Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2024:4316-1

Опубликовано: 13 дек. 2024
Источник: suse-cvrf

Описание

Security update for the Linux Kernel

The SUSE Linux Enterprise 15 SP6 Azure kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

  • CVE-2023-52778: mptcp: deal with large GSO size (bsc#1224948).
  • CVE-2023-52920: bpf: support non-r10 register spill/fill to/from stack in precision tracking (bsc#1232823).
  • CVE-2024-26596: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events (bsc#1220355).
  • CVE-2024-26741: dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished() (bsc#1222587).
  • CVE-2024-26782: mptcp: fix double-free on socket dismantle (bsc#1222590).
  • CVE-2024-26953: net: esp: fix bad handling of pages from page_pool (bsc#1223656).
  • CVE-2024-27017: netfilter: nft_set_pipapo: walk over current view on netlink dump (bsc#1223733).
  • CVE-2024-35888: erspan: make sure erspan_base_hdr is present in skb->head (bsc#1224518).
  • CVE-2024-36000: mm/hugetlb: fix missing hugetlb_lock for resv uncharge (bsc#1224548).
  • CVE-2024-36883: net: fix out-of-bounds access in ops_init (bsc#1225725).
  • CVE-2024-36886: tipc: fix UAF in error path (bsc#1225730).
  • CVE-2024-36905: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets (bsc#1225742).
  • CVE-2024-36927: ipv4: Fix uninit-value access in __ip_make_skb() (bsc#1225813).
  • CVE-2024-36954: tipc: fix a possible memleak in tipc_buf_append (bsc#1225764).
  • CVE-2024-36968: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() (bsc#1226130).
  • CVE-2024-38589: netrom: fix possible dead-lock in nr_rt_ioctl() (bsc#1226748).
  • CVE-2024-40914: mm/huge_memory: do not unpoison huge_zero_folio (bsc#1227842).
  • CVE-2024-41023: sched/deadline: Fix task_struct reference leak (bsc#1228430).
  • CVE-2024-42102: Revert 'mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again' (bsc#1233132).
  • CVE-2024-44995: net: hns3: fix a deadlock problem when config TC during resetting (bsc#1230231).
  • CVE-2024-46680: Bluetooth: btnxpuart: Fix random crash seen while removing driver (bsc#1230557).
  • CVE-2024-46681: pktgen: use cpus_read_lock() in pg_net_init() (bsc#1230558).
  • CVE-2024-46765: ice: protect XDP configuration with a mutex (bsc#1230807).
  • CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
  • CVE-2024-47679: vfs: fix race between evice_inodes() and find_inode()&iput() (bsc#1231930).
  • CVE-2024-47701: ext4: avoid OOB when system.data xattr changes underneath the filesystem (bsc#1231920).
  • CVE-2024-47703: bpf, lsm: add check for BPF LSM return value (bsc#1231946).
  • CVE-2024-49868: btrfs: fix a NULL pointer dereference when failed to start a new trasacntion (bsc#1232272).
  • CVE-2024-49888: bpf: Fix a sdiv overflow issue (bsc#1232208).
  • CVE-2024-49899: drm/amd/display: Initialize denominators' default to 1 (bsc#1232358).
  • CVE-2024-49911: drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func (bsc#1232366).
  • CVE-2024-49912: drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' (bsc#1232367).
  • CVE-2024-49921: drm/amd/display: Check null pointers before used (bsc#1232371).
  • CVE-2024-49922: drm/amd/display: Check null pointers before using them (bsc#1232374).
  • CVE-2024-49923: drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags (bsc#1232361).
  • CVE-2024-49925: fbdev: efifb: Register sysfs groups through driver core (bsc#1232224)
  • CVE-2024-49933: blk_iocost: fix more out of bound shifts (bsc#1232368).
  • CVE-2024-49934: fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name (bsc#1232387).
  • CVE-2024-49944: sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start (bsc#1232166).
  • CVE-2024-49945: net/ncsi: Disable the ncsi work before freeing the associated structure (bsc#1232165).
  • CVE-2024-49952: netfilter: nf_tables: prevent nf_skb_duplicated corruption (bsc#1232157).
  • CVE-2024-49968: ext4: filesystems without casefold feature cannot be mounted with siphash (bsc#1232264).
  • CVE-2024-49983: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free (bsc#1232096).
  • CVE-2024-49987: bpftool: Fix undefined behavior in qsort(NULL, 0, ...) (bsc#1232258).
  • CVE-2024-49989: drm/amd/display: fix double free issue during amdgpu module unload (bsc#1232483).
  • CVE-2024-50003: drm/amd/display: Fix system hang while resume with TBT monitor (bsc#1232385).
  • CVE-2024-50004: drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35 (bsc#1232396).
  • CVE-2024-50006: ext4: fix i_data_sem unlock order in ext4_ind_migrate() (bsc#1232442).
  • CVE-2024-50009: cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value (bsc#1232318).
  • CVE-2024-50012: cpufreq: Avoid a bad reference count on CPU node (bsc#1232386).
  • CVE-2024-50014: ext4: fix access to uninitialised lock in fc replay path (bsc#1232446).
  • CVE-2024-50082: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race (bsc#1232500).
  • CVE-2024-50084: net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test() (bsc#1232494).
  • CVE-2024-50087: btrfs: fix uninitialized pointer free on read_alloc_one_name() error (bsc#1232499).
  • CVE-2024-50088: btrfs: fix uninitialized pointer free in add_inode_ref() (bsc#1232498).
  • CVE-2024-50098: scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down (bsc#1232881).
  • CVE-2024-50110: xfrm: fix one more kernel-infoleak in algo dumping (bsc#1232885).
  • CVE-2024-50115: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (bsc#1232919).
  • CVE-2024-50124: Bluetooth: ISO: Fix UAF on iso_sock_timeout (bsc#1232926).
  • CVE-2024-50125: Bluetooth: SCO: Fix UAF on sco_sock_timeout (bsc#1232928).
  • CVE-2024-50127: net: sched: fix use-after-free in taprio_change() (bsc#1232907).
  • CVE-2024-50128: net: wwan: fix global oob in wwan_rtnl_policy (bsc#1232905).
  • CVE-2024-50130: netfilter: bpf: must hold reference on net namespace (bsc#1232894).
  • CVE-2024-50138: bpf: Use raw_spinlock_t in ringbuf (bsc#1232935).
  • CVE-2024-50139: KVM: arm64: Fix shift-out-of-bounds bug (bsc#1233062).
  • CVE-2024-50145: octeon_ep: add SKB allocation failures handling in __octep_oq_process_rx() (bsc#1233044).
  • CVE-2024-50153: scsi: target: core: Fix null-ptr-deref in target_alloc_device() (bsc#1233061).
  • CVE-2024-50154: tcp/dccp: Do not use timer_pending() in reqsk_queue_unlink() (bsc#1233070).
  • CVE-2024-50166: fsl/fman: Fix refcount handling of fman-related devices (bsc#1233050).
  • CVE-2024-50167: be2net: fix potential memory leak in be_xmit() (bsc#1233049).
  • CVE-2024-50169: vsock: Update rx_bytes on read_skb() (bsc#1233320).
  • CVE-2024-50171: net: systemport: fix potential memory leak in bcm_sysport_xmit() (bsc#1233057).
  • CVE-2024-50177: drm/amd/display: fix a UBSAN warning in DML2.1 (bsc#1233115).
  • CVE-2024-50182: secretmem: disable memfd_secret() if arch cannot set direct map (bsc#1233129).
  • CVE-2024-50184: virtio_pmem: Check device status before requesting flush (bsc#1233135).
  • CVE-2024-50186: net: explicitly clear the sk pointer, when pf->create fails (bsc#1233110).
  • CVE-2024-50192: irqchip/gic-v4: Do not allow a VMOVP on a dying VPE (bsc#1233106).
  • CVE-2024-50225: btrfs: fix error propagation of split bios (bsc#1233193).
  • CVE-2024-50228: mm: shmem: fix data-race in shmem_getattr() (bsc#1233204).
  • CVE-2024-50230: nilfs2: fix kernel bug due to missing clearing of checked flag (bsc#1233206).
  • CVE-2024-50245: fs/ntfs3: Fix possible deadlock in mi_read (bsc#1233203).
  • CVE-2024-50246: fs/ntfs3: Add rough attr alloc_size check (bsc#1233207).
  • CVE-2024-50248: ntfs3: add bounds checking to mi_enum_attr() (bsc#1233219).
  • CVE-2024-50250: fsdax: dax_unshare_iter needs to copy entire blocks (bsc#1233226).
  • CVE-2024-50252: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address (bsc#1233201).
  • CVE-2024-50257: netfilter: Fix use-after-free in get_info() (bsc#1233244).
  • CVE-2024-50261: macsec: Fix use-after-free while sending the offloading packet (bsc#1233253).
  • CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233453).
  • CVE-2024-50271: signal: restore the override_rlimit logic (bsc#1233460).
  • CVE-2024-50273: btrfs: reinitialize delayed ref list after deleting it from the list (bsc#1233462).
  • CVE-2024-50274: idpf: avoid vport access in idpf_get_link_ksettings (bsc#1233463).
  • CVE-2024-50275: arm64/sve: Discard stale CPU state when handling SVE traps (bsc#1233464).
  • CVE-2024-50276: net: vertexcom: mse102x: Fix possible double free of TX skb (bsc#1233465).
  • CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing (bsc#1233468).
  • CVE-2024-50289: media: av7110: fix a spectre vulnerability (bsc#1233478).
  • CVE-2024-50295: net: arc: fix the device for dma_map_single/dma_unmap_single (bsc#1233484).
  • CVE-2024-50296: net: hns3: fix kernel crash when uninstalling driver (bsc#1233485).
  • CVE-2024-50298: net: enetc: allocate vf_state during PF probes (bsc#1233487).
  • CVE-2024-53042: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() (bsc#1233540).
  • CVE-2024-53043: mctp i2c: handle NULL header address (bsc#1233523).
  • CVE-2024-53048: ice: fix crash on probe for DPLL enabled E810 LOM (bsc#1233721).
  • CVE-2024-53051: drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability (bsc#1233547).
  • CVE-2024-53055: wifi: iwlwifi: mvm: fix 6 GHz scan construction (bsc#1233550).
  • CVE-2024-53056: drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy() (bsc#1233568).
  • CVE-2024-53058: net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data (bsc#1233552).
  • CVE-2024-53079: mm/thp: fix deferred split unqueue naming and locking (bsc#1233570).
  • CVE-2024-53082: virtio_net: Add hash_key_length check (bsc#1233573).
  • CVE-2024-53095: smb: client: Fix use-after-free of network namespace (bsc#1233642).
  • CVE-2024-53110: vp_vdpa: fix id_table array not null terminated error (bsc#1234085).
  • CVE-2024-53121: net/mlx5: fs, lock FTE when checking if active (bsc#1234078).
  • CVE-2024-53138: net/mlx5e: kTLS, Fix incorrect page refcounting (bsc#1234223).

The following non-security bugs were fixed:

