flag, and the i40iw one is not. Similar error was encountered on ice too and it was fixed by removing the flag. Do the same for i40e too. [Feb 9 09:08] ------------[ cut here ]------------ [ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is flushing !WQ_MEM_RECLAIM infiniband:0x0 [ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966 check_flush_dependency+0x10b/0x120 [ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4 nls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr rfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma intel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core iTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore ioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich intel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe drm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel libata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror dm_region_hash dm_log dm_mod fuse [ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not tainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1 [ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020 [ +0.000001] Workqueue: i40e i40e_service_task [i40e] [ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120 [ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48 81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd ff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90 [ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282 [ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX: 0000000000000027 [ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI: ffff94d47f620bc0 [ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffff7fff [ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12: ffff94c5451ea180 [ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15: ffff94c5f1330ab0 [ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000) knlGS:0000000000000000 [ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4: 00000000007706f0 [ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ +0.000001] PKRU: 55555554 [ +0.000001] Call Trace: [ +0.000001] <TASK> [ +0.000002] ? __warn+0x80/0x130 [ +0.000003] ? check_flush_dependency+0x10b/0x120 [ +0.000002] ? report_bug+0x195/0x1a0 [ +0.000005] ? handle_bug+0x3c/0x70 [ +0.000003] ? exc_invalid_op+0x14/0x70 [ +0.000002] ? asm_exc_invalid_op+0x16/0x20 [ +0.000006] ? check_flush_dependency+0x10b/0x120 [ +0.000002] ? check_flush_dependency+0x10b/0x120 [ +0.000002] __flush_workqueue+0x126/0x3f0 [ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core] [ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core] [ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core] [ +0.000020] i40iw_close+0x4b/0x90 [irdma] [ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e] [ +0.000035] i40e_service_task+0x126/0x190 [i40e] [ +0.000024] process_one_work+0x174/0x340 [ +0.000003] worker_th ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36004.html
CVE-2024-36004
https://bugzilla.suse.com/1224545
SUSE Bug 1224545

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: honor table dormant flag from netdev release event path Check for table dormant flag otherwise netdev release event path tries to unregister an already unregistered hook. [524854.857999] ------------[ cut here ]------------ [524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260 [...] [524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365 [524854.858869] Workqueue: netns cleanup_net [524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260 [524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41 [524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246 [524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a [524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438 [524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34 [524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005 [524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00 [524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0 [524854.859000] Call Trace: [524854.859006] <TASK> [524854.859013] ? __warn+0x9f/0x1a0 [524854.859027] ? __nf_unregister_net_hook+0x21a/0x260 [524854.859044] ? report_bug+0x1b1/0x1e0 [524854.859060] ? handle_bug+0x3c/0x70 [524854.859071] ? exc_invalid_op+0x17/0x40 [524854.859083] ? asm_exc_invalid_op+0x1a/0x20 [524854.859100] ? __nf_unregister_net_hook+0x6a/0x260 [524854.859116] ? __nf_unregister_net_hook+0x21a/0x260 [524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables] [524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables] [524854.859461] ? packet_notifier+0xb3/0x360 [524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40 [524854.859489] ? dcbnl_netdevice_event+0x35/0x140 [524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables] [524854.859661] notifier_call_chain+0x7d/0x140 [524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36005.html
CVE-2024-36005
https://bugzilla.suse.com/1224539
SUSE Bug 1224539

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix incorrect list API usage Both the function that migrates all the chunks within a region and the function that migrates all the entries within a chunk call list_first_entry() on the respective lists without checking that the lists are not empty. This is incorrect usage of the API, which leads to the following warning [1]. Fix by returning if the lists are empty as there is nothing to migrate in this case. [1] WARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0> Modules linked in: CPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0 [...] Call Trace: <TASK> mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36006.html
CVE-2024-36006
https://bugzilla.suse.com/1224541
SUSE Bug 1224541

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix warning during rehash As previously explained, the rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in the region and in each chunk iterating over all the filters. When the work runs out of credits it stores the current chunk and entry as markers in the per-work context so that it would know where to resume the migration from the next time the work is scheduled. Upon error, the chunk marker is reset to NULL, but without resetting the entry markers despite being relative to it. This can result in migration being resumed from an entry that does not belong to the chunk being migrated. In turn, this will eventually lead to a chunk being iterated over as if it is an entry. Because of how the two structures happen to be defined, this does not lead to KASAN splats, but to warnings such as [1]. Fix by creating a helper that resets all the markers and call it from all the places the currently only reset the chunk marker. For good measures also call it when starting a completely new rehash. Add a warning to avoid future cases. [1] WARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0 Modules linked in: CPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:mlxsw_afk_encode+0x242/0x2f0 [...] Call Trace: <TASK> mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290 mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36007.html
CVE-2024-36007
https://bugzilla.suse.com/1224543
SUSE Bug 1224543

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv4: check for NULL idev in ip_route_use_hint() syzbot was able to trigger a NULL deref in fib_validate_source() in an old tree [1]. It appears the bug exists in latest trees. All calls to __in_dev_get_rcu() must be checked for a NULL result. [1] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425 Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf RSP: 0018:ffffc900015fee40 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0 RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0 RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000 R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000 FS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231 ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327 ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline] ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638 ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673 __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline] __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620 __netif_receive_skb_list net/core/dev.c:5672 [inline] netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764 netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816 xdp_recv_frames net/bpf/test_run.c:257 [inline] xdp_test_run_batch net/bpf/test_run.c:335 [inline] bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363 bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376 bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736 __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115 __do_sys_bpf kernel/bpf/syscall.c:5201 [inline] __se_sys_bpf kernel/bpf/syscall.c:5199 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36008.html
CVE-2024-36008
https://bugzilla.suse.com/1224540
SUSE Bug 1224540

Описание

In the Linux kernel, the following vulnerability has been resolved: ax25: Fix netdev refcount issue The dev_tracker is added to ax25_cb in ax25_bind(). When the ax25 device is detaching, the dev_tracker of ax25_cb should be deallocated in ax25_kill_by_device() instead of the dev_tracker of ax25_dev. The log reported by ref_tracker is shown below: [ 80.884935] ref_tracker: reference already released. [ 80.885150] ref_tracker: allocated in: [ 80.885349] ax25_dev_device_up+0x105/0x540 [ 80.885730] ax25_device_event+0xa4/0x420 [ 80.885730] notifier_call_chain+0xc9/0x1e0 [ 80.885730] __dev_notify_flags+0x138/0x280 [ 80.885730] dev_change_flags+0xd7/0x180 [ 80.885730] dev_ifsioc+0x6a9/0xa30 [ 80.885730] dev_ioctl+0x4d8/0xd90 [ 80.885730] sock_do_ioctl+0x1c2/0x2d0 [ 80.885730] sock_ioctl+0x38b/0x4f0 [ 80.885730] __se_sys_ioctl+0xad/0xf0 [ 80.885730] do_syscall_64+0xc4/0x1b0 [ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 80.885730] ref_tracker: freed in: [ 80.885730] ax25_device_event+0x272/0x420 [ 80.885730] notifier_call_chain+0xc9/0x1e0 [ 80.885730] dev_close_many+0x272/0x370 [ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180 [ 80.885730] unregister_netdev+0xcf/0x120 [ 80.885730] sixpack_close+0x11f/0x1b0 [ 80.885730] tty_ldisc_kill+0xcb/0x190 [ 80.885730] tty_ldisc_hangup+0x338/0x3d0 [ 80.885730] __tty_hangup+0x504/0x740 [ 80.885730] tty_release+0x46e/0xd80 [ 80.885730] __fput+0x37f/0x770 [ 80.885730] __x64_sys_close+0x7b/0xb0 [ 80.885730] do_syscall_64+0xc4/0x1b0 [ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 80.893739] ------------[ cut here ]------------ [ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0 [ 80.894297] Modules linked in: [ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11 [ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4 [ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0 [ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9 [ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286 [ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000 [ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518 [ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a [ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4 [ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518 [ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000 [ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0 ... [ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at [ 80.935774] ax25_bind+0x424/0x4e0 [ 80.935774] __sys_bind+0x1d9/0x270 [ 80.935774] __x64_sys_bind+0x75/0x80 [ 80.935774] do_syscall_64+0xc4/0x1b0 [ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f Change ax25_dev->dev_tracker to the dev_tracker of ax25_cb in order to mitigate the bug.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36009.html
CVE-2024-36009
https://bugzilla.suse.com/1224542
SUSE Bug 1224542

Описание

In the Linux kernel, the following vulnerability has been resolved: igb: Fix string truncation warnings in igb_set_fw_version Commit 1978d3ead82c ("intel: fix string truncation warnings") fixes '-Wformat-truncation=' warnings in igb_main.c by using kasprintf. drivers/net/ethernet/intel/igb/igb_main.c:3092:53: warning:'%d' directive output may be truncated writing between 1 and 5 bytes into a region of size between 1 and 13 [-Wformat-truncation=] 3092 | "%d.%d, 0x%08x, %d.%d.%d", | ^~ drivers/net/ethernet/intel/igb/igb_main.c:3092:34: note:directive argument in the range [0, 65535] 3092 | "%d.%d, 0x%08x, %d.%d.%d", | ^~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/intel/igb/igb_main.c:3092:34: note:directive argument in the range [0, 65535] drivers/net/ethernet/intel/igb/igb_main.c:3090:25: note:'snprintf' output between 23 and 43 bytes into a destination of size 32 kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fix this warning by using a larger space for adapter->fw_version, and then fall back and continue to use snprintf.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36010.html
CVE-2024-36010
https://bugzilla.suse.com/1225594
SUSE Bug 1225594

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HCI: Fix potential null-ptr-deref Fix potential null-ptr-deref in hci_le_big_sync_established_evt().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36011.html
CVE-2024-36011
https://bugzilla.suse.com/1225579
SUSE Bug 1225579

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: msft: fix slab-use-after-free in msft_do_close() Tying the msft->data lifetime to hdev by freeing it in hci_release_dev() to fix the following case: [use] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- passed. return; mutex_lock(&msft->filter_lock); ...(4) <- used after freed. [free] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) kfree(msft); ...(3) <- msft is freed. ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36012.html
CVE-2024-36012
https://bugzilla.suse.com/1225502
SUSE Bug 1225502

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect mutex_lock(&conn->chan_lock); | chan = pchan->ops->new_connection(pchan); <- alloc chan | __l2cap_chan_add(conn, chan); | l2cap_chan_hold(chan); | list_add(&chan->list, &conn->chan_l); ... (1) mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del mutex_lock(&conn->chan_lock); | foreach chan in conn->chan_l: ... (2) | l2cap_chan_put(chan); | l2cap_chan_destroy | kfree(chan) ... (3) <- chan freed mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36013.html
CVE-2024-36013
https://bugzilla.suse.com/1225578
SUSE Bug 1225578

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/arm/malidp: fix a possible null pointer dereference In malidp_mw_connector_reset, new memory is allocated with kzalloc, but no check is performed. In order to prevent null pointer dereferencing, ensure that mw_state is checked before calling __drm_atomic_helper_connector_reset.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36014.html
CVE-2024-36014
https://bugzilla.suse.com/1225593
SUSE Bug 1225593

Описание

In the Linux kernel, the following vulnerability has been resolved: ppdev: Add an error check in register_device In register_device, the return value of ida_simple_get is unchecked, in witch ida_simple_get will use an invalid index value. To address this issue, index should be checked after ida_simple_get. When the index value is abnormal, a warning message should be printed, the port should be dropped, and the value should be recorded.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36015.html
CVE-2024-36015
https://bugzilla.suse.com/1225640
SUSE Bug 1225640

Описание

In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36016.html
CVE-2024-36016
https://bugzilla.suse.com/1225642
SUSE Bug 1225642

Описание

In the Linux kernel, the following vulnerability has been resolved: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a struct ifla_vf_vlan_info so the size of such attribute needs to be at least of sizeof(struct ifla_vf_vlan_info) which is 14 bytes. The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes) which is less than sizeof(struct ifla_vf_vlan_info) so this validation is not enough and a too small attribute might be cast to a struct ifla_vf_vlan_info, this might result in an out of bands read access when accessing the saved (casted) entry in ivvl.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36017.html
CVE-2024-36017
https://bugzilla.suse.com/1225681
SUSE Bug 1225681

Описание

In the Linux kernel, the following vulnerability has been resolved: nouveau/uvmm: fix addr/range calcs for remap operations dEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8 was causing a remap operation like the below. op_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000 op_remap: next: op_remap: unmap: 0000003fffed0000 0000000000100000 0 op_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000 This was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000 which was corrupting the pagetables and oopsing the kernel. Fixes the prev + unmap range calcs to use start/end and map back to addr/range.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36018.html
CVE-2024-36018
https://bugzilla.suse.com/1225694
SUSE Bug 1225694

Описание

In the Linux kernel, the following vulnerability has been resolved: regmap: maple: Fix cache corruption in regcache_maple_drop() When keeping the upper end of a cache block entry, the entry[] array must be indexed by the offset from the base register of the block, i.e. max - mas.index. The code was indexing entry[] by only the register address, leading to an out-of-bounds access that copied some part of the kernel memory over the cache contents. This bug was not detected by the regmap KUnit test because it only tests with a block of registers starting at 0, so mas.index == 0.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36019.html
CVE-2024-36019
https://bugzilla.suse.com/1225695
SUSE Bug 1225695

Описание

In the Linux kernel, the following vulnerability has been resolved: i40e: fix vf may be used uninitialized in this function warning To fix the regression introduced by commit 52424f974bc5, which causes servers hang in very hard to reproduce conditions with resets races. Using two sources for the information is the root cause. In this function before the fix bumping v didn't mean bumping vf pointer. But the code used this variables interchangeably, so stale vf could point to different/not intended vf. Remove redundant "v" variable and iterate via single VF pointer across whole function instead to guarantee VF pointer validity.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36020.html
CVE-2024-36020
https://bugzilla.suse.com/1225698
SUSE Bug 1225698

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when devlink reload during pf initialization The devlink reload process will access the hardware resources, but the register operation is done before the hardware is initialized. So, processing the devlink reload during initialization may lead to kernel crash. This patch fixes this by taking devl_lock during initialization.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36021.html
CVE-2024-36021
https://bugzilla.suse.com/1225699
SUSE Bug 1225699

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Disable idle reallow as part of command/gpint execution [Why] Workaroud for a race condition where DMCUB is in the process of committing to IPS1 during the handshake causing us to miss the transition into IPS2 and touch the INBOX1 RPTR causing a HW hang. [How] Disable the reallow to ensure that we have enough of a gap between entry and exit and we're not seeing back-to-back wake_and_executes.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36024.html
CVE-2024-36024
https://bugzilla.suse.com/1225702
SUSE Bug 1225702

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() The app_reply->elem[] array is allocated earlier in this function and it has app_req.num_ports elements. Thus this > comparison needs to be >= to prevent memory corruption.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36025.html
CVE-2024-36025
https://bugzilla.suse.com/1225704
SUSE Bug 1225704

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11 While doing multiple S4 stress tests, GC/RLC/PMFW get into an invalid state resulting into hard hangs. Adding a GFX reset as workaround just before sending the MP1_UNLOAD message avoids this failure.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36026.html
CVE-2024-36026
https://bugzilla.suse.com/1225705
SUSE Bug 1225705

Описание

In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-msm: pervent access to suspended controller Generic sdhci code registers LED device and uses host->runtime_suspended flag to protect access to it. The sdhci-msm driver doesn't set this flag, which causes a crash when LED is accessed while controller is runtime suspended. Fix this by setting the flag correctly.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36029.html
CVE-2024-36029
https://bugzilla.suse.com/1225708
SUSE Bug 1225708

Описание

In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: fix the double free in rvu_npc_freemem() Clang static checker(scan-build) warning: drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c:line 2184, column 2 Attempt to free released memory. npc_mcam_rsrcs_deinit() has released 'mcam->counters.bmap'. Deleted this redundant kfree() to fix this double free problem.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36030.html
CVE-2024-36030
https://bugzilla.suse.com/1225712
SUSE Bug 1225712
https://bugzilla.suse.com/1226326
SUSE Bug 1226326

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix info leak when fetching fw build id Add the missing sanity checks and move the 255-byte build-id buffer off the stack to avoid leaking stack data through debugfs in case the build-info reply is malformed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36032.html
CVE-2024-36032
https://bugzilla.suse.com/1225720
SUSE Bug 1225720

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules rx_create no longer allocates a modify_hdr instance that needs to be cleaned up. The mlx5_modify_header_dealloc call will lead to a NULL pointer dereference. A leak in the rules also previously occurred since there are now two rules populated related to status. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 109907067 P4D 109907067 PUD 116890067 PMD 0 Oops: 0000 [#1] SMP CPU: 1 PID: 484 Comm: ip Not tainted 6.9.0-rc2-rrameshbabu+ #254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:mlx5_modify_header_dealloc+0xd/0x70 <snip> Call Trace: <TASK> ? show_regs+0x60/0x70 ? __die+0x24/0x70 ? page_fault_oops+0x15f/0x430 ? free_to_partial_list.constprop.0+0x79/0x150 ? do_user_addr_fault+0x2c9/0x5c0 ? exc_page_fault+0x63/0x110 ? asm_exc_page_fault+0x27/0x30 ? mlx5_modify_header_dealloc+0xd/0x70 rx_create+0x374/0x590 rx_add_rule+0x3ad/0x500 ? rx_add_rule+0x3ad/0x500 ? mlx5_cmd_exec+0x2c/0x40 ? mlx5_create_ipsec_obj+0xd6/0x200 mlx5e_accel_ipsec_fs_add_rule+0x31/0xf0 mlx5e_xfrm_add_state+0x426/0xc00 <snip>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36281.html
CVE-2024-36281
https://bugzilla.suse.com/1226799
SUSE Bug 1226799

Описание

In the Linux kernel, the following vulnerability has been resolved: tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the maximum transfer length and the size of the transfer buffer. As such, it does not account for the 4 bytes of header that prepends the SPI data frame. This can result in out-of-bounds accesses and was confirmed with KASAN. Introduce SPI_HDRSIZE to account for the header and use to allocate the transfer buffer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36477.html
CVE-2024-36477
https://bugzilla.suse.com/1226840
SUSE Bug 1226840

Описание

In the Linux kernel, the following vulnerability has been resolved: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Writing 'power' and 'submit_queues' concurrently will trigger kernel panic: Test script: modprobe null_blk nr_devices=0 mkdir -p /sys/kernel/config/nullb/nullb0 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & while true; do echo 1 > power; echo 0 > power; done Test result: BUG: kernel NULL pointer dereference, address: 0000000000000148 Oops: 0000 [#1] PREEMPT SMP RIP: 0010:__lock_acquire+0x41d/0x28f0 Call Trace: <TASK> lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 This is because del_gendisk() can concurrent with blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix this problem by resuing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36478.html
CVE-2024-36478
https://bugzilla.suse.com/1226841
SUSE Bug 1226841

Описание

In the Linux kernel, the following vulnerability has been resolved: fpga: bridge: add owner module and take its refcount The current implementation of the fpga bridge assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the bridge if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_bridge struct and use it to take the module's refcount. Modify the function for registering a bridge to take an additional owner module parameter and rename it to avoid conflicts. Use the old function name for a helper macro that automatically sets the module that registers the bridge as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a bridge without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga bridge. Other changes: opportunistically move put_device() from __fpga_bridge_get() to fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since the bridge device is taken in these functions.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36479.html
CVE-2024-36479
https://bugzilla.suse.com/1226949
SUSE Bug 1226949

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: add missing firmware sanity checks Add the missing sanity checks when parsing the firmware files before downloading them to avoid accessing and corrupting memory beyond the vmalloced buffer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36880.html
CVE-2024-36880
https://bugzilla.suse.com/1225722
SUSE Bug 1225722

Описание

In the Linux kernel, the following vulnerability has been resolved: mm: use memalloc_nofs_save() in page_cache_ra_order() See commit f2c817bed58d ("mm: use memalloc_nofs_save in readahead path"), ensure that page_cache_ra_order() do not attempt to reclaim file-backed pages too, or it leads to a deadlock, found issue when test ext4 large folio. INFO: task DataXceiver for:7494 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:DataXceiver for state:D stack:0 pid:7494 ppid:1 flags:0x00000200 Call trace: __switch_to+0x14c/0x240 __schedule+0x82c/0xdd0 schedule+0x58/0xf0 io_schedule+0x24/0xa0 __folio_lock+0x130/0x300 migrate_pages_batch+0x378/0x918 migrate_pages+0x350/0x700 compact_zone+0x63c/0xb38 compact_zone_order+0xc0/0x118 try_to_compact_pages+0xb0/0x280 __alloc_pages_direct_compact+0x98/0x248 __alloc_pages+0x510/0x1110 alloc_pages+0x9c/0x130 folio_alloc+0x20/0x78 filemap_alloc_folio+0x8c/0x1b0 page_cache_ra_order+0x174/0x308 ondemand_readahead+0x1c8/0x2b8 page_cache_async_ra+0x68/0xb8 filemap_readahead.isra.0+0x64/0xa8 filemap_get_pages+0x3fc/0x5b0 filemap_splice_read+0xf4/0x280 ext4_file_splice_read+0x2c/0x48 [ext4] vfs_splice_read.part.0+0xa8/0x118 splice_direct_to_actor+0xbc/0x288 do_splice_direct+0x9c/0x108 do_sendfile+0x328/0x468 __arm64_sys_sendfile64+0x8c/0x148 invoke_syscall+0x4c/0x118 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x4c/0x1f8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x188/0x190

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36882.html
CVE-2024-36882
https://bugzilla.suse.com/1225723
SUSE Bug 1225723

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36885.html
CVE-2024-36885
https://bugzilla.suse.com/1225728
SUSE Bug 1225728

Описание

In the Linux kernel, the following vulnerability has been resolved: e1000e: change usleep_range to udelay in PHY mdic access This is a partial revert of commit 6dbdd4de0362 ("e1000e: Workaround for sporadic MDI error on Meteor Lake systems"). The referenced commit used usleep_range inside the PHY access routines, which are sometimes called from an atomic context. This can lead to a kernel panic in some scenarios, such as cable disconnection and reconnection on vPro systems. Solve this by changing the usleep_range calls back to udelay.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36887.html
CVE-2024-36887
https://bugzilla.suse.com/1225731
SUSE Bug 1225731

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_nxt is properly initialized on connect Christoph reported a splat hinting at a corrupted snd_una: WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Modules linked in: CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8 8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe <0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9 RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4 RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000 R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000 FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0 Call Trace: <TASK> __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline] mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline] __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615 mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767 process_one_work+0x1e0/0x560 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x3c7/0x640 kernel/workqueue.c:3416 kthread+0x121/0x170 kernel/kthread.c:388 ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 </TASK> When fallback to TCP happens early on a client socket, snd_nxt is not yet initialized and any incoming ack will copy such value into snd_una. If the mptcp worker (dumbly) tries mptcp-level re-injection after such ack, that would unconditionally trigger a send buffer cleanup using 'bad' snd_una values. We could easily disable re-injection for fallback sockets, but such dumb behavior already helped catching a few subtle issues and a very low to zero impact in practice. Instead address the issue always initializing snd_nxt (and write_seq, for consistency) at connect time.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36889.html
CVE-2024-36889
https://bugzilla.suse.com/1225746
SUSE Bug 1225746

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/slab: make __free(kfree) accept error pointers Currently, if an automatically freed allocation is an error pointer that will lead to a crash. An example of this is in wm831x_gpio_dbg_show(). 171 char *label __free(kfree) = gpiochip_dup_line_label(chip, i); 172 if (IS_ERR(label)) { 173 dev_err(wm831x->dev, "Failed to duplicate label\n"); 174 continue; 175 } The auto clean up function should check for error pointers as well, otherwise we're going to keep hitting issues like this.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36890.html
CVE-2024-36890
https://bugzilla.suse.com/1225714
SUSE Bug 1225714

Описание

In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix mas_empty_area_rev() null pointer dereference Currently the code calls mas_start() followed by mas_data_end() if the maple state is MA_START, but mas_start() may return with the maple state node == NULL. This will lead to a null pointer dereference when checking information in the NULL node, which is done in mas_data_end(). Avoid setting the offset if there is no node by waiting until after the maple state is checked for an empty or single entry state. A user could trigger the events to cause a kernel oops by unmapping all vmas to produce an empty maple tree, then mapping a vma that would cause the scenario described above.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36891.html
CVE-2024-36891
https://bugzilla.suse.com/1225710
SUSE Bug 1225710

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: Check for port partner validity before consuming it typec_register_partner() does not guarantee partner registration to always succeed. In the event of failure, port->partner is set to the error value or NULL. Given that port->partner validity is not checked, this results in the following crash: Unable to handle kernel NULL pointer dereference at virtual address xx pc : run_state_machine+0x1bc8/0x1c08 lr : run_state_machine+0x1b90/0x1c08 .. Call trace: run_state_machine+0x1bc8/0x1c08 tcpm_state_machine_work+0x94/0xe4 kthread_worker_fn+0x118/0x328 kthread+0x1d0/0x23c ret_from_fork+0x10/0x20 To prevent the crash, check for port->partner validity before derefencing it in all the call sites.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36893.html
CVE-2024-36893
https://bugzilla.suse.com/1225748
SUSE Bug 1225748

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36894.html
CVE-2024-36894
https://bugzilla.suse.com/1225749
SUSE Bug 1225749
https://bugzilla.suse.com/1226139
SUSE Bug 1226139

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: use correct buffer size when parsing configfs lists This commit fixes uvc gadget support on 32-bit platforms. Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function __uvcg_iter_item_entries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator. As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInteval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36895.html
CVE-2024-36895
https://bugzilla.suse.com/1225750
SUSE Bug 1225750

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix access violation during port device removal Testing with KASAN and syzkaller revealed a bug in port.c:disable_store(): usb_hub_to_struct_hub() can return NULL if the hub that the port belongs to is concurrently removed, but the function does not check for this possibility before dereferencing the returned value. It turns out that the first dereference is unnecessary, since hub->intfdev is the parent of the port device, so it can be changed easily. Adding a check for hub == NULL prevents further problems. The same bug exists in the disable_show() routine, and it can be fixed the same way.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36896.html
CVE-2024-36896
https://bugzilla.suse.com/1225734
SUSE Bug 1225734

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Atom Integrated System Info v2_2 for DCN35 New request from KMD/VBIOS in order to support new UMA carveout model. This fixes a null dereference from accessing Ctx->dc_bios->integrated_info while it was NULL. DAL parses through the BIOS and extracts the necessary integrated_info but was missing a case for the new BIOS version 2.3.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36897.html
CVE-2024-36897
https://bugzilla.suse.com/1225735
SUSE Bug 1225735

Описание

In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: fix uninitialised kfifo If a line is requested with debounce, and that results in debouncing in software, and the line is subsequently reconfigured to enable edge detection then the allocation of the kfifo to contain edge events is overlooked. This results in events being written to and read from an uninitialised kfifo. Read events are returned to userspace. Initialise the kfifo in the case where the software debounce is already active.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36898.html
CVE-2024-36898
https://bugzilla.suse.com/1225736
SUSE Bug 1225736

Описание

In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines. Here is the typical stack when issue happened: [free] gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule() [use] st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway. To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36899.html
CVE-2024-36899
https://bugzilla.suse.com/1225737
SUSE Bug 1225737
https://bugzilla.suse.com/1225739
SUSE Bug 1225739

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when devlink reload during initialization The devlink reload process will access the hardware resources, but the register operation is done before the hardware is initialized. So, processing the devlink reload during initialization may lead to kernel crash. This patch fixes this by registering the devlink after hardware initialization.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36900.html
CVE-2024-36900
https://bugzilla.suse.com/1225726
SUSE Bug 1225726

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36901.html
CVE-2024-36901
https://bugzilla.suse.com/1225711
SUSE Bug 1225711

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() syzbot is able to trigger the following crash [1], caused by unsafe ip6_dst_idev() use. Indeed ip6_dst_idev() can return NULL, and must always be checked. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline] RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267 Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700 RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760 RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000 R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00 FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317 fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108 ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline] ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649 ip6_route_output include/net/ip6_route.h:93 [inline] ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120 ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250 sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326 sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455 sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662 sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099 __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36902.html
CVE-2024-36902
https://bugzilla.suse.com/1225719
SUSE Bug 1225719

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix potential uninit-value access in __ip6_make_skb() As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in __ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags instead of testing HDRINCL on the socket to avoid a race condition which causes uninit-value access.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36903.html
CVE-2024-36903
https://bugzilla.suse.com/1225741
SUSE Bug 1225741

Описание

In the Linux kernel, the following vulnerability has been resolved: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's sk_refcnt after putting it into ehash and releasing the bucket lock. Thus, there is a small race window where other threads could try to reuse the port during connect() and call sock_hold() in tcp_twsk_unique() for the TIME-WAIT socket with zero refcnt. If that happens, the refcnt taken by tcp_twsk_unique() is overwritten and sock_put() will cause underflow, triggering a real use-after-free somewhere else. To avoid the use-after-free, we need to use refcount_inc_not_zero() in tcp_twsk_unique() and give up on reusing the port if it returns false. [0]: refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1 Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027 RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <TASK> ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36904.html
CVE-2024-36904
https://bugzilla.suse.com/1225732
SUSE Bug 1225732
https://bugzilla.suse.com/1225733
SUSE Bug 1225733

Описание

In the Linux kernel, the following vulnerability has been resolved: ARM: 9381/1: kasan: clear stale stack poison We found below OOB crash: [ 33.452494] ================================================================== [ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec [ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0 [ 33.455515] [ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1 [ 33.456880] Hardware name: Generic DT based system [ 33.457555] unwind_backtrace from show_stack+0x18/0x1c [ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c [ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4 [ 33.459863] print_report from kasan_report+0x9c/0x148 [ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0 [ 33.461424] kasan_check_range from memset+0x20/0x3c [ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec [ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c [ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354 [ 33.465029] do_idle from cpu_startup_entry+0x20/0x24 [ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4 [ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18 [ 33.467397] [ 33.467644] The buggy address belongs to stack of task swapper/0/0 [ 33.468493] and is located at offset 112 in frame: [ 33.469172] refresh_cpu_vm_stats.constprop.0+0x0/0x2ec [ 33.469917] [ 33.470165] This frame has 2 objects: [ 33.470696] [32, 76) 'global_zone_diff' [ 33.470729] [112, 276) 'global_node_diff' [ 33.471294] [ 33.472095] The buggy address belongs to the physical page: [ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03 [ 33.473944] flags: 0x1000(reserved|zone=0) [ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001 [ 33.475656] raw: 00000000 [ 33.476050] page dumped because: kasan: bad access detected [ 33.476816] [ 33.477061] Memory state around the buggy address: [ 33.477732] c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.478630] c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 [ 33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1 [ 33.480415] ^ [ 33.481195] c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3 [ 33.482088] c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.482978] ================================================================== We find the root cause of this OOB is that arm does not clear stale stack poison in the case of cpuidle. This patch refer to arch/arm64/kernel/sleep.S to resolve this issue. From cited commit [1] that explain the problem Functions which the compiler has instrumented for KASAN place poison on the stack shadow upon entry and remove this poison prior to returning. In the case of cpuidle, CPUs exit the kernel a number of levels deep in C code. Any instrumented functions on this critical path will leave portions of the stack shadow poisoned. If CPUs lose context and return to the kernel via a cold path, we restore a prior context saved in __cpu_suspend_enter are forgotten, and we never remove the poison they placed in the stack shadow area by functions calls between this and the actual exit of the kernel. Thus, (depending on stackframe layout) subsequent calls to instrumented functions may hit this stale poison, resulting in (spurious) KASAN splats to the console. To avoid this, clear any stale poison from the idle thread for a CPU prior to bringing a CPU online. From cited commit [2] Extend to check for CONFIG_KASAN_STACK [1] commit 0d97e6d8024c ("arm64: kasan: clear stale stack poison") [2] commit d56a9ef84bd0 ("kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK")

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36906.html
CVE-2024-36906
https://bugzilla.suse.com/1225715
SUSE Bug 1225715

Описание

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The VMBus ring buffer code could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the struct vmbus_gpadl for the ring buffers to decide whether to free the memory.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36909.html
CVE-2024-36909
https://bugzilla.suse.com/1225744
SUSE Bug 1225744

Описание

In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The VMBus device UIO driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36910.html
CVE-2024-36910
https://bugzilla.suse.com/1225717
SUSE Bug 1225717

Описание

In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The netvsc driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36911.html
CVE-2024-36911
https://bugzilla.suse.com/1225745
SUSE Bug 1225745

Описание

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. In order to make sure callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() don't return decrypted/shared pages to allocators, add a field in struct vmbus_gpadl to keep track of the decryption status of the buffers. This will allow the callers to know if they should free or leak the pages.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36912.html
CVE-2024-36912
https://bugzilla.suse.com/1225752
SUSE Bug 1225752

Описание

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36913.html
CVE-2024-36913
https://bugzilla.suse.com/1225753
SUSE Bug 1225753

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip on writeback when it's not applicable [WHY] dynamic memory safety error detector (KASAN) catches and generates error messages "BUG: KASAN: slab-out-of-bounds" as writeback connector does not support certain features which are not initialized. [HOW] Skip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36914.html
CVE-2024-36914
https://bugzilla.suse.com/1225757
SUSE Bug 1225757

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies syzbot reported unsafe calls to copy_from_sockptr() [1] Use copy_safe_from_sockptr() instead. [1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 Read of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078 CPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f7fac07fd89 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89 RDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004 RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36915.html
CVE-2024-36915
https://bugzilla.suse.com/1225758
SUSE Bug 1225758

Описание

In the Linux kernel, the following vulnerability has been resolved: blk-iocost: avoid out of bounds shift UBSAN catches undefined behavior in blk-iocost, where sometimes iocg->delay is shifted right by a number that is too large, resulting in undefined behavior on some architectures. [ 186.556576] ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long') CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1 Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020 Call Trace: <IRQ> dump_stack_lvl+0x8f/0xe0 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 iocg_kick_delay+0x30b/0x310 ioc_timer_fn+0x2fb/0x1f80 __run_timer_base+0x1b6/0x250 ... Avoid that undefined behavior by simply taking the "delay = 0" branch if the shift is too large. I am not sure what the symptoms of an undefined value delay will be, but I suspect it could be more than a little annoying to debug.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36916.html
CVE-2024-36916
https://bugzilla.suse.com/1225759
SUSE Bug 1225759

Описание

In the Linux kernel, the following vulnerability has been resolved: block: fix overflow in blk_ioctl_discard() There is no check for overflow of 'start + len' in blk_ioctl_discard(). Hung task occurs if submit an discard ioctl with the following param: start = 0x80000000000ff000, len = 0x8000000000fff000; Add the overflow validation now.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36917.html
CVE-2024-36917
https://bugzilla.suse.com/1225770
SUSE Bug 1225770

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Check bloom filter map value size This patch adds a missing check to bloom filter creating, rejecting values above KMALLOC_MAX_SIZE. This brings the bloom map in line with many other map types. The lack of this protection can cause kernel crashes for value sizes that overflow int's. Such a crash was caught by syzkaller. The next patch adds more guard-rails at a lower level.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36918.html
CVE-2024-36918
https://bugzilla.suse.com/1225766
SUSE Bug 1225766

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload The session resources are used by FW and driver when session is offloaded, once session is uploaded these resources are not used. The lock is not required as these fields won't be used any longer. The offload and upload calls are sequential, hence lock is not required. This will suppress following BUG_ON(): [ 449.843143] ------------[ cut here ]------------ [ 449.848302] kernel BUG at mm/vmalloc.c:2727! [ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1 Rebooting. [ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016 [ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc] [ 449.882910] RIP: 0010:vunmap+0x2e/0x30 [ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41 [ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206 [ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005 [ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000 [ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf [ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000 [ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0 [ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000 [ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0 [ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 449.993028] Call Trace: [ 449.995756] __iommu_dma_free+0x96/0x100 [ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc] [ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc] [ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc] [ 450.018136] fc_rport_work+0x103/0x5b0 [libfc] [ 450.023103] process_one_work+0x1e8/0x3c0 [ 450.027581] worker_thread+0x50/0x3b0 [ 450.031669] ? rescuer_thread+0x370/0x370 [ 450.036143] kthread+0x149/0x170 [ 450.039744] ? set_kthread_struct+0x40/0x40 [ 450.044411] ret_from_fork+0x22/0x30 [ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls [ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler [ 450.159753] ---[ end trace 712de2c57c64abc8 ]---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36919.html
CVE-2024-36919
https://bugzilla.suse.com/1225767
SUSE Bug 1225767

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: guard against invalid STA ID on removal Guard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would result in out-of-bounds array accesses. This prevents issues should the driver get into a bad state during error handling.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36921.html
CVE-2024-36921
https://bugzilla.suse.com/1225769
SUSE Bug 1225769
https://bugzilla.suse.com/1225850
SUSE Bug 1225850

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: read txq->read_ptr under lock If we read txq->read_ptr without lock, we can read the same value twice, then obtain the lock, and reclaim from there to two different places, but crucially reclaim the same entry twice, resulting in the WARN_ONCE() a little later. Fix that by reading txq->read_ptr under lock.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36922.html
CVE-2024-36922
https://bugzilla.suse.com/1225805
SUSE Bug 1225805

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/9p: fix uninitialized values during inode evict If an iget fails due to not being able to retrieve information from the server then the inode structure is only partially initialized. When the inode gets evicted, references to uninitialized structures (like fscache cookies) were being made. This patch checks for a bad_inode before doing anything other than clearing the inode from the cache. Since the inode is bad, it shouldn't have any state associated with it that needs to be written back (and there really isn't a way to complete those anyways).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36923.html
CVE-2024-36923
https://bugzilla.suse.com/1225815
SUSE Bug 1225815

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() lpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the hbalock. Thus, lpfc_worker_wake_up() should not be called while holding the hbalock to avoid potential deadlock.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36924.html
CVE-2024-36924
https://bugzilla.suse.com/1225820
SUSE Bug 1225820

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE At the time of LPAR boot up, partition firmware provides Open Firmware property ibm,dma-window for the PE. This property is provided on the PCI bus the PE is attached to. There are execptions where the partition firmware might not provide this property for the PE at the time of LPAR boot up. One of the scenario is where the firmware has frozen the PE due to some error condition. This PE is frozen for 24 hours or unless the whole system is reinitialized. Within this time frame, if the LPAR is booted, the frozen PE will be presented to the LPAR but ibm,dma-window property could be missing. Today, under these circumstances, the LPAR oopses with NULL pointer dereference, when configuring the PCI bus the PE is attached to. BUG: Kernel NULL pointer dereference on read at 0x000000c8 Faulting instruction address: 0xc0000000001024c0 Oops: Kernel access of bad area, sig: 7 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: Supported: Yes CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.4.0-150600.9-default #1 Hardware name: IBM,9043-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_023) hv:phyp pSeries NIP: c0000000001024c0 LR: c0000000001024b0 CTR: c000000000102450 REGS: c0000000037db5c0 TRAP: 0300 Not tainted (6.4.0-150600.9-default) MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28000822 XER: 00000000 CFAR: c00000000010254c DAR: 00000000000000c8 DSISR: 00080000 IRQMASK: 0 ... NIP [c0000000001024c0] pci_dma_bus_setup_pSeriesLP+0x70/0x2a0 LR [c0000000001024b0] pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 Call Trace: pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 (unreliable) pcibios_setup_bus_self+0x1c0/0x370 __of_scan_bus+0x2f8/0x330 pcibios_scan_phb+0x280/0x3d0 pcibios_init+0x88/0x12c do_one_initcall+0x60/0x320 kernel_init_freeable+0x344/0x3e4 kernel_init+0x34/0x1d0 ret_from_kernel_user_thread+0x14/0x1c

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36926.html
CVE-2024-36926
https://bugzilla.suse.com/1225829
SUSE Bug 1225829