  • ACPI: CPPC: Fix _CPC register setting issue (git-fixes).
  • ALSA: 6fire: Release resources at card release (git-fixes).
  • ALSA: ac97: bus: Fix the mistake in the comment (git-fixes).
  • ALSA: caiaq: Use snd_card_free_when_closed() at disconnection (git-fixes).
  • ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() (git-fixes).
  • ALSA: hda/conexant: fix Z60MR100 startup pop issue (stable-fixes).
  • ALSA: hda/realtek - Fixed Clevo platform headset Mic issue (stable-fixes).
  • ALSA: hda/realtek - update set GPIO3 to default for Thinkpad with ALC1318 (git-fixes).
  • ALSA: hda/realtek: Add support for Samsung Galaxy Book3 360 (NP730QFG) (stable-fixes).
  • ALSA: hda/realtek: Apply quirk for Medion E15433 (bsc#1233298).
  • ALSA: hda/realtek: Enable mute and micmute LED on HP ProBook 430 G8 (stable-fixes).
  • ALSA: hda/realtek: Enable speaker pins for Medion E15443 platform (bsc#1233298).
  • ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max (bsc#1233298).
  • ALSA: hda/realtek: Set PCBeep to default value for ALC274 (stable-fixes).
  • ALSA: hda/realtek: Update ALC225 depop procedure (git-fixes).
  • ALSA: hda/realtek: Update ALC256 depop procedure (git-fixes).
  • ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 (stable-fixes).
  • ALSA: hda: Poll jack events for LS7A HD-Audio (stable-fixes).
  • ALSA: hda: Show the codec quirk info at probing (stable-fixes).
  • ALSA: ice1712: Remove redundant code in stac9460_dac_vol_put (stable-fixes).
  • ALSA: pcm: Add sanity NULL check for the default mmap fault handler (stable-fixes).
  • ALSA: ump: Fix evaluation of MIDI 1.0 FB info (git-fixes).
  • ALSA: us122l: Use snd_card_free_when_closed() at disconnection (git-fixes).
  • ALSA: usb-audio: Add Pioneer DJ/AlphaTheta DJM-A9 Mixer (stable-fixes).
  • ALSA: usb-audio: Fix Yamaha P-125 Quirk Entry (stable-fixes).
  • ALSA: usb-audio: Fix a DMA to stack memory bug (git-fixes).
  • ALSA: usb-audio: Fix out of bounds reads when finding clock sources (stable-fixes).
  • ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices (git-fixes).
  • ALSA: usb-audio: Make mic volume workarounds globally applicable (stable-fixes).
  • ALSA: usb-audio: Use snprintf instead of sprintf in build_mixer_unit_ctl (stable-fixes).
  • ALSA: usb-audio: add mixer mapping for Corsair HS80 (stable-fixes).
  • ALSA: usx2y: Use snd_card_free_when_closed() at disconnection (git-fixes).
  • ASoC: Intel: avs: da7219: Remove suspend_pre() and resume_post() (stable-fixes).
  • ASoC: SOF: Add i2s bt dai configuration support for AMD platforms (bsc#1233305).
  • ASoC: SOF: Add support for configuring PDM interface from topology (bsc#1233305).
  • ASoC: SOF: Deprecate invalid enums in IPC3 (bsc#1233305).
  • ASoC: SOF: IPC4: get pipeline priority from topology (bsc#1233305).
  • ASoC: SOF: IPC4: synchronize fw_config_params with fw definitions (bsc#1233305).
  • ASoC: SOF: Refactor sof_i2s_tokens reading to update acpbt dai (bsc#1233305).
  • ASoC: SOF: Rename amd_bt sof_dai_type (bsc#1233305).
  • ASoC: SOF: Wire up buffer flags (bsc#1233305).
  • ASoC: SOF: add alignment for topology header file struct definition (bsc#1233305).
  • ASoC: SOF: align topology header file with sof topology header (bsc#1233305).
  • ASoC: SOF: ipc3-topology: Convert the topology pin index to ALH dai index (git-fixes).
  • ASoC: SOF: ipc3-topology: fix resource leaks in sof_ipc3_widget_setup_comp_dai() (git-fixes).
  • ASoC: SOF: ipc4-control: Add support for ALSA enum control (bsc#1233305).
  • ASoC: SOF: ipc4-control: Add support for ALSA switch control (bsc#1233305).
  • ASoC: SOF: ipc4-mtrace: move debug slot related definitions to header.h (bsc#1233305).
  • ASoC: SOF: ipc4-topology: Add deep buffer size to debug prints (bsc#1233305).
  • ASoC: SOF: ipc4-topology: Add definition for generic switch/enum control (bsc#1233305).
  • ASoC: SOF: ipc4-topology: Add module ID print during module set up (bsc#1233305).
  • ASoC: SOF: ipc4-topology: Helper to find an swidget by module/instance id (bsc#1233305).
  • ASoC: SOF: ipc4-topology: Only handle dai_config with HW_PARAMS for ChainDMA (bsc#1233305).
  • ASoC: SOF: ipc4-topology: change chain_dma handling in dai_config (bsc#1233305).
  • ASoC: SOF: ipc4-topology: export sof_ipc4_copier_is_single_format (bsc#1233305).
  • ASoC: SOF: ipc4-topology: set config_length based on device_count (bsc#1233305).
  • ASoC: SOF: ipc4: Add data struct for module notification message from firmware (bsc#1233305).
  • ASoC: SOF: ipc4: Add new message type: SOF_IPC4_GLB_LOAD_LIBRARY_PREPARE (bsc#1233305).
  • ASoC: SOF: sof-client-probes-ipc4: Set param_size extension bits (git-fixes).
  • ASoC: SOF: topology: Parse DAI type token for dspless mode (bsc#1233305).
  • ASoC: SOF: topology: dynamically allocate and store DAI widget->private (bsc#1233305).
  • ASoC: amd: yc: Add quirk for ASUS Vivobook S15 M3502RA (stable-fixes).
  • ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry (git-fixes).
  • ASoC: amd: yc: Fix non-functional mic on ASUS E1404FA (stable-fixes).
  • ASoC: amd: yc: Support dmic on another model of Lenovo Thinkpad E14 Gen 6 (stable-fixes).
  • ASoC: amd: yc: fix internal mic on Xiaomi Book Pro 14 2022 (stable-fixes).
  • ASoC: audio-graph-card2: Purge absent supplies for device tree nodes (stable-fixes).
  • ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() (git-fixes).
  • ASoC: fsl_micfil: Add sample rate constraint (stable-fixes).
  • ASoC: fsl_micfil: fix regmap_write_bits usage (git-fixes).
  • ASoC: mediatek: mt8188-mt6359: Remove hardcoded dmic codec (git-fixes).
  • ASoC: rt722-sdca: Remove logically deadcode in rt722-sdca.c (git-fixes).
  • ASoC: rt722-sdca: increase clk_stop_timeout to fix clock stop issue (stable-fixes).
  • ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove (git-fixes).
  • ASoC: stm: Prevent potential division by zero in stm32_sai_get_clk_div() (stable-fixes).
  • ASoC: stm: Prevent potential division by zero in stm32_sai_mclk_round_rate() (stable-fixes).
  • ASoC: tas2781: Add new driver version for tas2563 & tas2781 qfn chip (stable-fixes).
  • Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync (git-fixes).
  • Bluetooth: btintel: Direct exception event to bluetooth stack (git-fixes).
  • Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test (bsc#1230557)
  • Bluetooth: fix use-after-free in device_for_each_child() (git-fixes).
  • Bluetooth: hci_core: Fix calling mgmt_device_connected (git-fixes).
  • Documentation: kgdb: Correct parameter error (git-fixes).
  • Drop OCFS2 patch causing a regression (bsc#1233255)
  • HID: core: zero-initialize the report buffer (git-fixes).
  • HID: lenovo: Add support for Thinkpad X1 Tablet Gen 3 keyboard (stable-fixes).
  • HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad (stable-fixes).
  • HID: multitouch: Add quirk for Logitech Bolt receiver w/ Casa touchpad (stable-fixes).
  • HID: multitouch: Add support for B2402FVA track point (stable-fixes).
  • HID: wacom: Interpret tilt data from Intuos Pro BT as signed values (git-fixes).
  • HID: wacom: fix when get product name maybe null pointer (git-fixes).
  • Input: hideep - add missing dependency on REGMAP_I2C (git-fixes).
  • Input: hycon-hy46xx - add missing dependency on REGMAP_I2C (git-fixes).
  • Input: xpad - add GameSir T4 Kaleid Controller support (git-fixes).
  • Input: xpad - add GameSir VID for Xbox One controllers (git-fixes).
  • Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller (git-fixes).
  • Input: xpad - add support for MSI Claw A1M (git-fixes).
  • Input: xpad - add support for Machenike G5 Pro Controller (git-fixes).
  • Input: xpad - fix support for some third-party controllers (git-fixes).
  • Input: xpad - sort xpad_device by vendor and product ID (git-fixes).
  • Input: xpad - spelling fixes for 'Xbox' (git-fixes).
  • KVM: PPC: Book3S HV: Avoid returning to nested hypervisor on pending doorbells (bsc#1215199).
  • KVM: PPC: Book3S HV: Stop using vc->dpdes for nested KVM guests (bsc#1215199).
  • KVM: PPC: Book3S HV: remove unused varible (bsc#1194869).
  • KVM: SEV-ES: Fix svm_get_msr()/svm_set_msr() for KVM_SEV_ES_INIT guests (bsc#1232207).
  • KVM: SEV-ES: Prevent MSR access post VMSA encryption (bsc#1232207).
  • Move kabi netfilter fix into patches.kabi
  • Move upstreamed crypto patches into sorted section
  • Move upstreamed patches into sorted section
  • NFS: remove revoked delegation from server's delegation list (git-fixes).
  • PCI: Add T_PVPERL macro (git-fixes).
  • PCI: Fix reset_method_store() memory leak (git-fixes).
  • PCI: endpoint: Clear secondary (not primary) EPC in pci_epc_remove_epf() (git-fixes).
  • PCI: j721e: Deassert PERST# after a delay of PCIE_T_PVPERL_MS milliseconds (git-fixes).
  • PCI: keystone: Add link up check to ks_pcie_other_map_bus() (git-fixes).
  • PCI: keystone: Set mode as Root Complex for 'ti,keystone-pcie' compatible (git-fixes).
  • PCI: rockchip-ep: Fix address translation unit programming (git-fixes).
  • RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey (git-fixes)
  • RDMA/hns: Add mutex_destroy() (git-fixes)
  • RDMA/hns: Disassociate mmap pages for all uctx when HW is being reset (git-fixes)
  • RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() (git-fixes)
  • RDMA/hns: Fix an AEQE overflow error caused by untimely update of eq_db_ci (git-fixes)
  • RDMA/hns: Fix cpu stuck caused by printings during reset (git-fixes)
  • RDMA/hns: Fix different dgids mapping to the same dip_idx (git-fixes)
  • RDMA/hns: Fix flush cqe error when racing with destroy qp (git-fixes)
  • RDMA/hns: Fix out-of-order issue of requester when setting FENCE (git-fixes)
  • RDMA/hns: Use dev_* printings in hem code instead of ibdev_* (git-fixes)
  • RDMA/hns: Use macro instead of magic number (git-fixes)
  • RDMA/mlx5: Move events notifier registration to be after device registration (git-fixes)
  • RDMA/rxe: Fix the qp flush warnings in req (git-fixes)
  • RDMA/rxe: Set queue pair cur_qp_state when being queried (git-fixes)
  • RDMA/siw: Add sendpage_ok() check to disable MSG_SPLICE_PAGES (git-fixes)
  • Revert 'KVM: PPC: Book3S HV Nested: Stop forwarding all HFUs to L1' (bsc#1215199).
  • Revert 'RDMA/core: Fix ENODEV error for iWARP test over vlan' (git-fixes)
  • Revert 'cgroup: Fix memory leak caused by missing cgroup_bpf_offline' (bsc#1234108).
  • Revert 'cpufreq: brcmstb-avs-cpufreq: Fix initial command check' (stable-fixes).
  • Revert 'mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K' (git-fixes).
  • Revert 'usb: gadget: composite: fix OS descriptors w_value logic' (git-fixes).
  • SUNRPC: Remove BUG_ON call sites (git-fixes).
  • USB: chaoskey: Fix possible deadlock chaoskey_list_lock (git-fixes).
  • USB: chaoskey: fail open after removal (git-fixes).
  • USB: gadget: dummy-hcd: Fix 'task hung' problem (git-fixes).
  • USB: serial: ftdi_sio: Fix atomicity violation in get_serial_info() (git-fixes).
  • USB: serial: io_edgeport: fix use after free in debug printk (git-fixes).
  • USB: serial: option: add Fibocom FG132 0x0112 composition (stable-fixes).
  • USB: serial: option: add Quectel RG650V (stable-fixes).
  • USB: serial: qcserial: add support for Sierra Wireless EM86xx (stable-fixes).
  • Update config files (bsc#1218644).
  • Update config files. Enabled IDPF for ARM64 (bsc#1221309)
  • accel: Use XArray instead of IDR for minors (jsc#PED-11580).
  • acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block() (git-fixes).
  • ad7780: fix division by zero in ad7780_write_raw() (git-fixes).
  • add bugreference to a hv_netvsc patch (bsc#1232413).
  • aes-gcm-p10: Use the correct bit to test for P10 (bsc#1232704).
  • amd-pstate: Set min_perf to nominal_perf for active mode performance gov (git-fixes).
  • apparmor: fix 'Do simple duplicate message elimination' (git-fixes).
  • apparmor: test: Fix memory leak for aa_unpack_strdup() (git-fixes).
  • apparmor: use kvfree_sensitive to free data->data (git-fixes).
  • arm64: dts: allwinner: pinephone: Add mount matrix to accelerometer (git-fixes)
  • arm64: dts: freescale: imx8mm-verdin: Fix SD regulator startup delay (git-fixes)
  • arm64: dts: freescale: imx8mp-verdin: Fix SD regulator startup delay (git-fixes)
  • arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs (git-fixes)
  • arm64: dts: imx8qxp: Add VPU subsystem file (git-fixes)
  • arm64: dts: imx93: add nvmem property for eqos (git-fixes)
  • arm64: dts: imx93: add nvmem property for fec1 (git-fixes)
  • arm64: dts: imx93: add ocotp node (git-fixes)
  • arm64: dts: rockchip: Add DTS for FriendlyARM NanoPi R2S Plus (git-fixes)
  • arm64: dts: rockchip: Correct GPIO polarity on brcm BT nodes (git-fixes)
  • arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc (git-fixes)
  • arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards (git-fixes)
  • arm64: dts: rockchip: Fix bluetooth properties on rk3566 box demo (git-fixes)
  • arm64: dts: rockchip: Fix reset-gpios property on brcm BT nodes (git-fixes)
  • arm64: dts: rockchip: Fix rt5651 compatible value on (git-fixes)
  • arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-eaidk-610 (git-fixes)
  • arm64: dts: rockchip: Fix wakeup prop names on PineNote BT node (git-fixes)
  • arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma (git-fixes)
  • arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328 (git-fixes)
  • arm64: dts: rockchip: Remove undocumented supports-emmc property (git-fixes)
  • arm64: dts: rockchip: fix i2c2 pinctrl-names property on (git-fixes)
  • arm64: dts: rockchip: remove num-slots property from (git-fixes)
  • arm64: dts: rockchip: remove orphaned pinctrl-names from pinephone (git-fixes)
  • arm64: fix .data.rel.ro size assertion when CONFIG_LTO_CLANG (git-fixes)
  • arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint (git-fixes)
  • arm64: smccc: replace custom COUNT_ARGS() & CONCATENATE() (git-fixes)
  • arm64: tegra: Move AGX Orin nodes to correct location (git-fixes)
  • arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled (git-fixes)
  • bpf, arm64: Fix address emission with tag-based KASAN enabled (git-fixes)
  • bpf, arm64: Remove garbage frame for struct_ops trampoline (git-fixes)
  • bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock (git-fixes).
  • bpf, vsock: Drop static vsock_bpf_prot initialization (git-fixes).
  • btrfs: merge btrfs_orig_bbio_end_io() into btrfs_bio_end_io() (bsc#1233193)
  • can: c_can: c_can_handle_bus_err(): update statistics if skb allocation fails (git-fixes).
  • can: c_can: fix {rx,tx}_errors statistics (git-fixes).
  • can: dev: can_set_termination(): allow sleeping GPIOs (git-fixes).
  • can: ems_usb: ems_usb_rx_err(): fix {rx,tx}_errors statistics (git-fixes).
  • can: hi311x: hi3110_can_ist(): fix potential use-after-free (git-fixes).
  • can: hi311x: hi3110_can_ist(): fix {rx,tx}_errors statistics (git-fixes).
  • can: ifi_canfd: ifi_canfd_handle_lec_err(): fix {rx,tx}_errors statistics (git-fixes).
  • can: j1939: j1939_session_new(): fix skb reference counting (git-fixes).
  • can: m_can: m_can_handle_lec_err(): fix {rx,tx}_errors statistics (git-fixes).
  • can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation (git-fixes).
  • can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6 (git-fixes).
  • can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes (git-fixes).
  • can: sja1000: sja1000_err(): fix {rx,tx}_errors statistics (git-fixes).
  • can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL (git-fixes).
  • can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics (git-fixes).
  • cgroup/bpf: only cgroup v2 can be attached by bpf programs (bsc#1234108).
  • clk: clk-apple-nco: Add NULL check in applnco_probe (git-fixes).
  • clk: clk-axi-clkgen: make sure to enable the AXI bus clock (git-fixes).
  • clk: imx: clk-scu: fix clk enable state save and restore (git-fixes).
  • clk: imx: fracn-gppll: correct PLL initialization flow (git-fixes).
  • clk: imx: fracn-gppll: fix pll power up (git-fixes).
  • clk: imx: lpcg-scu: SW workaround for errata (e10858) (git-fixes).
  • clk: qcom: clk-alpha-pll: drop lucid-evo pll enabled warning (git-fixes).
  • clk: qcom: clk-alpha-pll: fix lucid 5lpe pll enabled check (git-fixes).
  • clk: qcom: gcc-qcs404: fix initial rate of GPLL3 (git-fixes).
  • clk: renesas: rzg2l: Fix FOUTPOSTDIV clk (git-fixes).
  • clk: sunxi-ng: d1: Fix PLL_AUDIO0 preset (git-fixes).
  • comedi: Flush partial mappings in error case (git-fixes).
  • cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost() (git-fixes).
  • cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() (git-fixes).
  • cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_cost() (git-fixes).
  • cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_power() (git-fixes).
  • cpufreq: loongson2: Unregister platform_driver on failure (git-fixes).
  • cpufreq: mediatek-hw: Fix wrong return value in mtk_cpufreq_get_cpu_power() (git-fixes).
  • crypto: aes-gcm-p10 - Use the correct bit to test for P10 (bsc#1232704).
  • crypto: api - Fix liveliness check in crypto_alg_tested (stable-fixes).
  • crypto: bcm - add error check in the ahash_hmac_init function (git-fixes).
  • crypto: caam - Fix the pointer passed to caam_qi_shutdown() (git-fixes).
  • crypto: caam - add error check to caam_rsa_set_priv_key_form (git-fixes).
  • crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() (git-fixes).
  • crypto: cavium - Fix the if condition to exit loop after timeout (git-fixes).
  • crypto: inside-secure - Fix the return value of safexcel_xcbcmac_cra_init() (git-fixes).
  • crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY (git-fixes).
  • crypto: qat - remove check after debugfs_create_dir() (git-fixes).
  • crypto: qat - remove faulty arbiter config reset (git-fixes).
  • crypto: qat/qat_4xxx - fix off by one in uof_get_name() (git-fixes).
  • crypto: x86/aegis128 - access 32-bit arguments as 32-bit (git-fixes).
  • cxl: downgrade a warning message to debug level in cxl_probe_component_regs() (bsc#1229165).
  • dma-fence: Fix reference leak on fence merge failure path (git-fixes).
  • dma-fence: Use kernel's sort for merging fences (git-fixes).
  • doc: rcu: update printed dynticks counter bits (git-fixes).
  • drivers: soc: xilinx: add the missing kfree in xlnx_add_cb_for_suspend() (git-fixes).
  • drm/amd/display: Adjust VSDB parser for replay feature (stable-fixes).
  • drm/amd/display: Fix brightness level not retained over reboot (git-fixes).
  • drm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe (git-fixes).
  • drm/amd/display: Fix null check for pipe_ctx->plane_state in hwss_setup_dpp (git-fixes).
  • drm/amd: Add some missing straps from NBIO 7.11.0 (git-fixes).
  • drm/amd: Fix initialization mistake for NBIO 7.7.0 (stable-fixes).
  • drm/amdgpu: Adjust debugfs eviction and IB access permissions (stable-fixes).
  • drm/amdgpu: Adjust debugfs register access permissions (stable-fixes).
  • drm/amdgpu: Fix DPX valid mode check on GC 9.4.3 (git-fixes).
  • drm/amdgpu: Fix JPEG v4.0.3 register write (git-fixes).
  • drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() (stable-fixes).
  • drm/amdgpu: fix check in gmc_v9_0_get_vm_pte() (git-fixes).
  • drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported (git-fixes).
  • drm/amdkfd: Accounting pdd vram_usage for svm (stable-fixes).
  • drm/amdkfd: Fix wrong usage of INIT_WORK() (git-fixes).
  • drm/bridge: anx7625: Drop EDID cache on bridge power off (git-fixes).
  • drm/bridge: it6505: Drop EDID cache on bridge power off (git-fixes).
  • drm/bridge: tc358767: Fix link properties discovery (git-fixes).
  • drm/bridge: tc358768: Fix DSI command tx (git-fixes).
  • drm/etnaviv: Request pages from DMA32 zone on addressing_limited (git-fixes).
  • drm/etnaviv: hold GPU lock across perfmon sampling (git-fixes).
  • drm/imx/dcss: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • drm/mediatek: Fix child node refcount handling in early exit (git-fixes).
  • drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused (git-fixes).
  • drm/msm/adreno: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • drm/msm/dpu: cast crtc_clk calculation to u64 in _dpu_core_perf_calc_clk() (git-fixes).
  • drm/msm/dpu: drop LM_3 / LM_4 on MSM8998 (git-fixes).
  • drm/msm/dpu: drop LM_3 / LM_4 on SDM845 (git-fixes).
  • drm/msm/dpu: on SDM845 move DSPP_3 to LM_5 block (git-fixes).
  • drm/msm/gpu: Check the status of registration to PM QoS (git-fixes).
  • drm/msm: Fix some typos in comment (git-fixes).
  • drm/nouveau/gr/gf100: Fix missing unlock in gf100_gr_chan_new() (git-fixes).
  • drm/omap: Fix locking in omap_gem_new_dmabuf() (git-fixes).
  • drm/omap: Fix possible NULL dereference (git-fixes).
  • drm/panfrost: Add missing OPP table refcnt decremental (git-fixes).
  • drm/panfrost: Remove unused id_mask from struct panfrost_model (git-fixes).
  • drm/rockchip: vop: Fix a dereferenced before check warning (git-fixes).
  • drm/sti: Add __iomem for mixer_dbg_mxn's parameter (git-fixes).
  • drm/sti: avoid potential dereference of error pointers (git-fixes).
  • drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check (git-fixes).
  • drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check (git-fixes).
  • drm/v3d: Address race-condition in MMU flush (git-fixes).
  • drm/v3d: Enable Performance Counters before clearing them (git-fixes).
  • drm/vc4: Match drm_dev_enter and exit calls in vc4_hvs_atomic_flush (git-fixes).
  • drm/vc4: Match drm_dev_enter and exit calls in vc4_hvs_lut_load (git-fixes).
  • drm/vc4: hdmi: Avoid hang with debug registers when suspended (git-fixes).
  • drm/vc4: hvs: Correct logic on stopping an HVS channel (git-fixes).
  • drm/vc4: hvs: Do not write gamma luts on 2711 (git-fixes).
  • drm/vc4: hvs: Fix dlist debug not resetting the next entry pointer (git-fixes).
  • drm/vc4: hvs: Remove incorrect limit from hvs_dlist debugfs function (git-fixes).
  • drm/vkms: Drop unnecessary call to drm_crtc_cleanup() (git-fixes).
  • drm/vmwgfx: Limit display layout ioctl array size to VMWGFX_NUM_DISPLAY_UNITS (stable-fixes).
  • drm: Expand max DRM device number to full MINORBITS (jsc#PED-11580).
  • drm: Use XArray instead of IDR for minors (jsc#PED-11580).
  • drm: use ATOMIC64_INIT() for atomic64_t (git-fixes).
  • drm: xlnx: zynqmp_dpsub: fix hotplug detection (git-fixes).
  • drm: zynqmp_kms: Unplug DRM device before removal (git-fixes).
  • e1000e: Remove Meteor Lake SMBUS workarounds (git-fixes).
  • efi/libstub: Free correct pointer on failure (git-fixes).
  • efi/libstub: fix efi_parse_options() ignoring the default command line (git-fixes).
  • efi/libstub: zboot.lds: Discard .discard sections (stable-fixes).
  • efi/memattr: Ignore table if the size is clearly bogus (bsc#1231465).
  • ext4: fix unttached inode after power cut with orphan file feature enabled (bsc#1234009).
  • f2fs: get out of a repeat loop when getting a locked data page (bsc#1234011).
  • fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() (git-fixes).
  • firmware: arm_scpi: Check the DVFS OPP count returned by the firmware (git-fixes).
  • firmware: google: Unregister driver_info on failure (git-fixes).
  • firmware_loader: Fix possible resource leak in fw_log_firmware_info() (git-fixes).
  • fs/ntfs3: Add more attributes checks in mi_enum_attr() (bsc#1233207)
  • fs/ntfs3: Fixed overflow check in mi_enum_attr() (bsc#1233207)
  • fs/ntfs3: Sequential field availability check in mi_enum_attr() (bsc#1233207)
  • fs: Fix uninitialized value issue in from_kuid and from_kgid (git-fixes).
  • goldfish: Fix unused const variable 'goldfish_pipe_acpi_match' (git-fixes).
  • gpio: exar: set value when external pull-up or pull-down is present (git-fixes).
  • gpio: zevio: Add missed label initialisation (git-fixes).
  • hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer (git-fixes).
  • hwmon: (nct6775-core) Fix overflows seen when writing limit attributes (git-fixes).
  • hwmon: (tps23861) Fix reporting of negative temperatures (git-fixes).
  • i2c: designware: do not hold SCL low when I2C_DYNAMIC_TAR_UPDATE is not set (git-fixes).
  • i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs() (git-fixes).
  • i3c: master: svc: Fix pm_runtime_set_suspended() with runtime pm enabled (git-fixes).
  • i40e: fix race condition by adding filter's intermediate sync state (git-fixes).
  • iTCO_wdt: mask NMI_NOW bit for update_no_reboot_bit() call (git-fixes).
  • igb: Disable threaded IRQ for igb_msix_other (git-fixes).
  • iio: Fix fwnode_handle in __fwnode_iio_channel_get_by_name() (git-fixes).
  • iio: accel: kx022a: Fix raw read format (git-fixes).
  • iio: adc: ad7606: Fix typo in the driver name (git-fixes).
  • iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer (git-fixes).
  • iio: gts: Fix uninitialized symbol 'ret' (git-fixes).
  • iio: gts: fix infinite loop for gain_to_scaletables() (git-fixes).
  • iio: light: al3010: Fix an error handling path in al3010_probe() (git-fixes).
  • ima: fix buffer overrun in ima_eventdigest_init_common (git-fixes).
  • initramfs: avoid filename buffer overrun (bsc#1232436).
  • intel_idle: add Granite Rapids Xeon support (bsc#1231630).
  • intel_idle: fix ACPI _CST matching for newer Xeon platforms (bsc#1231630).
  • io_uring/rw: fix missing NOWAIT check for O_DIRECT start write (git-fixes).
  • io_uring/sqpoll: close race on waiting for sqring entries (git-fixes).
  • irqchip/gic-v3-its: Avoid explicit cpumask allocation on stack (git-fixes).
  • jbd2: Move j_transaction_overhead_buffers into a hole (bsc#1234042).
  • jbd2: avoid infinite transaction commit loop (bsc#1234039).
  • jbd2: avoid memleak in jbd2_journal_write_metadata_buffer (bsc#1234043).
  • jbd2: avoid mount failed when commit block is partial submitted (bsc#1234040).
  • jbd2: correct the printing of write_flags in jbd2_write_superblock() (bsc#1234045).
  • jbd2: fix kernel-doc for j_transaction_overhead_buffers (bsc#1234042).
  • jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev (bsc#1234044).
  • jbd2: fix soft lockup in journal_finish_inode_data_buffers() (bsc#1234046).
  • jbd2: make jbd2_journal_get_max_txn_bufs() internal (bsc#1234041).
  • jbd2: precompute number of transaction descriptor blocks (bsc#1234042).
  • kABI workaround for ASoC SOF (bsc#1233305).
  • kABI: Restore exported __arm_smccc_sve_check (git-fixes)
  • kabi, mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling (git-fixes kabi).
  • kasan: move checks to do_strncpy_from_user (git-fixes).
  • kernel-binary: Enable livepatch package only when livepatch is enabled Otherwise the filelist may be empty failing the build (bsc#1218644).
  • kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y (git-fixes).
  • leds: lp55xx: Remove redundant test for invalid channel number (git-fixes).
  • lib: string_helpers: silence snprintf() output truncation warning (git-fixes).
  • mailbox: arm_mhuv2: clean up loop in get_irq_chan_comb() (git-fixes).
  • maple_tree: fix alloc node fail issue (git-fixes).
  • maple_tree: refine mas_store_root() on storing NULL (git-fixes).
  • media: adv7604: prevent underflow condition when reporting colorspace (git-fixes).
  • media: amphion: Fix pm_runtime_set_suspended() with runtime pm enabled (git-fixes).
  • media: amphion: Set video drvdata before register video device (git-fixes).
  • media: ar0521: do not overflow when checking PLL values (git-fixes).
  • media: atomisp: Add check for rgby_data memory allocation failure (git-fixes).
  • media: cx24116: prevent overflows on SNR calculus (git-fixes).
  • media: dvb_frontend: do not play tricks with underflow values (git-fixes).
  • media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set (stable-fixes).
  • media: dvbdev: prevent the risk of out of memory access (git-fixes).
  • media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate() (git-fixes).
  • media: i2c: dw9768: Fix pm_runtime_set_suspended() with runtime pm enabled (git-fixes).
  • media: i2c: tc358743: Fix crash in the probe error path when using polling (git-fixes).
  • media: imx-jpeg: Ensure power suppliers be suspended before detach them (git-fixes).
  • media: imx-jpeg: Set video drvdata before register video device (git-fixes).
  • media: mantis: remove orphan mantis_core.h (git-fixes).
  • media: mtk-jpeg: Fix null-ptr-deref during unload module (git-fixes).
  • media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal() (git-fixes).
  • media: platform: exynos4-is: Fix an OF node reference leak in fimc_md_is_isp_available (git-fixes).
  • media: pulse8-cec: fix data timestamp at pulse8_setup() (git-fixes).
  • media: s5p-jpeg: prevent buffer overflows (git-fixes).
  • media: stb0899_algo: initialize cfr before using it (git-fixes).
  • media: ts2020: fix null-ptr-deref in ts2020_probe() (git-fixes).
  • media: uvcvideo: Require entities to have a non-zero unique ID (git-fixes).
  • media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format (git-fixes).
  • media: uvcvideo: Stop stream during unregister (git-fixes).
  • media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() (git-fixes).
  • media: v4l2-tpg: prevent the risk of a division by zero (git-fixes).
  • media: vb2: Fix comment (git-fixes).
  • media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled (git-fixes).
  • media: wl128x: Fix atomicity violation in fmc_send_cmd() (git-fixes).
  • mfd: rt5033: Fix missing regmap_del_irq_chip() (git-fixes).
  • mfd: tps65010: Use IRQF_NO_AUTOEN flag in request_irq() to fix race (git-fixes).
  • minmax: scsi: fix mis-use of 'clamp()' in sr.c (git-fixes).
  • misc: apds990x: Fix missing pm_runtime_disable() (git-fixes).
  • mlxbf_gige: disable RX filters until RX path initialized (git-fixes).
  • mm/hugetlb: fix nodes huge page allocation when there are surplus pages (bsc#1234012).
  • mm: avoid unsafe VMA hook invocation when error arises on mmap hook (git-fixes).
  • mm: move dummy_vm_ops out of a header (git-fixes prerequisity).
  • mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling (git-fixes).
  • mm: refactor map_deny_write_exec() (git-fixes).
  • mm: resolve faulty mmap_region() error path behaviour (git-fixes).
  • mm: unconditionally close VMAs on error (git-fixes).
  • mmc: core: Further prevent card detect during shutdown (git-fixes).
  • mmc: mmc_spi: drop buggy snprintf() (git-fixes).
  • mmc: sunxi-mmc: Fix A100 compatible description (git-fixes).
  • modpost: remove incorrect code in do_eisa_entry() (git-fixes).
  • mtd: rawnand: atmel: Fix possible memory leak (git-fixes).
  • mtd: spi-nor: core: replace dummy buswidth from addr to data (git-fixes).
  • net: mdio-ipq4019: add missing error check (git-fixes).
  • net: phy: dp83822: Fix reset pin definitions (git-fixes).
  • net: phy: ti: add PHY_RST_AFTER_CLK_EN flag (git-fixes).
  • net: relax socket state check at accept time (git-fixes).
  • net: usb: lan78xx: Fix double free issue with interrupt buffer allocation (git-fixes).
  • net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device (git-fixes).
  • net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration (git-fixes).
  • net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition (stable-fixes).
  • net: wwan: fix global oob in wwan_rtnl_policy (git-fixes).
  • net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc() (git-fixes).
  • net: xfrm: preserve kabi for xfrm_state (bsc#1233754).
  • netdevsim: copy addresses for both in and out paths (git-fixes).
  • netfilter: nf_tables: missing iterator type in lookup walk (git-fixes).
  • nfs: Fix KMSAN warning in decode_getfattr_attrs() (git-fixes).
  • nfs: avoid i_lock contention in nfs_clear_invalid_mapping (git-fixes).
  • nfsd: remove unsafe BUG_ON from set_change_info (bsc#1234121).
  • nilfs2: fix potential deadlock with newly created symlinks (git-fixes).
  • nouveau/dp: handle retries for AUX CH transfers with GSP (git-fixes).
  • nouveau: fw: sync dma after setup is called (git-fixes).
  • nouveau: handle EBUSY and EAGAIN for GSP aux errors (git-fixes).
  • ntfs3: Add bounds checking to mi_enum_attr() (bsc#1233207)
  • nvme-fabrics: fix kernel crash while shutting down controller (git-fixes).
  • nvme-loop: flush off pending I/O while shutting down loop controller (git-fixes).
  • nvme-pci: fix freeing of the HMB descriptor table (git-fixes).
  • nvme-pci: reverse request order in nvme_queue_rqs (git-fixes).
  • nvme/host: Fix RCU list traversal to use SRCU primitive (git-fixes).
  • nvme: tcp: avoid race between queue_lock lock and destroy (git-fixes).
  • ocfs2: fix UBSAN warning in ocfs2_verify_volume() (git-fixes).
  • ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() (git-fixes).
  • ocfs2: uncache inode which has failed entering the group (git-fixes).
  • of: Add cleanup.h based auto release via __free(device_node) markings (bsc#1232386)
  • pinctrl: k210: Undef K210_PC_DEFAULT (git-fixes).
  • pinctrl: qcom: spmi: fix debugfs drive strength (git-fixes).
  • pinctrl: zynqmp: drop excess struct member description (git-fixes).
  • platform/chrome: cros_ec_typec: fix missing fwnode reference decrement (git-fixes).
  • platform/x86/amd/pmc: Detect when STB is not available (git-fixes).
  • platform/x86: panasonic-laptop: Return errno correctly in show callback (git-fixes).
  • posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone (bsc#1234098).
  • power: supply: bq27xxx: Fix registers of bq27426 (git-fixes).
  • power: supply: core: Remove might_sleep() from power_supply_put() (git-fixes).
  • power: supply: rt9471: Fix wrong WDT function regfield declaration (git-fixes).
  • power: supply: rt9471: Use IC status regfield to report real charger status (git-fixes).
  • powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0 (bsc#1215199).
  • powerpc/atomic: Use YZ constraints for DS-form instructions (bsc#1194869).
  • powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() (bsc#1215199).
  • powerpc/fadump: Refactor and prepare fadump_cma_init for late init (bsc#1215199).
  • powerpc/kexec: Fix return of uninitialized variable (bsc#1194869).
  • powerpc/mm/fault: Fix kfence page fault reporting (bsc#1194869).
  • powerpc/mm: Fix boot crash with FLATMEM (bsc#1194869).
  • powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL (bsc#1194869).
  • powerpc/powernv: Free name on error in opal_event_init() (bsc#1194869).
  • powerpc/pseries: Fix KVM guest detection for disabling hardlockup detector (bsc#1194869).
  • powerpc/pseries: Fix dtl_access_lock to be a rw_semaphore (bsc#1194869).
  • powerpc/pseries: Use correct data types from pseries_hp_errorlog struct (bsc#1215199).
  • powerpc/vdso: Inconditionally use CFUNC macro (bsc#1215199).
  • pwm: imx-tpm: Use correct MODULO value for EPWM mode (git-fixes).
  • regmap: detach regmap from dev on regmap_exit (git-fixes).
  • regmap: irq: Set lockdep class for hierarchical IRQ domains (git-fixes).
  • rpm/scripts: Remove obsolete Symbols.list Symbols.list is not longer needed by the new klp-convert implementation. (bsc#1218644)
  • rtc: ab-eoz9: do not fail temperature reads on undervoltage notification (git-fixes).
  • rtc: abx80x: Fix WDT bit position of the status register (git-fixes).
  • rtc: bbnsm: add remove hook (git-fixes).
  • rtc: check if __rtc_read_time was successful in rtc_timer_do_work() (git-fixes).
  • rtc: rzn1: fix BCD to rtc_time conversion errors (git-fixes).
  • rtc: st-lpc: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • scsi: NCR5380: Check for phase match during PDMA fixup (git-fixes).
  • scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers (git-fixes).
  • scsi: Remove scsi device no_start_on_resume flag (git-fixes).
  • scsi: aacraid: Rearrange order of struct aac_srb_unit (git-fixes).
  • scsi: cdrom: kABI: fix cdrom_dev_ops change (git-fixes).
  • scsi: core: Disable CDL by default (git-fixes).
  • scsi: core: Fix handling of SCMD_FAIL_IF_RECOVERING (git-fixes).
  • scsi: core: Fix the return value of scsi_logical_block_count() (git-fixes).
  • scsi: core: Handle devices which return an unusually large VPD page count (git-fixes).
  • scsi: core: alua: I/O errors for ALUA state transitions (git-fixes).
  • scsi: hisi_sas: Handle the NCQ error returned by D2H frame (git-fixes).
  • scsi: hpsa: Fix allocation size for Scsi_Host private data (git-fixes).
  • scsi: kABI: restore no_start_on_resume to scsi_device (git-fixes).
  • scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed (git-fixes).
  • scsi: libsas: Fix the failure of adding phy with zero-address to port (git-fixes).
  • scsi: lpfc: Add cleanup of nvmels_wq after HBA reset (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Call lpfc_sli4_queue_unset() in restart and rmmod paths (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Change lpfc_nodelist nlp_flag member into a bitmask (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Check SLI_ACTIVE flag in FDMI cmpl before submitting follow up FDMI (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Copyright updates for 14.4.0.6 patches (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Modify CGN warning signal calculation based on EDC response (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Remove NLP_RELEASE_RPI flag from nodelist structure (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Update lpfc version to 14.4.0.6 (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Update lpfc_els_flush_cmd() to check for SLI_ACTIVE before BSG flag (bsc#1233241 jsc#PED-9943).
  • scsi: mac_scsi: Disallow bus errors during PDMA send (git-fixes).
  • scsi: mac_scsi: Refactor polling loop (git-fixes).
  • scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages (git-fixes).
  • scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES (git-fixes).
  • scsi: mpi3mr: Avoid memcpy field-spanning write WARNING (git-fixes).
  • scsi: mpi3mr: Avoid possible run-time warning with long manufacturer strings (git-fixes).
  • scsi: mpi3mr: Fix ATA NCQ priority support (git-fixes).
  • scsi: mpi3mr: Validate SAS port assignments (git-fixes).
  • scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES (git-fixes).
  • scsi: pm8001: Do not overwrite PCI queue mapping (git-fixes).
  • scsi: pm80xx: Set phy->enable_completion only when we wait for it (git-fixes).
  • scsi: qedf: Set qed_slowpath_params to zero before use (git-fixes).
  • scsi: scsi_transport_fc: Allow setting rport state to current state (git-fixes).
  • scsi: sd: Ignore command SYNCHRONIZE CACHE error if format in progress (git-fixes).
  • scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer (git-fixes).
  • scsi: smartpqi: correct stream detection (git-fixes).
  • scsi: smartpqi: revert propagate-the-multipath-failure-to-SML-quickly (git-fixes).
  • scsi: spi: Fix sshdr use (git-fixes).
  • scsi: sr: Fix unintentional arithmetic wraparound (git-fixes).
  • scsi: wd33c93: Do not use stale scsi_pointer value (git-fixes).
  • security/keys: fix slab-out-of-bounds in key_task_permission (git-fixes).
  • serial: 8250: omap: Move pm_runtime_get_sync (git-fixes).
  • signal: Replace BUG_ON()s (bsc#1234093).
  • soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting() (git-fixes).
  • soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get() (git-fixes).
  • soc: ti: smartreflex: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • spi: Fix acpi deferred irq probe (git-fixes).
  • spi: atmel-quadspi: Fix register name in verbose logging function (git-fixes).
  • spi: mpc52xx: Add cancel_work_sync before module remove (git-fixes).
  • spi: tegra210-quad: Avoid shift-out-of-bounds (git-fixes).
  • tcp: Fix refcnt handling in __inet_hash_connect() (git-fixes).
  • thermal: core: Initialize thermal zones before registering them (git-fixes).
  • thermal: int3400: Fix reading of current_uuid for active policy (git-fixes).
  • thermal: intel: int340x: processor: Fix warning during module unload (git-fixes).
  • thunderbolt: Honor TMU requirements in the domain when setting TMU mode (stable-fixes).
  • tools/lib/thermal: Fix sampling handler context ptr (git-fixes).
  • tools/power turbostat: Fix trailing '\n' parsing (git-fixes).
  • tools/power turbostat: Increase the limit for fd opened (bsc#1233119).
  • tpm: Lock TPM chip in tpm_pm_suspend() first (bsc#1082555 git-fixes).
  • tpm: fix signed/unsigned bug when checking event logs (git-fixes).
  • tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler (git-fixes).
  • u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file (git-fixes).
  • ucounts: fix counter leak in inc_rlimit_get_ucounts() (bsc#1233460).
  • unicode: Fix utf8_load() error path (git-fixes).
  • usb: dwc3: gadget: Add missing check for single port RAM in TxFIFO resizing logic (git-fixes).
  • usb: dwc3: gadget: Fix checking for number of TRBs left (git-fixes).
  • usb: dwc3: gadget: Fix looping of queued SG entries (git-fixes).
  • usb: ehci-spear: fix call balance of sehci clk handling routines (git-fixes).
  • usb: gadget: dummy_hcd: Set transfer interval to 1 microframe (stable-fixes).
  • usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler (stable-fixes).
  • usb: gadget: dummy_hcd: execute hrtimer callback in softirq context (git-fixes).
  • usb: musb: Fix hardware lockup on first Rx endpoint request (git-fixes).
  • usb: musb: sunxi: Fix accessing an released usb phy (git-fixes).
  • usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() (git-fixes).
  • usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read() (git-fixes).
  • usb: xhci: Fix TD invalidation under pending Set TR Dequeue (git-fixes).
  • usb: yurex: make waiting on yurex_write interruptible (git-fixes).
  • vsock: Update msg_count on read_skb() (git-fixes).
  • watchdog: apple: Actually flush writes after requesting watchdog restart (git-fixes).
  • watchdog: mediatek: Make sure system reset gets asserted in mtk_wdt_restart() (git-fixes).
  • watchdog: rti: of: honor timeout-sec property (git-fixes).
  • wifi: ath10k: fix invalid VHT parameters in supported_vht_mcs_rate_nss1 (git-fixes).
  • wifi: ath10k: fix invalid VHT parameters in supported_vht_mcs_rate_nss2 (git-fixes).
  • wifi: ath11k: Fix CE offset address calculation for WCN6750 in SSR (git-fixes).
  • wifi: ath12k: Skip Rx TID cleanup for self peer (git-fixes).
  • wifi: ath12k: fix crash when unbinding (git-fixes).
  • wifi: ath12k: fix warning when unbinding (git-fixes).
  • wifi: ath12k: remove msdu_end structure for WCN7850 (git-fixes).
  • wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() (git-fixes).
  • wifi: brcmfmac: release 'root' node in all execution paths (git-fixes).
  • wifi: cw1200: Fix potential NULL dereference (git-fixes).
  • wifi: iwlegacy: Clear stale interrupts before resuming device (stable-fixes).
  • wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() (git-fixes).
  • wifi: mwifiex: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • wifi: wfx: Fix error handling in wfx_core_init() (git-fixes).
  • x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client (bsc#1233443).
  • x86/microcode/intel: Remove unnecessary cache writeback and invalidation (git-fixes).
  • x86/resctrl: Remove hard-coded memory bandwidth limit (git-fixes).
  • x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() (git-fixes).
  • x86/tdx: Dynamically disable SEPT violations from causing #VEs (git-fixes).
  • x86/tdx: Enable CPU topology enumeration (git-fixes).
  • x86/tdx: Introduce wrappers to read and write TD metadata (git-fixes).
  • x86/tdx: Rename tdx_parse_tdinfo() to tdx_setup() (git-fixes).
  • x86/traps: move kmsan check after instrumentation_begin (git-fixes).
  • x86: Increase brk randomness entropy for 64-bit systems (git-fixes).
  • x86: fix off-by-one in access_ok() (git-fixes).
  • xfrm: Export symbol xfrm_dev_state_delete (bsc#1233754).
  • xfrm: Fix unregister netdevice hang on hardware offload (bsc#1233754).
  • drm: Expand max DRM device number to full MINORBITS (jsc#PED-11580).
  • accel: Use XArray instead of IDR for minors (jsc#PED-11580).
  • drm: Use XArray instead of IDR for minors (jsc#PED-11580).
  • scsi: lpfc: Copyright updates for 14.4.0.6 patches (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Update lpfc version to 14.4.0.6 (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Change lpfc_nodelist nlp_flag member into a bitmask (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Remove NLP_RELEASE_RPI flag from nodelist structure (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Add cleanup of nvmels_wq after HBA reset (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Check SLI_ACTIVE flag in FDMI cmpl before submitting follow up FDMI (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Update lpfc_els_flush_cmd() to check for SLI_ACTIVE before BSG flag (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Call lpfc_sli4_queue_unset() in restart and rmmod paths (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (bsc#1233241 jsc#PED-9943).
  • scsi: lpfc: Modify CGN warning signal calculation based on EDC response (bsc#1233241 jsc#PED-9943).