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/qeth: Fix kernel panic after setting hsuid Symptom: When the hsuid attribute is set for the first time on an IQD Layer3 device while the corresponding network interface is already UP, the kernel will try to execute a napi function pointer that is NULL. Example: --------------------------------------------------------------------------- [ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP [ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de s_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod qdio ccwgroup pkey zcrypt [ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1 [ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR) [ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2) [ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3 [ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000 [ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80 [ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8 [ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68 [ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal >0000000000000002: 0000 illegal 0000000000000004: 0000 illegal 0000000000000006: 0000 illegal 0000000000000008: 0000 illegal 000000000000000a: 0000 illegal 000000000000000c: 0000 illegal 000000000000000e: 0000 illegal [ 2057.572800] Call Trace: [ 2057.572801] ([<00000000ec639700>] 0xec639700) [ 2057.572803] [<00000000913183e2>] net_rx_action+0x2ba/0x398 [ 2057.572809] [<0000000091515f76>] __do_softirq+0x11e/0x3a0 [ 2057.572813] [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58 [ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60) [ 2057.572822] [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98 [ 2057.572825] [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70 [ 2057.572827] [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv] [ 2057.572830] [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv] [ 2057.572833] [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv] [ 2057.572835] [<00000000912e7e90>] __sys_connect+0xa0/0xd8 [ 2057.572839] [<00000000912e9580>] sys_socketcall+0x228/0x348 [ 2057.572841] [<0000000091514e1a>] system_call+0x2a6/0x2c8 [ 2057.572843] Last Breaking-Event-Address: [ 2057.572844] [<0000000091317e44>] __napi_poll+0x4c/0x1d8 [ 2057.572846] [ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt ------------------------------------------------------------------------------------------- Analysis: There is one napi structure per out_q: card->qdio.out_qs[i].napi The napi.poll functions are set during qeth_open(). Since commit 1cfef80d4c2b ("s390/qeth: Don't call dev_close/dev_open (DOWN/UP)") qeth_set_offline()/qeth_set_online() no longer call dev_close()/ dev_open(). So if qeth_free_qdio_queues() cleared card->qdio.out_qs[i].napi.poll while the network interface was UP and the card was offline, they are not set again. Reproduction: chzdev -e $devno layer2=0 ip link set dev $network_interface up echo 0 > /sys/bus/ccw ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36928.html
CVE-2024-36928
https://bugzilla.suse.com/1225775
SUSE Bug 1225775

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: fix null pointer dereference within spi_sync If spi_sync() is called with the non-empty queue and the same spi_message is then reused, the complete callback for the message remains set while the context is cleared, leading to a null pointer dereference when the callback is invoked from spi_finalize_current_message(). With function inlining disabled, the call stack might look like this: _raw_spin_lock_irqsave from complete_with_flags+0x18/0x58 complete_with_flags from spi_complete+0x8/0xc spi_complete from spi_finalize_current_message+0xec/0x184 spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474 spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230 __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4 __spi_transfer_message_noqueue from __spi_sync+0x204/0x248 __spi_sync from spi_sync+0x24/0x3c spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd] mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154 _regmap_raw_read from _regmap_bus_read+0x44/0x70 _regmap_bus_read from _regmap_read+0x60/0xd8 _regmap_read from regmap_read+0x3c/0x5c regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd] mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd] mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78 irq_thread_fn from irq_thread+0x118/0x1f4 irq_thread from kthread+0xd8/0xf4 kthread from ret_from_fork+0x14/0x28 Fix this by also setting message->complete to NULL when the transfer is complete.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36930.html
CVE-2024-36930
https://bugzilla.suse.com/1225830
SUSE Bug 1225830

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/cio: Ensure the copied buf is NUL terminated Currently, we allocate a lbuf-sized kernel buffer and copy lbuf from userspace to that buffer. Later, we use scanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using scanf. Fix this issue by using memdup_user_nul instead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36931.html
CVE-2024-36931
https://bugzilla.suse.com/1225747
SUSE Bug 1225747

Описание

In the Linux kernel, the following vulnerability has been resolved: bna: ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36934.html
CVE-2024-36934
https://bugzilla.suse.com/1225760
SUSE Bug 1225760

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count bytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36935.html
CVE-2024-36935
https://bugzilla.suse.com/1225763
SUSE Bug 1225763

Описание

In the Linux kernel, the following vulnerability has been resolved: efi/unaccepted: touch soft lockup during memory accept Commit 50e782a86c98 ("efi/unaccepted: Fix soft lockups caused by parallel memory acceptance") has released the spinlock so other CPUs can do memory acceptance in parallel and not triggers softlockup on other CPUs. However the softlock up was intermittent shown up if the memory of the TD guest is large, and the timeout of softlockup is set to 1 second: RIP: 0010:_raw_spin_unlock_irqrestore Call Trace: ? __hrtimer_run_queues <IRQ> ? hrtimer_interrupt ? watchdog_timer_fn ? __sysvec_apic_timer_interrupt ? __pfx_watchdog_timer_fn ? sysvec_apic_timer_interrupt </IRQ> ? __hrtimer_run_queues <TASK> ? hrtimer_interrupt ? asm_sysvec_apic_timer_interrupt ? _raw_spin_unlock_irqrestore ? __sysvec_apic_timer_interrupt ? sysvec_apic_timer_interrupt accept_memory try_to_accept_memory do_huge_pmd_anonymous_page get_page_from_freelist __handle_mm_fault __alloc_pages __folio_alloc ? __tdx_hypercall handle_mm_fault vma_alloc_folio do_user_addr_fault do_huge_pmd_anonymous_page exc_page_fault ? __do_huge_pmd_anonymous_page asm_exc_page_fault __handle_mm_fault When the local irq is enabled at the end of accept_memory(), the softlockup detects that the watchdog on single CPU has not been fed for a while. That is to say, even other CPUs will not be blocked by spinlock, the current CPU might be stunk with local irq disabled for a while, which hurts not only nmi watchdog but also softlockup. Chao Gao pointed out that the memory accept could be time costly and there was similar report before. Thus to avoid any softlocup detection during this stage, give the softlockup a flag to skip the timeout check at the end of accept_memory(), by invoking touch_softlockup_watchdog().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36936.html
CVE-2024-36936
https://bugzilla.suse.com/1225773
SUSE Bug 1225773

Описание

In the Linux kernel, the following vulnerability has been resolved: xdp: use flags field to disambiguate broadcast redirect When redirecting a packet using XDP, the bpf_redirect_map() helper will set up the redirect destination information in struct bpf_redirect_info (using the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect() function will read this information after the XDP program returns and pass the frame on to the right redirect destination. When using the BPF_F_BROADCAST flag to do multicast redirect to a whole map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct bpf_redirect_info to point to the destination map to be broadcast. And xdp_do_redirect() reacts to the value of this map pointer to decide whether it's dealing with a broadcast or a single-value redirect. However, if the destination map is being destroyed before xdp_do_redirect() is called, the map pointer will be cleared out (by bpf_clear_redirect_map()) without waiting for any XDP programs to stop running. This causes xdp_do_redirect() to think that the redirect was to a single target, but the target pointer is also NULL (since broadcast redirects don't have a single target), so this causes a crash when a NULL pointer is passed to dev_map_enqueue(). To fix this, change xdp_do_redirect() to react directly to the presence of the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info to disambiguate between a single-target and a broadcast redirect. And only read the 'map' pointer if the broadcast flag is set, aborting if that has been cleared out in the meantime. This prevents the crash, while keeping the atomic (cmpxchg-based) clearing of the map pointer itself, and without adding any more checks in the non-broadcast fast path.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36937.html
CVE-2024-36937
https://bugzilla.suse.com/1225834
SUSE Bug 1225834

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which syzbot reported [1]. [1] BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1: sk_psock_stop_verdict net/core/skmsg.c:1257 [inline] sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843 sk_psock_put include/linux/skmsg.h:459 [inline] sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648 unix_release+0x4b/0x80 net/unix/af_unix.c:1048 __sock_release net/socket.c:659 [inline] sock_close+0x68/0x150 net/socket.c:1421 __fput+0x2c1/0x660 fs/file_table.c:422 __fput_sync+0x44/0x60 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close+0x101/0x1b0 fs/open.c:1541 __x64_sys_close+0x1f/0x30 fs/open.c:1541 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0: sk_psock_data_ready include/linux/skmsg.h:464 [inline] sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline] sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202 unix_read_skb net/unix/af_unix.c:2546 [inline] unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x140/0x180 net/socket.c:745 ____sys_sendmsg+0x312/0x410 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x1e9/0x280 net/socket.c:2667 __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 value changed: 0xffffffff83d7feb0 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer similarly due to no protection of saved_data_ready. Here is another different caller causing the same issue because of the same reason. So we should protect it with sk_callback_lock read lock because the writer side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);". To avoid errors that could happen in future, I move those two pairs of lock into the sk_psock_data_ready(), which is suggested by John Fastabend.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36938.html
CVE-2024-36938
https://bugzilla.suse.com/1225761
SUSE Bug 1225761

Описание

In the Linux kernel, the following vulnerability has been resolved: pinctrl: core: delete incorrect free in pinctrl_enable() The "pctldev" struct is allocated in devm_pinctrl_register_and_init(). It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(), so freeing it in pinctrl_enable() will lead to a double free. The devm_pinctrl_dev_release() function frees the pindescs and destroys the mutex as well.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36940.html
CVE-2024-36940
https://bugzilla.suse.com/1225840
SUSE Bug 1225840
https://bugzilla.suse.com/1225841
SUSE Bug 1225841

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36942.html
CVE-2024-36942
https://bugzilla.suse.com/1225843
SUSE Bug 1225843

Описание

In the Linux kernel, the following vulnerability has been resolved: Reapply "drm/qxl: simplify qxl_fence_wait" This reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea. Stephen Rostedt reports: "I went to run my tests on my VMs and the tests hung on boot up. Unfortunately, the most I ever got out was: [ 93.607888] Testing event system initcall: OK [ 93.667730] Running tests on all trace events: [ 93.669757] Testing all events: OK [ 95.631064] ------------[ cut here ]------------ Timed out after 60 seconds" and further debugging points to a possible circular locking dependency between the console_owner locking and the worker pool locking. Reverting the commit allows Steve's VM to boot to completion again. [ This may obviously result in the "[TTM] Buffer eviction failed" messages again, which was the reason for that original revert. But at this point this seems preferable to a non-booting system... ]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36944.html
CVE-2024-36944
https://bugzilla.suse.com/1225847
SUSE Bug 1225847

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix neighbour and rtable leak in smc_ib_find_route() In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable resolved by ip_route_output_flow() are not released or put before return. It may cause the refcount leak, so fix it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36945.html
CVE-2024-36945
https://bugzilla.suse.com/1225823
SUSE Bug 1225823

Описание

In the Linux kernel, the following vulnerability has been resolved: phonet: fix rtm_phonet_notify() skb allocation fill_route() stores three components in the skb: - struct rtmsg - RTA_DST (u8) - RTA_OIF (u32) Therefore, rtm_phonet_notify() should use NLMSG_ALIGN(sizeof(struct rtmsg)) + nla_total_size(1) + nla_total_size(4)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36946.html
CVE-2024-36946
https://bugzilla.suse.com/1225851
SUSE Bug 1225851

Описание

In the Linux kernel, the following vulnerability has been resolved: qibfs: fix dentry leak simple_recursive_removal() drops the pinning references to all positives in subtree. For the cases when its argument has been kept alive by the pinning alone that's exactly the right thing to do, but here the argument comes from dcache lookup, that needs to be balanced by explicit dput(). Fucked-up-by: Al Viro <viro@zeniv.linux.org.uk>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36947.html
CVE-2024-36947
https://bugzilla.suse.com/1225856
SUSE Bug 1225856

Описание

In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: sync all devices to wait all processes being evicted If there are more than one device doing reset in parallel, the first device will call kfd_suspend_all_processes() to evict all processes on all devices, this call takes time to finish. other device will start reset and recover without waiting. if the process has not been evicted before doing recover, it will be restored, then caused page fault.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36949.html
CVE-2024-36949
https://bugzilla.suse.com/1225894
SUSE Bug 1225894

Описание

In the Linux kernel, the following vulnerability has been resolved: firewire: ohci: mask bus reset interrupts between ISR and bottom half In the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred, mask bus reset interrupts until bus_reset_work has serviced and cleared the interrupt. Normally, we always leave bus reset interrupts masked. We infer the bus reset from the self-ID interrupt that happens shortly thereafter. A scenario where we unmask bus reset interrupts was introduced in 2008 in a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we will unmask bus reset interrupts so we can log them. irq_handler logs the bus reset interrupt. However, we can't clear the bus reset event flag in irq_handler, because we won't service the event until later. irq_handler exits with the event flag still set. If the corresponding interrupt is still unmasked, the first bus reset will usually freeze the system due to irq_handler being called again each time it exits. This freeze can be reproduced by loading firewire_ohci with "modprobe firewire_ohci debug=-1" (to enable all debugging output). Apparently there are also some cases where bus_reset_work will get called soon enough to clear the event, and operation will continue normally. This freeze was first reported a few months after a007bb85 was committed, but until now it was never fixed. The debug level could safely be set to -1 through sysfs after the module was loaded, but this would be ineffectual in logging bus reset interrupts since they were only unmasked during initialization. irq_handler will now leave the event flag set but mask bus reset interrupts, so irq_handler won't be called again and there will be no freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will unmask the interrupt after servicing the event, so future interrupts will be caught as desired. As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be enabled through sysfs in addition to during initial module loading. However, when enabled through sysfs, logging of bus reset interrupts will be effective only starting with the second bus reset, after bus_reset_work has executed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36950.html
CVE-2024-36950
https://bugzilla.suse.com/1225895
SUSE Bug 1225895

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: range check cp bad op exception interrupts Due to a CP interrupt bug, bad packet garbage exception codes are raised. Do a range check so that the debugger and runtime do not receive garbage codes. Update the user api to guard exception code type checking as well.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36951.html
CVE-2024-36951
https://bugzilla.suse.com/1225896
SUSE Bug 1225896

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Move NPIV's transport unregistration to after resource clean up There are cases after NPIV deletion where the fabric switch still believes the NPIV is logged into the fabric. This occurs when a vport is unregistered before the Remove All DA_ID CT and LOGO ELS are sent to the fabric. Currently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including the fabric D_ID, removes the last ndlp reference and frees the ndlp rport object. This sometimes causes the race condition where the final DA_ID and LOGO are skipped from being sent to the fabric switch. Fix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID and LOGO are sent.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36952.html
CVE-2024-36952
https://bugzilla.suse.com/1225898
SUSE Bug 1225898

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node() The documentation for device_get_named_child_node() mentions this important point: " The caller is responsible for calling fwnode_handle_put() on the returned fwnode pointer. " Add fwnode_handle_put() to avoid a leaked reference.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36955.html
CVE-2024-36955
https://bugzilla.suse.com/1225810
SUSE Bug 1225810

Описание

In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: avoid off-by-one read from userspace We try to access count + 1 byte from userspace with memdup_user(buffer, count + 1). However, the userspace only provides buffer of count bytes and only these count bytes are verified to be okay to access. To ensure the copied buffer is NUL terminated, we use memdup_user_nul instead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36957.html
CVE-2024-36957
https://bugzilla.suse.com/1225762
SUSE Bug 1225762

Описание

In the Linux kernel, the following vulnerability has been resolved: pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() If we fail to allocate propname buffer, we need to drop the reference count we just took. Because the pinctrl_dt_free_maps() includes the droping operation, here we call it directly.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36959.html
CVE-2024-36959
https://bugzilla.suse.com/1225839
SUSE Bug 1225839

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix invalid reads in fence signaled events Correctly set the length of the drm_event to the size of the structure that's actually used. The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resuling in oob reads.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36960.html
CVE-2024-36960
https://bugzilla.suse.com/1225872
SUSE Bug 1225872

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs Currently the driver uses local_bh_disable()/local_bh_enable() in its IRQ handler to avoid triggering net_rx_action() softirq on exit from netif_rx(). The net_rx_action() could trigger this driver .start_xmit callback, which is protected by the same lock as the IRQ handler, so calling the .start_xmit from netif_rx() from the IRQ handler critical section protected by the lock could lead to an attempt to claim the already claimed lock, and a hang. The local_bh_disable()/local_bh_enable() approach works only in case the IRQ handler is protected by a spinlock, but does not work if the IRQ handler is protected by mutex, i.e. this works for KS8851 with Parallel bus interface, but not for KS8851 with SPI bus interface. Remove the BH manipulation and instead of calling netif_rx() inside the IRQ handler code protected by the lock, queue all the received SKBs in the IRQ handler into a queue first, and once the IRQ handler exits the critical section protected by the lock, dequeue all the queued SKBs and push them all into netif_rx(). At this point, it is safe to trigger the net_rx_action() softirq, since the netif_rx() call is outside of the lock that protects the IRQ handler.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36962.html
CVE-2024-36962
https://bugzilla.suse.com/1225827
SUSE Bug 1225827

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36964.html
CVE-2024-36964
https://bugzilla.suse.com/1225866
SUSE Bug 1225866
https://bugzilla.suse.com/1226325
SUSE Bug 1226325

Описание

In the Linux kernel, the following vulnerability has been resolved: remoteproc: mediatek: Make sure IPI buffer fits in L2TCM The IPI buffer location is read from the firmware that we load to the System Companion Processor, and it's not granted that both the SRAM (L2TCM) size that is defined in the devicetree node is large enough for that, and while this is especially true for multi-core SCP, it's still useful to check on single-core variants as well. Failing to perform this check may make this driver perform R/W operations out of the L2TCM boundary, resulting (at best) in a kernel panic. To fix that, check that the IPI buffer fits, otherwise return a failure and refuse to boot the relevant SCP core (or the SCP at all, if this is single core).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36965.html
CVE-2024-36965
https://bugzilla.suse.com/1226149
SUSE Bug 1226149

Описание

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak in tpm2_key_encode() 'scratch' is never freed. Fix this by calling kfree() in the success, and in the error case.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36967.html
CVE-2024-36967
https://bugzilla.suse.com/1226131
SUSE Bug 1226131

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix division by zero in setup_dsc_config When slice_height is 0, the division by slice_height in the calculation of the number of slices will cause a division by zero driver crash. This leaves the kernel in a state that requires a reboot. This patch adds a check to avoid the division by zero. The stack trace below is for the 6.8.4 Kernel. I reproduced the issue on a Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor connected via Thunderbolt. The amdgpu driver crashed with this exception when I rebooted the system with the monitor connected. kernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) kernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2)) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu After applying this patch, the driver no longer crashes when the monitor is connected and the system is rebooted. I believe this is the same issue reported for 3113.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36969.html
CVE-2024-36969
https://bugzilla.suse.com/1226155
SUSE Bug 1226155

Описание

In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36971.html
CVE-2024-36971
https://bugzilla.suse.com/1226145
SUSE Bug 1226145
https://bugzilla.suse.com/1226324
SUSE Bug 1226324

Описание

In the Linux kernel, the following vulnerability has been resolved: af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock. Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob(). __unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set NULL to it locklessly. However, the peer socket still can send MSG_OOB message and queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading NULL pointer dereference. [0] To fix the issue, let's update unix_sk(sk)->oob_skb under the sk_receive_queue's lock and take it everywhere we touch oob_skb. Note that we defer kfree_skb() in manage_oob() to silence lockdep false-positive (See [1]). [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events delayed_fput RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847) Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002 RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9 RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00 RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001 R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00 R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80 FS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> unix_release_sock (net/unix/af_unix.c:654) unix_release (net/unix/af_unix.c:1050) __sock_release (net/socket.c:660) sock_close (net/socket.c:1423) __fput (fs/file_table.c:423) delayed_fput (fs/file_table.c:444 (discriminator 3)) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416) kthread (kernel/kthread.c:388) ret_from_fork (arch/x86/kernel/process.c:153) ret_from_fork_asm (arch/x86/entry/entry_64.S:257) </TASK> Modules linked in: CR2: 0000000000000008

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36972.html
CVE-2024-36972
https://bugzilla.suse.com/1226163
SUSE Bug 1226163

Описание

In the Linux kernel, the following vulnerability has been resolved: misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe() When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), callback function gp_auxiliary_device_release() calls ida_free() and kfree(aux_device_wrapper) to free memory. We should't call them again in the error handling path. Fix this by skipping the redundant cleanup functions.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36973.html
CVE-2024-36973
https://bugzilla.suse.com/1226457
SUSE Bug 1226457

Описание

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Do not use WARN when encode fails When asn1_encode_sequence() fails, WARN is not the correct solution. 1. asn1_encode_sequence() is not an internal function (located in lib/asn1_encode.c). 2. Location is known, which makes the stack trace useless. 3. Results a crash if panic_on_warn is set. It is also noteworthy that the use of WARN is undocumented, and it should be avoided unless there is a carefully considered rationale to use it. Replace WARN with pr_err, and print the return value instead, which is only useful piece of information.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36975.html
CVE-2024-36975
https://bugzilla.suse.com/1226520
SUSE Bug 1226520

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Wait unconditionally after issuing EndXfer command Currently all controller IP/revisions except DWC3_usb3 >= 310a wait 1ms unconditionally for ENDXFER completion when IOC is not set. This is because DWC_usb3 controller revisions >= 3.10a supports GUCTL2[14: Rst_actbitlater] bit which allows polling CMDACT bit to know whether ENDXFER command is completed. Consider a case where an IN request was queued, and parallelly soft_disconnect was called (due to ffs_epfile_release). This eventually calls stop_active_transfer with IOC cleared, hence send_gadget_ep_cmd() skips waiting for CMDACT cleared during EndXfer. For DWC3 controllers with revisions >= 310a, we don't forcefully wait for 1ms either, and we proceed by unmapping the requests. If ENDXFER didn't complete by this time, it leads to SMMU faults since the controller would still be accessing those requests. Fix this by ensuring ENDXFER completion by adding 1ms delay in __dwc3_stop_active_transfer() unconditionally.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36977.html
CVE-2024-36977
https://bugzilla.suse.com/1226513
SUSE Bug 1226513

Описание

In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36978.html
CVE-2024-36978
https://bugzilla.suse.com/1226514
SUSE Bug 1226514

Описание

In the Linux kernel, the following vulnerability has been resolved: fpga: manager: add owner module and take its refcount The current implementation of the fpga manager assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the manager if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_manager struct and use it to take the module's refcount. Modify the functions for registering the manager to take an additional owner module parameter and rename them to avoid conflicts. Use the old function names for helper macros that automatically set the module that registers the manager as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a manager without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga manager. Other changes: opportunistically move put_device() from __fpga_mgr_get() to fpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the manager device is taken in these functions.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-37021.html
CVE-2024-37021
https://bugzilla.suse.com/1226950
SUSE Bug 1226950

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential kernel bug due to lack of writeback flag waiting Destructive writes to a block device on which nilfs2 is mounted can cause a kernel bug in the folio/page writeback start routine or writeback end routine (__folio_start_writeback in the log below): kernel BUG at mm/page-writeback.c:3070! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI ... RIP: 0010:__folio_start_writeback+0xbaa/0x10e0 Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f> 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00 ... Call Trace: <TASK> nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2] nilfs_segctor_construct+0x181/0x6b0 [nilfs2] nilfs_segctor_thread+0x548/0x11c0 [nilfs2] kthread+0x2f0/0x390 ret_from_fork+0x4b/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> This is because when the log writer starts a writeback for segment summary blocks or a super root block that use the backing device's page cache, it does not wait for the ongoing folio/page writeback, resulting in an inconsistent writeback state. Fix this issue by waiting for ongoing writebacks when putting folios/pages on the backing device into writeback state.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-37078.html
CVE-2024-37078
https://bugzilla.suse.com/1227066
SUSE Bug 1227066

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-37353.html
CVE-2024-37353
https://bugzilla.suse.com/1226875
SUSE Bug 1226875

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix crash on racing fsync and size-extending write into prealloc We have been seeing crashes on duplicate keys in btrfs_set_item_key_safe(): BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192) ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:2620! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs] With the following stack trace: #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4) #1 btrfs_drop_extents (fs/btrfs/file.c:411:4) #2 log_one_extent (fs/btrfs/tree-log.c:4732:9) #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9) #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9) #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8) #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8) #7 btrfs_sync_file (fs/btrfs/file.c:1933:8) #8 vfs_fsync_range (fs/sync.c:188:9) #9 vfs_fsync (fs/sync.c:202:9) #10 do_fsync (fs/sync.c:212:9) #11 __do_sys_fdatasync (fs/sync.c:225:9) #12 __se_sys_fdatasync (fs/sync.c:223:1) #13 __x64_sys_fdatasync (fs/sync.c:223:1) #14 do_syscall_x64 (arch/x86/entry/common.c:52:14) #15 do_syscall_64 (arch/x86/entry/common.c:83:7) #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121) So we're logging a changed extent from fsync, which is splitting an extent in the log tree. But this split part already exists in the tree, triggering the BUG(). This is the state of the log tree at the time of the crash, dumped with drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py) to get more details than btrfs_print_leaf() gives us: >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"]) leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610 leaf 33439744 flags 0x100000000000000 fs uuid e5bd3946-400c-4223-8923-190ef1f18677 chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 7 transid 9 size 8192 nbytes 8473563889606862198 block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 sequence 204 flags 0x10(PREALLOC) atime 1716417703.220000000 (2024-05-22 15:41:43) ctime 1716417704.983333333 (2024-05-22 15:41:44) mtime 1716417704.983333333 (2024-05-22 15:41:44) otime 17592186044416.000000000 (559444-03-08 01:40:16) item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13 index 195 namelen 3 name: 193 item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37 location key (0 UNKNOWN.0 0) type XATTR transid 7 data_len 1 name_len 6 name: user.a data a item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53 generation 9 type 1 (regular) extent data disk byte 303144960 nr 12288 extent data offset 0 nr 4096 ram 12288 extent compression 0 (none) item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 4096 nr 8192 item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 8192 nr 4096 ... So the real problem happened earlier: notice that items 4 (4k-12k) and 5 (8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and item 5 starts at i_size. Here is the state of ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-37354.html
CVE-2024-37354
https://bugzilla.suse.com/1227101
SUSE Bug 1227101

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_rx_work syzbot reported the following uninit-value access issue [1] nci_rx_work() parses received packet from ndev->rx_q. It should be validated header size, payload size and total packet size before processing the packet. If an invalid packet is detected, it should be silently discarded.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38381.html
CVE-2024-38381
https://bugzilla.suse.com/1226878
SUSE Bug 1226878

Описание

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix list corruption from reorder of WRITE ->lqueued __blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start is being executed. If WRITE of `->lqueued` is re-ordered with READ of 'bisc->lnode.next' in the loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one stat instance being added in blk_cgroup_bio_start(), then the local list in __blkcg_rstat_flush() could be corrupted. Fix the issue by adding one barrier.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38384.html
CVE-2024-38384
https://bugzilla.suse.com/1226938
SUSE Bug 1226938

Описание

In the Linux kernel, the following vulnerability has been resolved: genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() irq_find_at_or_after() dereferences the interrupt descriptor which is returned by mt_find() while neither holding sparse_irq_lock nor RCU read lock, which means the descriptor can be freed between mt_find() and the dereference: CPU0 CPU1 desc = mt_find() delayed_free_desc(desc) irq_desc_get_irq(desc) The use-after-free is reported by KASAN: Call trace: irq_get_next_irq+0x58/0x84 show_stat+0x638/0x824 seq_read_iter+0x158/0x4ec proc_reg_read_iter+0x94/0x12c vfs_read+0x1e0/0x2c8 Freed by task 4471: slab_free_freelist_hook+0x174/0x1e0 __kmem_cache_free+0xa4/0x1dc kfree+0x64/0x128 irq_kobj_release+0x28/0x3c kobject_put+0xcc/0x1e0 delayed_free_desc+0x14/0x2c rcu_do_batch+0x214/0x720 Guard the access with a RCU read lock section.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38385.html
CVE-2024-38385
https://bugzilla.suse.com/1227085
SUSE Bug 1227085

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup Use the control private_free callback to free the associated data block. This ensures that the memory won't leak, whatever way the control gets destroyed. The original implementation didn't actually remove the ALSA controls in hda_cs_dsp_control_remove(). It only freed the internal tracking structure. This meant it was possible to remove/unload the amp driver while leaving its ALSA controls still present in the soundcard. Obviously attempting to access them could cause segfaults or at least dereferencing stale pointers.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38388.html
CVE-2024-38388
https://bugzilla.suse.com/1226890
SUSE Bug 1226890

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails Calling a6xx_destroy() before adreno_gpu_init() leads to a null pointer dereference on: msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL); as gpu->pdev is only assigned in: a6xx_gpu_init() |_ adreno_gpu_init |_ msm_gpu_init() Instead of relying on handwavy null checks down the cleanup chain, explicitly de-allocate the LLC data and free a6xx_gpu instead. Patchwork: https://patchwork.freedesktop.org/patch/588919/

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38390.html
CVE-2024-38390
https://bugzilla.suse.com/1226891
SUSE Bug 1226891

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38391.html
CVE-2024-38391
https://bugzilla.suse.com/1226894
SUSE Bug 1226894

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw When running blktests nvme/rdma, the following kmemleak issue will appear. kmemleak: Kernel memory leak detector initialized (mempool available:36041) kmemleak: Automatic memory scanning thread started kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak) unreferenced object 0xffff88855da53400 (size 192): comm "rdma", pid 10630, jiffies 4296575922 hex dump (first 32 bytes): 37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00 7............... 10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff .4.].....4.].... backtrace (crc 47f66721): [<ffffffff911251bd>] kmalloc_trace+0x30d/0x3b0 [<ffffffffc2640ff7>] alloc_gid_entry+0x47/0x380 [ib_core] [<ffffffffc2642206>] add_modify_gid+0x166/0x930 [ib_core] [<ffffffffc2643468>] ib_cache_update.part.0+0x6d8/0x910 [ib_core] [<ffffffffc2644e1a>] ib_cache_setup_one+0x24a/0x350 [ib_core] [<ffffffffc263949e>] ib_register_device+0x9e/0x3a0 [ib_core] [<ffffffffc2a3d389>] 0xffffffffc2a3d389 [<ffffffffc2688cd8>] nldev_newlink+0x2b8/0x520 [ib_core] [<ffffffffc2645fe3>] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core] [<ffffffffc264648c>] rdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core] [<ffffffff9270e7b5>] netlink_unicast+0x445/0x710 [<ffffffff9270f1f1>] netlink_sendmsg+0x761/0xc40 [<ffffffff9249db29>] __sys_sendto+0x3a9/0x420 [<ffffffff9249dc8c>] __x64_sys_sendto+0xdc/0x1b0 [<ffffffff92db0ad3>] do_syscall_64+0x93/0x180 [<ffffffff92e00126>] entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause: rdma_put_gid_attr is not called when sgid_attr is set to ERR_PTR(-ENODEV).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38539.html
CVE-2024-38539
https://bugzilla.suse.com/1226608
SUSE Bug 1226608

Описание

In the Linux kernel, the following vulnerability has been resolved: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0. Fix it in the one caller that had this combination. The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec __roundup_pow_of_two+0x25/0x35 [bnxt_re] bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re] bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re] ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kmalloc+0x1b6/0x4f0 ? create_qp.part.0+0x128/0x1c0 [ib_core] ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] create_qp.part.0+0x128/0x1c0 [ib_core] ib_create_qp_kernel+0x50/0xd0 [ib_core] create_mad_qp+0x8e/0xe0 [ib_core] ? __pfx_qp_event_handler+0x10/0x10 [ib_core] ib_mad_init_device+0x2be/0x680 [ib_core] add_client_context+0x10d/0x1a0 [ib_core] enable_device_and_get+0xe0/0x1d0 [ib_core] ib_register_device+0x53c/0x630 [ib_core] ? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50 [bnxt_re] ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] auxiliary_bus_probe+0x49/0x80 ? driver_sysfs_add+0x57/0xc0 really_probe+0xde/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220 driver_register+0x72/0xd0 __auxiliary_driver_register+0x6e/0xd0 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250 init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0 __x64_sys_finit_module+0x5e/0xb0 do_syscall_64+0x82/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode_prepare+0x149/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x75/0x230 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x8e/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? __count_memcg_events+0x69/0x100 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events.constprop.0+0x1a/0x30 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1f0/0x300 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x34e/0x640 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 </TASK> ---[ end trace ]---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38540.html
CVE-2024-38540
https://bugzilla.suse.com/1226582
SUSE Bug 1226582

Описание

In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38541.html
CVE-2024-38541
https://bugzilla.suse.com/1226587
SUSE Bug 1226587
https://bugzilla.suse.com/1227496
SUSE Bug 1227496

Описание

In the Linux kernel, the following vulnerability has been resolved: lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure The kcalloc() in dmirror_device_evict_chunk() will return null if the physical memory has run out. As a result, if src_pfns or dst_pfns is dereferenced, the null pointer dereference bug will happen. Moreover, the device is going away. If the kcalloc() fails, the pages mapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in kcalloc(). Finally, as there is no need to have physically contiguous memory, Switch kcalloc() to kvcalloc() in order to avoid failing allocations.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38543.html
CVE-2024-38543
https://bugzilla.suse.com/1226594
SUSE Bug 1226594

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the resp_pkts queue and then a decision is made whether to run the completer task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' performance counter. This is wrong because if the completer task is already running in a separate thread it may have already processed the skb and freed it which can cause a seg fault. This has been observed infrequently in testing at high scale. This patch fixes this by changing the order of enqueuing the packet until after the counter is accessed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38544.html
CVE-2024-38544
https://bugzilla.suse.com/1226597
SUSE Bug 1226597

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: vc4: Fix possible null pointer dereference In vc4_hdmi_audio_init() of_get_address() may return NULL which is later dereferenced. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38546.html
CVE-2024-38546
https://bugzilla.suse.com/1226593
SUSE Bug 1226593

Описание

In the Linux kernel, the following vulnerability has been resolved: media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries The allocation failure of mycs->yuv_scaler_binary in load_video_binaries() is followed with a dereference of mycs->yuv_scaler_binary after the following call chain: sh_css_pipe_load_binaries() |-> load_video_binaries(mycs->yuv_scaler_binary == NULL) | |-> sh_css_pipe_unload_binaries() |-> unload_video_binaries() In unload_video_binaries(), it calls to ia_css_binary_unload with argument &pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer dereference is triggered.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38547.html
CVE-2024-38547
https://bugzilla.suse.com/1226632
SUSE Bug 1226632

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is assigned to mhdp_state->current_mode, and there is a dereference of it in drm_mode_set_name(), which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Fix this bug add a check of mhdp_state->current_mode.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38548.html
CVE-2024-38548
https://bugzilla.suse.com/1228202
SUSE Bug 1228202

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Add 0 size check to mtk_drm_gem_obj Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object of 0 bytes. Currently, no such check exists and the kernel will panic if a userspace application attempts to allocate a 0x0 GBM buffer. Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and verifying that we now return EINVAL.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38549.html
CVE-2024-38549
https://bugzilla.suse.com/1226735
SUSE Bug 1226735

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: kirkwood: Fix potential NULL dereference In kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if CONFIG_PLAT_ORION macro is not defined. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38550.html
CVE-2024-38550
https://bugzilla.suse.com/1226633
SUSE Bug 1226633

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: Assign dummy when codec not specified for a DAI link MediaTek sound card drivers are checking whether a DAI link is present and used on a board to assign the correct parameters and this is done by checking the codec DAI names at probe time. If no real codec is present, assign the dummy codec to the DAI link to avoid NULL pointer during string comparison.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38551.html
CVE-2024-38551
https://bugzilla.suse.com/1226761
SUSE Bug 1226761

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix potential index out of bounds in color transformation function Fixes index out of bounds issue in the color transformation function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, an error message is logged and the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38552.html
CVE-2024-38552
https://bugzilla.suse.com/1226767
SUSE Bug 1226767

Описание

In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid deadlocks"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38553.html
CVE-2024-38553
https://bugzilla.suse.com/1226744
SUSE Bug 1226744

Описание

In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issue of net_device There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38554.html
CVE-2024-38554
https://bugzilla.suse.com/1226742
SUSE Bug 1226742

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Discard command completions in internal error Fix use after free when FW completion arrives while device is in internal error state. Avoid calling completion handler in this case, since the device will flush the command interface and trigger all completions manually. Kernel log: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. ... RIP: 0010:refcount_warn_saturate+0xd8/0xe0 ... Call Trace: <IRQ> ? __warn+0x79/0x120 ? refcount_warn_saturate+0xd8/0xe0 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xd8/0xe0 cmd_ent_put+0x13b/0x160 [mlx5_core] mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core] cmd_comp_notifier+0x1f/0x30 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 mlx5_eq_async_int+0xf6/0x290 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x4b/0x160 handle_irq_event+0x2e/0x80 handle_edge_irq+0x98/0x230 __common_interrupt+0x3b/0xa0 common_interrupt+0x7b/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38555.html
CVE-2024-38555
https://bugzilla.suse.com/1226607
SUSE Bug 1226607

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Add a timeout to acquire the command queue semaphore Prevent forced completion handling on an entry that has not yet been assigned an index, causing an out of bounds access on idx = -22. Instead of waiting indefinitely for the sem, blocking flow now waits for index to be allocated or a sem acquisition timeout before beginning the timer for FW completion. Kernel log example: mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38556.html
CVE-2024-38556
https://bugzilla.suse.com/1226774
SUSE Bug 1226774

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Reload only IB representors upon lag disable/enable On lag disable, the bond IB device along with all of its representors are destroyed, and then the slaves' representors get reloaded. In case the slave IB representor load fails, the eswitch error flow unloads all representors, including ethernet representors, where the netdevs get detached and removed from lag bond. Such flow is inaccurate as the lag driver is not responsible for loading/unloading ethernet representors. Furthermore, the flow described above begins by holding lag lock to prevent bond changes during disable flow. However, when reaching the ethernet representors detachment from lag, the lag lock is required again, triggering the following deadlock: Call trace: __switch_to+0xf4/0x148 __schedule+0x2c8/0x7d0 schedule+0x50/0xe0 schedule_preempt_disabled+0x18/0x28 __mutex_lock.isra.13+0x2b8/0x570 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x4c/0x68 mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core] mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core] mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core] mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core] mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core] mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core] mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core] mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core] mlx5_disable_lag+0x130/0x138 [mlx5_core] mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core] devlink_nl_cmd_eswitch_set_doit+0xdc/0x180 genl_family_rcv_msg_doit.isra.17+0xe8/0x138 genl_rcv_msg+0xe4/0x220 netlink_rcv_skb+0x44/0x108 genl_rcv+0x40/0x58 netlink_unicast+0x198/0x268 netlink_sendmsg+0x1d4/0x418 sock_sendmsg+0x54/0x60 __sys_sendto+0xf4/0x120 __arm64_sys_sendto+0x30/0x40 el0_svc_common+0x8c/0x120 do_el0_svc+0x30/0xa0 el0_svc+0x20/0x30 el0_sync_handler+0x90/0xb8 el0_sync+0x160/0x180 Thus, upon lag enable/disable, load and unload only the IB representors of the slaves preventing the deadlock mentioned above. While at it, refactor the mlx5_esw_offloads_rep_load() function to have a static helper method for its internal logic, in symmetry with the representor unload design.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38557.html
CVE-2024-38557
https://bugzilla.suse.com/1226781
SUSE Bug 1226781

Описание

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix overwriting ct original tuple for ICMPv6 OVS_PACKET_CMD_EXECUTE has 3 main attributes: - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. - OVS_PACKET_ATTR_PACKET - Binary packet content. - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet. OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure with the metadata like conntrack state, input port, recirculation id, etc. Then the packet itself gets parsed to populate the rest of the keys from the packet headers. Whenever the packet parsing code starts parsing the ICMPv6 header, it first zeroes out fields in the key corresponding to Neighbor Discovery information even if it is not an ND packet. It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares the space between 'nd' and 'ct_orig' that holds the original tuple conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. ND packets should not normally have conntrack state, so it's fine to share the space, but normal ICMPv6 Echo packets or maybe other types of ICMPv6 can have the state attached and it should not be overwritten. The issue results in all but the last 4 bytes of the destination address being wiped from the original conntrack tuple leading to incorrect packet matching and potentially executing wrong actions in case this packet recirculates within the datapath or goes back to userspace. ND fields should not be accessed in non-ND packets, so not clearing them should be fine. Executing memset() only for actual ND packets to avoid the issue. Initializing the whole thing before parsing is needed because ND packet may not contain all the options. The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't affect packets entering OVS datapath from network interfaces, because in this case CT metadata is populated from skb after the packet is already parsed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38558.html
CVE-2024-38558
https://bugzilla.suse.com/1226783
SUSE Bug 1226783

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: Avoid address calculations via out of bounds array indexing Before request->channels[] can be used, request->n_channels must be set. Additionally, address calculations for memory after the "channels" array need to be calculated from the allocation base ("request") rather than via the first "out of bounds" index of "channels", otherwise run-time bounds checking will throw a warning.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38562.html
CVE-2024-38562
https://bugzilla.suse.com/1226788
SUSE Bug 1226788