Список пакетов

Image SLES15-SP6-Azure-Basic
kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard
kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC
kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure
kernel-azure-6.4.0-150600.8.20.1
SUSE Linux Enterprise Module for Public Cloud 15 SP6
kernel-azure-6.4.0-150600.8.20.1
kernel-azure-devel-6.4.0-150600.8.20.1
kernel-devel-azure-6.4.0-150600.8.20.1
kernel-source-azure-6.4.0-150600.8.20.1
kernel-syms-azure-6.4.0-150600.8.20.1
openSUSE Leap 15.6
cluster-md-kmp-azure-6.4.0-150600.8.20.1
dlm-kmp-azure-6.4.0-150600.8.20.1
gfs2-kmp-azure-6.4.0-150600.8.20.1
kernel-azure-6.4.0-150600.8.20.1
kernel-azure-devel-6.4.0-150600.8.20.1
kernel-azure-extra-6.4.0-150600.8.20.1
kernel-azure-optional-6.4.0-150600.8.20.1
kernel-azure-vdso-6.4.0-150600.8.20.1
kernel-devel-azure-6.4.0-150600.8.20.1
kernel-source-azure-6.4.0-150600.8.20.1
kernel-syms-azure-6.4.0-150600.8.20.1
kselftests-kmp-azure-6.4.0-150600.8.20.1
ocfs2-kmp-azure-6.4.0-150600.8.20.1
reiserfs-kmp-azure-6.4.0-150600.8.20.1

Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: deal with large GSO size After the blamed commit below, the TCP sockets (and the MPTCP subflows) can build egress packets larger than 64K. That exceeds the maximum DSS data size, the length being misrepresent on the wire and the stream being corrupted, as later observed on the receiver: WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0 CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705 RSP: 0018:ffffc90000006e80 EFLAGS: 00010246 RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908 RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908 R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29 FS: 00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: <IRQ> mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819 subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409 tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151 tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098 tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483 tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749 ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438 ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483 ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304 __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532 process_backlog+0x353/0x660 net/core/dev.c:5974 __napi_poll+0xc6/0x5a0 net/core/dev.c:6536 net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603 __do_softirq+0x184/0x524 kernel/softirq.c:553 do_softirq+0xdd/0x130 kernel/softirq.c:454 Address the issue explicitly bounding the maximum GSO size to what MPTCP actually allows.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: support non-r10 register spill/fill to/from stack in precision tracking Use instruction (jump) history to record instructions that performed register spill/fill to/from stack, regardless if this was done through read-only r10 register, or any other register after copying r10 into it *and* potentially adjusting offset. To make this work reliably, we push extra per-instruction flags into instruction history, encoding stack slot index (spi) and stack frame number in extra 10 bit flags we take away from prev_idx in instruction history. We don't touch idx field for maximum performance, as it's checked most frequently during backtracking. This change removes basically the last remaining practical limitation of precision backtracking logic in BPF verifier. It fixes known deficiencies, but also opens up new opportunities to reduce number of verified states, explored in the subsequent patches. There are only three differences in selftests' BPF object files according to veristat, all in the positive direction (less states). File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) -------------------------------------- ------------- --------- --------- ------------- ---------- ---------- ------------- test_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%) xdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%) xdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%) Note, I avoided renaming jmp_history to more generic insn_hist to minimize number of lines changed and potential merge conflicts between bpf and bpf-next trees. Notice also cur_hist_entry pointer reset to NULL at the beginning of instruction verification loop. This pointer avoids the problem of relying on last jump history entry's insn_idx to determine whether we already have entry for current instruction or not. It can happen that we added jump history entry because current instruction is_jmp_point(), but also we need to add instruction flags for stack access. In this case, we don't want to entries, so we need to reuse last added entry, if it is present. Relying on insn_idx comparison has the same ambiguity problem as the one that was fixed recently in [0], so we avoid that. [0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang (@VAR10CK) of Baidu Security.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: can: bcm: Fix UAF in bcm_proc_show() BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before procfs entry be removed in bcm_release(), this lead to bcm_proc_show() may read the freed bcm_op.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events After the blamed commit, we started doing this dereference for every NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system. static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev) { struct dsa_user_priv *p = netdev_priv(dev); return p->dp; } Which is obviously bogus, because not all net_devices have a netdev_priv() of type struct dsa_user_priv. But struct dsa_user_priv is fairly small, and p->dp means dereferencing 8 bytes starting with offset 16. Most drivers allocate that much private memory anyway, making our access not fault, and we discard the bogus data quickly afterwards, so this wasn't caught. But the dummy interface is somewhat special in that it calls alloc_netdev() with a priv size of 0. So every netdev_priv() dereference is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event with a VLAN as its new upper: $ ip link add dummy1 type dummy $ ip link add link dummy1 name dummy1.100 type vlan id 100 [ 43.309174] ================================================================== [ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8 [ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374 [ 43.330058] [ 43.342436] Call trace: [ 43.366542] dsa_user_prechangeupper+0x30/0xe8 [ 43.371024] dsa_user_netdevice_event+0xb38/0xee8 [ 43.375768] notifier_call_chain+0xa4/0x210 [ 43.379985] raw_notifier_call_chain+0x24/0x38 [ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8 [ 43.389120] netdev_upper_dev_link+0x70/0xa8 [ 43.393424] register_vlan_dev+0x1bc/0x310 [ 43.397554] vlan_newlink+0x210/0x248 [ 43.401247] rtnl_newlink+0x9fc/0xe30 [ 43.404942] rtnetlink_rcv_msg+0x378/0x580 Avoid the kernel oops by dereferencing after the type check, as customary.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Move hrtimer_init to timerlat_fd open() Currently, the timerlat's hrtimer is initialized at the first read of timerlat_fd, and destroyed at close(). It works, but it causes an error if the user program open() and close() the file without reading. Here's an example: # echo NO_OSNOISE_WORKLOAD > /sys/kernel/debug/tracing/osnoise/options # echo timerlat > /sys/kernel/debug/tracing/current_tracer # cat <<EOF > ./timerlat_load.py # !/usr/bin/env python3 timerlat_fd = open("/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd", 'r') timerlat_fd.close(); EOF # ./taskset -c 0 ./timerlat_load.py <BOOM> BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x86_64 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 RIP: 0010:hrtimer_active+0xd/0x50 Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 <8b> 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286 RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08 RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70 R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08 R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000 FS: 00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? srso_alias_return_thunk+0x5/0x7f ? avc_has_extended_perms+0x237/0x520 ? exc_page_fault+0x7f/0x180 ? asm_exc_page_fault+0x26/0x30 ? hrtimer_active+0xd/0x50 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x48/0xe0 __fput+0xf5/0x290 __x64_sys_close+0x3d/0x80 do_syscall_64+0x60/0x90 ? srso_alias_return_thunk+0x5/0x7f ? __x64_sys_ioctl+0x72/0xd0 ? srso_alias_return_thunk+0x5/0x7f ? syscall_exit_to_user_mode+0x2b/0x40 ? srso_alias_return_thunk+0x5/0x7f ? do_syscall_64+0x6c/0x90 ? srso_alias_return_thunk+0x5/0x7f ? exit_to_user_mode_prepare+0x142/0x1f0 ? srso_alias_return_thunk+0x5/0x7f ? syscall_exit_to_user_mode+0x2b/0x40 ? srso_alias_return_thunk+0x5/0x7f ? do_syscall_64+0x6c/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f2ffb321594 Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000 R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003 R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668 </TASK> CR2: 0000000000000010 ---[ end trace 0000000000000000 ]--- Move hrtimer_init to timerlat_fd open() to avoid this problem.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished(). syzkaller reported a warning [0] in inet_csk_destroy_sock() with no repro. WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash); However, the syzkaller's log hinted that connect() failed just before the warning due to FAULT_INJECTION. [1] When connect() is called for an unbound socket, we search for an available ephemeral port. If a bhash bucket exists for the port, we call __inet_check_established() or __inet6_check_established() to check if the bucket is reusable. If reusable, we add the socket into ehash and set inet_sk(sk)->inet_num. Later, we look up the corresponding bhash2 bucket and try to allocate it if it does not exist. Although it rarely occurs in real use, if the allocation fails, we must revert the changes by check_established(). Otherwise, an unconnected socket could illegally occupy an ehash entry. Note that we do not put tw back into ehash because sk might have already responded to a packet for tw and it would be better to free tw earlier under such memory presure. [0]: WARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193) Modules linked in: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193) Code: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05 RSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40 RDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8 RBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000 R10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0 R13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000 FS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193) dccp_close (net/dccp/proto.c:1078) inet_release (net/ipv4/af_inet.c:434) __sock_release (net/socket.c:660) sock_close (net/socket.c:1423) __fput (fs/file_table.c:377) __fput_sync (fs/file_table.c:462) __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7f03e53852bb Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44 RSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c R10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000 R13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170 </TASK> [1]: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) should_failslab (mm/slub.c:3748) kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867) inet_bind2_bucket_create ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: <IRQ> dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b </TASK> Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tcp: Fix refcnt handling in __inet_hash_connect(). syzbot reported a warning in sk_nulls_del_node_init_rcu(). The commit 66b60b0c8c4a ("dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().") tried to fix an issue that an unconnected socket occupies an ehash entry when bhash2 allocation fails. In such a case, we need to revert changes done by check_established(), which does not hold refcnt when inserting socket into ehash. So, to revert the change, we need to __sk_nulls_add_node_rcu() instead of sk_nulls_add_node_rcu(). Otherwise, sock_put() will cause refcnt underflow and leak the socket. [0]: WARNING: CPU: 0 PID: 23948 at include/net/sock.h:799 sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799 Modules linked in: CPU: 0 PID: 23948 Comm: syz-executor.2 Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799 Code: e8 7f 71 c6 f7 83 fb 02 7c 25 e8 35 6d c6 f7 4d 85 f6 0f 95 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 1b 6d c6 f7 90 <0f> 0b 90 eb b2 e8 10 6d c6 f7 4c 89 e7 be 04 00 00 00 e8 63 e7 d2 RSP: 0018:ffffc900032d7848 EFLAGS: 00010246 RAX: ffffffff89cd0035 RBX: 0000000000000001 RCX: 0000000000040000 RDX: ffffc90004de1000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: 1ffff1100439ac26 R08: ffffffff89ccffe3 R09: 1ffff1100439ac28 R10: dffffc0000000000 R11: ffffed100439ac29 R12: ffff888021cd6140 R13: dffffc0000000000 R14: ffff88802a9bf5c0 R15: ffff888021cd6130 FS: 00007f3b823f16c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3b823f0ff8 CR3: 000000004674a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __inet_hash_connect+0x140f/0x20b0 net/ipv4/inet_hashtables.c:1139 dccp_v6_connect+0xcb9/0x1480 net/dccp/ipv6.c:956 __inet_stream_connect+0x262/0xf30 net/ipv4/af_inet.c:678 inet_stream_connect+0x65/0xa0 net/ipv4/af_inet.c:749 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f3b8167dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3b823f10c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f3b817abf80 RCX: 00007f3b8167dda9 RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007f3b823f1120 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 000000000000000b R14: 00007f3b817abf80 R15: 00007ffd3beb57b8 </TASK>

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: esp: fix bad handling of pages from page_pool When the skb is reorganized during esp_output (!esp->inline), the pages coming from the original skb fragments are supposed to be released back to the system through put_page. But if the skb fragment pages are originating from a page_pool, calling put_page on them will trigger a page_pool leak which will eventually result in a crash. This leak can be easily observed when using CONFIG_DEBUG_VM and doing ipsec + gre (non offloaded) forwarding: BUG: Bad page state in process ksoftirqd/16 pfn:1451b6 page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6 flags: 0x200000000000000(node=0|zone=2) page_type: 0xffffffff() raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000 raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core] CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x36/0x50 bad_page+0x70/0xf0 free_unref_page_prepare+0x27a/0x460 free_unref_page+0x38/0x120 esp_ssg_unref.isra.0+0x15f/0x200 esp_output_tail+0x66d/0x780 esp_xmit+0x2c5/0x360 validate_xmit_xfrm+0x313/0x370 ? validate_xmit_skb+0x1d/0x330 validate_xmit_skb_list+0x4c/0x70 sch_direct_xmit+0x23e/0x350 __dev_queue_xmit+0x337/0xba0 ? nf_hook_slow+0x3f/0xd0 ip_finish_output2+0x25e/0x580 iptunnel_xmit+0x19b/0x240 ip_tunnel_xmit+0x5fb/0xb60 ipgre_xmit+0x14d/0x280 [ip_gre] dev_hard_start_xmit+0xc3/0x1c0 __dev_queue_xmit+0x208/0xba0 ? nf_hook_slow+0x3f/0xd0 ip_finish_output2+0x1ca/0x580 ip_sublist_rcv_finish+0x32/0x40 ip_sublist_rcv+0x1b2/0x1f0 ? ip_rcv_finish_core.constprop.0+0x460/0x460 ip_list_rcv+0x103/0x130 __netif_receive_skb_list_core+0x181/0x1e0 netif_receive_skb_list_internal+0x1b3/0x2c0 napi_gro_receive+0xc8/0x200 gro_cell_poll+0x52/0x90 __napi_poll+0x25/0x1a0 net_rx_action+0x28e/0x300 __do_softirq+0xc3/0x276 ? sort_range+0x20/0x20 run_ksoftirqd+0x1e/0x30 smpboot_thread_fn+0xa6/0x130 kthread+0xcd/0x100 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x31/0x50 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 </TASK> The suggested fix is to introduce a new wrapper (skb_page_unref) that covers page refcounting for page_pool pages as well.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: walk over current view on netlink dump The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr()

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: erspan: make sure erspan_base_hdr is present in skb->head syzbot reported a problem in ip6erspan_rcv() [1] Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make sure erspan_base_hdr is present in skb linear part (skb->head) before getting @ver field from it. Add the missing pskb_may_pull() calls. v2: Reload iph pointer in erspan_rcv() after pskb_may_pull() because skb->head might have changed. [1] BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline] BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline] BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline] BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610 pskb_may_pull_reason include/linux/skbuff.h:2742 [inline] pskb_may_pull include/linux/skbuff.h:2756 [inline] ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline] gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610 ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:460 [inline] ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5538 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652 netif_receive_skb_internal net/core/dev.c:5738 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5798 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549 tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2108 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xb63/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xe0 fs/read_write.c:652 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 tun_alloc_skb drivers/net/tun.c:1525 [inline] tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2108 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xb63/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xe0 fs/read_write.c:652 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix missing hugetlb_lock for resv uncharge There is a recent report on UFFDIO_COPY over hugetlb: https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/ 350: lockdep_assert_held(&hugetlb_lock); Should be an issue in hugetlb but triggered in an userfault context, where it goes into the unlikely path where two threads modifying the resv map together. Mike has a fix in that path for resv uncharge but it looks like the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd() will update the cgroup pointer, so it requires to be called with the lock held.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on instantiation The expiry time of a key is unconditionally overwritten during instantiation, defaulting to turn it permanent. This causes a problem for DNS resolution as the expiration set by user-space is overwritten to TIME64_MAX, disabling further DNS updates. Fix this by restoring the condition that key_set_expiry is only called when the pre-parser sets a specific expiry.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: relax socket state check at accept time. Christoph reported the following splat: WARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0 Modules linked in: CPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 RIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759 Code: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80 RSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293 RAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64 R10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000 R13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800 FS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786 do_accept+0x435/0x620 net/socket.c:1929 __sys_accept4_file net/socket.c:1969 [inline] __sys_accept4+0x9b/0x110 net/socket.c:1999 __do_sys_accept net/socket.c:2016 [inline] __se_sys_accept net/socket.c:2013 [inline] __x64_sys_accept+0x7d/0x90 net/socket.c:2013 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x4315f9 Code: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b RAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300 R10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055 </TASK> The reproducer invokes shutdown() before entering the listener status. After commit 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets"), the above causes the child to reach the accept syscall in FIN_WAIT1 status. Eric noted we can relax the existing assertion in __inet_accept()

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: fix out-of-bounds access in ops_init net_alloc_generic is called by net_alloc, which is called without any locking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It is read twice, first to allocate an array, then to set s.len, which is later used to limit the bounds of the array access. It is possible that the array is allocated and another thread is registering a new pernet ops, increments max_gen_ptrs, which is then used to set s.len with a larger than allocated length for the variable array. Fix it by reading max_gen_ptrs only once in net_alloc_generic. If max_gen_ptrs is later incremented, it will be caught in net_assign_generic.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: fix UAF in error path Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported a UAF in the tipc_buf_append() error path: BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183 Read of size 8 at addr ffff88804d2a7c80 by task poc/8034 CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 Call Trace: <IRQ> __dump_stack linux/lib/dump_stack.c:88 dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106 print_address_description linux/mm/kasan/report.c:377 print_report+0xc4/0x620 linux/mm/kasan/report.c:488 kasan_report+0xda/0x110 linux/mm/kasan/report.c:601 kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183 skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026 skb_release_all linux/net/core/skbuff.c:1094 __kfree_skb linux/net/core/skbuff.c:1108 kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144 kfree_skb linux/./include/linux/skbuff.h:1244 tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186 tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324 tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824 tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159 tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390 udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108 udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186 udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346 __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422 ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233 NF_HOOK linux/./include/linux/netfilter.h:314 NF_HOOK linux/./include/linux/netfilter.h:308 ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254 dst_input linux/./include/net/dst.h:461 ip_rcv_finish linux/net/ipv4/ip_input.c:449 NF_HOOK linux/./include/linux/netfilter.h:314 NF_HOOK linux/./include/linux/netfilter.h:308 ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569 __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534 __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648 process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976 __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576 napi_poll linux/net/core/dev.c:6645 net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781 __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553 do_softirq linux/kernel/softirq.c:454 do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441 </IRQ> <TASK> __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381 local_bh_enable linux/./include/linux/bottom_half.h:33 rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851 __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378 dev_queue_xmit linux/./include/linux/netdevice.h:3169 neigh_hh_output linux/./include/net/neighbour.h:526 neigh_output linux/./include/net/neighbour.h:540 ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235 __ip_finish_output linux/net/ipv4/ip_output.c:313 __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295 ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323 NF_HOOK_COND linux/./include/linux/netfilter.h:303 ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433 dst_output linux/./include/net/dst.h:451 ip_local_out linux/net/ipv4/ip_output.c:129 ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492 udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963 udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250 inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850 sock_sendmsg_nosec linux/net/socket.c:730 __sock_sendmsg linux/net/socket.c:745 __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191 __do_sys_sendto linux/net/socket.c:2203 __se_sys_sendto linux/net/socket.c:2199 __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199 do_syscall_x64 linux/arch/x86/entry/common.c:52 do_syscall_ ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets TCP_SYN_RECV state is really special, it is only used by cross-syn connections, mostly used by fuzzers. In the following crash [1], syzbot managed to trigger a divide by zero in tcp_rcv_space_adjust() A socket makes the following state transitions, without ever calling tcp_init_transfer(), meaning tcp_init_buffer_space() is also not called. TCP_CLOSE connect() TCP_SYN_SENT TCP_SYN_RECV shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN) TCP_FIN_WAIT1 To fix this issue, change tcp_shutdown() to not perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition, which makes no sense anyway. When tcp_rcv_state_process() later changes socket state from TCP_SYN_RECV to TCP_ESTABLISH, then look at sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state, and send a FIN packet from a sane socket state. This means tcp_send_fin() can now be called from BH context, and must use GFP_ATOMIC allocations. [1] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767 Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48 RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246 RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7 R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30 R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513 tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578 inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1068 ____sys_recvmsg+0x1db/0x470 net/socket.c:2803 ___sys_recvmsg net/socket.c:2845 [inline] do_recvmmsg+0x474/0xae0 net/socket.c:2939 __sys_recvmmsg net/socket.c:3018 [inline] __do_sys_recvmmsg net/socket.c:3041 [inline] __se_sys_recvmmsg net/socket.c:3034 [inline] __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7faeb6363db9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9 RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Avoid memcpy field-spanning write WARNING When the "storcli2 show" command is executed for eHBA-9600, mpi3mr driver prints this WARNING message: memcpy: detected field-spanning write (size 128) of single field "bsg_reply_buf->reply_buf" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1) WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr] The cause of the WARN is 128 bytes memcpy to the 1 byte size array "__u8 replay_buf[1]" in the struct mpi3mr_bsg_in_reply_buf. The array is intended to be a flexible length array, so the WARN is a false positive. To suppress the WARN, remove the constant number '1' from the array declaration and clarify that it has flexible length. Also, adjust the memory allocation size to match the change.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix uninit-value access in __ip_make_skb() KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb() tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL while __ip_make_skb() is running, the function will access icmphdr in the skb even if it is not included. This causes the issue reported by KMSAN. Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL on the socket. Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These are union in struct flowi4 and are implicitly initialized by flowi4_init_output(), but we should not rely on specific union layout. Initialize these explicitly in raw_sendmsg(). [1] BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481 __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481 ip_finish_skb include/net/ip.h:243 [inline] ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508 raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654 inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x274/0x3c0 net/socket.c:745 __sys_sendto+0x62c/0x7b0 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x130/0x200 net/socket.c:2199 do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128 ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365 raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648 inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x274/0x3c0 net/socket.c:745 __sys_sendto+0x62c/0x7b0 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x130/0x200 net/socket.c:2199 do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: fix a possible memleak in tipc_buf_append __skb_linearize() doesn't free the skb when it fails, so move '*buf = NULL' after __skb_linearize(), so that the skb can be freed on the err path.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a kzalloc failure and invalid MTU value. divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci0 hci_rx_work RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547 Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c 89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42 RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246 RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084 R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000 FS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline] l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline] hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335 worker_thread+0x926/0xe70 kernel/workqueue.c:3416 kthread+0x2e3/0x380 kernel/kthread.c:388 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: netrom: fix possible dead-lock in nr_rt_ioctl() syzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1] Make sure we always acquire nr_node_list_lock before nr_node_lock(nr_node) [1] WARNING: possible circular locking dependency detected 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted ------------------------------------------------------ syz-executor350/5129 is trying to acquire lock: ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline] ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline] ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 but task is already holding lock: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (nr_node_list_lock){+...}-{2:2}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_remove_node net/netrom/nr_route.c:299 [inline] nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355 nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&nr_node->node_lock){+...}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_node_lock include/net/netrom.h:152 [inline] nr_dec_obs net/netrom/nr_route.c:464 [inline] nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(nr_node_list_lock); lock(&nr_node->node_lock); lock(nr_node_list_lock); lock(&nr_node->node_lock); *** DEADLOCK *** 1 lock held by syz-executor350/5129: #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] #0: ffffffff8f70 ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: don't unpoison huge_zero_folio When I did memory failure tests recently, below panic occurs: kernel BUG at include/linux/mm.h:1135! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14 RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0 RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246 RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0 RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492 R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00 FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0 Call Trace: <TASK> do_shrink_slab+0x14f/0x6a0 shrink_slab+0xca/0x8c0 shrink_node+0x2d0/0x7d0 balance_pgdat+0x33a/0x720 kswapd+0x1f3/0x410 kthread+0xd5/0x100 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: mce_inject hwpoison_inject ---[ end trace 0000000000000000 ]--- RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0 RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246 RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0 RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492 R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00 FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0 The root cause is that HWPoison flag will be set for huge_zero_folio without increasing the folio refcnt. But then unpoison_memory() will decrease the folio refcnt unexpectedly as it appears like a successfully hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when releasing huge_zero_folio. Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. We're not prepared to unpoison huge_zero_folio yet.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Fix task_struct reference leak During the execution of the following stress test with linux-rt: stress-ng --cyclic 30 --timeout 30 --minimize --quiet kmemleak frequently reported a memory leak concerning the task_struct: unreferenced object 0xffff8881305b8000 (size 16136): comm "stress-ng", pid 614, jiffies 4294883961 (age 286.412s) object hex dump (first 32 bytes): 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@.............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ debug hex dump (first 16 bytes): 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S............... backtrace: [<00000000046b6790>] dup_task_struct+0x30/0x540 [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0 [<00000000ced59777>] kernel_clone+0xb0/0x770 [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0 [<000000001dbf2008>] do_syscall_64+0x5d/0xf0 [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 The issue occurs in start_dl_timer(), which increments the task_struct reference count and sets a timer. The timer callback, dl_task_timer, is supposed to decrement the reference count upon expiration. However, if enqueue_task_dl() is called before the timer expires and cancels it, the reference count is not decremented, leading to the leak. This patch fixes the reference leak by ensuring the task_struct reference count is properly decremented when the timer is canceled.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" Patch series "mm: Avoid possible overflows in dirty throttling". Dirty throttling logic assumes dirty limits in page units fit into 32-bits. This patch series makes sure this is true (see patch 2/2 for more details). This patch (of 2): This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78. The commit is broken in several ways. Firstly, the removed (u64) cast from the multiplication will introduce a multiplication overflow on 32-bit archs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the default settings with 4GB of RAM will trigger this). Secondly, the div64_u64() is unnecessarily expensive on 32-bit archs. We have div64_ul() in case we want to be safe & cheap. Thirdly, if dirty thresholds are larger than 1<<32 pages, then dirty balancing is going to blow up in many other spectacular ways anyway so trying to fix one possible overflow is just moot.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix a deadlock problem when config TC during resetting When config TC during the reset process, may cause a deadlock, the flow is as below: pf reset start | ▼ ...... setup tc | | ▼ ▼ DOWN: napi_disable() napi_disable()(skip) | | | ▼ ▼ ...... ...... | | ▼ | napi_enable() | ▼ UINIT: netif_napi_del() | ▼ ...... | ▼ INIT: netif_napi_add() | ▼ ...... global reset start | | ▼ ▼ UP: napi_enable()(skip) ...... | | ▼ ▼ ...... napi_disable() In reset process, the driver will DOWN the port and then UINIT, in this case, the setup tc process will UP the port before UINIT, so cause the problem. Adds a DOWN process in UINIT to fix it.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix random crash seen while removing driver This fixes the random kernel crash seen while removing the driver, when running the load/unload test over multiple iterations. 1) modprobe btnxpuart 2) hciconfig hci0 reset 3) hciconfig (check hci0 interface up with valid BD address) 4) modprobe -r btnxpuart Repeat steps 1 to 4 The ps_wakeup() call in btnxpuart_close() schedules the psdata->work(), which gets scheduled after module is removed, causing a kernel crash. This hidden issue got highlighted after enabling Power Save by default in 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on startup) The new ps_cleanup() deasserts UART break immediately while closing serdev device, cancels any scheduled ps_work and destroys the ps_lock mutex. [ 85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258 [ 85.884624] Mem abort info: [ 85.884625] ESR = 0x0000000086000007 [ 85.884628] EC = 0x21: IABT (current EL), IL = 32 bits [ 85.884633] SET = 0, FnV = 0 [ 85.884636] EA = 0, S1PTW = 0 [ 85.884638] FSC = 0x07: level 3 translation fault [ 85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000 [ 85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000 [ 85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP [ 85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)] [ 85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G O 6.1.36+g937b1be4345a #1 [ 85.936176] Hardware name: FSL i.MX8MM EVK board (DT) [ 85.936182] Workqueue: events 0xffffd4a61638f380 [ 85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 85.952817] pc : 0xffffd4a61638f258 [ 85.952823] lr : 0xffffd4a61638f258 [ 85.952827] sp : ffff8000084fbd70 [ 85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000 [ 85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305 [ 85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970 [ 85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000 [ 85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090 [ 85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139 [ 85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50 [ 85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8 [ 85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000 [ 85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000 [ 85.977443] Call trace: [ 85.977446] 0xffffd4a61638f258 [ 85.977451] 0xffffd4a61638f3e8 [ 85.977455] process_one_work+0x1d4/0x330 [ 85.977464] worker_thread+0x6c/0x430 [ 85.977471] kthread+0x108/0x10c [ 85.977476] ret_from_fork+0x10/0x20 [ 85.977488] Code: bad PC value [ 85.977491] ---[ end trace 0000000000000000 ]--- Preset since v6.9.11

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: pktgen: use cpus_read_lock() in pg_net_init() I have seen the WARN_ON(smp_processor_id() != cpu) firing in pktgen_thread_worker() during tests. We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] <TASK> [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] </TASK> The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: <TASK> ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 </TASK> Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it "exit" before it actually exits. Since kthread ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid OOB when system.data xattr changes underneath the filesystem When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. loop0: detected capacity change from 2048 to 2047 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 ext4_lookup_entry fs/ext4/namei.c:1727 [inline] ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 __do_sys_symlinkat fs/namei.c:4610 [inline] __se_sys_symlinkat fs/namei.c:4607 [inline] __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e73ced469 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 </TASK> Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf, lsm: Add check for BPF LSM return value A bpf prog returning a positive number attached to file_alloc_security hook makes kernel panic. This happens because file system can not filter out the positive number returned by the LSM prog using IS_ERR, and misinterprets this positive number as a file pointer. Given that hook file_alloc_security never returned positive number before the introduction of BPF LSM, and other BPF LSM hooks may encounter similar issues, this patch adds LSM return value check in verifier, to ensure no unexpected value is returned.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a NULL pointer dereference when failed to start a new trasacntion [BUG] Syzbot reported a NULL pointer dereference with the following crash: FAULT_INJECTION: forcing a failure. start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676 prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642 relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678 ... BTRFS info (device loop0): balance: ended with status: -12 Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667] RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926 Call Trace: <TASK> commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496 btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430 del_balance_item fs/btrfs/volumes.c:3678 [inline] reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742 btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574 btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [CAUSE] The allocation failure happens at the start_transaction() inside prepare_to_relocate(), and during the error handling we call unset_reloc_control(), which makes fs_info->balance_ctl to be NULL. Then we continue the error path cleanup in btrfs_balance() by calling reset_balance_state() which will call del_balance_item() to fully delete the balance item in the root tree. However during the small window between set_reloc_contrl() and unset_reloc_control(), we can have a subvolume tree update and created a reloc_root for that subvolume. Then we go into the final btrfs_commit_transaction() of del_balance_item(), and into btrfs_update_reloc_root() inside commit_fs_roots(). That function checks if fs_info->reloc_ctl is in the merge_reloc_tree stage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer dereference. [FIX] Just add extra check on fs_info->reloc_ctl inside btrfs_update_reloc_root(), before checking fs_info->reloc_ctl->merge_reloc_tree. That DEAD_RELOC_TREE handling is to prevent further modification to the reloc tree during merge stage, but since there is no reloc_ctl at all, we do not need to bother that.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a sdiv overflow issue Zac Ecob reported a problem where a bpf program may cause kernel crash due to the following error: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI The failure is due to the below signed divide: LLONG_MIN/-1 where LLONG_MIN equals to -9,223,372,036,854,775,808. LLONG_MIN/-1 is supposed to give a positive number 9,223,372,036,854,775,808, but it is impossible since for 64-bit system, the maximum positive number is 9,223,372,036,854,775,807. On x86_64, LLONG_MIN/-1 will cause a kernel exception. On arm64, the result for LLONG_MIN/-1 is LLONG_MIN. Further investigation found all the following sdiv/smod cases may trigger an exception when bpf program is running on x86_64 platform: - LLONG_MIN/-1 for 64bit operation - INT_MIN/-1 for 32bit operation - LLONG_MIN%-1 for 64bit operation - INT_MIN%-1 for 32bit operation where -1 can be an immediate or in a register. On arm64, there are no exceptions: - LLONG_MIN/-1 = LLONG_MIN - INT_MIN/-1 = INT_MIN - LLONG_MIN%-1 = 0 - INT_MIN%-1 = 0 where -1 can be an immediate or in a register. Insn patching is needed to handle the above cases and the patched codes produced results aligned with above arm64 result. The below are pseudo codes to handle sdiv/smod exceptions including both divisor -1 and divisor 0 and the divisor is stored in a register. sdiv: tmp = rX tmp += 1 /* [-1, 0] -> [0, 1] if tmp >(unsigned) 1 goto L2 if tmp == 0 goto L1 rY = 0 L1: rY = -rY; goto L3 L2: rY /= rX L3: smod: tmp = rX tmp += 1 /* [-1, 0] -> [0, 1] if tmp >(unsigned) 1 goto L1 if tmp == 1 (is64 ? goto L2 : goto L3) rY = 0; goto L2 L1: rY %= rX L2: goto L4 // only when !is64 L3: wY = wY // only when !is64 L4: [1] https://lore.kernel.org/bpf/tPJLTEh7S_DxFEqAI2Ji5MBSoZVg7_G-Py2iaZpAaWtM961fFTWtsnlzwvTbzBzaUzwQAoNATXKUlt0LZOFgnDcIyKCswAnAGdUF3LBrhGQ=@protonmail.com/

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize denominators' default to 1 [WHAT & HOW] Variables used as denominators and maybe not assigned to other values, should not be 0. Change their default to 1 so they are never 0. This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) This commit adds a null check for the 'afb' variable in the amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was assumed to be null, but was used later in the code without a null check. This could potentially lead to a null pointer dereference. Changes since v1: - Moved the null check for 'afb' to the line where 'afb' is used. (Alex) Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2) This commit adds a null check for the 'afb' variable in the amdgpu_dm_update_cursor function. Previously, 'afb' was assumed to be null at line 8388, but was used later in the code without a null check. This could potentially lead to a null pointer dereference. Changes since v1: - Moved the null check for 'afb' to the line where 'afb' is used. (Alex) Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:8433 amdgpu_dm_update_cursor() error: we previously assumed 'afb' could be null (see line 8388)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func This commit adds a null check for the set_output_gamma function pointer in the dcn20_set_output_transfer_func function. Previously, set_output_gamma was being checked for null at line 1030, but then it was being dereferenced without any null check at line 1048. This could potentially lead to a null pointer dereference error if set_output_gamma is null. To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a null check for set_output_gamma before the call to set_output_gamma at line 1048.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' This commit adds a null check for 'stream_status' in the function 'planes_changed_for_existing_stream'. Previously, the code assumed 'stream_status' could be null, but did not handle the case where it was actually null. This could lead to a null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:3784 planes_changed_for_existing_stream() error: we previously assumed 'stream_status' could be null (see line 3774)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before used [WHAT & HOW] Poniters, such as dc->clk_mgr, are null checked previously in the same function, so Coverity warns "implies that "dc->clk_mgr" might be null". As a result, these pointers need to be checked when used again. This fixes 10 FORWARD_NULL issues reported by Coverity.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before using them [WHAT & HOW] These pointers are null checked previously in the same function, indicating they might be null as reported by Coverity. As a result, they need to be checked when used again. This fixes 3 FORWARD_NULL issue reported by Coverity.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags [WHAT & HOW] "dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it cannot be a null pointer. Let's pass a valid pointer to avoid null dereference. This fixes 2 FORWARD_NULL issues reported by Coverity.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fbdev: efifb: Register sysfs groups through driver core The driver core can register and cleanup sysfs groups already. Make use of that functionality to simplify the error handling and cleanup. Also avoid a UAF race during unregistering where the sysctl attributes were usable after the info struct was freed.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: blk_iocost: fix more out of bound shifts Recently running UBSAN caught few out of bound shifts in the ioc_forgive_debts() function: UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... Call Trace: <IRQ> dump_stack_lvl+0xca/0x130 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 ? __lock_acquire+0x6441/0x7c10 ioc_timer_fn+0x6cec/0x7750 ? blk_iocost_init+0x720/0x720 ? call_timer_fn+0x5d/0x470 call_timer_fn+0xfa/0x470 ? blk_iocost_init+0x720/0x720 __run_timer_base+0x519/0x700 ... Actual impact of this issue was not identified but I propose to fix the undefined behaviour. The proposed fix to prevent those out of bound shifts consist of precalculating exponent before using it the shift operations by taking min value from the actual exponent and maximum possible number of bits.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name It's observed that a crash occurs during hot-remove a memory device, in which user is accessing the hugetlb. See calltrace as following: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790 Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s mirror dm_region_hash dm_log dm_mod CPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:do_user_addr_fault+0x2a0/0x790 Code: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41 RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046 RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658 R13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000 FS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x8d/0x190 ? do_user_addr_fault+0x2a0/0x790 ? report_bug+0x1c3/0x1d0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? do_user_addr_fault+0x2a0/0x790 ? exc_page_fault+0x31/0x200 exc_page_fault+0x68/0x200 <...snip...> BUG: unable to handle page fault for address: 0000000000001000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI ---[ end trace 0000000000000000 ]--- BUG: unable to handle page fault for address: 0000000000001000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:dentry_name+0x1f4/0x440 <...snip...> ? dentry_name+0x2fa/0x440 vsnprintf+0x1f3/0x4f0 vprintk_store+0x23a/0x540 vprintk_emit+0x6d/0x330 _printk+0x58/0x80 dump_mapping+0x10b/0x1a0 ? __pfx_free_object_rcu+0x10/0x10 __dump_page+0x26b/0x3e0 ? vprintk_emit+0xe0/0x330 ? _printk+0x58/0x80 ? dump_page+0x17/0x50 dump_page+0x17/0x50 do_migrate_range+0x2f7/0x7f0 ? do_migrate_range+0x42/0x7f0 ? offline_pages+0x2f4/0x8c0 offline_pages+0x60a/0x8c0 memory_subsys_offline+0x9f/0x1c0 ? lockdep_hardirqs_on+0x77/0x100 ? _raw_spin_unlock_irqrestore+0x38/0x60 device_offline+0xe3/0x110 state_store+0x6e/0xc0 kernfs_fop_write_iter+0x143/0x200 vfs_write+0x39f/0x560 ksys_write+0x65/0xf0 do_syscall_64+0x62/0x130 Previously, some sanity check have been done in dump_mapping() before the print facility parsing '%pd' though, it's still possible to run into an invalid dentry.d_name.name. Since dump_mapping() only needs to dump the filename only, retrieve it by itself in a safer way to prevent an unnecessary crash. Note that either retrieving the filename with '%pd' or strncpy_from_kernel_nofault(), the filename could be unreliable.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start In sctp_listen_start() invoked by sctp_inet_listen(), it should set the sk_state back to CLOSED if sctp_autobind() fails due to whatever reason. Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash is NULL. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617 Call Trace: <TASK> __sys_listen_socket net/socket.c:1883 [inline] __sys_listen+0x1b7/0x230 net/socket.c:1894 __do_sys_listen net/socket.c:1902 [inline]

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net/ncsi: Disable the ncsi work before freeing the associated structure The work function can run after the ncsi device is freed, resulting in use-after-free bugs or kernel panic.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: prevent nf_skb_duplicated corruption syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write per-cpu variable nf_skb_duplicated in an unsafe way [1]. Disabling preemption as hinted by the splat is not enough, we have to disable soft interrupts as well. [1] BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316 caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49 nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook+0x2c4/0x450 include/linux/netfilter.h:269 NF_HOOK_COND include/linux/netfilter.h:302 [inline] ip_output+0x185/0x230 net/ipv4/ip_output.c:433 ip_local_out net/ipv4/ip_output.c:129 [inline] ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495 udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981 udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737 __do_sys_sendmmsg net/socket.c:2766 [inline] __se_sys_sendmmsg net/socket.c:2763 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f4ce4f7def9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9 RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006 RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68 </TASK>

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: filesystems without casefold feature cannot be mounted with siphash When mounting the ext4 filesystem, if the default hash version is set to DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: uprobes: fix kernel info leak via "[uprobes]" vma xol_add_vma() maps the uninitialized page allocated by __create_xol_area() into userspace. On some architectures (x86) this memory is readable even without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ, although this doesn't really matter, debugger can read this memory anyway.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Drop interface_lock in stop_kthread() stop_kthread() is the offline callback for "trace/osnoise:online", since commit 5bfbcd1ee57b ("tracing/timerlat: Add interface_lock around clearing of kthread in stop_kthread()"), the following ABBA deadlock scenario is introduced: T1 | T2 [BP] | T3 [AP] osnoise_hotplug_workfn() | work_for_cpu_fn() | cpuhp_thread_fun() | _cpu_down() | osnoise_cpu_die() mutex_lock(&interface_lock) | | stop_kthread() | cpus_write_lock() | mutex_lock(&interface_lock) cpus_read_lock() | cpuhp_kick_ap() | As the interface_lock here in just for protecting the "kthread" field of the osn_var, use xchg() instead to fix this issue. Also use for_each_online_cpu() back in stop_per_cpu_kthreads() as it can take cpu_read_lock() again.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(), the 'ppath' is updated but it is the 'path' that is freed, thus potentially triggering a double-free in the following process: ext4_ext_replay_update_ex ppath = path ext4_force_split_extent_at(&ppath) ext4_split_extent_at ext4_ext_insert_extent ext4_ext_create_new_leaf ext4_ext_grow_indepth ext4_find_extent if (depth > path[0].p_maxdepth) kfree(path) ---> path First freed *orig_path = path = NULL ---> null ppath kfree(path) ---> path double-free !!! So drop the unnecessary ppath and use path directly to avoid this problem. And use ext4_find_extent() directly to update path, avoiding unnecessary memory allocation and freeing. Also, propagate the error returned by ext4_find_extent() instead of using strange error codes.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: bpftool: Fix undefined behavior in qsort(NULL, 0, ...) When netfilter has no entry to display, qsort is called with qsort(NULL, 0, ...). This results in undefined behavior, as UBSan reports: net.c:827:2: runtime error: null pointer passed as argument 1, which is declared to never be null Although the C standard does not explicitly state whether calling qsort with a NULL pointer when the size is 0 constitutes undefined behavior, Section 7.1.4 of the C standard (Use of library functions) mentions: "Each of the following statements applies unless explicitly stated otherwise in the detailed descriptions that follow: If an argument to a function has an invalid value (such as a value outside the domain of the function, or a pointer outside the address space of the program, or a null pointer, or a pointer to non-modifiable storage when the corresponding parameter is not const-qualified) or a type (after promotion) not expected by a function with variable number of arguments, the behavior is undefined." To avoid this, add an early return when nf_link_info is NULL to prevent calling qsort with a NULL pointer.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix double free issue during amdgpu module unload Flexible endpoints use DIGs from available inflexible endpoints, so only the encoders of inflexible links need to be freed. Otherwise, a double free issue may occur when unloading the amdgpu module. [ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0 [ 279.190577] Call Trace: [ 279.190580] <TASK> [ 279.190582] ? show_regs+0x69/0x80 [ 279.190590] ? die+0x3b/0x90 [ 279.190595] ? do_trap+0xc8/0xe0 [ 279.190601] ? do_error_trap+0x73/0xa0 [ 279.190605] ? __slab_free+0x152/0x2f0 [ 279.190609] ? exc_invalid_op+0x56/0x70 [ 279.190616] ? __slab_free+0x152/0x2f0 [ 279.190642] ? asm_exc_invalid_op+0x1f/0x30 [ 279.190648] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191096] ? __slab_free+0x152/0x2f0 [ 279.191102] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191469] kfree+0x260/0x2b0 [ 279.191474] dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191821] link_destroy+0xd7/0x130 [amdgpu] [ 279.192248] dc_destruct+0x90/0x270 [amdgpu] [ 279.192666] dc_destroy+0x19/0x40 [amdgpu] [ 279.193020] amdgpu_dm_fini+0x16e/0x200 [amdgpu] [ 279.193432] dm_hw_fini+0x26/0x40 [amdgpu] [ 279.193795] amdgpu_device_fini_hw+0x24c/0x400 [amdgpu] [ 279.194108] amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu] [ 279.194436] amdgpu_pci_remove+0x40/0x80 [amdgpu] [ 279.194632] pci_device_remove+0x3a/0xa0 [ 279.194638] device_remove+0x40/0x70 [ 279.194642] device_release_driver_internal+0x1ad/0x210 [ 279.194647] driver_detach+0x4e/0xa0 [ 279.194650] bus_remove_driver+0x6f/0xf0 [ 279.194653] driver_unregister+0x33/0x60 [ 279.194657] pci_unregister_driver+0x44/0x90 [ 279.194662] amdgpu_exit+0x19/0x1f0 [amdgpu] [ 279.194939] __do_sys_delete_module.isra.0+0x198/0x2f0 [ 279.194946] __x64_sys_delete_module+0x16/0x20 [ 279.194950] do_syscall_64+0x58/0x120 [ 279.194954] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ 279.194980] </TASK>

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix system hang while resume with TBT monitor [Why] Connected with a Thunderbolt monitor and do the suspend and the system may hang while resume. The TBT monitor HPD will be triggered during the resume procedure and call the drm_client_modeset_probe() while struct drm_connector connector->dev->master is NULL. It will mess up the pipe topology after resume. [How] Skip the TBT monitor HPD during the resume procedure because we currently will probe the connectors after resume by default. (cherry picked from commit 453f86a26945207a16b8f66aaed5962dc2b95b85)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35 [WHY & HOW] Mismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to cause grey screen and system hang. Remove EnhancedPrefetchScheduleAccelerationFinal value override to match HW spec. (cherry picked from commit 9dad21f910fcea2bdcff4af46159101d7f9cd8ba)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix i_data_sem unlock order in ext4_ind_migrate() Fuzzing reports a possible deadlock in jbd2_log_wait_commit. This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require synchronous updates because the file descriptor is opened with O_SYNC. This can lead to the jbd2_journal_stop() function calling jbd2_might_wait_for_commit(), potentially causing a deadlock if the EXT4_IOC_MIGRATE call races with a write(2) system call. This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the jbd2_journal_stop function while i_data_sem is locked. This triggers lockdep because the jbd2_journal_start function might also lock the same jbd2_handle simultaneously. Found by Linux Verification Center (linuxtesting.org) with syzkaller. Rule: add

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: cpufreq: Avoid a bad reference count on CPU node In the parse_perf_domain function, if the call to of_parse_phandle_with_args returns an error, then the reference to the CPU device node that was acquired at the start of the function would not be properly decremented. Address this by declaring the variable with the __free(device_node) cleanup attribute.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix access to uninitialised lock in fc replay path The following kernel trace can be triggered with fstest generic/629 when executed against a filesystem with fast-commit feature enabled: INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x66/0x90 register_lock_class+0x759/0x7d0 __lock_acquire+0x85/0x2630 ? __find_get_block+0xb4/0x380 lock_acquire+0xd1/0x2d0 ? __ext4_journal_get_write_access+0xd5/0x160 _raw_spin_lock+0x33/0x40 ? __ext4_journal_get_write_access+0xd5/0x160 __ext4_journal_get_write_access+0xd5/0x160 ext4_reserve_inode_write+0x61/0xb0 __ext4_mark_inode_dirty+0x79/0x270 ? ext4_ext_replay_set_iblocks+0x2f8/0x450 ext4_ext_replay_set_iblocks+0x330/0x450 ext4_fc_replay+0x14c8/0x1540 ? jread+0x88/0x2e0 ? rcu_is_watching+0x11/0x40 do_one_pass+0x447/0xd00 jbd2_journal_recover+0x139/0x1b0 jbd2_journal_load+0x96/0x390 ext4_load_and_init_journal+0x253/0xd40 ext4_fill_super+0x2cc6/0x3180 ... In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in function ext4_check_bdev_write_error(). Unfortunately, at this point this spinlock has not been initialized yet. Moving it's initialization to an earlier point in __ext4_fill_super() fixes this splat.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: wd33c93: Don't use stale scsi_pointer value A regression was introduced with commit dbb2da557a6a ("scsi: wd33c93: Move the SCSI pointer to private command data") which results in an oops in wd33c93_intr(). That commit added the scsi_pointer variable and initialized it from hostdata->connected. However, during selection, hostdata->connected is not yet valid. Fix this by getting the current scsi_pointer from hostdata->selecting.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: uprobe: avoid out-of-bounds memory access of fetching args Uprobe needs to fetch args into a percpu buffer, and then copy to ring buffer to avoid non-atomic context problem. Sometimes user-space strings, arrays can be very large, but the size of percpu buffer is only page size. And store_trace_args() won't check whether these data exceeds a single page or not, caused out-of-bounds memory access. It could be reproduced by following steps: 1. build kernel with CONFIG_KASAN enabled 2. save follow program as test.c ``` \#include <stdio.h> \#include <stdlib.h> \#include <string.h> // If string length large than MAX_STRING_SIZE, the fetch_store_strlen() // will return 0, cause __get_data_size() return shorter size, and // store_trace_args() will not trigger out-of-bounds access. // So make string length less than 4096. \#define STRLEN 4093 void generate_string(char *str, int n) { int i; for (i = 0; i < n; ++i) { char c = i % 26 + 'a'; str[i] = c; } str[n-1] = '\0'; } void print_string(char *str) { printf("%s\n", str); } int main() { char tmp[STRLEN]; generate_string(tmp, STRLEN); print_string(tmp); return 0; } ``` 3. compile program `gcc -o test test.c` 4. get the offset of `print_string()` ``` objdump -t test | grep -w print_string 0000000000401199 g F .text 000000000000001b print_string ``` 5. configure uprobe with offset 0x1199 ``` off=0x1199 cd /sys/kernel/debug/tracing/ echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" > uprobe_events echo 1 > events/uprobes/enable echo 1 > tracing_on ``` 6. run `test`, and kasan will report error. ================================================================== BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0 Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18 Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x27/0x310 kasan_report+0x10f/0x120 ? strncpy_from_user+0x1d6/0x1f0 strncpy_from_user+0x1d6/0x1f0 ? rmqueue.constprop.0+0x70d/0x2ad0 process_fetch_insn+0xb26/0x1470 ? __pfx_process_fetch_insn+0x10/0x10 ? _raw_spin_lock+0x85/0xe0 ? __pfx__raw_spin_lock+0x10/0x10 ? __pte_offset_map+0x1f/0x2d0 ? unwind_next_frame+0xc5f/0x1f80 ? arch_stack_walk+0x68/0xf0 ? is_bpf_text_address+0x23/0x30 ? kernel_text_address.part.0+0xbb/0xd0 ? __kernel_text_address+0x66/0xb0 ? unwind_get_return_address+0x5e/0xa0 ? __pfx_stack_trace_consume_entry+0x10/0x10 ? arch_stack_walk+0xa2/0xf0 ? _raw_spin_lock_irqsave+0x8b/0xf0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? depot_alloc_stack+0x4c/0x1f0 ? _raw_spin_unlock_irqrestore+0xe/0x30 ? stack_depot_save_flags+0x35d/0x4f0 ? kasan_save_stack+0x34/0x50 ? kasan_save_stack+0x24/0x50 ? mutex_lock+0x91/0xe0 ? __pfx_mutex_lock+0x10/0x10 prepare_uprobe_buffer.part.0+0x2cd/0x500 uprobe_dispatcher+0x2c3/0x6a0 ? __pfx_uprobe_dispatcher+0x10/0x10 ? __kasan_slab_alloc+0x4d/0x90 handler_chain+0xdd/0x3e0 handle_swbp+0x26e/0x3d0 ? __pfx_handle_swbp+0x10/0x10 ? uprobe_pre_sstep_notifier+0x151/0x1b0 irqentry_exit_to_user_mode+0xe2/0x1b0 asm_exc_int3+0x39/0x40 RIP: 0033:0x401199 Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206 RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2 RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0 RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20 R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040 R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000 </TASK> This commit enforces the buffer's maxlen less than a page-size to avoid store_trace_args() out-of-memory access.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race We're seeing crashes from rq_qos_wake_function that look like this: BUG: unable to handle page fault for address: ffffafe180a40084 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40 Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00 RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011 RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084 RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011 R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002 R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003 FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> try_to_wake_up+0x5a/0x6a0 rq_qos_wake_function+0x71/0x80 __wake_up_common+0x75/0xa0 __wake_up+0x36/0x60 scale_up.part.0+0x50/0x110 wb_timer_fn+0x227/0x450 ... So rq_qos_wake_function() calls wake_up_process(data->task), which calls try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock). p comes from data->task, and data comes from the waitqueue entry, which is stored on the waiter's stack in rq_qos_wait(). Analyzing the core dump with drgn, I found that the waiter had already woken up and moved on to a completely unrelated code path, clobbering what was previously data->task. Meanwhile, the waker was passing the clobbered garbage in data->task to wake_up_process(), leading to the crash. What's happening is that in between rq_qos_wake_function() deleting the waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding that it already got a token and returning. The race looks like this: rq_qos_wait() rq_qos_wake_function() ============================================================== prepare_to_wait_exclusive() data->got_token = true; list_del_init(&curr->entry); if (data.got_token) break; finish_wait(&rqw->wait, &data.wq); ^- returns immediately because list_empty_careful(&wq_entry->entry) is true ... return, go do something else ... wake_up_process(data->task) (NO LONGER VALID!)-^ Normally, finish_wait() is supposed to synchronize against the waker. But, as noted above, it is returning immediately because the waitqueue entry has already been removed from the waitqueue. The bug is that rq_qos_wake_function() is accessing the waitqueue entry AFTER deleting it. Note that autoremove_wake_function() wakes the waiter and THEN deletes the waitqueue entry, which is the proper order. Fix it by swapping the order. We also need to use list_del_init_careful() to match the list_empty_careful() in finish_wait().

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test() Commit a3c1e45156ad ("net: microchip: vcap: Fix use-after-free error in kunit test") fixed the use-after-free error, but introduced below memory leaks by removing necessary vcap_free_rule(), add it to fix it. unreferenced object 0xffffff80ca58b700 (size 192): comm "kunit_try_catch", pid 1215, jiffies 4294898264 hex dump (first 32 bytes): 00 12 7a 00 05 00 00 00 0a 00 00 00 64 00 00 00 ..z.........d... 00 00 00 00 00 00 00 00 00 04 0b cc 80 ff ff ff ................ backtrace (crc 9c09c3fe): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<0000000040a01b8d>] vcap_alloc_rule+0x3cc/0x9c4 [<000000003fe86110>] vcap_api_encode_rule_test+0x1ac/0x16b0 [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000c5d82c9a>] kthread+0x2e8/0x374 [<00000000f4287308>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cc0b0400 (size 64): comm "kunit_try_catch", pid 1215, jiffies 4294898265 hex dump (first 32 bytes): 80 04 0b cc 80 ff ff ff 18 b7 58 ca 80 ff ff ff ..........X..... 39 00 00 00 02 00 00 00 06 05 04 03 02 01 ff ff 9............... backtrace (crc daf014e9): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528 [<00000000dfdb1e81>] vcap_api_encode_rule_test+0x224/0x16b0 [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000c5d82c9a>] kthread+0x2e8/0x374 [<00000000f4287308>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cc0b0700 (size 64): comm "kunit_try_catch", pid 1215, jiffies 4294898265 hex dump (first 32 bytes): 80 07 0b cc 80 ff ff ff 28 b7 58 ca 80 ff ff ff ........(.X..... 3c 00 00 00 00 00 00 00 01 2f 03 b3 ec ff ff ff <......../...... backtrace (crc 8d877792): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000006eadfab7>] vcap_rule_add_action+0x2d0/0x52c [<00000000323475d1>] vcap_api_encode_rule_test+0x4d4/0x16b0 [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000c5d82c9a>] kthread+0x2e8/0x374 [<00000000f4287308>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cc0b0900 (size 64): comm "kunit_try_catch", pid 1215, jiffies 4294898266 hex dump (first 32 bytes): 80 09 0b cc 80 ff ff ff 80 06 0b cc 80 ff ff ff ................ 7d 00 00 00 01 00 00 00 00 00 00 00 ff 00 00 00 }............... backtrace (crc 34181e56): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528 [<00000000991e3564>] vcap_val_rule+0xcf0/0x13e8 [<00000000fc9868e5>] vcap_api_encode_rule_test+0x678/0x16b0 [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000c5d82c9a>] kthread+0x2e8/0x374 [<00000000f4287308>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cc0b0980 (size 64): comm "kunit_try_catch", pid 1215, jiffies 4294898266 hex dump (first 32 bytes): 18 b7 58 ca 80 ff ff ff 00 09 0b cc 80 ff ff ff ..X............. 67 00 00 00 00 00 00 00 01 01 74 88 c0 ff ff ff g.........t..... backtrace (crc 275fd9be): [<0000000052a0be73>] kmemleak_alloc+0x34/0x40 [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528 [<000000001396a1a2>] test_add_de ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix uninitialized pointer free on read_alloc_one_name() error The function read_alloc_one_name() does not initialize the name field of the passed fscrypt_str struct if kmalloc fails to allocate the corresponding buffer. Thus, it is not guaranteed that fscrypt_str.name is initialized when freeing it. This is a follow-up to the linked patch that fixes the remaining instances of the bug introduced by commit e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs").