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE bpf_prog_attach uses attach_type_to_prog_type to enforce proper attach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses bpf_prog_get and relies on bpf_prog_attach_check_attach_type to properly verify prog_type <> attach_type association. Add missing attach_type enforcement for the link_create case. Otherwise, it's currently possible to attach cgroup_skb prog types to other cgroup hooks.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38564.html
CVE-2024-38564
https://bugzilla.suse.com/1226789
SUSE Bug 1226789
https://bugzilla.suse.com/1228730
SUSE Bug 1228730

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: enable proper endpoint verification Syzkaller reports [1] hitting a warning about an endpoint in use not having an expected type to it. Fix the issue by checking for the existence of all proper endpoints with their according types intact. Sadly, this patch has not been tested on real hardware. [1] Syzkaller report: ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275 ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline] ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline] ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655 usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 device_add+0xbd9/0x1e90 drivers/base/core.c:3517 usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 device_add+0xbd9/0x1e90 drivers/base/core.c:3517 usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573 hub_port_connect drivers/usb/core/hub.c:5353 [inline] hub_port_connect_change drivers/usb/core/hub.c:5497 [inline] port_event drivers/usb/core/hub.c:5653 [inline] hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38565.html
CVE-2024-38565
https://bugzilla.suse.com/1226747
SUSE Bug 1226747

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix verifier assumptions about socket->sk The verifier assumes that 'sk' field in 'struct socket' is valid and non-NULL when 'socket' pointer itself is trusted and non-NULL. That may not be the case when socket was just created and passed to LSM socket_accept hook. Fix this verifier assumption and adjust tests.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38566.html
CVE-2024-38566
https://bugzilla.suse.com/1226790
SUSE Bug 1226790

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: add a proper sanity check for endpoints Syzkaller reports [1] hitting a warning which is caused by presence of a wrong endpoint type at the URB sumbitting stage. While there was a check for a specific 4th endpoint, since it can switch types between bulk and interrupt, other endpoints are trusted implicitly. Similar warning is triggered in a couple of other syzbot issues [2]. Fix the issue by doing a comprehensive check of all endpoints taking into account difference between high- and full-speed configuration. [1] Syzkaller report: ... WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> [2] Related syzkaller crashes:

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38567.html
CVE-2024-38567
https://bugzilla.suse.com/1226769
SUSE Bug 1226769

Описание

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through following cmd [1], but the driver does not check whether the array index is out of bounds when writing data to the event_group array. If the number of events in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the memory write overflow of event_group array occurs. Add array index check to fix the possible array out of bounds violation, and return directly when write new events are written to array bounds. There are 9 different events in an event_group. [1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38568.html
CVE-2024-38568
https://bugzilla.suse.com/1226771
SUSE Bug 1226771

Описание

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through following cmd [1], but the driver does not check whether the array index is out of bounds when writing data to the event_group array. If the number of events in an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write overflow of event_group array occurs. Add array index check to fix the possible array out of bounds violation, and return directly when write new events are written to array bounds. There are 9 different events in an event_group. [1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38569.html
CVE-2024-38569
https://bugzilla.suse.com/1226772
SUSE Bug 1226772

Описание

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38570.html
CVE-2024-38570
https://bugzilla.suse.com/1226775
SUSE Bug 1226775

Описание

In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/tsens: Fix null pointer dereference compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c) as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null pointer dereference (if DEBUG or DYNAMIC_DEBUG set). Fix this bug by adding null pointer check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38571.html
CVE-2024-38571
https://bugzilla.suse.com/1226737
SUSE Bug 1226737

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix out-of-bound access of qmi_invoke_handler() Currently, there is no terminator entry for ath12k_qmi_msg_handlers hence facing below KASAN warning, ================================================================== BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148 Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273 CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0 Workqueue: qmi_msg_handler qmi_data_ready_work Call trace: dump_backtrace+0x0/0x20c show_stack+0x14/0x1c dump_stack+0xe0/0x138 print_address_description.isra.5+0x30/0x330 __kasan_report+0x16c/0x1bc kasan_report+0xc/0x14 __asan_load8+0xa8/0xb0 qmi_invoke_handler+0xa4/0x148 qmi_handle_message+0x18c/0x1bc qmi_data_ready_work+0x4ec/0x528 process_one_work+0x2c0/0x440 worker_thread+0x324/0x4b8 kthread+0x210/0x228 ret_from_fork+0x10/0x18 The address belongs to the variable: ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k] [...] ================================================================== Add a dummy terminator entry at the end to assist the qmi_invoke_handler() in traversing up to the terminator entry without accessing an out-of-boundary index. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38572.html
CVE-2024-38572
https://bugzilla.suse.com/1226776
SUSE Bug 1226776

Описание

In the Linux kernel, the following vulnerability has been resolved: cppc_cpufreq: Fix possible null pointer dereference cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from different places with various parameters. So cpufreq_cpu_get() can return null as 'policy' in some circumstances. Fix this bug by adding null return check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38573.html
CVE-2024-38573
https://bugzilla.suse.com/1226739
SUSE Bug 1226739

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: pcie: handle randbuf allocation failure The kzalloc() in brcmf_pcie_download_fw_nvram() will return null if the physical memory has run out. As a result, if we use get_random_bytes() to generate random bytes in the randbuf, the null pointer dereference bug will happen. In order to prevent allocation failure, this patch adds a separate function using buffer on kernel stack to generate random bytes in the randbuf, which could prevent the kernel stack from overflow.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38575.html
CVE-2024-38575
https://bugzilla.suse.com/1226612
SUSE Bug 1226612

Описание

In the Linux kernel, the following vulnerability has been resolved: ecryptfs: Fix buffer size for tag 66 packet The 'TAG 66 Packet Format' description is missing the cipher code and checksum fields that are packed into the message packet. As a result, the buffer allocated for the packet is 3 bytes too small and write_tag_66_packet() will write up to 3 bytes past the end of the buffer. Fix this by increasing the size of the allocation so the whole packet will always fit in the buffer. This fixes the below kasan slab-out-of-bounds bug: BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 Write of size 1 at addr ffff88800afbb2a5 by task touch/181 CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4c/0x70 print_report+0xc5/0x610 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? kasan_complete_mode_report_info+0x44/0x210 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 kasan_report+0xc2/0x110 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 __asan_store1+0x62/0x80 ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10 ? __alloc_pages+0x2e2/0x540 ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d] ? dentry_open+0x8f/0xd0 ecryptfs_write_metadata+0x30a/0x550 ? __pfx_ecryptfs_write_metadata+0x10/0x10 ? ecryptfs_get_lower_file+0x6b/0x190 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 ? __pfx_path_openat+0x10/0x10 do_filp_open+0x15e/0x290 ? __pfx_do_filp_open+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? _raw_spin_lock+0x86/0xf0 ? __pfx__raw_spin_lock+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? alloc_fd+0xf4/0x330 do_sys_openat2+0x122/0x160 ? __pfx_do_sys_openat2+0x10/0x10 __x64_sys_openat+0xef/0x170 ? __pfx___x64_sys_openat+0x10/0x10 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f00a703fd67 Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 </TASK> Allocated by task 181: kasan_save_stack+0x2f/0x60 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x25/0x40 __kasan_kmalloc+0xc5/0xd0 __kmalloc+0x66/0x160 ecryptfs_generate_key_packet_set+0x6d2/0xde0 ecryptfs_write_metadata+0x30a/0x550 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 do_filp_open+0x15e/0x290 do_sys_openat2+0x122/0x160 __x64_sys_openat+0xef/0x170 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38578.html
CVE-2024-38578
https://bugzilla.suse.com/1226634
SUSE Bug 1226634

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: bcm - Fix pointer arithmetic In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38579.html
CVE-2024-38579
https://bugzilla.suse.com/1226637
SUSE Bug 1226637

Описание

In the Linux kernel, the following vulnerability has been resolved: epoll: be better about file lifetimes epoll can call out to vfs_poll() with a file pointer that may race with the last 'fput()'. That would make f_count go down to zero, and while the ep->mtx locking means that the resulting file pointer tear-down will be blocked until the poll returns, it means that f_count is already dead, and any use of it won't actually get a reference to the file any more: it's dead regardless. Make sure we have a valid ref on the file pointer before we call down to vfs_poll() from the epoll routines.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38580.html
CVE-2024-38580
https://bugzilla.suse.com/1226610
SUSE Bug 1226610

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/mes: fix use-after-free issue Delete fence fallback timer to fix the ramdom use-after-free issue. v2: move to amdgpu_mes.c

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38581.html
CVE-2024-38581
https://bugzilla.suse.com/1226657
SUSE Bug 1226657

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential hang in nilfs_detach_log_writer() Syzbot has reported a potential hang in nilfs_detach_log_writer() called during nilfs2 unmount. Analysis revealed that this is because nilfs_segctor_sync(), which synchronizes with the log writer thread, can be called after nilfs_segctor_destroy() terminates that thread, as shown in the call trace below: nilfs_detach_log_writer nilfs_segctor_destroy nilfs_segctor_kill_thread --> Shut down log writer thread flush_work nilfs_iput_work_func nilfs_dispose_list iput nilfs_evict_inode nilfs_transaction_commit nilfs_construct_segment (if inode needs sync) nilfs_segctor_sync --> Attempt to synchronize with log writer thread *** DEADLOCK *** Fix this issue by changing nilfs_segctor_sync() so that the log writer thread returns normally without synchronizing after it terminates, and by forcing tasks that are already waiting to complete once after the thread terminates. The skipped inode metadata flushout will then be processed together in the subsequent cleanup work in nilfs_segctor_destroy().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38582.html
CVE-2024-38582
https://bugzilla.suse.com/1226658
SUSE Bug 1226658

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38583.html
CVE-2024-38583
https://bugzilla.suse.com/1226777
SUSE Bug 1226777
https://bugzilla.suse.com/1227286
SUSE Bug 1227286

Описание

In the Linux kernel, the following vulnerability has been resolved: r8169: Fix possible ring buffer corruption on fragmented Tx packets. An issue was found on the RTL8125b when transmitting small fragmented packets, whereby invalid entries were inserted into the transmit ring buffer, subsequently leading to calls to dma_unmap_single() with a null address. This was caused by rtl8169_start_xmit() not noticing changes to nr_frags which may occur when small packets are padded (to work around hardware quirks) in rtl8169_tso_csum_v2(). To fix this, postpone inspecting nr_frags until after any padding has been applied.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38586.html
CVE-2024-38586
https://bugzilla.suse.com/1226750
SUSE Bug 1226750

Описание

In the Linux kernel, the following vulnerability has been resolved: speakup: Fix sizeof() vs ARRAY_SIZE() bug The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can the still got out of bounds.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38587.html
CVE-2024-38587
https://bugzilla.suse.com/1226780
SUSE Bug 1226780

Описание

In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix possible use-after-free issue in ftrace_location() KASAN reports a bug: BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 Read of size 8 at addr ffff888141d40010 by task insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ [...] Call Trace: <TASK> dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/0xe0 ftrace_location+0x90/0x120 register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from_file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause is that, in lookup_rec(), ftrace record of some address is being searched in ftrace pages of some module, but those ftrace pages at the same time is being freed in ftrace_release_mod() as the corresponding module is being deleted: CPU1 | CPU2 register_kprobes() { | delete_module() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_location() { | lookup_rec() // USE! | ftrace_release_mod() // Free! To fix this issue: 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); 2. Use ftrace_location_range() instead of lookup_rec() in ftrace_location(); 3. Call synchronize_rcu() before freeing any ftrace pages both in ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38588.html
CVE-2024-38588
https://bugzilla.suse.com/1226837
SUSE Bug 1226837

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Modify the print level of CQE error Too much print may lead to a panic in kernel. Change ibdev_err() to ibdev_err_ratelimited(), and change the printing level of cqe dump to debug level.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38590.html
CVE-2024-38590
https://bugzilla.suse.com/1226839
SUSE Bug 1226839

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix deadlock on SRQ async events. xa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/ xa_erase_irq() to avoid deadlock.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38591.html
CVE-2024-38591
https://bugzilla.suse.com/1226738
SUSE Bug 1226738

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Init `ddp_comp` with devm_kcalloc() In the case where `conn_routes` is true we allocate an extra slot in the `ddp_comp` array but mtk_drm_crtc_create() never seemed to initialize it in the test case I ran. For me, this caused a later crash when we looped through the array in mtk_drm_crtc_mode_valid(). This showed up for me when I booted with `slub_debug=FZPUA` which poisons the memory initially. Without `slub_debug` I couldn't reproduce, presumably because the later code handles the value being NULL and in most cases (not guaranteed in all cases) the memory the allocator returned started out as 0. It really doesn't hurt to initialize the array with devm_kcalloc() since the array is small and the overhead of initting a handful of elements to 0 is small. In general initting memory to zero is a safer practice and usually it's suggested to only use the non-initting alloc functions if you really need to. Let's switch the function to use an allocation function that zeros the memory. For me, this avoids the crash.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38592.html
CVE-2024-38592
https://bugzilla.suse.com/1226844
SUSE Bug 1226844

Описание

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: move the EST lock to struct stmmac_priv Reinitialize the whole EST structure would also reset the mutex lock which is embedded in the EST structure, and then trigger the following warning. To address this, move the lock to struct stmmac_priv. We also need to reacquire the mutex lock when doing this initialization. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068 Modules linked in: CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29 Hardware name: NXP i.MX8MPlus EVK board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mutex_lock+0xd84/0x1068 lr : __mutex_lock+0xd84/0x1068 sp : ffffffc0864e3570 x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003 x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000 x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8 x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698 x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001 x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027 x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: __mutex_lock+0xd84/0x1068 mutex_lock_nested+0x28/0x34 tc_setup_taprio+0x118/0x68c stmmac_setup_tc+0x50/0xf0 taprio_change+0x868/0xc9c

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38594.html
CVE-2024-38594
https://bugzilla.suse.com/1226734
SUSE Bug 1226734

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix peer devlink set for SF representor devlink port The cited patch change register devlink flow, and neglect to reflect the changes for peer devlink set logic. Peer devlink set is triggering a call trace if done after devl_register.[1] Hence, align peer devlink set logic with register devlink flow. [1] WARNING: CPU: 4 PID: 3394 at net/devlink/core.c:155 devlink_rel_nested_in_add+0x177/0x180 CPU: 4 PID: 3394 Comm: kworker/u40:1 Not tainted 6.9.0-rc4_for_linust_min_debug_2024_04_16_14_08 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_vhca_event0 mlx5_vhca_state_work_handler [mlx5_core] RIP: 0010:devlink_rel_nested_in_add+0x177/0x180 Call Trace: <TASK> ? __warn+0x78/0x120 ? devlink_rel_nested_in_add+0x177/0x180 ? report_bug+0x16d/0x180 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? devlink_port_init+0x30/0x30 ? devlink_port_type_clear+0x50/0x50 ? devlink_rel_nested_in_add+0x177/0x180 ? devlink_rel_nested_in_add+0xdd/0x180 mlx5_sf_mdev_event+0x74/0xb0 [mlx5_core] notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_sf_dev_probe+0x185/0x3e0 [mlx5_core] auxiliary_bus_probe+0x38/0x80 ? driver_sysfs_add+0x51/0x80 really_probe+0xc5/0x3a0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x64f/0x860 __auxiliary_device_add+0x3b/0xa0 mlx5_sf_dev_add+0x139/0x330 [mlx5_core] mlx5_sf_dev_state_change_handler+0x1e4/0x250 [mlx5_core] notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_vhca_state_work_handler+0x151/0x200 [mlx5_core] process_one_work+0x13f/0x2e0 worker_thread+0x2bd/0x3c0 ? rescuer_thread+0x410/0x410 kthread+0xc4/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x50 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 </TASK>

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38595.html
CVE-2024-38595
https://bugzilla.suse.com/1226741
SUSE Bug 1226741

Описание

In the Linux kernel, the following vulnerability has been resolved: eth: sungem: remove .ndo_poll_controller to avoid deadlocks Erhard reports netpoll warnings from sungem: netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398) WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c gem_poll_controller() disables interrupts, which may sleep. We can't sleep in netpoll, it has interrupts disabled completely. Strangely, gem_poll_controller() doesn't even poll the completions, and instead acts as if an interrupt has fired so it just schedules NAPI and exits. None of this has been necessary for years, since netpoll invokes NAPI directly.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38597.html
CVE-2024-38597
https://bugzilla.suse.com/1226749
SUSE Bug 1226749

Описание

In the Linux kernel, the following vulnerability has been resolved: md: fix resync softlockup when bitmap size is less than array size Is is reported that for dm-raid10, lvextend + lvchange --syncaction will trigger following softlockup: kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976] CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1 RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 Call Trace: <TASK> md_bitmap_start_sync+0x6b/0xf0 raid10_sync_request+0x25c/0x1b40 [raid10] md_do_sync+0x64b/0x1020 md_thread+0xa7/0x170 kthread+0xcf/0x100 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1a/0x30 And the detailed process is as follows: md_do_sync j = mddev->resync_min while (j < max_sectors) sectors = raid10_sync_request(mddev, j, &skipped) if (!md_bitmap_start_sync(..., &sync_blocks)) // md_bitmap_start_sync set sync_blocks to 0 return sync_blocks + sectors_skippe; // sectors = 0; j += sectors; // j never change Root cause is that commit 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter") return early from md_bitmap_get_counter(), without setting returned blocks. Fix this problem by always set returned blocks from md_bitmap_get_counter"(), as it used to be. Noted that this patch just fix the softlockup problem in kernel, the case that bitmap size doesn't match array size still need to be fixed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38598.html
CVE-2024-38598
https://bugzilla.suse.com/1226757
SUSE Bug 1226757

Описание

In the Linux kernel, the following vulnerability has been resolved: jffs2: prevent xattr node from overflowing the eraseblock Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker. Unlike the usual inode nodes, the xattr nodes aren't split into parts and spread across multiple eraseblocks, which means that a xattr node must not occupy more than one eraseblock. If the requested xattr value is too large, the xattr node can spill onto the next eraseblock, overwriting the nodes and causing errors such as: jffs2: argh. node added in wrong place at 0x0000b050(2) jffs2: nextblock 0x0000a000, expected at 0000b00c jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block jffs2: Perhaps the file system was created with the wrong erase size? jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead This breaks the filesystem and can lead to KASAN crashes such as: BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 Read of size 4 at addr ffff88802c31e914 by task repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0 ? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38599.html
CVE-2024-38599
https://bugzilla.suse.com/1223384
SUSE Bug 1223384
https://bugzilla.suse.com/1226848
SUSE Bug 1226848
https://bugzilla.suse.com/1227283
SUSE Bug 1227283

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: Fix deadlocks with kctl removals at disconnection In snd_card_disconnect(), we set card->shutdown flag at the beginning, call callbacks and do sync for card->power_ref_sleep waiters at the end. The callback may delete a kctl element, and this can lead to a deadlock when the device was in the suspended state. Namely: * A process waits for the power up at snd_power_ref_and_wait() in snd_ctl_info() or read/write() inside card->controls_rwsem. * The system gets disconnected meanwhile, and the driver tries to delete a kctl via snd_ctl_remove*(); it tries to take card->controls_rwsem again, but this is already locked by the above. Since the sleeper isn't woken up, this deadlocks. An easy fix is to wake up sleepers before processing the driver disconnect callbacks but right after setting the card->shutdown flag. Then all sleepers will abort immediately, and the code flows again. So, basically this patch moves the wait_event() call at the right timing. While we're at it, just to be sure, call wait_event_all() instead of wait_event(), although we don't use exclusive events on this queue for now.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38600.html
CVE-2024-38600
https://bugzilla.suse.com/1226864
SUSE Bug 1226864