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix uninitialized pointer free in add_inode_ref() The add_inode_ref() function does not initialize the "name" struct when it is declared. If any of the following calls to "read_one_inode() returns NULL, dir = read_one_inode(root, parent_objectid); if (!dir) { ret = -ENOENT; goto out; } inode = read_one_inode(root, inode_objectid); if (!inode) { ret = -EIO; goto out; } then "name.name" would be freed on "out" before being initialized. out: ... kfree(name.name); This issue was reported by Coverity with CID 1526744.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: thermal: intel: int340x: processor: Fix warning during module unload The processor_thermal driver uses pcim_device_enable() to enable a PCI device, which means the device will be automatically disabled on driver detach. Thus there is no need to call pci_disable_device() again on it. With recent PCI device resource management improvements, e.g. commit f748a07a0b64 ("PCI: Remove legacy pcim_release()"), this problem is exposed and triggers the warining below. [ 224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device [ 224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100 ... [ 224.010844] Call Trace: [ 224.010845] <TASK> [ 224.010847] ? show_regs+0x6d/0x80 [ 224.010851] ? __warn+0x8c/0x140 [ 224.010854] ? pci_disable_device+0xe5/0x100 [ 224.010856] ? report_bug+0x1c9/0x1e0 [ 224.010859] ? handle_bug+0x46/0x80 [ 224.010862] ? exc_invalid_op+0x1d/0x80 [ 224.010863] ? asm_exc_invalid_op+0x1f/0x30 [ 224.010867] ? pci_disable_device+0xe5/0x100 [ 224.010869] ? pci_disable_device+0xe5/0x100 [ 224.010871] ? kfree+0x21a/0x2b0 [ 224.010873] pcim_disable_device+0x20/0x30 [ 224.010875] devm_action_release+0x16/0x20 [ 224.010878] release_nodes+0x47/0xc0 [ 224.010880] devres_release_all+0x9f/0xe0 [ 224.010883] device_unbind_cleanup+0x12/0x80 [ 224.010885] device_release_driver_internal+0x1ca/0x210 [ 224.010887] driver_detach+0x4e/0xa0 [ 224.010889] bus_remove_driver+0x6f/0xf0 [ 224.010890] driver_unregister+0x35/0x60 [ 224.010892] pci_unregister_driver+0x44/0x90 [ 224.010894] proc_thermal_pci_driver_exit+0x14/0x5f0 [processor_thermal_device_pci] ... [ 224.010921] ---[ end trace 0000000000000000 ]--- Remove the excess pci_disable_device() calls. [ rjw: Subject and changelog edits ]

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/mad: Improve handling of timed out WRs of mad agent Current timeout handler of mad agent acquires/releases mad_agent_priv lock for every timed out WRs. This causes heavy locking contention when higher no. of WRs are to be handled inside timeout handler. This leads to softlockup with below trace in some use cases where rdma-cm path is used to establish connection between peer nodes Trace: ----- BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767] CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE ------- --- 5.14.0-427.13.1.el9_4.x86_64 #1 Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019 Workqueue: ib_mad1 timeout_sends [ib_core] RIP: 0010:__do_softirq+0x78/0x2ac RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246 RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000 R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040 FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __irq_exit_rcu+0xa1/0xc0 ? watchdog_timer_fn+0x1b2/0x210 ? __pfx_watchdog_timer_fn+0x10/0x10 ? __hrtimer_run_queues+0x127/0x2c0 ? hrtimer_interrupt+0xfc/0x210 ? __sysvec_apic_timer_interrupt+0x5c/0x110 ? sysvec_apic_timer_interrupt+0x37/0x90 ? asm_sysvec_apic_timer_interrupt+0x16/0x20 ? __do_softirq+0x78/0x2ac ? __do_softirq+0x60/0x2ac __irq_exit_rcu+0xa1/0xc0 sysvec_call_function_single+0x72/0x90 </IRQ> <TASK> asm_sysvec_call_function_single+0x16/0x20 RIP: 0010:_raw_spin_unlock_irq+0x14/0x30 RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247 RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800 RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000 R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538 R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c cm_process_send_error+0x122/0x1d0 [ib_cm] timeout_sends+0x1dd/0x270 [ib_core] process_one_work+0x1e2/0x3b0 ? __pfx_worker_thread+0x10/0x10 worker_thread+0x50/0x3a0 ? __pfx_worker_thread+0x10/0x10 kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 </TASK> Simplified timeout handler by creating local list of timed out WRs and invoke send handler post creating the list. The new method acquires/ releases lock once to fetch the list and hence helps to reduce locking contetiong when processing higher no. of WRs

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error The `nouveau_dmem_copy_one` function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully. In the case of a copy error (e.g., firmware or hardware failure), the copy push command will be sent via the firmware channel, and `nouveau_dmem_copy_one` will likely report success, leading to the `migrate_to_ram` function returning a dirty HIGH_USER page to the user. This can result in a security vulnerability, as a HIGH_USER page that may contain sensitive or corrupted data could be returned to the user. To prevent this vulnerability, we allocate a zero page. Thus, in case of an error, a non-dirty (zero) page will be returned to the user.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down There is a history of deadlock if reboot is performed at the beginning of booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS shutdown, and at that time the audio driver was waiting on blk_mq_submit_bio() holding a mutex_lock while reading the fw binary. After that, a deadlock issue occurred while audio driver shutdown was waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down after a UFS shutdown will return an error. [ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown] [ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49] [ 31.907806]I[0: swapper/0: 0] Call trace: [ 31.907810]I[0: swapper/0: 0] __switch_to+0x174/0x338 [ 31.907819]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc [ 31.907826]I[0: swapper/0: 0] schedule+0x7c/0xe8 [ 31.907834]I[0: swapper/0: 0] schedule_preempt_disabled+0x24/0x40 [ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac [ 31.907849]I[0: swapper/0: 0] __mutex_lock_slowpath+0x14/0x24 [ 31.907858]I[0: swapper/0: 0] mutex_lock+0x40/0xec [ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280 [ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c [ 31.907883]I[0: swapper/0: 0] __arm64_sys_reboot+0x15c/0x280 [ 31.907890]I[0: swapper/0: 0] invoke_syscall+0x70/0x158 [ 31.907899]I[0: swapper/0: 0] el0_svc_common+0xb4/0xf4 [ 31.907909]I[0: swapper/0: 0] do_el0_svc+0x2c/0xb0 [ 31.907918]I[0: swapper/0: 0] el0_svc+0x34/0xe0 [ 31.907928]I[0: swapper/0: 0] el0t_64_sync_handler+0x68/0xb4 [ 31.907937]I[0: swapper/0: 0] el0t_64_sync+0x1a0/0x1a4 [ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter] [ 31.908783]I[0: swapper/0: 0] Call trace: [ 31.908788]I[0: swapper/0: 0] __switch_to+0x174/0x338 [ 31.908796]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc [ 31.908803]I[0: swapper/0: 0] schedule+0x7c/0xe8 [ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178 [ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c [ 31.908827]I[0: swapper/0: 0] __submit_bio+0xb8/0x19c

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Remove broken LDR (literal) uprobe support The simulate_ldr_literal() and simulate_ldrsw_literal() functions are unsafe to use for uprobes. Both functions were originally written for use with kprobes, and access memory with plain C accesses. When uprobes was added, these were reused unmodified even though they cannot safely access user memory. There are three key problems: 1) The plain C accesses do not have corresponding extable entries, and thus if they encounter a fault the kernel will treat these as unintentional accesses to user memory, resulting in a BUG() which will kill the kernel thread, and likely lead to further issues (e.g. lockup or panic()). 2) The plain C accesses are subject to HW PAN and SW PAN, and so when either is in use, any attempt to simulate an access to user memory will fault. Thus neither simulate_ldr_literal() nor simulate_ldrsw_literal() can do anything useful when simulating a user instruction on any system with HW PAN or SW PAN. 3) The plain C accesses are privileged, as they run in kernel context, and in practice can access a small range of kernel virtual addresses. The instructions they simulate have a range of +/-1MiB, and since the simulated instructions must itself be a user instructions in the TTBR0 address range, these can address the final 1MiB of the TTBR1 acddress range by wrapping downwards from an address in the first 1MiB of the TTBR0 address range. In contemporary kernels the last 8MiB of TTBR1 address range is reserved, and accesses to this will always fault, meaning this is no worse than (1). Historically, it was theoretically possible for the linear map or vmemmap to spill into the final 8MiB of the TTBR1 address range, but in practice this is extremely unlikely to occur as this would require either: * Having enough physical memory to fill the entire linear map all the way to the final 1MiB of the TTBR1 address range. * Getting unlucky with KASLR randomization of the linear map such that the populated region happens to overlap with the last 1MiB of the TTBR address range. ... and in either case if we were to spill into the final page there would be larger problems as the final page would alias with error pointers. Practically speaking, (1) and (2) are the big issues. Given there have been no reports of problems since the broken code was introduced, it appears that no-one is relying on probing these instructions with uprobes. Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW (literal), limiting the use of simulate_ldr_literal() and simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR (literal) and LDRSW (literal) will be rejected as arm_probe_decode_insn() will return INSN_REJECTED. In future we can consider introducing working uprobes support for these instructions, but this will require more significant work.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: gadget: dummy-hcd: Fix "task hung" problem The syzbot fuzzer has been encountering "task hung" problems ever since the dummy-hcd driver was changed to use hrtimers instead of regular timers. It turns out that the problems are caused by a subtle difference between the timer_pending() and hrtimer_active() APIs. The changeover blindly replaced the first by the second. However, timer_pending() returns True when the timer is queued but not when its callback is running, whereas hrtimer_active() returns True when the hrtimer is queued _or_ its callback is running. This difference occasionally caused dummy_urb_enqueue() to think that the callback routine had not yet started when in fact it was almost finished. As a result the hrtimer was not restarted, which made it impossible for the driver to dequeue later the URB that was just enqueued. This caused usb_kill_urb() to hang, and things got worse from there. Since hrtimers have no API for telling when they are queued and the callback isn't running, the driver must keep track of this for itself. That's what this patch does, adding a new "timer_pending" flag and setting or clearing it at the appropriate times.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Previously, the domain_context_clear() function incorrectly called pci_for_each_dma_alias() to set up context entries for non-PCI devices. This could lead to kernel hangs or other unexpected behavior. Add a check to only call pci_for_each_dma_alias() for PCI devices. For non-PCI devices, domain_context_clear_one() is called directly.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: x86: fix user address masking non-canonical speculation issue It turns out that AMD has a "Meltdown Lite(tm)" issue with non-canonical accesses in kernel space. And so using just the high bit to decide whether an access is in user space or kernel space ends up with the good old "leak speculative data" if you have the right gadget using the result: CVE-2020-12965 "Transient Execution of Non-Canonical Accesses" Now, the kernel surrounds the access with a STAC/CLAC pair, and those instructions end up serializing execution on older Zen architectures, which closes the speculation window. But that was true only up until Zen 5, which renames the AC bit [1]. That improves performance of STAC/CLAC a lot, but also means that the speculation window is now open. Note that this affects not just the new address masking, but also the regular valid_user_address() check used by access_ok(), and the asm version of the sign bit check in the get_user() helpers. It does not affect put_user() or clear_user() variants, since there's no speculative result to be used in a gadget for those operations.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() A devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could possibly return NULL pointer. NULL Pointer Dereference may be triggerred without addtional check. Add a NULL check for the returned pointer.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too Stuart Hayhurst has found that both at bootup and fullscreen VA-API video is leading to black screens for around 1 second and kernel WARNING [1] traces when calling dmub_psr_enable() with Parade 08-01 TCON. These symptoms all go away with PSR-SU disabled for this TCON, so disable it for now while DMUB traces [2] from the failure can be analyzed and the failure state properly root caused. (cherry picked from commit afb634a6823d8d9db23c5fb04f79c5549349628b)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: xfrm: fix one more kernel-infoleak in algo dumping During fuzz testing, the following issue was discovered: BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30 _copy_to_iter+0x598/0x2a30 __skb_datagram_iter+0x168/0x1060 skb_copy_datagram_iter+0x5b/0x220 netlink_recvmsg+0x362/0x1700 sock_recvmsg+0x2dc/0x390 __sys_recvfrom+0x381/0x6d0 __x64_sys_recvfrom+0x130/0x200 x64_sys_call+0x32c8/0x3cc0 do_syscall_64+0xd8/0x1c0 entry_SYSCALL_64_after_hwframe+0x79/0x81 Uninit was stored to memory at: copy_to_user_state_extra+0xcc1/0x1e00 dump_one_state+0x28c/0x5f0 xfrm_state_walk+0x548/0x11e0 xfrm_dump_sa+0x1e0/0x840 netlink_dump+0x943/0x1c40 __netlink_dump_start+0x746/0xdb0 xfrm_user_rcv_msg+0x429/0xc00 netlink_rcv_skb+0x613/0x780 xfrm_netlink_rcv+0x77/0xc0 netlink_unicast+0xe90/0x1280 netlink_sendmsg+0x126d/0x1490 __sock_sendmsg+0x332/0x3d0 ____sys_sendmsg+0x863/0xc30 ___sys_sendmsg+0x285/0x3e0 __x64_sys_sendmsg+0x2d6/0x560 x64_sys_call+0x1316/0x3cc0 do_syscall_64+0xd8/0x1c0 entry_SYSCALL_64_after_hwframe+0x79/0x81 Uninit was created at: __kmalloc+0x571/0xd30 attach_auth+0x106/0x3e0 xfrm_add_sa+0x2aa0/0x4230 xfrm_user_rcv_msg+0x832/0xc00 netlink_rcv_skb+0x613/0x780 xfrm_netlink_rcv+0x77/0xc0 netlink_unicast+0xe90/0x1280 netlink_sendmsg+0x126d/0x1490 __sock_sendmsg+0x332/0x3d0 ____sys_sendmsg+0x863/0xc30 ___sys_sendmsg+0x285/0x3e0 __x64_sys_sendmsg+0x2d6/0x560 x64_sys_call+0x1316/0x3cc0 do_syscall_64+0xd8/0x1c0 entry_SYSCALL_64_after_hwframe+0x79/0x81 Bytes 328-379 of 732 are uninitialized Memory access of size 732 starts at ffff88800e18e000 Data copied to user address 00007ff30f48aff0 CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Fixes copying of xfrm algorithms where some random data of the structure fields can end up in userspace. Padding in structures may be filled with random (possibly sensitve) data and should never be given directly to user-space. A similar issue was resolved in the commit 8222d5910dae ("xfrm: Zero padding when dumping algos and encap") Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix kernel bug due to missing clearing of buffer delay flag Syzbot reported that after nilfs2 reads a corrupted file system image and degrades to read-only, the BUG_ON check for the buffer delay flag in submit_bh_wbc() may fail, causing a kernel bug. This is because the buffer delay flag is not cleared when clearing the buffer state flags to discard a page/folio or a buffer head. So, fix this. This became necessary when the use of nilfs2's own page clear routine was expanded. This state inconsistency does not occur if the buffer is written normally by log writing.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd: Guard against bad data for ATIF ACPI method If a BIOS provides bad data in response to an ATIF method call this causes a NULL pointer dereference in the caller. ``` ? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1)) ? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434) ? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2)) ? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1)) ? acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:642) ? exc_page_fault (arch/x86/mm/fault.c:1542) ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) ? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:387 (discriminator 2)) amdgpu ? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:386 (discriminator 1)) amdgpu ``` It has been encountered on at least one system, so guard for it. (cherry picked from commit c9b7c809b89f24e9372a4e7f02d64c950b07fdee)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net In the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will release all resources related to the hashed `nfs4_client`. If the `nfsd_client_shrinker` is running concurrently, the `expire_client` function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well. nfsd_client_shrinker echo 0 > /proc/fs/nfsd/threads expire_client nfsd_shutdown_net unhash_client ... nfs4_state_shutdown_net /* won't wait shrinker exit */ /* cancel_work(&nn->nfsd_shrinker_work) * nfsd_file for this /* won't destroy unhashed client1 */ * client1 still alive nfs4_state_destroy_net */ nfsd_file_cache_shutdown /* trigger warning */ kmem_cache_destroy(nfsd_file_slab) kmem_cache_destroy(nfsd_file_mark_slab) /* release nfsd_file and mark */ __destroy_client ==================================================================== BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown() -------------------------------------------------------------------- CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1 dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xac/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e ==================================================================== BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown() -------------------------------------------------------------------- dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xc8/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e To resolve this issue, cancel `nfsd_shrinker_work` using synchronous mode in nfs4_state_shutdown_net.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix UAF on iso_sock_timeout conn->sk maybe have been unlinked/freed while waiting for iso_conn_lock so this checks if the conn->sk is still valid by checking if it part of iso_sk_list.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_sock_timeout conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock so this checks if the conn->sk is still valid by checking if it part of sco_sk_list.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: sched: fix use-after-free in taprio_change() In 'taprio_change()', 'admin' pointer may become dangling due to sched switch / removal caused by 'advance_sched()', and critical section protected by 'q->current_entry_lock' is too small to prevent from such a scenario (which causes use-after-free detected by KASAN). Fix this by prefer 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update 'admin' immediately before an attempt to schedule freeing.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: wwan: fix global oob in wwan_rtnl_policy The variable wwan_rtnl_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. Exactly same bug cause as the oob fixed in commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"). ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603 Read of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862 CPU: 0 PID: 323862 Comm: syz.1.66276 Not tainted 6.1.70 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x14f/0x750 mm/kasan/report.c:395 kasan_report+0x139/0x170 mm/kasan/report.c:495 validate_nla lib/nlattr.c:388 [inline] __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603 __nla_parse+0x3c/0x50 lib/nlattr.c:700 nla_parse_nested_deprecated include/net/netlink.h:1269 [inline] __rtnl_newlink net/core/rtnetlink.c:3514 [inline] rtnl_newlink+0x7bc/0x1fd0 net/core/rtnetlink.c:3623 rtnetlink_rcv_msg+0x794/0xef0 net/core/rtnetlink.c:6122 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __do_sys_sendmsg net/socket.c:2591 [inline] __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f67b19a24ad RSP: 002b:00007f67b17febb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f67b1b45f80 RCX: 00007f67b19a24ad RDX: 0000000000000000 RSI: 0000000020005e40 RDI: 0000000000000004 RBP: 00007f67b1a1e01d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd2513764f R14: 00007ffd251376e0 R15: 00007f67b17fed40 </TASK> The buggy address belongs to the variable: wwan_rtnl_policy+0x20/0x40 The buggy address belongs to the physical page: page:ffffea00002c2700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb09c flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000001000 ffffea00002c2708 ffffea00002c2708 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffffffff8b09ca00: 05 f9 f9 f9 05 f9 f9 f9 00 01 f9 f9 00 01 f9 f9 ffffffff8b09ca80: 00 00 00 05 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 >ffffffff8b09cb00: 00 00 00 00 05 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 ^ ffffffff8b09cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== According to the comment of `nla_parse_nested_deprecated`, use correct size `IFLA_WWAN_MAX` here to fix this issue.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: must hold reference on net namespace BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0 Read of size 8 at addr ffff8880106fe400 by task repro/72= bpf_nf_link_release+0xda/0x1e0 bpf_link_free+0x139/0x2d0 bpf_link_release+0x68/0x80 __fput+0x414/0xb60 Eric says: It seems that bpf was able to defer the __nf_unregister_net_hook() after exit()/close() time. Perhaps a netns reference is missing, because the netns has been dismantled/freed already. bpf_nf_link_attach() does : link->net = net; But I do not see a reference being taken on net. Add such a reference and release it after hook unreg. Note that I was unable to get syzbot reproducer to work, so I do not know if this resolves this splat.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing: Consider the NULL character when validating the event length strlen() returns a string length excluding the null byte. If the string length equals to the maximum buffer length, the buffer will have no space for the NULL terminating character. This commit checks this condition and returns failure for it.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with a real VLA to fix a "memcpy: detected field-spanning write error" warning: [ 13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4) [ 13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo] [ 13.320038] Call Trace: [ 13.320173] hgsmi_update_pointer_shape [vboxvideo] [ 13.320184] vbox_cursor_atomic_update [vboxvideo] Note as mentioned in the added comment it seems the original length calculation for the allocated and send hgsmi buffer is 4 bytes too large. Changing this is not the goal of this patch, so this behavior is kept.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix race condition between reset and nvme_dev_disable() nvme_dev_disable() modifies the dev->online_queues field, therefore nvme_pci_update_nr_queues() should avoid racing against it, otherwise we could end up passing invalid values to blk_mq_update_nr_hw_queues(). WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347 pci_irq_get_affinity+0x187/0x210 Workqueue: nvme-reset-wq nvme_reset_work [nvme] RIP: 0010:pci_irq_get_affinity+0x187/0x210 Call Trace: <TASK> ? blk_mq_pci_map_queues+0x87/0x3c0 ? pci_irq_get_affinity+0x187/0x210 blk_mq_pci_map_queues+0x87/0x3c0 nvme_pci_map_queues+0x189/0x460 [nvme] blk_mq_update_nr_hw_queues+0x2a/0x40 nvme_reset_work+0x1be/0x2a0 [nvme] Fix the bug by locking the shutdown_lock mutex before using dev->online_queues. Give up if nvme_dev_disable() is running or if it has been executed already.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Unregister notifier on eswitch init failure It otherwise remains registered and a subsequent attempt at eswitch enabling might trigger warnings of the sort: [ 682.589148] ------------[ cut here ]------------ [ 682.590204] notifier callback eswitch_vport_event [mlx5_core] already registered [ 682.590256] WARNING: CPU: 13 PID: 2660 at kernel/notifier.c:31 notifier_chain_register+0x3e/0x90 [...snipped] [ 682.610052] Call Trace: [ 682.610369] <TASK> [ 682.610663] ? __warn+0x7c/0x110 [ 682.611050] ? notifier_chain_register+0x3e/0x90 [ 682.611556] ? report_bug+0x148/0x170 [ 682.611977] ? handle_bug+0x36/0x70 [ 682.612384] ? exc_invalid_op+0x13/0x60 [ 682.612817] ? asm_exc_invalid_op+0x16/0x20 [ 682.613284] ? notifier_chain_register+0x3e/0x90 [ 682.613789] atomic_notifier_chain_register+0x25/0x40 [ 682.614322] mlx5_eswitch_enable_locked+0x1d4/0x3b0 [mlx5_core] [ 682.614965] mlx5_eswitch_enable+0xc9/0x100 [mlx5_core] [ 682.615551] mlx5_device_enable_sriov+0x25/0x340 [mlx5_core] [ 682.616170] mlx5_core_sriov_configure+0x50/0x170 [mlx5_core] [ 682.616789] sriov_numvfs_store+0xb0/0x1b0 [ 682.617248] kernfs_fop_write_iter+0x117/0x1a0 [ 682.617734] vfs_write+0x231/0x3f0 [ 682.618138] ksys_write+0x63/0xe0 [ 682.618536] do_syscall_64+0x4c/0x100 [ 682.618958] entry_SYSCALL_64_after_hwframe+0x4b/0x53

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Use raw_spinlock_t in ringbuf The function __bpf_ringbuf_reserve is invoked from a tracepoint, which disables preemption. Using spinlock_t in this context can lead to a "sleep in atomic" warning in the RT variant. This issue is illustrated in the example below: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs preempt_count: 1, expected: 0 RCU nest depth: 1, expected: 1 INFO: lockdep is turned off. Preemption disabled at: [<ffffd33a5c88ea44>] migrate_enable+0xc0/0x39c CPU: 7 PID: 556208 Comm: test_progs Tainted: G Hardware name: Qualcomm SA8775P Ride (DT) Call trace: dump_backtrace+0xac/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0xac/0xe8 dump_stack+0x18/0x30 __might_resched+0x3bc/0x4fc rt_spin_lock+0x8c/0x1a4 __bpf_ringbuf_reserve+0xc4/0x254 bpf_ringbuf_reserve_dynptr+0x5c/0xdc bpf_prog_ac3d15160d62622a_test_read_write+0x104/0x238 trace_call_bpf+0x238/0x774 perf_call_bpf_enter.isra.0+0x104/0x194 perf_syscall_enter+0x2f8/0x510 trace_sys_enter+0x39c/0x564 syscall_trace_enter+0x220/0x3c0 do_el0_svc+0x138/0x1dc el0_svc+0x54/0x130 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x17c/0x180 Switch the spinlock to raw_spinlock_t to avoid this error.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix shift-out-of-bounds bug Fix a shift-out-of-bounds bug reported by UBSAN when running VM with MTE enabled host kernel. UBSAN: shift-out-of-bounds in arch/arm64/kvm/sys_regs.c:1988:14 shift exponent 33 is too large for 32-bit type 'int' CPU: 26 UID: 0 PID: 7629 Comm: qemu-kvm Not tainted 6.12.0-rc2 #34 Hardware name: IEI NF5280R7/Mitchell MB, BIOS 00.00. 2024-10-12 09:28:54 10/14/2024 Call trace: dump_backtrace+0xa0/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x74/0x90 dump_stack+0x18/0x28 __ubsan_handle_shift_out_of_bounds+0xf8/0x1e0 reset_clidr+0x10c/0x1c8 kvm_reset_sys_regs+0x50/0x1c8 kvm_reset_vcpu+0xec/0x2b0 __kvm_vcpu_set_target+0x84/0x158 kvm_vcpu_set_target+0x138/0x168 kvm_arch_vcpu_ioctl_vcpu_init+0x40/0x2b0 kvm_arch_vcpu_ioctl+0x28c/0x4b8 kvm_vcpu_ioctl+0x4bc/0x7a8 __arm64_sys_ioctl+0xb4/0x100 invoke_syscall+0x70/0x100 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x158 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x194/0x198

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context PRMT needs to find the correct type of block to translate the PA-VA mapping for EFI runtime services. The issue arises because the PRMT is finding a block of type EFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services as described in Section 2.2.2 (Runtime Services) of the UEFI Specification [1]. Since the PRM handler is a type of runtime service, this causes an exception when the PRM handler is called. [Firmware Bug]: Unable to handle paging request in EFI runtime service WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341 __efi_queue_work+0x11c/0x170 Call trace: Let PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM context. If no suitable block is found, a warning message will be printed, but the procedure continues to manage the next PRM handler. However, if the PRM handler is actually called without proper allocation, it would result in a failure during error handling. By using the correct memory types for runtime services, ensure that the PRM handler and the context are properly mapped in the virtual address space during runtime, preventing the paging request error. The issue is really that only memory that has been remapped for runtime by the firmware can be used by the PRM handler, and so the region needs to have the EFI_MEMORY_RUNTIME attribute. [ rjw: Subject and changelog edits ]

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx() build_skb() returns NULL in case of a memory allocation failure so handle it inside __octep_oq_process_rx() to avoid NULL pointer dereference. __octep_oq_process_rx() is called during NAPI polling by the driver. If skb allocation fails, keep on pulling packets out of the Rx DMA queue: we shouldn't break the polling immediately and thus falsely indicate to the octep_napi_poll() that the Rx pressure is going down. As there is no associated skb in this case, don't process the packets and don't push them up the network stack - they are skipped. Helper function is implemented to unmmap/flush all the fragment buffers used by the dropped packet. 'alloc_failures' counter is incremented to mark the skb allocation error in driver statistics. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't call cleanup on profile rollback failure When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case. This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in _mlx5e_remove. [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? page_fault_oops+0x150/0x400 [ 745.555307] ? exc_page_fault+0x79/0x240 [ 745.555729] ? asm_exc_page_fault+0x22/0x30 [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] [ 745.556698] auxiliary_bus_remove+0x18/0x30 [ 745.557134] device_release_driver_internal+0x1df/0x240 [ 745.557654] bus_remove_device+0xd7/0x140 [ 745.558075] device_del+0x15b/0x3c0 [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core] [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] [ 745.560694] pci_device_remove+0x39/0xa0 [ 745.561112] device_release_driver_internal+0x1df/0x240 [ 745.561631] driver_detach+0x47/0x90 [ 745.562022] bus_remove_driver+0x84/0x100 [ 745.562444] pci_unregister_driver+0x3b/0x90 [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 [ 745.563886] ? kmem_cache_free+0x1b0/0x460 [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 [ 745.564825] do_syscall_64+0x6d/0x140 [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix command bitmask initialization Command bitmask have a dedicated bit for MANAGE_PAGES command, this bit isn't Initialize during command bitmask Initialization, only during MANAGE_PAGES. In addition, mlx5_cmd_trigger_completions() is trying to trigger completion for MANAGE_PAGES command as well. Hence, in case health error occurred before any MANAGE_PAGES command have been invoke (for example, during mlx5_enable_hca()), mlx5_cmd_trigger_completions() will try to trigger completion for MANAGE_PAGES command, which will result in null-ptr-deref error.[1] Fix it by Initialize command bitmask correctly. While at it, re-write the code for better understanding. [1] BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core] Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078 CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace: <TASK> dump_stack_lvl+0x7e/0xc0 kasan_report+0xb9/0xf0 kasan_check_range+0xec/0x190 mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core] mlx5_cmd_flush+0x94/0x240 [mlx5_core] enter_error_state+0x6c/0xd0 [mlx5_core] mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core] process_one_work+0x787/0x1490 ? lockdep_hardirqs_on_prepare+0x400/0x400 ? pwq_dec_nr_in_flight+0xda0/0xda0 ? assign_work+0x168/0x240 worker_thread+0x586/0xd30 ? rescuer_thread+0xae0/0xae0 kthread+0x2df/0x3b0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x70 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 </TASK>

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bnep: fix wild-memory-access in proto_unregister There's issue as follows: KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f] CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W RIP: 0010:proto_unregister+0xee/0x400 Call Trace: <TASK> __do_sys_delete_module+0x318/0x580 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init() will cleanup all resource. Then when remove bnep module will call bnep_sock_cleanup() to cleanup sock's resource. To solve above issue just return bnep_sock_init()'s return value in bnep_exit().

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmode should keep reference to parent The altmode device release refers to its parent device, but without keeping a reference to it. When registering the altmode, get a reference to the parent and put it in the release function. Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues like this: [ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000) [ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000) [ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000) [ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000) [ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000) [ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000) [ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000) [ 46.612867] ================================================================== [ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129 [ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48 [ 46.614538] [ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535 [ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 46.616042] Workqueue: events kobject_delayed_cleanup [ 46.616446] Call Trace: [ 46.616648] <TASK> [ 46.616820] dump_stack_lvl+0x5b/0x7c [ 46.617112] ? typec_altmode_release+0x38/0x129 [ 46.617470] print_report+0x14c/0x49e [ 46.617769] ? rcu_read_unlock_sched+0x56/0x69 [ 46.618117] ? __virt_addr_valid+0x19a/0x1ab [ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d [ 46.618807] ? typec_altmode_release+0x38/0x129 [ 46.619161] kasan_report+0x8d/0xb4 [ 46.619447] ? typec_altmode_release+0x38/0x129 [ 46.619809] ? process_scheduled_works+0x3cb/0x85f [ 46.620185] typec_altmode_release+0x38/0x129 [ 46.620537] ? process_scheduled_works+0x3cb/0x85f [ 46.620907] device_release+0xaf/0xf2 [ 46.621206] kobject_delayed_cleanup+0x13b/0x17a [ 46.621584] process_scheduled_works+0x4f6/0x85f [ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10 [ 46.622353] ? hlock_class+0x31/0x9a [ 46.622647] ? lock_acquired+0x361/0x3c3 [ 46.622956] ? move_linked_works+0x46/0x7d [ 46.623277] worker_thread+0x1ce/0x291 [ 46.623582] ? __kthread_parkme+0xc8/0xdf [ 46.623900] ? __pfx_worker_thread+0x10/0x10 [ 46.624236] kthread+0x17e/0x190 [ 46.624501] ? kthread+0xfb/0x190 [ 46.624756] ? __pfx_kthread+0x10/0x10 [ 46.625015] ret_from_fork+0x20/0x40 [ 46.625268] ? __pfx_kthread+0x10/0x10 [ 46.625532] ret_from_fork_asm+0x1a/0x30 [ 46.625805] </TASK> [ 46.625953] [ 46.626056] Allocated by task 678: [ 46.626287] kasan_save_stack+0x24/0x44 [ 46.626555] kasan_save_track+0x14/0x2d [ 46.626811] __kasan_kmalloc+0x3f/0x4d [ 46.627049] __kmalloc_noprof+0x1bf/0x1f0 [ 46.627362] typec_register_port+0x23/0x491 [ 46.627698] cros_typec_probe+0x634/0xbb6 [ 46.628026] platform_probe+0x47/0x8c [ 46.628311] really_probe+0x20a/0x47d [ 46.628605] device_driver_attach+0x39/0x72 [ 46.628940] bind_store+0x87/0xd7 [ 46.629213] kernfs_fop_write_iter+0x1aa/0x218 [ 46.629574] vfs_write+0x1d6/0x29b [ 46.629856] ksys_write+0xcd/0x13b [ 46.630128] do_syscall_64+0xd4/0x139 [ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 46.630820] [ 46.630946] Freed by task 48: [ 46.631182] kasan_save_stack+0x24/0x44 [ 46.631493] kasan_save_track+0x14/0x2d [ 46.631799] kasan_save_free_info+0x3f/0x4d [ 46.632144] __kasan_slab_free+0x37/0x45 [ 46.632474] ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix null-ptr-deref in target_alloc_device() There is a null-ptr-deref issue reported by KASAN: BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod] ... kasan_report+0xb9/0xf0 target_alloc_device+0xbc4/0xbe0 [target_core_mod] core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod] target_core_init_configfs+0x205/0x420 [target_core_mod] do_one_initcall+0xdd/0x4e0 ... entry_SYSCALL_64_after_hwframe+0x76/0x7e In target_alloc_device(), if allocing memory for dev queues fails, then dev will be freed by dev->transport->free_device(), but dev->transport is not initialized at that time, which will lead to a null pointer reference problem. Fixing this bug by freeing dev with hba->backend->ops->free_device().

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: netdevsim: use cond_resched() in nsim_dev_trap_report_work() I am still seeing many syzbot reports hinting that syzbot might fool nsim_dev_trap_report_work() with hundreds of ports [1] Lets use cond_resched(), and system_unbound_wq instead of implicit system_wq. [1] INFO: task syz-executor:20633 blocked for more than 143 seconds. Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:25856 pid:20633 tgid:20633 ppid:1 flags:0x00004006 ... NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events nsim_dev_trap_report_work RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210 Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0 RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246 RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00 RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577 R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000 R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 spin_unlock_bh include/linux/spinlock.h:396 [inline] nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline] nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() If the allocation in msm_disp_state_dump_regs() failed then `block->state` can be NULL. The msm_disp_state_print_regs() function _does_ have code to try to handle it with: if (*reg) dump_addr = *reg; ...but since "dump_addr" is initialized to NULL the above is actually a noop. The code then goes on to dereference `dump_addr`. Make the function print "Registers not stored" when it sees a NULL to solve this. Since we're touching the code, fix msm_disp_state_print_regs() not to pointlessly take a double-pointer and properly mark the pointer as `const`. Patchwork: https://patchwork.freedesktop.org/patch/619657/

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop Driver waits indefinitely for the fifo occupancy to go below a threshold as soon as the pacing interrupt is received. This can cause soft lockup on one of the processors, if the rate of DB is very high. Add a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th if the loop is taking more time. Pacing will be continuing until the occupancy is below the threshold. This is ensured by the checks in bnxt_re_pacing_timer_exp and further scheduling the work for pacing based on the fifo occupancy.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix out of bound check Driver exports pacing stats only on GenP5 and P7 adapters. But while parsing the pacing stats, driver has a check for "rdev->dbr_pacing". This caused a trace when KASAN is enabled. BUG: KASAN: slab-out-of-bounds in bnxt_re_get_hw_stats+0x2b6a/0x2e00 [bnxt_re] Write of size 8 at addr ffff8885942a6340 by task modprobe/4809

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup() Clang static checker(scan-build) throws below warning: | drivers/firmware/arm_scmi/driver.c:line 2915, column 2 | Attempt to free released memory. When devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup() will run twice which causes double free of 'dbg->name'. Remove the redundant scmi_debugfs_common_cleanup() to fix this problem.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/cs8409: Fix possible NULL dereference If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then NULL pointer dereference will occur in the next line. Since dolphin_fixups function is a hda_fixup function which is not supposed to return any errors, add simple check before dereference, ignore the fail. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fsl/fman: Fix refcount handling of fman-related devices In mac_probe() there are multiple calls to of_find_device_by_node(), fman_bind() and fman_port_bind() which takes references to of_dev->dev. Not all references taken by these calls are released later on error path in mac_probe() and in mac_remove() which lead to reference leaks. Add references release.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: be2net: fix potential memory leak in be_xmit() The be_xmit() returns NETDEV_TX_OK without freeing skb in case of be_xmit_enqueue() fails, add dev_kfree_skb_any() to fix it.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: vsock: Update rx_bytes on read_skb() Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt() calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after vsock_transport::read_skb(). While here, also inform the peer that we've freed up space and it has more credit. Failing to update rx_bytes after packet is dequeued leads to a warning on SOCK_STREAM recv(): [ 233.396654] rx_queue is empty, but rx_bytes is non-zero [ 233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: systemport: fix potential memory leak in bcm_sysport_xmit() The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb in case of dma_map_single() fails, add dev_kfree_skb() to fix it.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix a possible memory leak In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails driver is not freeing the memory allocated for "rdev->chip_ctx".

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: Remove use_count guard in stop_streaming The use_count check was introduced so that multiple concurrent Raw Data Interfaces RDIs could be driven by different virtual channels VCs on the CSIPHY input driving the video pipeline. This is an invalid use of use_count though as use_count pertains to the number of times a video entity has been opened by user-space not the number of active streams. If use_count and stream-on count don't agree then stop_streaming() will break as is currently the case and has become apparent when using CAMSS with libcamera's released softisp 0.3. The use of use_count like this is a bit hacky and right now breaks regular usage of CAMSS for a single stream case. Stopping qcam results in the splat below, and then it cannot be started again and any attempts to do so fails with -EBUSY. [ 1265.509831] WARNING: CPU: 5 PID: 919 at drivers/media/common/videobuf2/videobuf2-core.c:2183 __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common] ... [ 1265.510630] Call trace: [ 1265.510636] __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common] [ 1265.510648] vb2_core_streamoff+0x24/0xcc [videobuf2_common] [ 1265.510660] vb2_ioctl_streamoff+0x5c/0xa8 [videobuf2_v4l2] [ 1265.510673] v4l_streamoff+0x24/0x30 [videodev] [ 1265.510707] __video_do_ioctl+0x190/0x3f4 [videodev] [ 1265.510732] video_usercopy+0x304/0x8c4 [videodev] [ 1265.510757] video_ioctl2+0x18/0x34 [videodev] [ 1265.510782] v4l2_ioctl+0x40/0x60 [videodev] ... [ 1265.510944] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 0 in active state [ 1265.511175] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 1 in active state [ 1265.511398] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 2 in active st One CAMSS specific way to handle multiple VCs on the same RDI might be: - Reference count each pipeline enable for CSIPHY, CSID, VFE and RDIx. - The video buffers are already associated with msm_vfeN_rdiX so release video buffers when told to do so by stop_streaming. - Only release the power-domains for the CSIPHY, CSID and VFE when their internal refcounts drop. Either way refusing to release video buffers based on use_count is erroneous and should be reverted. The silicon enabling code for selecting VCs is perfectly fine. Its a "known missing feature" that concurrent VCs won't work with CAMSS right now. Initial testing with this code didn't show an error but, SoftISP and "real" usage with Google Hangouts breaks the upstream code pretty quickly, we need to do a partial revert and take another pass at VCs. This commit partially reverts commit 89013969e232 ("media: camss: sm8250: Pipeline starting and stopping for multiple virtual channels")

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: remoteproc: k3-r5: Fix error handling when power-up failed By simply bailing out, the driver was violating its rule and internal assumptions that either both or no rproc should be initialized. E.g., this could cause the first core to be available but not the second one, leading to crashes on its shutdown later on while trying to dereference that second instance.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a UBSAN warning in DML2.1 When programming phantom pipe, since cursor_width is explicity set to 0, this causes calculation logic to trigger overflow for an unsigned int triggering the kernel's UBSAN check as below: [ 40.962845] UBSAN: shift-out-of-bounds in /tmp/amd.EfpumTkO/amd/amdgpu/../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:3312:34 [ 40.962849] shift exponent 4294967170 is too large for 32-bit type 'unsigned int' [ 40.962852] CPU: 1 PID: 1670 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu [ 40.962854] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F21 01/10/2024 [ 40.962856] Call Trace: [ 40.962857] <TASK> [ 40.962860] dump_stack_lvl+0x48/0x70 [ 40.962870] dump_stack+0x10/0x20 [ 40.962872] __ubsan_handle_shift_out_of_bounds+0x1ac/0x360 [ 40.962878] calculate_cursor_req_attributes.cold+0x1b/0x28 [amdgpu] [ 40.963099] dml_core_mode_support+0x6b91/0x16bc0 [amdgpu] [ 40.963327] ? srso_alias_return_thunk+0x5/0x7f [ 40.963331] ? CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport+0x18b8/0x2790 [amdgpu] [ 40.963534] ? srso_alias_return_thunk+0x5/0x7f [ 40.963536] ? dml_core_mode_support+0xb3db/0x16bc0 [amdgpu] [ 40.963730] dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu] [ 40.963906] ? srso_alias_return_thunk+0x5/0x7f [ 40.963909] ? dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu] [ 40.964078] core_dcn4_mode_support+0x72/0xbf0 [amdgpu] [ 40.964247] dml2_top_optimization_perform_optimization_phase+0x1d3/0x2a0 [amdgpu] [ 40.964420] dml2_build_mode_programming+0x23d/0x750 [amdgpu] [ 40.964587] dml21_validate+0x274/0x770 [amdgpu] [ 40.964761] ? srso_alias_return_thunk+0x5/0x7f [ 40.964763] ? resource_append_dpp_pipes_for_plane_composition+0x27c/0x3b0 [amdgpu] [ 40.964942] dml2_validate+0x504/0x750 [amdgpu] [ 40.965117] ? dml21_copy+0x95/0xb0 [amdgpu] [ 40.965291] ? srso_alias_return_thunk+0x5/0x7f [ 40.965295] dcn401_validate_bandwidth+0x4e/0x70 [amdgpu] [ 40.965491] update_planes_and_stream_state+0x38d/0x5c0 [amdgpu] [ 40.965672] update_planes_and_stream_v3+0x52/0x1e0 [amdgpu] [ 40.965845] ? srso_alias_return_thunk+0x5/0x7f [ 40.965849] dc_update_planes_and_stream+0x71/0xb0 [amdgpu] Fix this by adding a guard for checking cursor width before triggering the size calculation.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ceph: remove the incorrect Fw reference check when dirtying pages When doing the direct-io reads it will also try to mark pages dirty, but for the read path it won't hold the Fw caps and there is case will it get the Fw reference.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fbdev: sisfb: Fix strbuf array overflow The values of the variables xres and yres are placed in strbuf. These variables are obtained from strbuf1. The strbuf1 array contains digit characters and a space if the array contains non-digit characters. Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres); more than 16 bytes will be written to strbuf. It is suggested to increase the size of the strbuf array to 24. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: secretmem: disable memfd_secret() if arch cannot set direct map Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). This is the case for example on some arm64 configurations, where marking 4k PTEs in the direct map not present can only be done if the direct map is set up at 4k granularity in the first place (as ARM's break-before-make semantics do not easily allow breaking apart large/gigantic pages). More precisely, on arm64 systems with !can_set_direct_map(), set_direct_map_invalid_noflush() is a no-op, however it returns success (0) instead of an error. This means that memfd_secret will seemingly "work" (e.g. syscall succeeds, you can mmap the fd and fault in pages), but it does not actually achieve its goal of removing its memory from the direct map. Note that with this patch, memfd_secret() will start erroring on systems where can_set_direct_map() returns false (arm64 with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and CONFIG_KFENCE=n), but that still seems better than the current silent failure. Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most arm64 systems actually have a working memfd_secret() and aren't be affected. From going through the iterations of the original memfd_secret patch series, it seems that disabling the syscall in these scenarios was the intended behavior [1] (preferred over having set_direct_map_invalid_noflush return an error as that would result in SIGBUSes at page-fault time), however the check for it got dropped between v16 [2] and v17 [3], when secretmem moved away from CMA allocations. [1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/ [2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t [3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance Deleting an NPIV instance requires all fabric ndlps to be released before an NPIV's resources can be torn down. Failure to release fabric ndlps beforehand opens kref imbalance race conditions. Fix by forcing the DA_ID to complete synchronously with usage of wait_queue.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: Check device status before requesting flush If a pmem device is in a bad status, the driver side could wait for host ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning of virtio_pmem_flush() to return early if the device is not activated.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: explicitly clear the sk pointer, when pf->create fails We have recently noticed the exact same KASAN splat as in commit 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails"). The problem is that commit did not fully address the problem, as some pf->create implementations do not use sk_common_release in their error paths. For example, we can use the same reproducer as in the above commit, but changing ping to arping. arping uses AF_PACKET socket and if packet_create fails, it will just sk_free the allocated sk object. While we could chase all the pf->create implementations and make sure they NULL the freed sk object on error from the socket, we can't guarantee future protocols will not make the same mistake. So it is easier to just explicitly NULL the sk pointer upon return from pf->create in __sock_create. We do know that pf->create always releases the allocated sk object on error, so if the pointer is not NULL, it is definitely dangling.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Stop the active perfmon before being destroyed Upon closing the file descriptor, the active performance monitor is not stopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`, the active performance monitor's pointer (`vc4->active_perfmon`) is still retained. If we open a new file descriptor and submit a few jobs with performance monitors, the driver will attempt to stop the active performance monitor using the stale pointer in `vc4->active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed. To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: phy: dp83869: fix memory corruption when enabling fiber When configuring the fiber port, the DP83869 PHY driver incorrectly calls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit number (10). This corrupts some other memory location -- in case of arm64 the priv pointer in the same structure. Since the advertising flags are updated from supported at the end of the function the incorrect line isn't needed at all and can be removed.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: Switch to device-managed dmam_alloc_coherent() Using the device-managed version allows to simplify clean-up in probe() error path. Additionally, this device-managed ensures proper cleanup, which helps to resolve memory errors, page faults, btrfs going read-only, and btrfs disk corruption.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Kunkun Jiang reported that there is a small window of opportunity for userspace to force a change of affinity for a VPE while the VPE has already been unmapped, but the corresponding doorbell interrupt still visible in /proc/irq/. Plug the race by checking the value of vmapp_count, which tracks whether the VPE is mapped ot not, and returning an error in this case. This involves making vmapp_count common to both GICv4.1 and its v4.0 ancestor.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Fix uprobes for big-endian kernels The arm64 uprobes code is broken for big-endian kernels as it doesn't convert the in-memory instruction encoding (which is always little-endian) into the kernel's native endianness before analyzing and simulating instructions. This may result in a few distinct problems: * The kernel may may erroneously reject probing an instruction which can safely be probed. * The kernel may erroneously erroneously permit stepping an instruction out-of-line when that instruction cannot be stepped out-of-line safely. * The kernel may erroneously simulate instruction incorrectly dur to interpretting the byte-swapped encoding. The endianness mismatch isn't caught by the compiler or sparse because: * The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so the compiler and sparse have no idea these contain a little-endian 32-bit value. The core uprobes code populates these with a memcpy() which similarly does not handle endianness. * While the uprobe_opcode_t type is an alias for __le32, both arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[] to the similarly-named probe_opcode_t, which is an alias for u32. Hence there is no endianness conversion warning. Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and adding the appropriate __le32_to_cpu() conversions prior to consuming the instruction encoding. The core uprobes copies these fields as opaque ranges of bytes, and so is unaffected by this change. At the same time, remove MAX_UINSN_BYTES and consistently use AARCH64_INSN_SIZE for clarity. Tested with the following: | #include <stdio.h> | #include <stdbool.h> | | #define noinline __attribute__((noinline)) | | static noinline void *adrp_self(void) | { | void *addr; | | asm volatile( | " adrp %x0, adrp_self\n" | " add %x0, %x0, :lo12:adrp_self\n" | : "=r" (addr)); | } | | | int main(int argc, char *argv) | { | void *ptr = adrp_self(); | bool equal = (ptr == adrp_self); | | printf("adrp_self => %p\n" | "adrp_self() => %p\n" | "%s\n", | adrp_self, ptr, equal ? "EQUAL" : "NOT EQUAL"); | | return 0; | } .... where the adrp_self() function was compiled to: | 00000000004007e0 <adrp_self>: | 4007e0: 90000000 adrp x0, 400000 <__ehdr_start> | 4007e4: 911f8000 add x0, x0, #0x7e0 | 4007e8: d65f03c0 ret Before this patch, the ADRP is not recognized, and is assumed to be steppable, resulting in corruption of the result: | # ./adrp-self | adrp_self => 0x4007e0 | adrp_self() => 0x4007e0 | EQUAL | # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events | # echo 1 > /sys/kernel/tracing/events/uprobes/enable | # ./adrp-self | adrp_self => 0x4007e0 | adrp_self() => 0xffffffffff7e0 | NOT EQUAL After this patch, the ADRP is correctly recognized and simulated: | # ./adrp-self | adrp_self => 0x4007e0 | adrp_self() => 0x4007e0 | EQUAL | # | # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events | # echo 1 > /sys/kernel/tracing/events/uprobes/enable | # ./adrp-self | adrp_self => 0x4007e0 | adrp_self() => 0x4007e0 | EQUAL

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: posix-clock: Fix missing timespec64 check in pc_clock_settime() As Andrew pointed out, it will make sense that the PTP core checked timespec64 struct's tv_sec and tv_nsec range before calling ptp->info->settime64(). As the man manual of clock_settime() said, if tp.tv_sec is negative or tp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL, which include dynamic clocks which handles PTP clock, and the condition is consistent with timespec64_valid(). As Thomas suggested, timespec64_valid() only check the timespec is valid, but not ensure that the time is in a valid range, so check it ahead using timespec64_valid_strict() in pc_clock_settime() and return -EINVAL if not valid. There are some drivers that use tp->tv_sec and tp->tv_nsec directly to write registers without validity checks and assume that the higher layer has checked it, which is dangerous and will benefit from this, such as hclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(), and some drivers can remove the checks of itself.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: pinctrl: ocelot: fix system hang on level based interrupts The current implementation only calls chained_irq_enter() and chained_irq_exit() if it detects pending interrupts. ``` for (i = 0; i < info->stride; i++) { uregmap_read(info->map, id_reg + 4 * i, &reg); if (!reg) continue; chained_irq_enter(parent_chip, desc); ``` However, in case of GPIO pin configured in level mode and the parent controller configured in edge mode, GPIO interrupt might be lowered by the hardware. In the result, if the interrupt is short enough, the parent interrupt is still pending while the GPIO interrupt is cleared; chained_irq_enter() never gets called and the system hangs trying to service the parent interrupt. Moving chained_irq_enter() and chained_irq_exit() outside the for loop ensures that they are called even when GPIO interrupt is lowered by the hardware. The similar code with chained_irq_enter() / chained_irq_exit() functions wrapping interrupt checking loop may be found in many other drivers: ``` grep -r -A 10 chained_irq_enter drivers/pinctrl ```

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: iio: light: veml6030: fix IIO device retrieval from embedded device The dev pointer that is received as an argument in the in_illuminance_period_available_show function references the device embedded in the IIO device, not in the i2c client. dev_to_iio_dev() must be used to accessthe right data. The current implementation leads to a segmentation fault on every attempt to read the attribute because indio_dev gets a NULL assignment. This bug has been present since the first appearance of the driver, apparently since the last version (V6) before getting applied. A constant attribute was used until then, and the last modifications might have not been tested again.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: maple_tree: correct tree corruption on spanning store Patch series "maple_tree: correct tree corruption on spanning store", v3. There has been a nasty yet subtle maple tree corruption bug that appears to have been in existence since the inception of the algorithm. This bug seems far more likely to happen since commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()"), which is the point at which reports started to be submitted concerning this bug. We were made definitely aware of the bug thanks to the kind efforts of Bert Karwatzki who helped enormously in my being able to track this down and identify the cause of it. The bug arises when an attempt is made to perform a spanning store across two leaf nodes, where the right leaf node is the rightmost child of the shared parent, AND the store completely consumes the right-mode node. This results in mas_wr_spanning_store() mitakenly duplicating the new and existing entries at the maximum pivot within the range, and thus maple tree corruption. The fix patch corrects this by detecting this scenario and disallowing the mistaken duplicate copy. The fix patch commit message goes into great detail as to how this occurs. This series also includes a test which reliably reproduces the issue, and asserts that the fix works correctly. Bert has kindly tested the fix and confirmed it resolved his issues. Also Mikhail Gavrilov kindly reported what appears to be precisely the same bug, which this fix should also resolve. This patch (of 2): There has been a subtle bug present in the maple tree implementation from its inception. This arises from how stores are performed - when a store occurs, it will overwrite overlapping ranges and adjust the tree as necessary to accommodate this. A range may always ultimately span two leaf nodes. In this instance we walk the two leaf nodes, determine which elements are not overwritten to the left and to the right of the start and end of the ranges respectively and then rebalance the tree to contain these entries and the newly inserted one. This kind of store is dubbed a 'spanning store' and is implemented by mas_wr_spanning_store(). In order to reach this stage, mas_store_gfp() invokes mas_wr_preallocate(), mas_wr_store_type() and mas_wr_walk() in turn to walk the tree and update the object (mas) to traverse to the location where the write should be performed, determining its store type. When a spanning store is required, this function returns false stopping at the parent node which contains the target range, and mas_wr_store_type() marks the mas->store_type as wr_spanning_store to denote this fact. When we go to perform the store in mas_wr_spanning_store(), we first determine the elements AFTER the END of the range we wish to store (that is, to the right of the entry to be inserted) - we do this by walking to the NEXT pivot in the tree (i.e. r_mas.last + 1), starting at the node we have just determined contains the range over which we intend to write. We then turn our attention to the entries to the left of the entry we are inserting, whose state is represented by l_mas, and copy these into a 'big node', which is a special node which contains enough slots to contain two leaf node's worth of data. We then copy the entry we wish to store immediately after this - the copy and the insertion of the new entry is performed by mas_store_b_node(). After this we copy the elements to the right of the end of the range which we are inserting, if we have not exceeded the length of the node (i.e. r_mas.offset <= r_mas.end). Herein lies the bug - under very specific circumstances, this logic can break and corrupt the maple tree. Consider the following tree: Height 0 Root Node / \ pivot = 0xffff / \ pivot = ULONG_MAX / ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Fix encoder->possible_clones Include the encoder itself in its possible_clones bitmask. In the past nothing validated that drivers were populating possible_clones correctly, but that changed in commit 74d2aacbe840 ("drm: Validate encoder->possible_clones"). Looks like radeon never got the memo and is still not following the rules 100% correctly. This results in some warnings during driver initialization: Bogus possible_clones: [ENCODER:46:TV-46] possible_clones=0x4 (full encoder mask=0x7) WARNING: CPU: 0 PID: 170 at drivers/gpu/drm/drm_mode_config.c:615 drm_mode_config_validate+0x113/0x39c ... (cherry picked from commit 3b6e7d40649c0d75572039aff9d0911864c689db)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() The step variable is initialized to zero. It is changed in the loop, but if it's not changed it will remain zero. Add a variable check before the division. The observed behavior was introduced by commit 826b5de90c0b ("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"), and it is difficult to show that any of the interval parameters will satisfy the snd_interval_test() condition with data from the amdtp_rate_table[] table. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Avoid memory corruption while setting up Level-2 PBL pages for the non MR resources when num_pages > 256K. There will be a single PDE page address (contiguous pages in the case of > PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid memory access after 256K PBL entries in the PDE.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Add a check for memory allocation __alloc_pbl() can return error when memory allocation fails. Driver is not checking the status on one of the instances.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() If get_clock_desc() succeeds, it calls fget() for the clockid's fd, and get the clk->rwsem read lock, so the error path should release the lock to make the lock balance and fput the clockid's fd to make the refcount balance and release the fd related resource. However the below commit left the error path locked behind resulting in unbalanced locking. Check timespec64_valid_strict() before get_clock_desc() to fix it, because the "ts" is not changed after that. [pabeni@redhat.com: fixed commit message typo]