Описание

In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix a race between readers and resize checks The reader code in rb_get_reader_page() swaps a new reader page into the ring buffer by doing cmpxchg on old->list.prev->next to point it to the new page. Following that, if the operation is successful, old->list.next->prev gets updated too. This means the underlying doubly-linked list is temporarily inconsistent, page->prev->next or page->next->prev might not be equal back to page for some page in the ring buffer. The resize operation in ring_buffer_resize() can be invoked in parallel. It calls rb_check_pages() which can detect the described inconsistency and stop further tracing: [ 190.271762] ------------[ cut here ]------------ [ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 [ 190.271789] Modules linked in: [...] [ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1 [ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f [ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014 [ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 [ 190.272023] Code: [...] [ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 [ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80 [ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 [ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000 [ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 [ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 [ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000 [ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 [ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 190.272077] Call Trace: [ 190.272098] <TASK> [ 190.272189] ring_buffer_resize+0x2ab/0x460 [ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 [ 190.272206] tracing_resize_ring_buffer+0x65/0x90 [ 190.272216] tracing_entries_write+0x74/0xc0 [ 190.272225] vfs_write+0xf5/0x420 [ 190.272248] ksys_write+0x67/0xe0 [ 190.272256] do_syscall_64+0x82/0x170 [ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 190.272373] RIP: 0033:0x7f1bd657d263 [ 190.272381] Code: [...] [ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 [ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 [ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 [ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500 [ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002 [ 190.272412] </TASK> [ 190.272414] ---[ end trace 0000000000000000 ]--- Note that ring_buffer_resize() calls rb_check_pages() only if the parent trace_buffer has recording disabled. Recent commit d78ab792705c ("tracing: Stop current tracer when resizing buffer") causes that it is now always the case which makes it more likely to experience this issue. The window to hit this race is nonetheless very small. To help reproducing it, one can add a delay loop in rb_get_reader_page(): ret = rb_head_page_replace(reader, cpu_buffer->reader_page); if (!ret) goto spin; for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */ __asm__ __volatile__ ("" : : : "memory"); rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list; .. ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38601.html
CVE-2024-38601
https://bugzilla.suse.com/1226876
SUSE Bug 1226876

Описание

In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object "ax25_dev". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object "ax25_dev" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38602.html
CVE-2024-38602
https://bugzilla.suse.com/1226613
SUSE Bug 1226613

Описание

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action() fails, the irq vector is not freed, which leads to a memory leak. Replace the devm_add_action with devm_add_action_or_reset to ensure the irq vector can be destroyed when it fails.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38603.html
CVE-2024-38603
https://bugzilla.suse.com/1226842
SUSE Bug 1226842

Описание

In the Linux kernel, the following vulnerability has been resolved: block: refine the EOF check in blkdev_iomap_begin blkdev_iomap_begin rounds down the offset to the logical block size before stashing it in iomap->offset and checking that it still is inside the inode size. Check the i_size check to the raw pos value so that we don't try a zero size write if iter->pos is unaligned.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38604.html
CVE-2024-38604
https://bugzilla.suse.com/1226866
SUSE Bug 1226866

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: core: Fix NULL module pointer assignment at card init The commit 81033c6b584b ("ALSA: core: Warn on empty module") introduced a WARN_ON() for a NULL module pointer passed at snd_card object creation, and it also wraps the code around it with '#ifdef MODULE'. This works in most cases, but the devils are always in details. "MODULE" is defined when the target code (i.e. the sound core) is built as a module; but this doesn't mean that the caller is also built-in or not. Namely, when only the sound core is built-in (CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m), the passed module pointer is ignored even if it's non-NULL, and card->module remains as NULL. This would result in the missing module reference up/down at the device open/close, leading to a race with the code execution after the module removal. For addressing the bug, move the assignment of card->module again out of ifdef. The WARN_ON() is still wrapped with ifdef because the module can be really NULL when all sound drivers are built-in. Note that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would lead to a false-positive NULL module check. Admittedly it won't catch perfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no real problem as it's only for debugging, and the condition is pretty rare.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38605.html
CVE-2024-38605
https://bugzilla.suse.com/1226740
SUSE Bug 1226740

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix netif state handling mlx5e_suspend cleans resources only if netif_device_present() returns true. However, mlx5e_resume changes the state of netif, via mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED. In the below case, the above leads to NULL-ptr Oops[1] and memory leaks: mlx5e_probe _mlx5e_resume mlx5e_attach_netdev mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach() register_netdev <-- failed for some reason. ERROR_FLOW: _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :( Hence, clean resources in this case as well. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at0xffffffffffffffd6. RSP: 0018:ffff888178aaf758 EFLAGS: 00010246 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x14c/0x3c0 ? exc_page_fault+0x75/0x140 ? asm_exc_page_fault+0x22/0x30 notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core] mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib] mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib] __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe1/0x210 [mlx5_ib] ? auxiliary_match_id+0x6a/0x90 auxiliary_bus_probe+0x38/0x80 ? driver_sysfs_add+0x51/0x80 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x637/0x840 __auxiliary_device_add+0x3b/0xa0 add_adev+0xc9/0x140 [mlx5_core] mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core] mlx5_register_device+0x53/0xa0 [mlx5_core] mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core] mlx5_init_one+0x3b/0x60 [mlx5_core] probe_one+0x44c/0x730 [mlx5_core] local_pci_probe+0x3e/0x90 pci_device_probe+0xbf/0x210 ? kernfs_create_link+0x5d/0xa0 ? sysfs_do_create_link_sd+0x60/0xc0 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 pci_bus_add_device+0x54/0x80 pci_iov_add_virtfn+0x2e6/0x320 sriov_enable+0x208/0x420 mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core] sriov_numvfs_store+0xae/0x1a0 kernfs_fop_write_iter+0x10c/0x1a0 vfs_write+0x291/0x3c0 ksys_write+0x5f/0xe0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38608.html
CVE-2024-38608
https://bugzilla.suse.com/1226746
SUSE Bug 1226746

Описание

In the Linux kernel, the following vulnerability has been resolved: drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() Patch series "mm: follow_pte() improvements and acrn follow_pte() fixes". Patch #1 fixes a bunch of issues I spotted in the acrn driver. It compiles, that's all I know. I'll appreciate some review and testing from acrn folks. Patch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding more sanity checks, and improving the documentation. Gave it a quick test on x86-64 using VM_PAT that ends up using follow_pte(). This patch (of 3): We currently miss handling various cases, resulting in a dangerous follow_pte() (previously follow_pfn()) usage. (1) We're not checking PTE write permissions. Maybe we should simply always require pte_write() like we do for pin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for ACRN_MEM_ACCESS_WRITE for now. (2) We're not rejecting refcounted pages. As we are not using MMU notifiers, messing with refcounted pages is dangerous and can result in use-after-free. Let's make sure to reject them. (3) We are only looking at the first PTE of a bigger range. We only lookup a single PTE, but memmap->len may span a larger area. Let's loop over all involved PTEs and make sure the PFN range is actually contiguous. Reject everything else: it couldn't have worked either way, and rather made use access PFNs we shouldn't be accessing.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38610.html
CVE-2024-38610
https://bugzilla.suse.com/1226758
SUSE Bug 1226758
https://bugzilla.suse.com/1227284
SUSE Bug 1227284

Описание

In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38611.html
CVE-2024-38611
https://bugzilla.suse.com/1226760
SUSE Bug 1226760

Описание

In the Linux kernel, the following vulnerability has been resolved: cpufreq: exit() callback is optional The exit() callback is optional and shouldn't be called without checking a valid pointer first. Also, we must clear freq_table pointer even if the exit() callback isn't present.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38615.html
CVE-2024-38615
https://bugzilla.suse.com/1226592
SUSE Bug 1226592

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: re-fix fortified-memset warning The carl9170_tx_release() function sometimes triggers a fortified-memset warning in my randconfig builds: In file included from include/linux/string.h:254, from drivers/net/wireless/ath/carl9170/tx.c:40: In function 'fortify_memset_chk', inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2, inlined from 'kref_put' at include/linux/kref.h:65:3, inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9: include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] 493 | __write_overflow_field(p_size_field, size); Kees previously tried to avoid this by using memset_after(), but it seems this does not fully address the problem. I noticed that the memset_after() here is done on a different part of the union (status) than the original cast was from (rate_driver_data), which may confuse the compiler. Unfortunately, the memset_after() trick does not work on driver_rates[] because that is part of an anonymous struct, and I could not get struct_group() to do this either. Using two separate memset() calls on the two members does address the warning though.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38616.html
CVE-2024-38616
https://bugzilla.suse.com/1226852
SUSE Bug 1226852

Описание

In the Linux kernel, the following vulnerability has been resolved: kunit/fortify: Fix mismatched kvalloc()/vfree() usage The kv*() family of tests were accidentally freeing with vfree() instead of kvfree(). Use kvfree() instead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38617.html
CVE-2024-38617
https://bugzilla.suse.com/1226859
SUSE Bug 1226859

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Set lower bound of start tick time Currently ALSA timer doesn't have the lower limit of the start tick time, and it allows a very small size, e.g. 1 tick with 1ns resolution for hrtimer. Such a situation may lead to an unexpected RCU stall, where the callback repeatedly queuing the expire update, as reported by fuzzer. This patch introduces a sanity check of the timer start tick time, so that the system returns an error when a too small start size is set. As of this patch, the lower limit is hard-coded to 100us, which is small enough but can still work somehow.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38618.html
CVE-2024-38618
https://bugzilla.suse.com/1226754
SUSE Bug 1226754

Описание

In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Check whether the media is initialized The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba(). - Add a member "media_initialized" to struct alauda_info. - Change a condition in alauda_check_media() to ensure the first initialization. - Add an error check for the return value of alauda_init_media().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38619.html
CVE-2024-38619
https://bugzilla.suse.com/1226861
SUSE Bug 1226861

Описание

In the Linux kernel, the following vulnerability has been resolved: media: stk1160: fix bounds checking in stk1160_copy_video() The subtract in this condition is reversed. The ->length is the length of the buffer. The ->bytesused is how many bytes we have copied thus far. When the condition is reversed that means the result of the subtraction is always negative but since it's unsigned then the result is a very high positive value. That means the overflow check is never true. Additionally, the ->bytesused doesn't actually work for this purpose because we're not writing to "buf->mem + buf->bytesused". Instead, the math to calculate the destination where we are writing is a bit involved. You calculate the number of full lines already written, multiply by two, skip a line if necessary so that we start on an odd numbered line, and add the offset into the line. To fix this buffer overflow, just take the actual destination where we are writing, if the offset is already out of bounds print an error and return. Otherwise, write up to buf->length bytes.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38621.html
CVE-2024-38621
https://bugzilla.suse.com/1226895
SUSE Bug 1226895

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add callback function pointer check before its call In dpu_core_irq_callback_handler() callback function pointer is compared to NULL, but then callback function is unconditionally called by this pointer. Fix this bug by adding conditional return. Found by Linux Verification Center (linuxtesting.org) with SVACE. Patchwork: https://patchwork.freedesktop.org/patch/588237/

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38622.html
CVE-2024-38622
https://bugzilla.suse.com/1226856
SUSE Bug 1226856

Описание

In the Linux kernel, the following vulnerability has been resolved: stm class: Fix a double free in stm_register_device() The put_device(&stm->dev) call will trigger stm_device_release() which frees "stm" so the vfree(stm) on the next line is a double free.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38627.html
CVE-2024-38627
https://bugzilla.suse.com/1226857
SUSE Bug 1226857

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind. Hang on to the control IDs instead of pointers since those are correctly handled with locks.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38628.html
CVE-2024-38628
https://bugzilla.suse.com/1226911
SUSE Bug 1226911

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Avoid unnecessary destruction of file_ida file_ida is allocated during cdev open and is freed accordingly during cdev release. This sequence is guaranteed by driver file operations. Therefore, there is no need to destroy an already empty file_ida when the WQ cdev is removed. Worse, ida_free() in cdev release may happen after destruction of file_ida per WQ cdev. This can lead to accessing an id in file_ida after it has been destroyed, resulting in a kernel panic. Remove ida_destroy(&file_ida) to address these issues.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38629.html
CVE-2024-38629
https://bugzilla.suse.com/1226905
SUSE Bug 1226905

Описание

In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38630.html
CVE-2024-38630
https://bugzilla.suse.com/1226908
SUSE Bug 1226908

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Update uart_driver_registered on driver removal The removal of the last MAX3100 device triggers the removal of the driver. However, code doesn't update the respective global variable and after insmod — rmmod — insmod cycle the kernel oopses: max3100 spi-PRP0001:01: max3100_probe: adding port 0 BUG: kernel NULL pointer dereference, address: 0000000000000408 ... RIP: 0010:serial_core_register_port+0xa0/0x840 ... max3100_probe+0x1b6/0x280 [max3100] spi_probe+0x8d/0xb0 Update the actual state so next time UART driver will be registered again. Hugo also noticed, that the error path in the probe also affected by having the variable set, and not cleared. Instead of clearing it move the assignment after the successfull uart_register_driver() call.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38633.html
CVE-2024-38633
https://bugzilla.suse.com/1226867
SUSE Bug 1226867

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Lock port->lock when calling uart_handle_cts_change() uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38634.html
CVE-2024-38634
https://bugzilla.suse.com/1226868
SUSE Bug 1226868

Описание

In the Linux kernel, the following vulnerability has been resolved: soundwire: cadence: fix invalid PDI offset For some reason, we add an offset to the PDI, presumably to skip the PDI0 and PDI1 which are reserved for BPT. This code is however completely wrong and leads to an out-of-bounds access. We were just lucky so far since we used only a couple of PDIs and remained within the PDI array bounds. A Fixes: tag is not provided since there are no known platforms where the out-of-bounds would be accessed, and the initial code had problems as well. A follow-up patch completely removes this useless offset.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38635.html
CVE-2024-38635
https://bugzilla.suse.com/1226863
SUSE Bug 1226863

Описание

In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was catched during zbd/010 test as below: ./check zbd/010 zbd/010 (test gap zone support with F2FS) [failed] runtime ... 3.752s something found in dmesg: [ 4378.146781] run blktests zbd/010 at 2024-02-18 11:31:13 [ 4378.192349] null_blk: module loaded [ 4378.209860] null_blk: disk nullb0 created [ 4378.413285] scsi_debug:sdebug_driver_probe: scsi_debug: trim poll_queues to 0. poll_q/nr_hw = (0/1) [ 4378.422334] scsi host15: scsi_debug: version 0191 [20210520] dev_size_mb=1024, opts=0x0, submit_queues=1, statistics=0 [ 4378.434922] scsi 15:0:0:0: Direct-Access-ZBC Linux scsi_debug 0191 PQ: 0 ANSI: 7 [ 4378.443343] scsi 15:0:0:0: Power-on or device reset occurred [ 4378.449371] sd 15:0:0:0: Attached scsi generic sg5 type 20 [ 4378.449418] sd 15:0:0:0: [sdf] Host-managed zoned block device ... (See '/mnt/tests/gitlab.com/api/v4/projects/19168116/repository/archive.zip/storage/blktests/blk/blktests/results/nodev/zbd/010.dmesg' WARNING: CPU: 22 PID: 44011 at fs/iomap/iter.c:51 CPU: 22 PID: 44011 Comm: fio Not tainted 6.8.0-rc3+ #1 RIP: 0010:iomap_iter+0x32b/0x350 Call Trace: <TASK> __iomap_dio_rw+0x1df/0x830 f2fs_file_read_iter+0x156/0x3d0 [f2fs] aio_read+0x138/0x210 io_submit_one+0x188/0x8c0 __x64_sys_io_submit+0x8c/0x1a0 do_syscall_64+0x86/0x170 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Shinichiro Kawasaki helps to analyse this issue and proposes a potential fixing patch in [2]. Quoted from reply of Shinichiro Kawasaki: "I confirmed that the trigger commit is dbf8e63f48af as Yi reported. I took a look in the commit, but it looks fine to me. So I thought the cause is not in the commit diff. I found the WARN is printed when the f2fs is set up with multiple devices, and read requests are mapped to the very first block of the second device in the direct read path. In this case, f2fs_map_blocks() and f2fs_map_blocks_cached() modify map->m_pblk as the physical block address from each block device. It becomes zero when it is mapped to the first block of the device. However, f2fs_iomap_begin() assumes that map->m_pblk is the physical block address of the whole f2fs, across the all block devices. It compares map->m_pblk against NULL_ADDR == 0, then go into the unexpected branch and sets the invalid iomap->length. The WARN catches the invalid iomap->length. This WARN is printed even for non-zoned block devices, by following steps. - Create two (non-zoned) null_blk devices memory backed with 128MB size each: nullb0 and nullb1. # mkfs.f2fs /dev/nullb0 -c /dev/nullb1 # mount -t f2fs /dev/nullb0 "${mount_dir}" # dd if=/dev/zero of="${mount_dir}/test.dat" bs=1M count=192 # dd if="${mount_dir}/test.dat" of=/dev/null bs=1M count=192 iflag=direct ..." So, the root cause of this issue is: when multi-devices feature is on, f2fs_map_blocks() may return zero blkaddr in non-primary device, which is a verified valid block address, however, f2fs_iomap_begin() treats it as an invalid block address, and then it triggers the warning in iomap framework code. Finally, as discussed, we decide to use a more simple and direct way that checking (map.m_flags & F2FS_MAP_MAPPED) condition instead of (map.m_pblk != NULL_ADDR) to fix this issue. Thanks a lot for the effort of Yi Zhang and Shinichiro Kawasaki on this issue. [1] https://lore.kernel.org/linux-f2fs-devel/CAHj4cs-kfojYC9i0G73PRkYzcxCTex=-vugRFeP40g_URGvnfQ@mail.gmail.com/ [2] https://lore.kernel.org/linux-f2fs-devel/gngdj77k4picagsfdtiaa7gpgnup6fsgwzsltx6milmhegmjff@iax2n4wvrqye/

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38636.html
CVE-2024-38636
https://bugzilla.suse.com/1226879
SUSE Bug 1226879

Описание

In the Linux kernel, the following vulnerability has been resolved: enic: Validate length of nl attributes in enic_set_vf_port enic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE is of length PORT_PROFILE_MAX and that the nl attributes IFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX. These attributes are validated (in the function do_setlink in rtnetlink.c) using the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE as NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and IFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation using the policy is for the max size of the attributes and not on exact size so the length of these attributes might be less than the sizes that enic_set_vf_port expects. This might cause an out of bands read access in the memcpys of the data of these attributes in enic_set_vf_port.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38659.html
CVE-2024-38659
https://bugzilla.suse.com/1226883
SUSE Bug 1226883

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/ap: Fix crash in AP internal function modify_bitmap() A system crash like this Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403 Fault in home space mode while using kernel ASCE. AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d Oops: 0038 ilc:3 [#1] PREEMPT SMP Modules linked in: mlx5_ib ... CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8 Hardware name: IBM 3931 A01 704 (LPAR) Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8 Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a 0000014b75e7b600: 18b2 lr %r11,%r2 #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616 >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13) 0000014b75e7b60c: a7680001 lhi %r6,1 0000014b75e7b610: 187b lr %r7,%r11 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654 0000014b75e7b616: 18e9 lr %r14,%r9 Call Trace: [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8 ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8) [<0000014b75e7b758>] apmask_store+0x68/0x140 [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8 [<0000014b75598524>] vfs_write+0x1b4/0x448 [<0000014b7559894c>] ksys_write+0x74/0x100 [<0000014b7618a440>] __do_syscall+0x268/0x328 [<0000014b761a3558>] system_call+0x70/0x98 INFO: lockdep is turned off. Last Breaking-Event-Address: [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8 Kernel panic - not syncing: Fatal exception: panic_on_oops occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX. The fix is simple: use unsigned long values for the internal variables. The correct checks are already in place in the function but a simple int for the internal variables was used with the possibility to overflow.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38661.html
CVE-2024-38661
https://bugzilla.suse.com/1226996
SUSE Bug 1226996

Описание

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix list corruption from resetting io stat Since commit 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()"), each iostat instance is added to blkcg percpu list, so blkcg_reset_stats() can't reset the stat instance by memset(), otherwise the llist may be corrupted. Fix the issue by only resetting the counter part.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38663.html
CVE-2024-38663
https://bugzilla.suse.com/1226939
SUSE Bug 1226939

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: zynqmp_dpsub: Always register bridge We must always register the DRM bridge, since zynqmp_dp_hpd_work_func calls drm_bridge_hpd_notify, which in turn expects hpd_mutex to be initialized. We do this before zynqmp_dpsub_drm_init since that calls drm_bridge_attach. This fixes the following lockdep warning: [ 19.217084] ------------[ cut here ]------------ [ 19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock) [ 19.227768] WARNING: CPU: 0 PID: 140 at kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550 [ 19.241696] Modules linked in: [ 19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 Not tainted 6.6.20+ #96 [ 19.252046] Hardware name: xlnx,zynqmp (DT) [ 19.256421] Workqueue: events zynqmp_dp_hpd_work_func [ 19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 19.269104] pc : __mutex_lock+0x4bc/0x550 [ 19.273364] lr : __mutex_lock+0x4bc/0x550 [ 19.277592] sp : ffffffc085c5bbe0 [ 19.281066] x29: ffffffc085c5bbe0 x28: 0000000000000000 x27: ffffff88009417f8 [ 19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000 [ 19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 0000000000000000 [ 19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000 [ 19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720 [ 19.318922] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001 [ 19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9 : 0001ff88003f3888 [ 19.334003] x8 : 0001ff88003f3888 x7 : 0000000000000000 x6 : 0000000000000000 [ 19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000 [ 19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880 [ 19.356581] Call trace: [ 19.359160] __mutex_lock+0x4bc/0x550 [ 19.363032] mutex_lock_nested+0x24/0x30 [ 19.367187] drm_bridge_hpd_notify+0x2c/0x6c [ 19.371698] zynqmp_dp_hpd_work_func+0x44/0x54 [ 19.376364] process_one_work+0x3ac/0x988 [ 19.380660] worker_thread+0x398/0x694 [ 19.384736] kthread+0x1bc/0x1c0 [ 19.388241] ret_from_fork+0x10/0x20 [ 19.392031] irq event stamp: 183 [ 19.395450] hardirqs last enabled at (183): [<ffffffc0800b9278>] finish_task_switch.isra.0+0xa8/0x2d4 [ 19.405140] hardirqs last disabled at (182): [<ffffffc081ad3754>] __schedule+0x714/0xd04 [ 19.413612] softirqs last enabled at (114): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c [ 19.423128] softirqs last disabled at (110): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c [ 19.432614] ---[ end trace 0000000000000000 ]--- (cherry picked from commit 61ba791c4a7a09a370c45b70a81b8c7d4cf6b2ae)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38664.html
CVE-2024-38664
https://bugzilla.suse.com/1226941
SUSE Bug 1226941

Описание

In the Linux kernel, the following vulnerability has been resolved: dma-buf/sw-sync: don't enable IRQ from sync_print_obj() Since commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context") by error replaced spin_unlock_irqrestore() with spin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite sync_print_obj() is called from sync_debugfs_show(), lockdep complains inconsistent lock state warning. Use plain spin_{lock,unlock}() for sync_print_obj(), for sync_debugfs_show() is already using spin_{lock,unlock}_irq().

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38780.html
CVE-2024-38780
https://bugzilla.suse.com/1226886
SUSE Bug 1226886

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() Syzbot reports a warning as follows: ============================================ WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290 Modules linked in: CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7 RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419 Call Trace: <TASK> ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375 generic_shutdown_super+0x136/0x2d0 fs/super.c:641 kill_block_super+0x44/0x90 fs/super.c:1675 ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327 [...] ============================================ This is because when finding an entry in ext4_xattr_block_cache_find(), if ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown in the __entry_find(), won't be put away, and eventually trigger the above issue in mb_cache_destroy() due to reference count leakage. So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39276.html
CVE-2024-39276
https://bugzilla.suse.com/1226993
SUSE Bug 1226993

Описание

In the Linux kernel, the following vulnerability has been resolved: dma-mapping: benchmark: handle NUMA_NO_NODE correctly cpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark() resulting in the following sanitizer report: UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28 index -1 is out of range for type 'cpumask [64][1]' CPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) ubsan_epilogue (lib/ubsan.c:232) __ubsan_handle_out_of_bounds (lib/ubsan.c:429) cpumask_of_node (arch/x86/include/asm/topology.h:72) [inline] do_map_benchmark (kernel/dma/map_benchmark.c:104) map_benchmark_ioctl (kernel/dma/map_benchmark.c:246) full_proxy_unlocked_ioctl (fs/debugfs/file.c:333) __x64_sys_ioctl (fs/ioctl.c:890) do_syscall_64 (arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Use cpumask_of_node() in place when binding a kernel thread to a cpuset of a particular node. Note that the provided node id is checked inside map_benchmark_ioctl(). It's just a NUMA_NO_NODE case which is not handled properly later. Found by Linux Verification Center (linuxtesting.org).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39277.html
CVE-2024-39277
https://bugzilla.suse.com/1226909
SUSE Bug 1226909

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode() The function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating about potential truncation of output when using the snprintf function. The issue was due to the size of the buffer 'ucode_prefix' being too small to accommodate the maximum possible length of the string being written into it. The string being written is "amdgpu/%s_mec.bin" or "amdgpu/%s_rlc.bin", where %s is replaced by the value of 'chip_name'. The length of this string without the %s is 16 characters. The warning message indicated that 'chip_name' could be up to 29 characters long, resulting in a total of 45 characters, which exceeds the buffer size of 30 characters. To resolve this issue, the size of the 'ucode_prefix' buffer has been reduced from 30 to 15. This ensures that the maximum possible length of the string being written into the buffer will not exceed its size, thus preventing potential buffer overflow and truncation issues. Fixes the below with gcc W=1: drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function 'gfx_v9_4_3_early_init': drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: '%s' directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=] 379 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name); | ^~ ...... 439 | r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix); | ~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: 'snprintf' output between 16 and 45 bytes into a destination of size 30 379 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: '%s' directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=] 413 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name); | ^~ ...... 443 | r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix); | ~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: 'snprintf' output between 16 and 45 bytes into a destination of size 30 413 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39291.html
CVE-2024-39291
https://bugzilla.suse.com/1226934
SUSE Bug 1226934

Описание

In the Linux kernel, the following vulnerability has been resolved: bonding: fix oops during rmmod "rmmod bonding" causes an oops ever since commit cc317ea3d927 ("bonding: remove redundant NULL check in debugfs function"). Here are the relevant functions being called: bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); bonding_debug_root = NULL; <--------- SET TO NULL HERE bond_netlink_fini() rtnl_link_unregister() __rtnl_link_unregister() unregister_netdevice_many_notify() bond_uninit() bond_debug_unregister() (commit removed check for bonding_debug_root == NULL) debugfs_remove() simple_recursive_removal() down_write() -> OOPS However, reverting the bad commit does not solve the problem completely because the original code contains a race that could cause the same oops, although it was much less likely to be triggered unintentionally: CPU1 rmmod bonding bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); CPU2 echo -bond0 > /sys/class/net/bonding_masters bond_uninit() bond_debug_unregister() if (!bonding_debug_root) CPU1 bonding_debug_root = NULL; So do NOT revert the bad commit (since the removed checks were racy anyway), and instead change the order of actions taken during module removal. The same oops can also happen if there is an error during module init, so apply the same fix there.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39296.html
CVE-2024-39296
https://bugzilla.suse.com/1226989
SUSE Bug 1226989

Описание

In the Linux kernel, the following vulnerability has been resolved: net/9p: fix uninit-value in p9_client_rpc() Syzbot with the help of KMSAN reported the following error: BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline] BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 trace_9p_client_res include/trace/events/9p.h:146 [inline] p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2175 [inline] allocate_slab mm/slub.c:2338 [inline] new_slab+0x2de/0x1400 mm/slub.c:2391 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525 __slab_alloc mm/slub.c:3610 [inline] __slab_alloc_node mm/slub.c:3663 [inline] slab_alloc_node mm/slub.c:3835 [inline] kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852 p9_tag_alloc net/9p/client.c:278 [inline] p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag will not be properly initialized. However, trace_9p_client_res() ends up trying to print it out anyway before p9_client_rpc() finishes. Fix this issue by assigning default values to p9_fcall fields such as 'tag' and (just in case KMSAN unearths something new) 'id' during the tag allocation stage.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39301.html
CVE-2024-39301
https://bugzilla.suse.com/1226994
SUSE Bug 1226994

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39362.html
CVE-2024-39362
https://bugzilla.suse.com/1226995
SUSE Bug 1226995

Описание

In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointer dereference off the forced async preparation path, if no file had been assigned. The trace leading to that looks as follows: BUG: kernel NULL pointer dereference, address: 00000000000000b0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022 RIP: 0010:io_buffer_select+0xc3/0x210 Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246 RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040 RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700 RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020 R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8 R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000 FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0 Call Trace: <TASK> ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420 ? do_user_addr_fault+0x61/0x6a0 ? exc_page_fault+0x6c/0x150 ? asm_exc_page_fault+0x22/0x30 ? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x339/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50 ? vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x55e0a110a67e Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6 because the request is marked forced ASYNC and has a bad file fd, and hence takes the forced async prep path. Current kernels with the request async prep cleaned up can no longer hit this issue, but for ease of backporting, let's add this safety check in here too as it really doesn't hurt. For both cases, this will inevitably end with a CQE posted with -EBADF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39371.html
CVE-2024-39371
https://bugzilla.suse.com/1226990
SUSE Bug 1226990

Описание

In the Linux kernel, the following vulnerability has been resolved: 9p: add missing locking around taking dentry fid list Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it: UAF thread: refcount_t: addition on 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Freed by: p9_fid_destroy (inlined) p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock then unref its fids once they are no longer accessible.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39463.html
CVE-2024-39463
https://bugzilla.suse.com/1227090
SUSE Bug 1227090
https://bugzilla.suse.com/1227091
SUSE Bug 1227091

Описание

In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/qcom/lmh: Check for SCM availability at probe Up until now, the necessary scm availability check has not been performed, leading to possible null pointer dereferences (which did happen for me on RB1). Fix that.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39466.html
CVE-2024-39466
https://bugzilla.suse.com/1227089
SUSE Bug 1227089

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix deadlock in smb2_find_smb_tcon() Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such deadlock.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39468.html
CVE-2024-39468
https://bugzilla.suse.com/1227103
SUSE Bug 1227103

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors The error handling in nilfs_empty_dir() when a directory folio/page read fails is incorrect, as in the old ext2 implementation, and if the folio/page cannot be read or nilfs_check_folio() fails, it will falsely determine the directory as empty and corrupt the file system. In addition, since nilfs_empty_dir() does not immediately return on a failed folio/page read, but continues to loop, this can cause a long loop with I/O if i_size of the directory's inode is also corrupted, causing the log writer thread to wait and hang, as reported by syzbot. Fix these issues by making nilfs_empty_dir() immediately return a false value (0) if it fails to get a directory folio/page.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39469.html
CVE-2024-39469
https://bugzilla.suse.com/1226992
SUSE Bug 1226992

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add error handle to avoid out-of-bounds if the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should be stop to avoid out-of-bounds read, so directly return -EINVAL.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39471.html
CVE-2024-39471
https://bugzilla.suse.com/1227096
SUSE Bug 1227096

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: fix log recovery buffer allocation for the legacy h_size fixup Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by mkfs") added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") cleaned up the log reover buffer calculation, but stoped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39472.html
CVE-2024-39472
https://bugzilla.suse.com/1227432
SUSE Bug 1227432

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension If a process module does not have base config extension then the same format applies to all of it's inputs and the process->base_config_ext is NULL, causing NULL dereference when specifically crafted topology and sequences used.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39473.html
CVE-2024-39473
https://bugzilla.suse.com/1227433
SUSE Bug 1227433

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL commit a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc") includes support for __GFP_NOFAIL, but it presents a conflict with commit dd544141b9eb ("vmalloc: back off when the current task is OOM-killed"). A possible scenario is as follows: process-a __vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL) __vmalloc_area_node() vm_area_alloc_pages() --> oom-killer send SIGKILL to process-a if (fatal_signal_pending(current)) break; --> return NULL; To fix this, do not check fatal_signal_pending() in vm_area_alloc_pages() if __GFP_NOFAIL set. This issue occurred during OPLUS KASAN TEST. Below is part of the log -> oom-killer sends signal to process [65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198 [65731.259685] [T32454] Call trace: [65731.259698] [T32454] dump_backtrace+0xf4/0x118 [65731.259734] [T32454] show_stack+0x18/0x24 [65731.259756] [T32454] dump_stack_lvl+0x60/0x7c [65731.259781] [T32454] dump_stack+0x18/0x38 [65731.259800] [T32454] mrdump_common_die+0x250/0x39c [mrdump] [65731.259936] [T32454] ipanic_die+0x20/0x34 [mrdump] [65731.260019] [T32454] atomic_notifier_call_chain+0xb4/0xfc [65731.260047] [T32454] notify_die+0x114/0x198 [65731.260073] [T32454] die+0xf4/0x5b4 [65731.260098] [T32454] die_kernel_fault+0x80/0x98 [65731.260124] [T32454] __do_kernel_fault+0x160/0x2a8 [65731.260146] [T32454] do_bad_area+0x68/0x148 [65731.260174] [T32454] do_mem_abort+0x151c/0x1b34 [65731.260204] [T32454] el1_abort+0x3c/0x5c [65731.260227] [T32454] el1h_64_sync_handler+0x54/0x90 [65731.260248] [T32454] el1h_64_sync+0x68/0x6c [65731.260269] [T32454] z_erofs_decompress_queue+0x7f0/0x2258 --> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL); kernel panic by NULL pointer dereference. erofs assume kvmalloc with __GFP_NOFAIL never return NULL. [65731.260293] [T32454] z_erofs_runqueue+0xf30/0x104c [65731.260314] [T32454] z_erofs_readahead+0x4f0/0x968 [65731.260339] [T32454] read_pages+0x170/0xadc [65731.260364] [T32454] page_cache_ra_unbounded+0x874/0xf30 [65731.260388] [T32454] page_cache_ra_order+0x24c/0x714 [65731.260411] [T32454] filemap_fault+0xbf0/0x1a74 [65731.260437] [T32454] __do_fault+0xd0/0x33c [65731.260462] [T32454] handle_mm_fault+0xf74/0x3fe0 [65731.260486] [T32454] do_mem_abort+0x54c/0x1b34 [65731.260509] [T32454] el0_da+0x44/0x94 [65731.260531] [T32454] el0t_64_sync_handler+0x98/0xb4 [65731.260553] [T32454] el0t_64_sync+0x198/0x19c

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39474.html
CVE-2024-39474
https://bugzilla.suse.com/1227434
SUSE Bug 1227434

Описание

In the Linux kernel, the following vulnerability has been resolved: fbdev: savage: Handle err return when savagefb_check_var failed The commit 04e5eac8f3ab("fbdev: savage: Error out if pixclock equals zero") checks the value of pixclock to avoid divide-by-zero error. However the function savagefb_probe doesn't handle the error return of savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39475.html
CVE-2024-39475
https://bugzilla.suse.com/1227435
SUSE Bug 1227435

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 component_unbind_all+0x8d/0xa0 component_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 device_release_driver_internal+0x19c/0x200 unbind_store+0x9c/0xb0 and Call Trace: release_nodes+0x11/0x70 devres_release_all+0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 This means that in i915, if use devm, we cannot gurantee that hwmon will always be released before drvdata. Which means that we have a uaf if hwmon sysfs is accessed when drvdata has been released but hwmon hasn't. The only way out of this seems to be do get rid of devm_ and release/free everything explicitly during device unbind. v2: Change commit message and other minor code changes v3: Cleanup from i915_hwmon_register on error (Armin Wolf) v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani) v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39479.html
CVE-2024-39479
https://bugzilla.suse.com/1227443
SUSE Bug 1227443

Описание

In the Linux kernel, the following vulnerability has been resolved: media: mc: Fix graph walk in media_pipeline_start The graph walk tries to follow all links, even if they are not between pads. This causes a crash with, e.g. a MEDIA_LNK_FL_ANCILLARY_LINK link. Fix this by allowing the walk to proceed only for MEDIA_LNK_FL_DATA_LINK links.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39481.html
CVE-2024-39481
https://bugzilla.suse.com/1227446
SUSE Bug 1227446

Описание

In the Linux kernel, the following vulnerability has been resolved: bcache: fix variable length array abuse in btree_iter btree_iter is used in two ways: either allocated on the stack with a fixed size MAX_BSETS, or from a mempool with a dynamic size based on the specific cache set. Previously, the struct had a fixed-length array of size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized iterators, which causes UBSAN to complain. This patch uses the same approach as in bcachefs's sort_iter and splits the iterator into a btree_iter with a flexible array member and a btree_iter_stack which embeds a btree_iter as well as a fixed-length data array.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39482.html
CVE-2024-39482
https://bugzilla.suse.com/1227447
SUSE Bug 1227447

Описание

In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 drivers/net/bonding/bond_options.c:1201 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156 dev_attr_store+0x54/0x80 drivers/base/core.c:2366 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x96a/0xd80 fs/read_write.c:584 ksys_write+0x122/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b ---[ end trace ]--- Fix it by adding a check of string length before using it.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39487.html
CVE-2024-39487
https://bugzilla.suse.com/1227573
SUSE Bug 1227573

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix missing sk_buff release in seg6_input_core The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak. This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks. The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39490.html
CVE-2024-39490
https://bugzilla.suse.com/1227626
SUSE Bug 1227626

Описание

In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39494.html
CVE-2024-39494
https://bugzilla.suse.com/1227716
SUSE Bug 1227716
https://bugzilla.suse.com/1227901
SUSE Bug 1227901

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39496.html
CVE-2024-39496
https://bugzilla.suse.com/1227719
SUSE Bug 1227719
https://bugzilla.suse.com/1227904
SUSE Bug 1227904

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2 [Why] Commit: - commit 5aa1dfcdf0a4 ("drm/mst: Refactor the flow for payload allocation/removement") accidently overwrite the commit - commit 54d217406afe ("drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2") which cause regression. [How] Recover the original NULL fix and remove the unnecessary input parameter 'state' for drm_dp_add_payload_part2(). (cherry picked from commit 4545614c1d8da603e57b60dd66224d81b6ffc305)

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39498.html
CVE-2024-39498
https://bugzilla.suse.com/1227723
SUSE Bug 1227723

Описание

In the Linux kernel, the following vulnerability has been resolved: ionic: fix use after netif_napi_del() When queues are started, netif_napi_add() and napi_enable() are called. If there are 4 queues and only 3 queues are used for the current configuration, only 3 queues' napi should be registered and enabled. The ionic_qcq_enable() checks whether the .poll pointer is not NULL for enabling only the using queue' napi. Unused queues' napi will not be registered by netif_napi_add(), so the .poll pointer indicates NULL. But it couldn't distinguish whether the napi was unregistered or not because netif_napi_del() doesn't reset the .poll pointer to NULL. So, ionic_qcq_enable() calls napi_enable() for the queue, which was unregistered by netif_napi_del(). Reproducer: ethtool -L <interface name> rx 1 tx 1 combined 0 ethtool -L <interface name> rx 0 tx 0 combined 1 ethtool -L <interface name> rx 0 tx 0 combined 4 Splat looks like: kernel BUG at net/core/dev.c:6666! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16 Workqueue: events ionic_lif_deferred_work [ionic] RIP: 0010:napi_enable+0x3b/0x40 Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28 RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20 FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? die+0x33/0x90 ? do_trap+0xd9/0x100 ? napi_enable+0x3b/0x40 ? do_error_trap+0x83/0xb0 ? napi_enable+0x3b/0x40 ? napi_enable+0x3b/0x40 ? exc_invalid_op+0x4e/0x70 ? napi_enable+0x3b/0x40 ? asm_exc_invalid_op+0x16/0x20 ? napi_enable+0x3b/0x40 ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] process_one_work+0x145/0x360 worker_thread+0x2bb/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39502.html
CVE-2024-39502
https://bugzilla.suse.com/1227755
SUSE Bug 1227755

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: validate mandatory meta and payload Check for mandatory netlink attributes in payload and meta expression when used embedded from the inner expression, otherwise NULL pointer dereference is possible from userspace.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39504.html
CVE-2024-39504
https://bugzilla.suse.com/1227757
SUSE Bug 1227757

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash problem in concurrent scenario When link status change, the nic driver need to notify the roce driver to handle this event, but at this time, the roce driver may uninit, then cause kernel crash. To fix the problem, when link status change, need to check whether the roce registered, and when uninit, need to wait link update finish.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39507.html
CVE-2024-39507
https://bugzilla.suse.com/1227730
SUSE Bug 1227730

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965 For full log, please look at [1]. Make the allocation at least the size of sizeof(unsigned long) so that set_bit() and test_bit() have sufficient room for read/write operations without overwriting unallocated memory. [1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40901.html
CVE-2024-40901
https://bugzilla.suse.com/1227762
SUSE Bug 1227762