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nvmet-auth: assign dh_key to NULL after kfree_sensitive ctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup() for the same controller. So it's better to nullify it after release on error path in order to avoid double free later in nvmet_destroy_auth(). Found by Linux Verification Center (linuxtesting.org) with Svace.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: fix finding a last resort AG in xfs_filestream_pick_ag When the main loop in xfs_filestream_pick_ag fails to find a suitable AG it tries to just pick the online AG. But the loop for that uses args->pag as loop iterator while the later code expects pag to be set. Fix this by reusing the max_pag case for this last resort, and also add a check for impossible case of no AG just to make sure that the uninitialized pag doesn't even escape in theory.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Syzbot reported a kernel BUG in ocfs2_truncate_inline. There are two reasons for this: first, the parameter value passed is greater than ocfs2_max_inline_data_with_xattr, second, the start and end parameters of ocfs2_truncate_inline are "unsigned int". So, we need to add a sanity check for byte_start and byte_len right before ocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater than ocfs2_max_inline_data_with_xattr return -EINVAL.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Vangogh: Fix kernel memory out of bounds write KASAN reports that the GPU metrics table allocated in vangogh_tables_init() is not large enough for the memset done in smu_cmn_init_soft_gpu_metrics(). Condensed report follows: [ 33.861314] BUG: KASAN: slab-out-of-bounds in smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu] [ 33.861799] Write of size 168 at addr ffff888129f59500 by task mangoapp/1067 ... [ 33.861808] CPU: 6 UID: 1000 PID: 1067 Comm: mangoapp Tainted: G W 6.12.0-rc4 #356 1a56f59a8b5182eeaf67eb7cb8b13594dd23b544 [ 33.861816] Tainted: [W]=WARN [ 33.861818] Hardware name: Valve Galileo/Galileo, BIOS F7G0107 12/01/2023 [ 33.861822] Call Trace: [ 33.861826] <TASK> [ 33.861829] dump_stack_lvl+0x66/0x90 [ 33.861838] print_report+0xce/0x620 [ 33.861853] kasan_report+0xda/0x110 [ 33.862794] kasan_check_range+0xfd/0x1a0 [ 33.862799] __asan_memset+0x23/0x40 [ 33.862803] smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.863306] vangogh_get_gpu_metrics_v2_4+0x123/0xad0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.864257] vangogh_common_get_gpu_metrics+0xb0c/0xbc0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.865682] amdgpu_dpm_get_gpu_metrics+0xcc/0x110 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.866160] amdgpu_get_gpu_metrics+0x154/0x2d0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.867135] dev_attr_show+0x43/0xc0 [ 33.867147] sysfs_kf_seq_show+0x1f1/0x3b0 [ 33.867155] seq_read_iter+0x3f8/0x1140 [ 33.867173] vfs_read+0x76c/0xc50 [ 33.867198] ksys_read+0xfb/0x1d0 [ 33.867214] do_syscall_64+0x90/0x160 ... [ 33.867353] Allocated by task 378 on cpu 7 at 22.794876s: [ 33.867358] kasan_save_stack+0x33/0x50 [ 33.867364] kasan_save_track+0x17/0x60 [ 33.867367] __kasan_kmalloc+0x87/0x90 [ 33.867371] vangogh_init_smc_tables+0x3f9/0x840 [amdgpu] [ 33.867835] smu_sw_init+0xa32/0x1850 [amdgpu] [ 33.868299] amdgpu_device_init+0x467b/0x8d90 [amdgpu] [ 33.868733] amdgpu_driver_load_kms+0x19/0xf0 [amdgpu] [ 33.869167] amdgpu_pci_probe+0x2d6/0xcd0 [amdgpu] [ 33.869608] local_pci_probe+0xda/0x180 [ 33.869614] pci_device_probe+0x43f/0x6b0 Empirically we can confirm that the former allocates 152 bytes for the table, while the latter memsets the 168 large block. Root cause appears that when GPU metrics tables for v2_4 parts were added it was not considered to enlarge the table to fit. The fix in this patch is rather "brute force" and perhaps later should be done in a smarter way, by extracting and consolidating the part version to size logic to a common helper, instead of brute forcing the largest possible allocation. Nevertheless, for now this works and fixes the out of bounds write. v2: * Drop impossible v3_0 case. (Mario) (cherry picked from commit 0880f58f9609f0200483a49429af0f050d281703)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-dspi: Fix crash when not using GPIO chip select Add check for the return value of spi_get_csgpiod() to avoid passing a NULL pointer to gpiod_direction_output(), preventing a crash when GPIO chip select is not used. Fix below crash: [ 4.251960] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 4.260762] Mem abort info: [ 4.263556] ESR = 0x0000000096000004 [ 4.267308] EC = 0x25: DABT (current EL), IL = 32 bits [ 4.272624] SET = 0, FnV = 0 [ 4.275681] EA = 0, S1PTW = 0 [ 4.278822] FSC = 0x04: level 0 translation fault [ 4.283704] Data abort info: [ 4.286583] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 4.292074] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 4.297130] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 4.302445] [0000000000000000] user address but active_mm is swapper [ 4.308805] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 4.315072] Modules linked in: [ 4.318124] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc4-next-20241023-00008-ga20ec42c5fc1 #359 [ 4.328130] Hardware name: LS1046A QDS Board (DT) [ 4.332832] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.339794] pc : gpiod_direction_output+0x34/0x5c [ 4.344505] lr : gpiod_direction_output+0x18/0x5c [ 4.349208] sp : ffff80008003b8f0 [ 4.352517] x29: ffff80008003b8f0 x28: 0000000000000000 x27: ffffc96bcc7e9068 [ 4.359659] x26: ffffc96bcc6e00b0 x25: ffffc96bcc598398 x24: ffff447400132810 [ 4.366800] x23: 0000000000000000 x22: 0000000011e1a300 x21: 0000000000020002 [ 4.373940] x20: 0000000000000000 x19: 0000000000000000 x18: ffffffffffffffff [ 4.381081] x17: ffff44740016e600 x16: 0000000500000003 x15: 0000000000000007 [ 4.388221] x14: 0000000000989680 x13: 0000000000020000 x12: 000000000000001e [ 4.395362] x11: 0044b82fa09b5a53 x10: 0000000000000019 x9 : 0000000000000008 [ 4.402502] x8 : 0000000000000002 x7 : 0000000000000007 x6 : 0000000000000000 [ 4.409641] x5 : 0000000000000200 x4 : 0000000002000000 x3 : 0000000000000000 [ 4.416781] x2 : 0000000000022202 x1 : 0000000000000000 x0 : 0000000000000000 [ 4.423921] Call trace: [ 4.426362] gpiod_direction_output+0x34/0x5c (P) [ 4.431067] gpiod_direction_output+0x18/0x5c (L) [ 4.435771] dspi_setup+0x220/0x334

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix error propagation of split bios The purpose of btrfs_bbio_propagate_error() shall be propagating an error of split bio to its original btrfs_bio, and tell the error to the upper layer. However, it's not working well on some cases. * Case 1. Immediate (or quick) end_bio with an error When btrfs sends btrfs_bio to mirrored devices, btrfs calls btrfs_bio_end_io() when all the mirroring bios are completed. If that btrfs_bio was split, it is from btrfs_clone_bioset and its end_io function is btrfs_orig_write_end_io. For this case, btrfs_bbio_propagate_error() accesses the orig_bbio's bio context to increase the error count. That works well in most cases. However, if the end_io is called enough fast, orig_bbio's (remaining part after split) bio context may not be properly set at that time. Since the bio context is set when the orig_bbio (the last btrfs_bio) is sent to devices, that might be too late for earlier split btrfs_bio's completion. That will result in NULL pointer dereference. That bug is easily reproducible by running btrfs/146 on zoned devices [1] and it shows the following trace. [1] You need raid-stripe-tree feature as it create "-d raid0 -m raid1" FS. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.11.0-rc7-BTRFS-ZNS+ #474 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Workqueue: writeback wb_workfn (flush-btrfs-5) RIP: 0010:btrfs_bio_end_io+0xae/0xc0 [btrfs] BTRFS error (device dm-0): bdev /dev/mapper/error-test errs: wr 2, rd 0, flush 0, corrupt 0, gen 0 RSP: 0018:ffffc9000006f248 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888005a7f080 RCX: ffffc9000006f1dc RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff888005a7f080 RBP: ffff888011dfc540 R08: 0000000000000000 R09: 0000000000000001 R10: ffffffff82e508e0 R11: 0000000000000005 R12: ffff88800ddfbe58 R13: ffff888005a7f080 R14: ffff888005a7f158 R15: ffff888005a7f158 FS: 0000000000000000(0000) GS:ffff88803ea80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000002e22006 CR4: 0000000000370ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die_body.cold+0x19/0x26 ? page_fault_oops+0x13e/0x2b0 ? _printk+0x58/0x73 ? do_user_addr_fault+0x5f/0x750 ? exc_page_fault+0x76/0x240 ? asm_exc_page_fault+0x22/0x30 ? btrfs_bio_end_io+0xae/0xc0 [btrfs] ? btrfs_log_dev_io_error+0x7f/0x90 [btrfs] btrfs_orig_write_end_io+0x51/0x90 [btrfs] dm_submit_bio+0x5c2/0xa50 [dm_mod] ? find_held_lock+0x2b/0x80 ? blk_try_enter_queue+0x90/0x1e0 __submit_bio+0xe0/0x130 ? ktime_get+0x10a/0x160 ? lockdep_hardirqs_on+0x74/0x100 submit_bio_noacct_nocheck+0x199/0x410 btrfs_submit_bio+0x7d/0x150 [btrfs] btrfs_submit_chunk+0x1a1/0x6d0 [btrfs] ? lockdep_hardirqs_on+0x74/0x100 ? __folio_start_writeback+0x10/0x2c0 btrfs_submit_bbio+0x1c/0x40 [btrfs] submit_one_bio+0x44/0x60 [btrfs] submit_extent_folio+0x13f/0x330 [btrfs] ? btrfs_set_range_writeback+0xa3/0xd0 [btrfs] extent_writepage_io+0x18b/0x360 [btrfs] extent_write_locked_range+0x17c/0x340 [btrfs] ? __pfx_end_bbio_data_write+0x10/0x10 [btrfs] run_delalloc_cow+0x71/0xd0 [btrfs] btrfs_run_delalloc_range+0x176/0x500 [btrfs] ? find_lock_delalloc_range+0x119/0x260 [btrfs] writepage_delalloc+0x2ab/0x480 [btrfs] extent_write_cache_pages+0x236/0x7d0 [btrfs] btrfs_writepages+0x72/0x130 [btrfs] do_writepages+0xd4/0x240 ? find_held_lock+0x2b/0x80 ? wbc_attach_and_unlock_inode+0x12c/0x290 ? wbc_attach_and_unlock_inode+0x12c/0x29 ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential deadlock with newly created symlinks Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers memory reclamation involving the filesystem layer, which can result in circular lock dependencies among the reader/writer semaphore nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the fs_reclaim pseudo lock. This is because after commit 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem"), the gfp flags of the page cache for symbolic links are overwritten to GFP_KERNEL via inode_nohighmem(). This is not a problem for symlinks read from the backing device, because the __GFP_FS flag is dropped after inode_nohighmem() is called. However, when a new symlink is created with nilfs_symlink(), the gfp flags remain overwritten to GFP_KERNEL. Then, memory allocation called from page_symlink() etc. triggers memory reclamation including the FS layer, which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can cause a deadlock if they are called while nilfs->ns_segctor_sem is held: Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags of newly created symlinks in the same way that nilfs_new_inode() and __nilfs_read_inode() do, as a workaround until we adopt nofs allocation scope consistently or improve the locking constraints.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix kernel bug due to missing clearing of checked flag Syzbot reported that in directory operations after nilfs2 detects filesystem corruption and degrades to read-only, __block_write_begin_int(), which is called to prepare block writes, may fail the BUG_ON check for accesses exceeding the folio/page size, triggering a kernel bug. This was found to be because the "checked" flag of a page/folio was not cleared when it was discarded by nilfs2's own routine, which causes the sanity check of directory entries to be skipped when the directory page/folio is reloaded. So, fix that. This was necessary when the use of nilfs2's own page discard routine was applied to more than just metadata files.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table() modprobe iio-test-gts and rmmod it, then the following memory leak occurs: unreferenced object 0xffffff80c810be00 (size 64): comm "kunit_try_catch", pid 1654, jiffies 4294913981 hex dump (first 32 bytes): 02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00 ........ ...@... 80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00 ................ backtrace (crc a63d875e): [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40 [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0 [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4 [<0000000071bb4b09>] 0xffffffdf052a62e0 [<000000000315bc18>] 0xffffffdf052a6488 [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000f505065d>] kthread+0x2e8/0x374 [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80cbfe9e70 (size 16): comm "kunit_try_catch", pid 1658, jiffies 4294914015 hex dump (first 16 bytes): 10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00 ....@........... backtrace (crc 857f0cb4): [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40 [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0 [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4 [<0000000071bb4b09>] 0xffffffdf052a62e0 [<000000007d089d45>] 0xffffffdf052a6864 [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000f505065d>] kthread+0x2e8/0x374 [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20 ...... It includes 5*5 times "size 64" memory leaks, which correspond to 5 times test_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int)) and gts_test_itimes size 5. It also includes 5*1 times "size 16" memory leak, which correspond to one time __test_init_iio_gain_scale() call with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes size 5. The reason is that the per_time_gains[i] is not freed which is allocated in the "gts->num_itime" for loop in iio_gts_build_avail_scale_table().

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() In the ad7124_write_raw() function, parameter val can potentially be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST() is called within ad7124_set_channel_odr(). The ad7124_write_raw() function is invoked through the sequence: iio_write_channel_raw() -> iio_write_channel_attribute() -> iio_channel_write(), with no checks in place to ensure val is non-zero.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() In the ad9832_write_frequency() function, clk_get_rate() might return 0. This can lead to a division by zero when calling ad9832_calc_freqreg(). The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect against the case when fout is 0. The ad9832_write_frequency() function is called from ad9832_write(), and fout is derived from a text buffer, which can contain any value.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlegacy: Clear stale interrupts before resuming device iwl4965 fails upon resume from hibernation on my laptop. The reason seems to be a stale interrupt which isn't being cleared out before interrupts are enabled. We end up with a race beween the resume trying to bring things back up, and the restart work (queued form the interrupt handler) trying to bring things down. Eventually the whole thing blows up. Fix the problem by clearing out any stale interrupts before interrupts get enabled during resume. Here's a debug log of the indicent: [ 12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000 [ 12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000 [ 12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio. [ 12.042653] iwl4965 0000:10:00.0: On demand firmware reload [ 12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282 [ 12.052207] ieee80211 phy0: il4965_mac_start enter [ 12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff [ 12.052244] ieee80211 phy0: il4965_set_hw_ready hardware ready [ 12.052324] ieee80211 phy0: il_apm_init Init card's basic functions [ 12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S [ 12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm [ 12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm [ 12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK [ 12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations [ 12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up [ 12.058737] ieee80211 phy0: il4965_mac_start Start UP work done. [ 12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down [ 12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout [ 12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort [ 12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver [ 12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared [ 12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state [ 12.058827] ieee80211 phy0: _il_apm_stop_master stop master [ 12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear. [ 12.058869] ieee80211 phy0: Hardware restart was requested [ 16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms. [ 16.132303] ------------[ cut here ]------------ [ 16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue. [ 16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev [ 16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143 [ 16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010 [ 16.132463] Workqueue: async async_run_entry_fn [ 16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132501] Code: da 02 00 0 ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: clear wdev->cqm_config pointer on free When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Fix memory leak in management tx In the current logic, memory is allocated for storing the MSDU context during management packet TX but this memory is not being freed during management TX completion. Similar leaks are seen in the management TX cleanup logic. Kmemleak reports this problem as below, unreferenced object 0xffffff80b64ed250 (size 16): comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s) hex dump (first 16 bytes): 00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00 .+.......t...... backtrace: [<ffffffe6e7b245dc>] __kmem_cache_alloc_node+0x1e4/0x2d8 [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110 [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core] [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core] [<ffffffe6e78d5974>] process_scheduled_works+0x1ac/0x400 [<ffffffe6e78d60b8>] worker_thread+0x208/0x328 [<ffffffe6e78dc890>] kthread+0x100/0x1c0 [<ffffffe6e78166c0>] ret_from_fork+0x10/0x20 Free the memory during completion and cleanup to fix the leak. Protect the mgmt_pending_tx idr_remove() operation in ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to other instances. Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Avoid potentially crashing in the driver because of uninitialized private data

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: phy: qcom: qmp-usb: fix NULL-deref on runtime suspend Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks. Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend. Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with this driver.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix possible deadlock in mi_read Mutex lock with another subclass used in ni_lock_dir().

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add rough attr alloc_size check

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ntfs3: Add bounds checking to mi_enum_attr() Added bounds checking to make sure that every attr don't stray beyond valid memory region.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Make rmw_lock a raw_spin_lock The following BUG was triggered: ============================= [ BUG: Invalid wait context ] 6.12.0-rc2-XXX #406 Not tainted ----------------------------- kworker/1:1/62 is trying to lock: ffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc/0x370 other info that might help us debug this: context-{5:5} 2 locks held by kworker/1:1/62: #0: ffffff897ef5ec98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2c/0x50 #1: ffffff880154e238 (&sg_policy->update_lock){....}-{2:2}, at: sugov_update_shared+0x3c/0x280 stack backtrace: CPU: 1 UID: 0 PID: 62 Comm: kworker/1:1 Not tainted 6.12.0-rc2-g9654bd3e8806 #406 Workqueue: 0x0 (events) Call trace: dump_backtrace+0xa4/0x130 show_stack+0x20/0x38 dump_stack_lvl+0x90/0xd0 dump_stack+0x18/0x28 __lock_acquire+0x480/0x1ad8 lock_acquire+0x114/0x310 _raw_spin_lock+0x50/0x70 cpc_write+0xcc/0x370 cppc_set_perf+0xa0/0x3a8 cppc_cpufreq_fast_switch+0x40/0xc0 cpufreq_driver_fast_switch+0x4c/0x218 sugov_update_shared+0x234/0x280 update_load_avg+0x6ec/0x7b8 dequeue_entities+0x108/0x830 dequeue_task_fair+0x58/0x408 __schedule+0x4f0/0x1070 schedule+0x54/0x130 worker_thread+0xc0/0x2e8 kthread+0x130/0x148 ret_from_fork+0x10/0x20 sugov_update_shared() locks a raw_spinlock while cpc_write() locks a spinlock. To have a correct wait-type order, update rmw_lock to a raw spinlock and ensure that interrupts will be disabled on the CPU holding it. [ rjw: Changelog edits ]

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fsdax: dax_unshare_iter needs to copy entire blocks The code that copies data from srcmap to iomap in dax_unshare_iter is very very broken, which bfoster's recent fsx changes have exposed. If the pos and len passed to dax_file_unshare are not aligned to an fsblock boundary, the iter pos and length in the _iter function will reflect this unalignment. dax_iomap_direct_access always returns a pointer to the start of the kmapped fsdax page, even if its pos argument is in the middle of that page. This is catastrophic for data integrity when iter->pos is not aligned to a page, because daddr/saddr do not point to the same byte in the file as iter->pos. Hence we corrupt user data by copying it to the wrong place. If iter->pos + iomap_length() in the _iter function not aligned to a page, then we fail to copy a full block, and only partially populate the destination block. This is catastrophic for data confidentiality because we expose stale pmem contents. Fix both of these issues by aligning copy_pos/copy_len to a page boundary (remember, this is fsdax so 1 fsblock == 1 base page) so that we always copy full blocks. We're not done yet -- there's no call to invalidate_inode_pages2_range, so programs that have the file range mmap'd will continue accessing the old memory mapping after the file metadata updates have completed. Be careful with the return value -- if the unshare succeeds, we still need to return the number of bytes that the iomap iter thinks we're operating on.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address The device stores IPv6 addresses that are used for encapsulation in linear memory that is managed by the driver. Changing the remote address of an ip6gre net device never worked properly, but since cited commit the following reproducer [1] would result in a warning [2] and a memory leak [3]. The problem is that the new remote address is never added by the driver to its hash table (and therefore the device) and the old address is never removed from it. Fix by programming the new address when the configuration of the ip6gre net device changes and removing the old one. If the address did not change, then the above would result in increasing the reference count of the address and then decreasing it. [1] # ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit # ip link set dev bla type ip6gre remote 2001:db8:3::1 # ip link del dev bla # devlink dev reload pci/0000:01:00.0 [2] WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0 Modules linked in: CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151 Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023 RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0 [...] Call Trace: <TASK> mlxsw_sp_router_netdevice_event+0x55f/0x1240 notifier_call_chain+0x5a/0xd0 call_netdevice_notifiers_info+0x39/0x90 unregister_netdevice_many_notify+0x63e/0x9d0 rtnl_dellink+0x16b/0x3a0 rtnetlink_rcv_msg+0x142/0x3f0 netlink_rcv_skb+0x50/0x100 netlink_unicast+0x242/0x390 netlink_sendmsg+0x1de/0x420 ____sys_sendmsg+0x2bd/0x320 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x9e/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f [3] unreferenced object 0xffff898081f597a0 (size 32): comm "ip", pid 1626, jiffies 4294719324 hex dump (first 32 bytes): 20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01 ............... 21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00 !Ia............. backtrace (crc fd9be911): [<00000000df89c55d>] __kmalloc_cache_noprof+0x1da/0x260 [<00000000ff2a1ddb>] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340 [<000000009ddd445d>] mlxsw_sp_router_netdevice_event+0x47b/0x1240 [<00000000743e7757>] notifier_call_chain+0x5a/0xd0 [<000000007c7b9e13>] call_netdevice_notifiers_info+0x39/0x90 [<000000002509645d>] register_netdevice+0x5f7/0x7a0 [<00000000c2e7d2a9>] ip6gre_newlink_common.isra.0+0x65/0x130 [<0000000087cd6d8d>] ip6gre_newlink+0x72/0x120 [<000000004df7c7cc>] rtnl_newlink+0x471/0xa20 [<0000000057ed632a>] rtnetlink_rcv_msg+0x142/0x3f0 [<0000000032e0d5b5>] netlink_rcv_skb+0x50/0x100 [<00000000908bca63>] netlink_unicast+0x242/0x390 [<00000000cdbe1c87>] netlink_sendmsg+0x1de/0x420 [<0000000011db153e>] ____sys_sendmsg+0x2bd/0x320 [<000000003b6d53eb>] ___sys_sendmsg+0x9a/0xe0 [<00000000cae27c62>] __sys_sendmsg+0x7a/0xd0

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes. __hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes status = skb->data[0]. KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci7 hci_power_on RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138 Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78 RSP: 0018:ffff888120bafac8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040 RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4 RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054 R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000 FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline] hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline] hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline] hci_init_sync net/bluetooth/hci_sync.c:4742 [inline] hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline] hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994 hci_dev_do_open net/bluetooth/hci_core.c:483 [inline] hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015 process_one_work kernel/workqueue.c:3267 [inline] process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348 worker_thread+0x91f/0xe50 kernel/workqueue.c:3429 kthread+0x2cb/0x360 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: Fix use-after-free in get_info() ip6table_nat module unload has refcnt warning for UAF. call trace is: WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80 Modules linked in: ip6table_nat(-) CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:module_put+0x6f/0x80 Call Trace: <TASK> get_info+0x128/0x180 do_ip6t_get_ctl+0x6a/0x430 nf_getsockopt+0x46/0x80 ipv6_getsockopt+0xb9/0x100 rawv6_getsockopt+0x42/0x190 do_sock_getsockopt+0xaa/0x180 __sys_getsockopt+0x70/0xc0 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0xa2/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Concurrent execution of module unload and get_info() trigered the warning. The root cause is as follows: cpu0 cpu1 module_exit //mod->state = MODULE_STATE_GOING ip6table_nat_exit xt_unregister_template kfree(t) //removed from templ_list getinfo() t = xt_find_table_lock list_for_each_entry(tmpl, &xt_templates[af]...) if (strcmp(tmpl->name, name)) continue; //table not found try_module_get list_for_each_entry(t, &xt_net->tables[af]...) return t; //not get refcnt module_put(t->me) //uaf unregister_pernet_subsys //remove table from xt_net list While xt_table module was going away and has been removed from xt_templates list, we couldnt get refcnt of xt_table->me. Check module in xt_net->tables list re-traversal to fix it.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: macsec: Fix use-after-free while sending the offloading packet KASAN reports the following UAF. The metadata_dst, which is used to store the SCI value for macsec offload, is already freed by metadata_dst_free() in macsec_free_netdev(), while driver still use it for sending the packet. To fix this issue, dst_release() is used instead to release metadata_dst. So it is not freed instantly in macsec_free_netdev() if still referenced by skb. BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714 [...] Workqueue: mld mld_ifc_work Call Trace: <TASK> dump_stack_lvl+0x51/0x60 print_report+0xc1/0x600 kasan_report+0xab/0xe0 mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] dev_hard_start_xmit+0x120/0x530 sch_direct_xmit+0x149/0x11e0 __qdisc_run+0x3ad/0x1730 __dev_queue_xmit+0x1196/0x2ed0 vlan_dev_hard_start_xmit+0x32e/0x510 [8021q] dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 macsec_start_xmit+0x13e9/0x2340 dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 ip6_finish_output2+0x923/0x1a70 ip6_finish_output+0x2d7/0x970 ip6_output+0x1ce/0x3a0 NF_HOOK.constprop.0+0x15f/0x190 mld_sendpack+0x59a/0xbd0 mld_ifc_work+0x48a/0xa80 process_one_work+0x5aa/0xe50 worker_thread+0x79c/0x1290 kthread+0x28f/0x350 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20 </TASK> Allocated by task 3922: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x77/0x90 __kmalloc_noprof+0x188/0x400 metadata_dst_alloc+0x1f/0x4e0 macsec_newlink+0x914/0x1410 __rtnl_newlink+0xe08/0x15b0 rtnl_newlink+0x5f/0x90 rtnetlink_rcv_msg+0x667/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 4011: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 poison_slab_object+0x10c/0x190 __kasan_slab_free+0x11/0x30 kfree+0xe0/0x290 macsec_free_netdev+0x3f/0x140 netdev_run_todo+0x450/0xc70 rtnetlink_rcv_msg+0x66f/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove(): [ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12 [ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry [ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004 [...] [ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 [...] [ 57.331328] Call Trace: [ 57.331477] <TASK> [...] [ 57.333511] ? do_user_addr_fault+0x3e5/0x740 [ 57.333778] ? exc_page_fault+0x70/0x170 [ 57.334016] ? asm_exc_page_fault+0x2b/0x30 [ 57.334263] ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10 [ 57.334596] ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 [ 57.334913] ocfs2_xa_remove_entry+0x23/0xc0 [ 57.335164] ocfs2_xa_set+0x704/0xcf0 [ 57.335381] ? _raw_spin_unlock+0x1a/0x40 [ 57.335620] ? ocfs2_inode_cache_unlock+0x16/0x20 [ 57.335915] ? trace_preempt_on+0x1e/0x70 [ 57.336153] ? start_this_handle+0x16c/0x500 [ 57.336410] ? preempt_count_sub+0x50/0x80 [ 57.336656] ? _raw_read_unlock+0x20/0x40 [ 57.336906] ? start_this_handle+0x16c/0x500 [ 57.337162] ocfs2_xattr_block_set+0xa6/0x1e0 [ 57.337424] __ocfs2_xattr_set_handle+0x1fd/0x5d0 [ 57.337706] ? ocfs2_start_trans+0x13d/0x290 [ 57.337971] ocfs2_xattr_set+0xb13/0xfb0 [ 57.338207] ? dput+0x46/0x1c0 [ 57.338393] ocfs2_xattr_trusted_set+0x28/0x30 [ 57.338665] ? ocfs2_xattr_trusted_set+0x28/0x30 [ 57.338948] __vfs_removexattr+0x92/0xc0 [ 57.339182] __vfs_removexattr_locked+0xd5/0x190 [ 57.339456] ? preempt_count_sub+0x50/0x80 [ 57.339705] vfs_removexattr+0x5f/0x100 [...] Reproducer uses faultinject facility to fail ocfs2_xa_remove() -> ocfs2_xa_value_truncate() with -ENOMEM. In this case the comment mentions that we can return 0 if ocfs2_xa_cleanup_value_truncate() is going to wipe the entry anyway. But the following 'rc' check is wrong and execution flow do 'ocfs2_xa_remove_entry(loc);' twice: * 1st: in ocfs2_xa_cleanup_value_truncate(); * 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'. Fix this by skipping the 2nd removal of the same entry and making syzkaller repro happy.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_edgeport: fix use after free in debug printk The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() The "*cmd" variable can be controlled by the user via debugfs. That means "new_cam" can be as high as 255 while the size of the uc->updated[] array is UCSI_MAX_ALTMODES (30). The call tree is: ucsi_cmd() // val comes from simple_attr_write_xsigned() -> ucsi_send_command() -> ucsi_send_command_common() -> ucsi_run_command() // calls ucsi->ops->sync_control() -> ucsi_ccg_sync_control()

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: musb: sunxi: Fix accessing an released usb phy Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on exit") will cause that usb phy @glue->xceiv is accessed after released. 1) register platform driver @sunxi_musb_driver // get the usb phy @glue->xceiv sunxi_musb_probe() -> devm_usb_get_phy(). 2) register and unregister platform driver @musb_driver musb_probe() -> sunxi_musb_init() use the phy here //the phy is released here musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy() 3) register @musb_driver again musb_probe() -> sunxi_musb_init() use the phy here but the phy has been released at 2). ... Fixed by reverting the commit, namely, removing devm_usb_put_phy() from sunxi_musb_exit().