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always stop health timer during driver removal Currently, if teardown_hca fails to execute during driver removal, mlx5 does not stop the health timer. Afterwards, mlx5 continue with driver teardown. This may lead to a UAF bug, which results in page fault Oops[1], since the health timer invokes after resources were freed. Hence, stop the health monitor even if teardown_hca fails. [1] mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: cleanup mlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource mlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup BUG: unable to handle page fault for address: ffffa26487064230 PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1 Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020 RIP: 0010:ioread32be+0x34/0x60 RSP: 0018:ffffa26480003e58 EFLAGS: 00010292 RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0 RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230 RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8 R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0 R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0 FS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x175/0x180 ? asm_exc_page_fault+0x26/0x30 ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? ioread32be+0x34/0x60 mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] poll_health+0x42/0x230 [mlx5_core] ? __next_timer_interrupt+0xbc/0x110 ? __pfx_poll_health+0x10/0x10 [mlx5_core] call_timer_fn+0x21/0x130 ? __pfx_poll_health+0x10/0x10 [mlx5_core] __run_timers+0x222/0x2c0 run_timer_softirq+0x1d/0x40 __do_softirq+0xc9/0x2c8 __irq_exit_rcu+0xa6/0xc0 sysvec_apic_timer_interrupt+0x72/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:cpuidle_enter_state+0xcc/0x440 ? cpuidle_enter_state+0xbd/0x440 cpuidle_enter+0x2d/0x40 do_idle+0x20d/0x270 cpu_startup_entry+0x2a/0x30 rest_init+0xd0/0xd0 arch_call_rest_init+0xe/0x30 start_kernel+0x709/0xa90 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x96/0xa0 secondary_startup_64_no_verify+0x18f/0x19b ---[ end trace 0000000000000000 ]---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40906.html
CVE-2024-40906
https://bugzilla.suse.com/1227763
SUSE Bug 1227763

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Set run context for rawtp test_run callback syzbot reported crash when rawtp program executed through the test_run interface calls bpf_get_attach_cookie helper or any other helper that touches task->bpf_ctx pointer. Setting the run context (task->bpf_ctx pointer) for test_run callback.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40908.html
CVE-2024-40908
https://bugzilla.suse.com/1227783
SUSE Bug 1227783

Описание

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() In case of token is released due to token->state == BNXT_HWRM_DEFERRED, released token (set to NULL) is used in log messages. This issue is expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But this error code is returned by recent firmware. So some firmware may not return it. This may lead to NULL pointer dereference. Adjust this issue by adding token pointer check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40919.html
CVE-2024-40919
https://bugzilla.suse.com/1227779
SUSE Bug 1227779

Описание

In the Linux kernel, the following vulnerability has been resolved: vmxnet3: disable rx data ring on dma allocation failure When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base, the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset rq->data_ring.desc_size for the data ring that failed, which presumably causes the hypervisor to reference it on packet reception. To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell the hypervisor to disable this feature. [ 95.436876] kernel BUG at net/core/skbuff.c:207! [ 95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1 [ 95.441558] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018 [ 95.443481] RIP: 0010:skb_panic+0x4d/0x4f [ 95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50 ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9 ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24 [ 95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246 [ 95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f [ 95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f [ 95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60 [ 95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000 [ 95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0 [ 95.455682] FS: 0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000 [ 95.457178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0 [ 95.459791] Call Trace: [ 95.460515] <IRQ> [ 95.461180] ? __die_body.cold+0x19/0x27 [ 95.462150] ? die+0x2e/0x50 [ 95.462976] ? do_trap+0xca/0x110 [ 95.463973] ? do_error_trap+0x6a/0x90 [ 95.464966] ? skb_panic+0x4d/0x4f [ 95.465901] ? exc_invalid_op+0x50/0x70 [ 95.466849] ? skb_panic+0x4d/0x4f [ 95.467718] ? asm_exc_invalid_op+0x1a/0x20 [ 95.468758] ? skb_panic+0x4d/0x4f [ 95.469655] skb_put.cold+0x10/0x10 [ 95.470573] vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3] [ 95.471853] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3] [ 95.473185] __napi_poll+0x2b/0x160 [ 95.474145] net_rx_action+0x2c6/0x3b0 [ 95.475115] handle_softirqs+0xe7/0x2a0 [ 95.476122] __irq_exit_rcu+0x97/0xb0 [ 95.477109] common_interrupt+0x85/0xa0 [ 95.478102] </IRQ> [ 95.478846] <TASK> [ 95.479603] asm_common_interrupt+0x26/0x40 [ 95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246 [ 95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000 [ 95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001 [ 95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3 [ 95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260 [ 95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000 [ 95.495035] acpi_safe_halt+0x14/0x20 [ 95.496127] acpi_idle_do_entry+0x2f/0x50 [ 95.497221] acpi_idle_enter+0x7f/0xd0 [ 95.498272] cpuidle_enter_state+0x81/0x420 [ 95.499375] cpuidle_enter+0x2d/0x40 [ 95.500400] do_idle+0x1e5/0x240 [ 95.501385] cpu_startup_entry+0x29/0x30 [ 95.502422] start_secondary+0x11c/0x140 [ 95.503454] common_startup_64+0x13e/0x141 [ 95.504466] </TASK> [ 95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40923.html
CVE-2024-40923
https://bugzilla.suse.com/1227786
SUSE Bug 1227786

Описание

In the Linux kernel, the following vulnerability has been resolved: block: fix request.queuelist usage in flush Friedrich Weber reported a kernel crash problem and bisected to commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine"). The root cause is that we use "list_move_tail(&rq->queuelist, pending)" in the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since it's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch(). We don't initialize its queuelist just for this first request, although the queuelist of all later popped requests will be initialized. Fix it by changing to use "list_add_tail(&rq->queuelist, pending)" so rq->queuelist doesn't need to be initialized. It should be ok since rq can't be on any list when PREFLUSH or POSTFLUSH, has no move actually. Please note the commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine") also has another requirement that no drivers would touch rq->queuelist after blk_mq_end_request() since we will reuse it to add rq to the post-flush pending list in POSTFLUSH. If this is not true, we will have to revert that commit IMHO. This updated version adds "list_del_init(&rq->queuelist)" in flush rq callback since the dm layer may submit request of a weird invalid format (REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes double list_add if without this "list_del_init(&rq->queuelist)". The weird invalid format problem should be fixed in dm layer.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40925.html
CVE-2024-40925
https://bugzilla.suse.com/1227789
SUSE Bug 1227789

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() Clang static checker (scan-build) warning: net/ethtool/ioctl.c:line 2233, column 2 Called function pointer is null (null dereference). Return '-EOPNOTSUPP' when 'ops->get_ethtool_phy_stats' is NULL to fix this typo error.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40928.html
CVE-2024-40928
https://bugzilla.suse.com/1227788
SUSE Bug 1227788

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_una is properly initialized on connect This is strictly related to commit fb7a0d334894 ("mptcp: ensure snd_nxt is properly initialized on connect"). It turns out that syzkaller can trigger the retransmit after fallback and before processing any other incoming packet - so that snd_una is still left uninitialized. Address the issue explicitly initializing snd_una together with snd_nxt and write_seq.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40931.html
CVE-2024-40931
https://bugzilla.suse.com/1227780
SUSE Bug 1227780

Описание

In the Linux kernel, the following vulnerability has been resolved: cachefiles: flush all requests after setting CACHEFILES_DEAD In ondemand mode, when the daemon is processing an open request, if the kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write() will always return -EIO, so the daemon can't pass the copen to the kernel. Then the kernel process that is waiting for the copen triggers a hung_task. Since the DEAD state is irreversible, it can only be exited by closing /dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to avoid the above hungtask. We may still be able to read some of the cached data before closing the fd of /dev/cachefiles. Note that this relies on the patch that adds reference counting to the req, otherwise it may UAF.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40935.html
CVE-2024-40935
https://bugzilla.suse.com/1227797
SUSE Bug 1227797

Описание

In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40937.html
CVE-2024-40937
https://bugzilla.suse.com/1227836
SUSE Bug 1227836
https://bugzilla.suse.com/1227903
SUSE Bug 1227903

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix tainted pointer delete is case of flow rules creation fail In case of flow rule creation fail in mlx5_lag_create_port_sel_table(), instead of previously created rules, the tainted pointer is deleted deveral times. Fix this bug by using correct flow rules pointers. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40940.html
CVE-2024-40940
https://bugzilla.suse.com/1227800
SUSE Bug 1227800

Описание

In the Linux kernel, the following vulnerability has been resolved: ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40947.html
CVE-2024-40947
https://bugzilla.suse.com/1227803
SUSE Bug 1227803

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/page_table_check: fix crash on ZONE_DEVICE Not all pages may apply to pgtable check. One example is ZONE_DEVICE pages: they map PFNs directly, and they don't allocate page_ext at all even if there's struct page around. One may reference devm_memremap_pages(). When both ZONE_DEVICE and page-table-check enabled, then try to map some dax memories, one can trigger kernel bug constantly now when the kernel was trying to inject some pfn maps on the dax device: kernel BUG at mm/page_table_check.c:55! While it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page fault resolutions, skip all the checks if page_ext doesn't even exist in pgtable checker, which applies to ZONE_DEVICE but maybe more.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40948.html
CVE-2024-40948
https://bugzilla.suse.com/1227801
SUSE Bug 1227801

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40953.html
CVE-2024-40953
https://bugzilla.suse.com/1227806
SUSE Bug 1227806

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL dereference in rt6_probe() syzbot caught a NULL dereference in rt6_probe() [1] Bail out if __in6_dev_get() returns NULL. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f] CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline] RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758 Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19 RSP: 0018:ffffc900034af070 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000 RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000 FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784 nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496 __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825 find_rr_leaf net/ipv6/route.c:853 [inline] rt6_select net/ipv6/route.c:897 [inline] fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195 ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231 pol_lookup_func include/net/ip6_fib.h:616 [inline] fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121 ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline] ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651 ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147 ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250 rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898 inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_write_iter+0x4b8/0x5c0 net/socket.c:1160 new_sync_write fs/read_write.c:497 [inline] vfs_write+0x6b6/0x1140 fs/read_write.c:590 ksys_write+0x1f8/0x260 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40960.html
CVE-2024-40960
https://bugzilla.suse.com/1227813
SUSE Bug 1227813

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL deref in fib6_nh_init() syzbot reminds us that in6_dev_get() can return NULL. fib6_nh_init() ip6_validate_gw( &idev ) ip6_route_check_nh( idev ) *idev = in6_dev_get(dev); // can be NULL Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606 Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b RSP: 0018:ffffc900032775a0 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8 RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000 R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8 R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000 FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809 ip6_route_add+0x28/0x160 net/ipv6/route.c:3853 ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483 inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f940f07cea9

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40961.html
CVE-2024-40961
https://bugzilla.suse.com/1227814
SUSE Bug 1227814

Описание

In the Linux kernel, the following vulnerability has been resolved: tty: add the option to have a tty reject a new ldisc ... and use it to limit the virtual terminals to just N_TTY. They are kind of special, and in particular, the "con_write()" routine violates the "writes cannot sleep" rule that some ldiscs rely on. This avoids the BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659 when N_GSM has been attached to a virtual console, and gsmld_write() calls con_write() while holding a spinlock, and con_write() then tries to get the console lock.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40966.html
CVE-2024-40966
https://bugzilla.suse.com/1227886
SUSE Bug 1227886

Описание

In the Linux kernel, the following vulnerability has been resolved: Avoid hw_desc array overrun in dw-axi-dmac I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3 segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put() handles the hw_desc considering the descs_allocated, this scenario would result in a kernel panic (hw_desc array will be overrun). To fix this, the proposal is to add a new member to the axi_dma_desc structure, where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in axi_desc_put() to handle the hw_desc array correctly. Additionally I propose to remove the axi_chan_start_first_queued() call after completing the transfer, since it was identified that unbalance can occur (started descriptors can be interrupted and transfer ignored due to DMA channel not being enabled).

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40970.html
CVE-2024-40970
https://bugzilla.suse.com/1227899
SUSE Bug 1227899

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: do not create EA inode under buffer lock ext4_xattr_set_entry() creates new EA inodes while holding buffer lock on the external xattr block. This is problematic as it nests all the allocation locking (which acquires locks on other buffers) under the buffer lock. This can even deadlock when the filesystem is corrupted and e.g. quota file is setup to contain xattr block as data block. Move the allocation of EA inode out of ext4_xattr_set_entry() into the callers.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40972.html
CVE-2024-40972
https://bugzilla.suse.com/1227910
SUSE Bug 1227910

Описание

In the Linux kernel, the following vulnerability has been resolved: platform/x86: x86-android-tablets: Unregister devices in reverse order Not all subsystems support a device getting removed while there are still consumers of the device with a reference to the device. One example of this is the regulator subsystem. If a regulator gets unregistered while there are still drivers holding a reference a WARN() at drivers/regulator/core.c:5829 triggers, e.g.: WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015 RIP: 0010:regulator_unregister Call Trace: <TASK> regulator_unregister devres_release_group i2c_device_remove device_release_driver_internal bus_remove_device device_del device_unregister x86_android_tablet_remove On the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides a 5V boost converter output for powering USB devices connected to the micro USB port, the bq24190-charger driver exports this as a Vbus regulator. On the 830 (8") and 1050 ("10") models this regulator is controlled by a platform_device and x86_android_tablet_remove() removes platform_device-s before i2c_clients so the consumer gets removed first. But on the 1380 (13") model there is a lc824206xa micro-USB switch connected over I2C and the extcon driver for that controls the regulator. The bq24190 i2c-client *must* be registered first, because that creates the regulator with the lc824206xa listed as its consumer. If the regulator has not been registered yet the lc824206xa driver will end up getting a dummy regulator. Since in this case both the regulator provider and consumer are I2C devices, the only way to ensure that the consumer is unregistered first is to unregister the I2C devices in reverse order of in which they were created. For consistency and to avoid similar problems in the future change x86_android_tablet_remove() to unregister all device types in reverse order.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40975.html
CVE-2024-40975
https://bugzilla.suse.com/1227926
SUSE Bug 1227926

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix kernel crash during resume Currently during resume, QMI target memory is not properly handled, resulting in kernel crash in case DMA remap is not supported: BUG: Bad page state in process kworker/u16:54 pfn:36e80 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80 page dumped because: nonzero _refcount Call Trace: bad_page free_page_is_bad_report __free_pages_ok __free_pages dma_direct_free dma_free_attrs ath12k_qmi_free_target_mem_chunk ath12k_qmi_msg_mem_request_cb The reason is: Once ath12k module is loaded, firmware sends memory request to host. In case DMA remap not supported, ath12k refuses the first request due to failure in allocating with large segment size: ath12k_pci 0000:04:00.0: qmi firmware request memory request ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144 ath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size ath12k_pci 0000:04:00.0: qmi delays mem_request 2 ath12k_pci 0000:04:00.0: qmi firmware request memory request Later firmware comes back with more but small segments and allocation succeeds: ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 Now ath12k is working. If suspend is triggered, firmware will be reloaded during resume. As same as before, firmware requests two large segments at first. In ath12k_qmi_msg_mem_request_cb() segment count and size are assigned: ab->qmi.mem_seg_count == 2 ab->qmi.target_mem[0].size == 7077888 ab->qmi.target_mem[1].size == 8454144 Then allocation failed like before and ath12k_qmi_free_target_mem_chunk() is called to free all allocated segments. Note the first segment is skipped because its v.addr is cleared due to allocation failure: chunk->v.addr = dma_alloc_coherent() Also note that this leaks that segment because it has not been freed. While freeing the second segment, a size of 8454144 is passed to dma_free_coherent(). However remember that this segment is allocated at the first time firmware is loaded, before suspend. So its real size is 524288, much smaller than 8454144. As a result kernel found we are freeing some memory which is in use and thus cras ---truncated---

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40979.html
CVE-2024-40979
https://bugzilla.suse.com/1227855
SUSE Bug 1227855

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() In the following concurrency we will access the uninitialized rs->lock: ext4_fill_super ext4_register_sysfs // sysfs registered msg_ratelimit_interval_ms // Other processes modify rs->interval to // non-zero via msg_ratelimit_interval_ms ext4_orphan_cleanup ext4_msg(sb, KERN_INFO, "Errors on filesystem, " __ext4_msg ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state) if (!rs->interval) // do nothing if interval is 0 return 1; raw_spin_trylock_irqsave(&rs->lock, flags) raw_spin_trylock(lock) _raw_spin_trylock __raw_spin_trylock spin_acquire(&lock->dep_map, 0, 1, _RET_IP_) lock_acquire __lock_acquire register_lock_class assign_lock_key dump_stack(); ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10); raw_spin_lock_init(&rs->lock); // init rs->lock here and get the following dump_stack: ========================================================= INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504 [...] Call Trace: dump_stack_lvl+0xc5/0x170 dump_stack+0x18/0x30 register_lock_class+0x740/0x7c0 __lock_acquire+0x69/0x13a0 lock_acquire+0x120/0x450 _raw_spin_trylock+0x98/0xd0 ___ratelimit+0xf6/0x220 __ext4_msg+0x7f/0x160 [ext4] ext4_orphan_cleanup+0x665/0x740 [ext4] __ext4_fill_super+0x21ea/0x2b10 [ext4] ext4_fill_super+0x14d/0x360 [ext4] [...] ========================================================= Normally interval is 0 until s_msg_ratelimit_state is initialized, so ___ratelimit() does nothing. But registering sysfs precedes initializing rs->lock, so it is possible to change rs->interval to a non-zero value via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is uninitialized, and then a call to ext4_msg triggers the problem by accessing an uninitialized rs->lock. Therefore register sysfs after all initializations are complete to avoid such problems.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40998.html
CVE-2024-40998
https://bugzilla.suse.com/1227866
SUSE Bug 1227866

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ena: Add validation for completion descriptors consistency Validate that `first` flag is set only for the first descriptor in multi-buffer packets. In case of an invalid descriptor, a reset will occur. A new reset reason for RX data corruption has been added.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40999.html
CVE-2024-40999
https://bugzilla.suse.com/1227913
SUSE Bug 1227913

Описание

In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41006.html
CVE-2024-41006
https://bugzilla.suse.com/1227862
SUSE Bug 1227862

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41011.html
CVE-2024-41011
https://bugzilla.suse.com/1228114
SUSE Bug 1228114
https://bugzilla.suse.com/1228115
SUSE Bug 1228115

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: don't walk off the end of a directory data block This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry to make sure don't stray beyond valid memory region. Before patching, the loop simply checks that the start offset of the dup and dep is within the range. So in a crafted image, if last entry is xfs_dir2_data_unused, we can change dup->length to dup->length-1 and leave 1 byte of space. In the next traversal, this space will be considered as dup or dep. We may encounter an out of bound read when accessing the fixed members. In the patch, we make sure that the remaining bytes large enough to hold an unused entry before accessing xfs_dir2_data_unused and xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make sure that the remaining bytes large enough to hold a dirent with a single-byte name before accessing xfs_dir2_data_entry.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41013.html
CVE-2024-41013
https://bugzilla.suse.com/1228405
SUSE Bug 1228405

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: add bounds checking to xlog_recover_process_data There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41014.html
CVE-2024-41014
https://bugzilla.suse.com/1228408
SUSE Bug 1228408

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: don't walk off the end of ealist Add a check before visiting the members of ea to make sure each ea stays within the ealist.

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41017.html
CVE-2024-41017
https://bugzilla.suse.com/1228403
SUSE Bug 1228403

Описание

In the Linux kernel, the following vulnerability has been resolved: tap: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41090.html
CVE-2024-41090
https://bugzilla.suse.com/1228328
SUSE Bug 1228328
https://bugzilla.suse.com/1228714
SUSE Bug 1228714

Описание

In the Linux kernel, the following vulnerability has been resolved: tun: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP. This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does. CVE: CVE-2024-41091

Затронутые продукты

SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_5-rt-1-150600.1.5.1

SUSE Real Time Module 15 SP6:cluster-md-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:dlm-kmp-rt-6.4.0-150600.10.5.1

SUSE Real Time Module 15 SP6:gfs2-kmp-rt-6.4.0-150600.10.5.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41091.html
CVE-2024-41091
https://bugzilla.suse.com/1228327
SUSE Bug 1228327

SUSE-SU-2024:2973-1

Описание

Список пакетов

SUSE Linux Enterprise Live Patching 15 SP6

SUSE Real Time Module 15 SP6

openSUSE Leap 15.6

Ссылки

Уязвимость: CVE-2021-47432

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2022-48772

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-0160

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-38417

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-47210

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-51780

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52435

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52458

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52472

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52503

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52616

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52618

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52622

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52631

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52635

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52640

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52641

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52645

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-52652