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: signal: restore the override_rlimit logic Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of signals. However now it's enforced unconditionally, even if override_rlimit is set. This behavior change caused production issues. For example, if the limit is reached and a process receives a SIGSEGV signal, sigqueue_alloc fails to allocate the necessary resources for the signal delivery, preventing the signal from being delivered with siginfo. This prevents the process from correctly identifying the fault address and handling the error. From the user-space perspective, applications are unaware that the limit has been reached and that the siginfo is effectively 'corrupted'. This can lead to unpredictable behavior and crashes, as we observed with java applications. Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip the comparison to max there if override_rlimit is set. This effectively restores the old behavior.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: reinitialize delayed ref list after deleting it from the list At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively. If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref(). This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise. So fix this by deleting from the list with list_del_init() instead.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: idpf: avoid vport access in idpf_get_link_ksettings When the device control plane is removed or the platform running device control plane is rebooted, a reset is detected on the driver. On driver reset, it releases the resources and waits for the reset to complete. If the reset fails, it takes the error path and releases the vport lock. At this time if the monitoring tools tries to access link settings, it call traces for accessing released vport pointer. To avoid it, move link_speed_mbps to netdev_priv structure which removes the dependency on vport pointer and the vport lock in idpf_get_link_ksettings. Also use netif_carrier_ok() to check the link status and adjust the offsetof to use link_up instead of link_speed_mbps.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64/sve: Discard stale CPU state when handling SVE traps The logic for handling SVE traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SVE traps enabled). This has been observed to result in warnings from do_sve_acc() where SVE traps are not expected while TIF_SVE is set: | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ Warnings of this form have been reported intermittently, e.g. https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/ https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/ The race can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU, e.g. | void do_sve_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ | | sve_init_regs() { | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | ... | } else { | fpsimd_to_sve(current); | current->thread.fp_type = FP_STATE_SVE; | } | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SVE traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: vertexcom: mse102x: Fix possible double free of TX skb The scope of the TX skb is wider than just mse102x_tx_frame_spi(), so in case the TX skb room needs to be expanded, we should free the the temporary skb instead of the original skb. Otherwise the original TX skb pointer would be freed again in mse102x_tx_work(), which leads to crashes: Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23 Hardware name: chargebyte Charge SOM DC-ONE (DT) Workqueue: events mse102x_tx_work [mse102x] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_release_data+0xb8/0x1d8 lr : skb_release_data+0x1ac/0x1d8 sp : ffff8000819a3cc0 x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0 x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50 x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000 x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8 x8 : fffffc00001bc008 x7 : 0000000000000000 x6 : 0000000000000008 x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009 x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000 Call trace: skb_release_data+0xb8/0x1d8 kfree_skb_reason+0x48/0xb0 mse102x_tx_work+0x164/0x35c [mse102x] process_one_work+0x138/0x260 worker_thread+0x32c/0x438 kthread+0x118/0x11c ret_from_fork+0x10/0x20 Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: dm cache: fix out-of-bounds access to the dirty bitset when resizing dm-cache checks the dirty bits of the cache blocks to be dropped when shrinking the fast device, but an index bug in bitset iteration causes out-of-bounds access. Reproduce steps: 1. create a cache device of 1024 cache blocks (128 bytes dirty bitset) dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. shrink the fast device to 512 cache blocks, triggering out-of-bounds access to the dirty bitset (offset 0x80) dmsetup suspend cache dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192" dmsetup resume cdata dmsetup resume cache KASAN reports: BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0 Read of size 8 at addr ffffc900000f3080 by task dmsetup/131 (...snip...) The buggy address belongs to the virtual mapping at [ffffc900000f3000, ffffc900000f5000) created by: cache_ctr+0x176a/0x35f0 (...snip...) Memory state around the buggy address: ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 Fix by making the index post-incremented.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() Avoid a possible buffer overflow if size is larger than 4K. (cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: media: v4l2-tpg: prevent the risk of a division by zero As reported by Coverity, the logic at tpg_precalculate_line() blindly rescales the buffer even when scaled_witdh is equal to zero. If this ever happens, this will cause a division by zero. Instead, add a WARN_ON_ONCE() to trigger such cases and return without doing any precalculation.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: media: av7110: fix a spectre vulnerability As warned by smatch: drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) There is a spectre-related vulnerability at the code. Fix it.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: media: cx24116: prevent overflows on SNR calculus as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers. Prevent that.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not null. So the release of the dma channel leads to the following issue: [ 4.879000] st,stm32-spdifrx 500d0000.audio-controller: dma_request_slave_channel error -19 [ 4.888975] Unable to handle kernel NULL pointer dereference at virtual address 000000000000003d [...] [ 5.096577] Call trace: [ 5.099099] dma_release_channel+0x24/0x100 [ 5.103235] stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx] [ 5.109494] stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx] To avoid this issue, release channel only if the pointer is valid.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: arc: fix the device for dma_map_single/dma_unmap_single The ndev->dev and pdev->dev aren't the same device, use ndev->dev.parent which has dma_mask, ndev->dev.parent is just pdev->dev. Or it would cause the following issue: [ 39.933526] ------------[ cut here ]------------ [ 39.938414] WARNING: CPU: 1 PID: 501 at kernel/dma/mapping.c:149 dma_map_page_attrs+0x90/0x1f8

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when uninstalling driver When the driver is uninstalled and the VF is disabled concurrently, a kernel crash occurs. The reason is that the two actions call function pci_disable_sriov(). The num_VFs is checked to determine whether to release the corresponding resources. During the second calling, num_VFs is not 0 and the resource release function is called. However, the corresponding resource has been released during the first invoking. Therefore, the problem occurs: [15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ... [15278.131557][T50670] Call trace: [15278.134686][T50670] klist_put+0x28/0x12c [15278.138682][T50670] klist_del+0x14/0x20 [15278.142592][T50670] device_del+0xbc/0x3c0 [15278.146676][T50670] pci_remove_bus_device+0x84/0x120 [15278.151714][T50670] pci_stop_and_remove_bus_device+0x6c/0x80 [15278.157447][T50670] pci_iov_remove_virtfn+0xb4/0x12c [15278.162485][T50670] sriov_disable+0x50/0x11c [15278.166829][T50670] pci_disable_sriov+0x24/0x30 [15278.171433][T50670] hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3] [15278.178039][T50670] hclge_exit+0x28/0xd0 [hclge] [15278.182730][T50670] __se_sys_delete_module.isra.0+0x164/0x230 [15278.188550][T50670] __arm64_sys_delete_module+0x1c/0x30 [15278.193848][T50670] invoke_syscall+0x50/0x11c [15278.198278][T50670] el0_svc_common.constprop.0+0x158/0x164 [15278.203837][T50670] do_el0_svc+0x34/0xcc [15278.207834][T50670] el0_svc+0x20/0x30 For details, see the following figure. rmmod hclge disable VFs ---------------------------------------------------- hclge_exit() sriov_numvfs_store() ... device_lock() pci_disable_sriov() hns3_pci_sriov_configure() pci_disable_sriov() sriov_disable() sriov_disable() if !num_VFs : if !num_VFs : return; return; sriov_del_vfs() sriov_del_vfs() ... ... klist_put() klist_put() ... ... num_VFs = 0; num_VFs = 0; device_unlock(); In this patch, when driver is removing, we get the device_lock() to protect num_VFs, just like sriov_numvfs_store().

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net: enetc: allocate vf_state during PF probes In the previous implementation, vf_state is allocated memory only when VF is enabled. However, net_device_ops::ndo_set_vf_mac() may be called before VF is enabled to configure the MAC address of VF. If this is the case, enetc_pf_set_vf_mac() will access vf_state, resulting in access to a null pointer. The simplified error log is as follows. root@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89 [ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 [ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy [ 173.641973] lr : do_setlink+0x4a8/0xec8 [ 173.732292] Call trace: [ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80 [ 173.738847] __rtnl_newlink+0x530/0x89c [ 173.742692] rtnl_newlink+0x50/0x7c [ 173.746189] rtnetlink_rcv_msg+0x128/0x390 [ 173.750298] netlink_rcv_skb+0x60/0x130 [ 173.754145] rtnetlink_rcv+0x18/0x24 [ 173.757731] netlink_unicast+0x318/0x380 [ 173.761665] netlink_sendmsg+0x17c/0x3c8

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: security/keys: fix slab-out-of-bounds in key_task_permission KASAN reports an out of bounds read: BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 security/keys/permission.c:54 Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0x107/0x167 lib/dump_stack.c:123 print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 __kuid_val include/linux/uidgid.h:36 [inline] uid_eq include/linux/uidgid.h:63 [inline] key_task_permission+0x394/0x410 security/keys/permission.c:54 search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 This issue was also reported by syzbot. It can be reproduced by following these steps(more details [1]): 1. Obtain more than 32 inputs that have similar hashes, which ends with the pattern '0xxxxxxxe6'. 2. Reboot and add the keys obtained in step 1. The reproducer demonstrates how this issue happened: 1. In the search_nested_keyrings function, when it iterates through the slots in a node(below tag ascend_to_node), if the slot pointer is meta and node->back_pointer != NULL(it means a root), it will proceed to descend_to_node. However, there is an exception. If node is the root, and one of the slots points to a shortcut, it will be treated as a keyring. 2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function. However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as ASSOC_ARRAY_PTR_SUBTYPE_MASK. 3. When 32 keys with the similar hashes are added to the tree, the ROOT has keys with hashes that are not similar (e.g. slot 0) and it splits NODE A without using a shortcut. When NODE A is filled with keys that all hashes are xxe6, the keys are similar, NODE A will split with a shortcut. Finally, it forms the tree as shown below, where slot 6 points to a shortcut. NODE A +------>+---+ ROOT | | 0 | xxe6 +---+ | +---+ xxxx | 0 | shortcut : : xxe6 +---+ | +---+ xxe6 : : | | | xxe6 +---+ | +---+ | 6 |---+ : : xxe6 +---+ +---+ xxe6 : : | f | xxe6 +---+ +---+ xxe6 | f | +---+ 4. As mentioned above, If a slot(slot 6) of the root points to a shortcut, it may be mistakenly transferred to a key*, leading to a read out-of-bounds read. To fix this issue, one should jump to descend_to_node if the ptr is a shortcut, regardless of whether the node is root or not. [1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/ [jarkko: tweaked the commit message a bit to have an appropriate closes tag.]

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported acpi_evaluate_object() may return AE_NOT_FOUND (failure), which would result in dereferencing buffer.pointer (obj) while being NULL. Although this case may be unrealistic for the current code, it is still better to protect against possible bugs. Bail out also when status is AE_NOT_FOUND. This fixes 1 FORWARD_NULL issue reported by Coverity Report: CID 1600951: Null pointer dereferences (FORWARD_NULL) (cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table() If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop of iio_gts_build_avail_scale_table(), the err_free_out will fail to call kfree() each time when i is reduced to 0, so all the per_time_scales[0] and per_time_gains[0] will not be freed, which will cause memory leaks. Fix it by checking if i >= 0.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/thp: fix deferred split unqueue naming and locking Recent changes are putting more pressure on THP deferred split queues: under load revealing long-standing races, causing list_del corruptions, "Bad page state"s and worse (I keep BUGs in both of those, so usually don't get to see how badly they end up without). The relevant recent changes being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin, improved swap allocation, and underused THP splitting. Before fixing locking: rename misleading folio_undo_large_rmappable(), which does not undo large_rmappable, to folio_unqueue_deferred_split(), which is what it does. But that and its out-of-line __callee are mm internals of very limited usability: add comment and WARN_ON_ONCEs to check usage; and return a bool to say if a deferred split was unqueued, which can then be used in WARN_ON_ONCEs around safety checks (sparing callers the arcane conditionals in __folio_unqueue_deferred_split()). Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all of whose callers now call it beforehand (and if any forget then bad_page() will tell) - except for its caller put_pages_list(), which itself no longer has any callers (and will be deleted separately). Swapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0 without checking and unqueueing a THP folio from deferred split list; which is unfortunate, since the split_queue_lock depends on the memcg (when memcg is enabled); so swapout has been unqueueing such THPs later, when freeing the folio, using the pgdat's lock instead: potentially corrupting the memcg's list. __remove_mapping() has frozen refcount to 0 here, so no problem with calling folio_unqueue_deferred_split() before resetting memcg_data. That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware"): which included a check on swapcache before adding to deferred queue, but no check on deferred queue before adding THP to swapcache. That worked fine with the usual sequence of events in reclaim (though there were a couple of rare ways in which a THP on deferred queue could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split underused THPs") avoids splitting underused THPs in reclaim, which makes swapcache THPs on deferred queue commonplace. Keep the check on swapcache before adding to deferred queue? Yes: it is no longer essential, but preserves the existing behaviour, and is likely to be a worthwhile optimization (vmstat showed much more traffic on the queue under swapping load if the check was removed); update its comment. Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing folio->memcg_data without checking and unqueueing a THP folio from the deferred list, sometimes corrupting "from" memcg's list, like swapout. Refcount is non-zero here, so folio_unqueue_deferred_split() can only be used in a WARN_ON_ONCE to validate the fix, which must be done earlier: mem_cgroup_move_charge_pte_range() first try to split the THP (splitting of course unqueues), or skip it if that fails. Not ideal, but moving charge has been requested, and khugepaged should repair the THP later: nobody wants new custom unqueueing code just for this deprecated case. The 87eaceb3faa5 commit did have the code to move from one deferred list to another (but was not conscious of its unsafety while refcount non-0); but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don't need care deferred split queue in memcg charge move path"), which argued that the existence of a PMD mapping guarantees that the THP cannot be on a deferred list. As above, false in rare cases, and now commonly false. Backport to 6.11 should be straightforward. Earlier backports must take care that other _deferred_list fixes and dependencies are included. There is not a strong case for backports, but they can fix cornercases.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: media: ar0521: don't overflow when checking PLL values The PLL checks are comparing 64 bit integers with 32 bit ones, as reported by Coverity. Depending on the values of the variables, this may underflow. Fix it ensuring that both sides of the expression are u64.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: virtio_net: Add hash_key_length check Add hash_key_length check in virtnet_probe() to avoid possible out of bound errors when setting/reading the hash key.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: tpm: Lock TPM chip in tpm_pm_suspend() first Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy according, as this leaves window for tpm_hwrng_read() to be called while the operation is in progress. The recent bug report gives also evidence of this behaviour. Aadress this by locking the TPM chip before checking any chip->flags both in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED check inside tpm_get_random() so that it will be always checked only when the lock is reserved.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: i40e: fix race condition by adding filter's intermediate sync state Fix a race condition in the i40e driver that leads to MAC/VLAN filters becoming corrupted and leaking. Address the issue that occurs under heavy load when multiple threads are concurrently modifying MAC/VLAN filters by setting mac and port VLAN. 1. Thread T0 allocates a filter in i40e_add_filter() within i40e_ndo_set_vf_port_vlan(). 2. Thread T1 concurrently frees the filter in __i40e_del_filter() within i40e_ndo_set_vf_mac(). 3. Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which refers to the already freed filter memory, causing corruption. Reproduction steps: 1. Spawn multiple VFs. 2. Apply a concurrent heavy load by running parallel operations to change MAC addresses on the VFs and change port VLANs on the host. 3. Observe errors in dmesg: "Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX, please set promiscuous on manually for VF XX". Exact code for stable reproduction Intel can't open-source now. The fix involves implementing a new intermediate filter state, I40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list. These filters cannot be deleted from the hash list directly but must be removed using the full process.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme-multipath: defer partition scanning We need to suppress the partition scan from occuring within the controller's scan_work context. If a path error occurs here, the IO will wait until a path becomes available or all paths are torn down, but that action also occurs within scan_work, so it would deadlock. Defer the partion scan to a different context that does not block scan_work.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Add sendpage_ok() check to disable MSG_SPLICE_PAGES While running ISER over SIW, the initiator machine encounters a warning from skb_splice_from_iter() indicating that a slab page is being used in send_page. To address this, it is better to add a sendpage_ok() check within the driver itself, and if it returns 0, then MSG_SPLICE_PAGES flag should be disabled before entering the network stack. A similar issue has been discussed for NVMe in this thread: https://lore.kernel.org/all/20240530142417.146696-1-ofir.gal@volumez.com/ WARNING: CPU: 0 PID: 5342 at net/core/skbuff.c:7140 skb_splice_from_iter+0x173/0x320 Call Trace: tcp_sendmsg_locked+0x368/0xe40 siw_tx_hdt+0x695/0xa40 [siw] siw_qp_sq_process+0x102/0xb00 [siw] siw_sq_resume+0x39/0x110 [siw] siw_run_sq+0x74/0x160 [siw] kthread+0xd2/0x100 ret_from_fork+0x34/0x40 ret_from_fork_asm+0x1a/0x30

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free of network namespace. Recently, we got a customer report that CIFS triggers oops while reconnecting to a server. [0] The workload runs on Kubernetes, and some pods mount CIFS servers in non-root network namespaces. The problem rarely happened, but it was always while the pod was dying. The root cause is wrong reference counting for network namespace. CIFS uses kernel sockets, which do not hold refcnt of the netns that the socket belongs to. That means CIFS must ensure the socket is always freed before its netns; otherwise, use-after-free happens. The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFS We can reproduce the issue quickly with the script [1] below and see the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled. When the socket is TCP, it is hard to guarantee the netns lifetime without holding refcnt due to async timers. Let's hold netns refcnt for each socket as done for SMC in commit 9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler()."). Note that we need to move put_net() from cifs_put_tcp_session() to clean_demultiplex_info(); otherwise, __sock_create() still could touch a freed netns while cifsd tries to reconnect from cifs_demultiplex_thread(). Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns. [0]: CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting... CIFS: Serverclose failed 4 times, giving up Unable to handle kernel paging request at virtual address 14de99e461f84a07 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 [14de99e461f84a07] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1 Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : fib_rules_lookup+0x44/0x238 lr : __fib_lookup+0x64/0xbc sp : ffff8000265db790 x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01 x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580 x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500 x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002 x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294 x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0 x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500 Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: mm: resolve faulty mmap_region() error path behaviour The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here: 1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths. 2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite. 3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this. With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme: tcp: avoid race between queue_lock lock and destroy Commit 76d54bf20cdc ("nvme-tcp: don't access released socket during error recovery") added a mutex_lock() call for the queue->queue_lock in nvme_tcp_get_address(). However, the mutex_lock() races with mutex_destroy() in nvme_tcp_free_queue(), and causes the WARN below. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 34077 at kernel/locking/mutex.c:587 __mutex_lock+0xcf0/0x1220 Modules linked in: nvmet_tcp nvmet nvme_tcp nvme_fabrics iw_cm ib_cm ib_core pktcdvd nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables qrtr sunrpc ppdev 9pnet_virtio 9pnet pcspkr netfs parport_pc parport e1000 i2c_piix4 i2c_smbus loop fuse nfnetlink zram bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper xfs drm sym53c8xx floppy nvme scsi_transport_spi nvme_core nvme_auth serio_raw ata_generic pata_acpi dm_multipath qemu_fw_cfg [last unloaded: ib_uverbs] CPU: 3 UID: 0 PID: 34077 Comm: udisksd Not tainted 6.11.0-rc7 #319 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:__mutex_lock+0xcf0/0x1220 Code: 08 84 d2 0f 85 c8 04 00 00 8b 15 ef b6 c8 01 85 d2 0f 85 78 f4 ff ff 48 c7 c6 20 93 ee af 48 c7 c7 60 91 ee af e8 f0 a7 6d fd <0f> 0b e9 5e f4 ff ff 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 RSP: 0018:ffff88811305f760 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88812c652058 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: ffff88811305f8b0 R08: 0000000000000001 R09: ffffed1075c36341 R10: ffff8883ae1b1a0b R11: 0000000000010498 R12: 0000000000000000 R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88812c652058 FS: 00007f9713ae4980(0000) GS:ffff8883ae180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fcd78483c7c CR3: 0000000122c38000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn.cold+0x5b/0x1af ? __mutex_lock+0xcf0/0x1220 ? report_bug+0x1ec/0x390 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? __mutex_lock+0xcf0/0x1220 ? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp] ? __pfx___mutex_lock+0x10/0x10 ? __lock_acquire+0xd6a/0x59e0 ? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp] nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp] ? __pfx_nvme_tcp_get_address+0x10/0x10 [nvme_tcp] nvme_sysfs_show_address+0x81/0xc0 [nvme_core] dev_attr_show+0x42/0x80 ? __asan_memset+0x1f/0x40 sysfs_kf_seq_show+0x1f0/0x370 seq_read_iter+0x2cb/0x1130 ? rw_verify_area+0x3b1/0x590 ? __mutex_lock+0x433/0x1220 vfs_read+0x6a6/0xa20 ? lockdep_hardirqs_on+0x78/0x100 ? __pfx_vfs_read+0x10/0x10 ksys_read+0xf7/0x1d0 ? __pfx_ksys_read+0x10/0x10 ? __x64_sys_openat+0x105/0x1d0 do_syscall_64+0x93/0x180 ? lockdep_hardirqs_on_prepare+0x16d/0x400 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on+0x78/0x100 ? do_syscall_64+0x9f/0x180 ? __pfx_ksys_read+0x10/0x10 ? lockdep_hardirqs_on_prepare+0x16d/0x400 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on+0x78/0x100 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on_prepare+0x16d/0x400 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on+0x78/0x100 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on_prepare+0x16d/0x400 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on+0x78/0x100 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on_prepare+0x16d/0x400 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on+0x78/0x100 ? do_syscall_64+0x9f/0x180 ? do_syscall_64+0x9f/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f9713f55cfa Code: 55 48 89 e5 48 83 ec 20 48 89 55 e8 48 89 75 f0 89 7d f8 e8 e8 74 f8 ff 48 8b 55 e8 48 8b 75 f0 4 ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: fs: Fix uninitialized value issue in from_kuid and from_kgid ocfs2_setattr() uses attr->ia_mode, attr->ia_uid and attr->ia_gid in a trace point even though ATTR_MODE, ATTR_UID and ATTR_GID aren't set. Initialize all fields of newattrs to avoid uninitialized variables, by checking if ATTR_MODE, ATTR_UID, ATTR_GID are initialized, otherwise 0.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ima: fix buffer overrun in ima_eventdigest_init_common Function ima_eventdigest_init() calls ima_eventdigest_init_common() with HASH_ALGO__LAST which is then used to access the array hash_digest_size[] leading to buffer overrun. Have a conditional statement to handle this.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust VSDB parser for replay feature At some point, the IEEE ID identification for the replay check in the AMD EDID was added. However, this check causes the following out-of-bounds issues when using KASAN: [ 27.804016] BUG: KASAN: slab-out-of-bounds in amdgpu_dm_update_freesync_caps+0xefa/0x17a0 [amdgpu] [ 27.804788] Read of size 1 at addr ffff8881647fdb00 by task systemd-udevd/383 ... [ 27.821207] Memory state around the buggy address: [ 27.821215] ffff8881647fda00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.821224] ffff8881647fda80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.821234] >ffff8881647fdb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.821243] ^ [ 27.821250] ffff8881647fdb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.821259] ffff8881647fdc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.821268] ================================================================== This is caused because the ID extraction happens outside of the range of the edid lenght. This commit addresses this issue by considering the amd_vsdb_block size. (cherry picked from commit b7e381b1ccd5e778e3d9c44c669ad38439a861d8)

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: vp_vdpa: fix id_table array not null terminated error Allocate one extra virtio_device_id as null terminator, otherwise vdpa_mgmtdev_get_classes() may iterate multiple times and visit undefined memory.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: ocfs2: uncache inode which has failed entering the group Syzbot has reported the following BUG: kernel BUG at fs/ocfs2/uptodate.c:509! ... Call Trace: <TASK> ? __die_body+0x5f/0xb0 ? die+0x9e/0xc0 ? do_trap+0x15a/0x3a0 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? do_error_trap+0x1dc/0x2c0 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? __pfx_do_error_trap+0x10/0x10 ? handle_invalid_op+0x34/0x40 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? exc_invalid_op+0x38/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? ocfs2_set_new_buffer_uptodate+0x2e/0x160 ? ocfs2_set_new_buffer_uptodate+0x144/0x160 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ocfs2_group_add+0x39f/0x15a0 ? __pfx_ocfs2_group_add+0x10/0x10 ? __pfx_lock_acquire+0x10/0x10 ? mnt_get_write_access+0x68/0x2b0 ? __pfx_lock_release+0x10/0x10 ? rcu_read_lock_any_held+0xb7/0x160 ? __pfx_rcu_read_lock_any_held+0x10/0x10 ? smack_log+0x123/0x540 ? mnt_get_write_access+0x68/0x2b0 ? mnt_get_write_access+0x68/0x2b0 ? mnt_get_write_access+0x226/0x2b0 ocfs2_ioctl+0x65e/0x7d0 ? __pfx_ocfs2_ioctl+0x10/0x10 ? smack_file_ioctl+0x29e/0x3a0 ? __pfx_smack_file_ioctl+0x10/0x10 ? lockdep_hardirqs_on_prepare+0x43d/0x780 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 ? __pfx_ocfs2_ioctl+0x10/0x10 __se_sys_ioctl+0xfb/0x170 do_syscall_64+0xf3/0x230 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> When 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular inode in 'ocfs2_verify_group_and_input()', corresponding buffer head remains cached and subsequent call to the same 'ioctl()' for the same inode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying to cache the same buffer head of that inode). Fix this by uncaching the buffer head with 'ocfs2_remove_from_cache()' on error path in 'ocfs2_group_add()'.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot. These instructions aren't intended to be advertised on Zen4 client so clear the capability.

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fs, lock FTE when checking if active The referenced commits introduced a two-step process for deleting FTEs: - Lock the FTE, delete it from hardware, set the hardware deletion function to NULL and unlock the FTE. - Lock the parent flow group, delete the software copy of the FTE, and remove it from the xarray. However, this approach encounters a race condition if a rule with the same match value is added simultaneously. In this scenario, fs_core may set the hardware deletion function to NULL prematurely, causing a panic during subsequent rule deletions. To prevent this, ensure the active flag of the FTE is checked under a lock, which will prevent the fs_core layer from attaching a new steering rule to an FTE that is in the process of deletion. [ 438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func [ 438.968205] ------------[ cut here ]------------ [ 438.968654] refcount_t: decrement hit 0; leaking memory. [ 438.969249] WARNING: CPU: 0 PID: 8957 at lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110 [ 438.970054] Modules linked in: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [last unloaded: cls_flower] [ 438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc Not tainted 6.12.0-rc1+ #8 [ 438.973888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110 [ 438.975363] Code: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff <0f> 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 [ 438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286 [ 438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000 [ 438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0 [ 438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0 [ 438.979353] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888119d56de0 [ 438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0 [ 438.980607] FS: 00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 [ 438.983984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0 [ 438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 438.986507] Call Trace: [ 438.986799] <TASK> [ 438.987070] ? __warn+0x7d/0x110 [ 438.987426] ? refcount_warn_saturate+0xfb/0x110 [ 438.987877] ? report_bug+0x17d/0x190 [ 438.988261] ? prb_read_valid+0x17/0x20 [ 438.988659] ? handle_bug+0x53/0x90 [ 438.989054] ? exc_invalid_op+0x14/0x70 [ 438.989458] ? asm_exc_invalid_op+0x16/0x20 [ 438.989883] ? refcount_warn_saturate+0xfb/0x110 [ 438.990348] mlx5_del_flow_rules+0x2f7/0x340 [mlx5_core] [ 438.990932] __mlx5_eswitch_del_rule+0x49/0x170 [mlx5_core] [ 438.991519] ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core] [ 438.992054] ? xas_load+0x9/0xb0 [ 438.992407] mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core] [ 438.993037] mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core] [ 438.993623] mlx5e_flow_put+0x29/0x60 [mlx5_core] [ 438.994161] mlx5e_delete_flower+0x261/0x390 [mlx5_core] [ 438.994728] tc_setup_cb_destroy+0xb9/0x190 [ 438.995150] fl_hw_destroy_filter+0x94/0xc0 [cls_flower] [ 438.995650] fl_change+0x11a4/0x13c0 [cls_flower] [ 438.996105] tc_new_tfilter+0x347/0xbc0 [ 438.996503] ? __ ---truncated---

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: kTLS, Fix incorrect page refcounting The kTLS tx handling code is using a mix of get_page() and page_ref_inc() APIs to increment the page reference. But on the release path (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used. This is an issue when using pages from large folios: the get_page() references are stored on the folio page while the page_ref_inc() references are stored directly in the given page. On release the folio page will be dereferenced too many times. This was found while doing kTLS testing with sendfile() + ZC when the served file was read from NFS on a kernel with NFS large folios support (commit 49b29a573da8 ("nfs: add support for large folios")).

Затронутые продукты
Image SLES15-SP6-Azure-Basic:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-Azure-Standard:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC-Azure:kernel-azure-6.4.0-150600.8.20.1
Image SLES15-SP6-HPC:kernel-azure-6.4.0-150600.8.20.1
Ссылки
Уязвимость SUSE-SU-2024:4316-1