{"schema_version":"1.7.2","id":"OESA-2024-1535","modified":"2024-05-10T11:07:54Z","published":"2024-05-10T11:07:54Z","upstream":["CVE-2021-47084","CVE-2021-47085","CVE-2021-47090","CVE-2021-47100","CVE-2021-47121","CVE-2021-47149","CVE-2021-47183","CVE-2021-47194","CVE-2021-47210","CVE-2023-52619","CVE-2024-24860","CVE-2024-26633","CVE-2024-26644","CVE-2024-26751","CVE-2024-26764","CVE-2024-26772","CVE-2024-26773","CVE-2024-26777","CVE-2024-26778","CVE-2024-26810","CVE-2024-26884","CVE-2024-26898","CVE-2024-27437"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2021-47084)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2021-47085)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()\r\n\r\nHulk Robot reported a panic in put_page_testzero() when testing\nmadvise() with MADV_SOFT_OFFLINE.  The BUG() is triggered when retrying\nget_any_page().  This is because we keep MF_COUNT_INCREASED flag in\nsecond try but the refcnt is not increased.\r\n\r\n    page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)\n    ------------[ cut here ]------------\n    kernel BUG at include/linux/mm.h:737!\n    invalid opcode: 0000 [#1] PREEMPT SMP\n    CPU: 5 PID: 2135 Comm: sshd Tainted: G    B             5.16.0-rc6-dirty #373\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n    RIP: release_pages+0x53f/0x840\n    Call Trace:\n      free_pages_and_swap_cache+0x64/0x80\n      tlb_flush_mmu+0x6f/0x220\n      unmap_page_range+0xe6c/0x12c0\n      unmap_single_vma+0x90/0x170\n      unmap_vmas+0xc4/0x180\n      exit_mmap+0xde/0x3a0\n      mmput+0xa3/0x250\n      do_exit+0x564/0x1470\n      do_group_exit+0x3b/0x100\n      __do_sys_exit_group+0x13/0x20\n      __x64_sys_exit_group+0x16/0x20\n      do_syscall_64+0x34/0x80\n      entry_SYSCALL_64_after_hwframe+0x44/0xae\n    Modules linked in:\n    ---[ end trace e99579b570fe0649 ]---\n    RIP: 0010:release_pages+0x53f/0x840(CVE-2021-47090)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module\r\n\r\nHi,\r\n\r\nWhen testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,\nthe system crashed.\r\n\r\nThe log as follows:\n[  141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a\n[  141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0\n[  141.087464] Oops: 0010 [#1] SMP NOPTI\n[  141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47\n[  141.088009] Workqueue: events 0xffffffffc09b3a40\n[  141.088009] RIP: 0010:0xffffffffc09b3a5a\n[  141.088009] Code: Bad RIP value.\n[  141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246\n[  141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000\n[  141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\n[  141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1\n[  141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700\n[  141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8\n[  141.088009] FS:  0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000\n[  141.088009] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0\n[  141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  141.088009] PKRU: 55555554\n[  141.088009] Call Trace:\n[  141.088009]  ? process_one_work+0x195/0x390\n[  141.088009]  ? worker_thread+0x30/0x390\n[  141.088009]  ? process_one_work+0x390/0x390\n[  141.088009]  ? kthread+0x10d/0x130\n[  141.088009]  ? kthread_flush_work_fn+0x10/0x10\n[  141.088009]  ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a\n[  200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0\n[  200.223464] Oops: 0010 [#1] SMP NOPTI\n[  200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46\n[  200.224008] Workqueue: events 0xffffffffc0b28a40\n[  200.224008] RIP: 0010:0xffffffffc0b28a5a\n[  200.224008] Code: Bad RIP value.\n[  200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246\n[  200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000\n[  200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\n[  200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5\n[  200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700\n[  200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8\n[  200.224008] FS:  0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000\n[  200.224008] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0\n[  200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  200.224008] PKRU: 55555554\n[  200.224008] Call Trace:\n[  200.224008]  ? process_one_work+0x195/0x390\n[  200.224008]  ? worker_thread+0x30/0x390\n[  200.224008]  ? process_one_work+0x390/0x390\n[  200.224008]  ? kthread+0x10d/0x130\n[  200.224008]  ? kthread_flush_work_fn+0x10/0x10\n[  200.224008]  ? ret_from_fork+0x35/0x40\n[  200.224008] kernel fault(0x1) notification starting on CPU 63\n[  200.224008] kernel fault(0x1) notification finished on CPU 63\n[  200.224008] CR2: ffffffffc0b28a5a\n[  200.224008] ---[ end trace c82a412d93f57412 ]---\r\n\r\nThe reason is as follows:\nT1: rmmod ipmi_si.\n    -\u0026gt;ipmi_unregister_smi()\n        -\u0026gt; ipmi_bmc_unregister()\n            -\u0026gt; __ipmi_bmc_unregister()\n                -\u0026gt; kref_put(\u0026amp;bmc-\u0026gt;usecount, cleanup_bmc_device);\n                    -\u0026gt; schedule_work(\u0026amp;bmc-\u0026gt;remove_work);\r\n\r\nT2: rmmod ipmi_msghandl\n---truncated---(CVE-2021-47100)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: caif: fix memory leak in cfusbl_device_notify\r\n\r\nIn case of caif_enroll_dev() fail, allocated\nlink_support won\u0026apos;t be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error.(CVE-2021-47121)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fujitsu: fix potential null-ptr-deref\r\n\r\nIn fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer\nderef. To fix this, check the return value of ioremap and return -1\nto the caller in case of failure.(CVE-2021-47149)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix link down processing to address NULL pointer dereference\r\n\r\nIf an FC link down transition while PLOGIs are outstanding to fabric well\nknown addresses, outstanding ABTS requests may result in a NULL pointer\ndereference. Driver unload requests may hang with repeated \u0026quot;2878\u0026quot; log\nmessages.\r\n\r\nThe Link down processing results in ABTS requests for outstanding ELS\nrequests. The Abort WQEs are sent for the ELSs before the driver had set\nthe link state to down. Thus the driver is sending the Abort with the\nexpectation that an ABTS will be sent on the wire. The Abort request is\nstalled waiting for the link to come up. In some conditions the driver may\nauto-complete the ELSs thus if the link does come up, the Abort completions\nmay reference an invalid structure.\r\n\r\nFix by ensuring that Abort set the flag to avoid link traffic if issued due\nto conditions where the link failed.(CVE-2021-47183)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncfg80211: call cfg80211_stop_ap when switch from P2P_GO type\r\n\r\nIf the userspace tools switch from NL80211_IFTYPE_P2P_GO to\nNL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it\ndoes not call the cleanup cfg80211_stop_ap(), this leads to the\ninitialization of in-use data. For example, this path re-init the\nsdata-\u0026gt;assigned_chanctx_list while it is still an element of\nassigned_vifs list, and makes that linked list corrupt.(CVE-2021-47194)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: typec: tipd: Remove WARN_ON in tps6598x_block_read\r\n\r\nCalling tps6598x_block_read with a higher than allowed len can be\nhandled by just returning an error. There\u0026apos;s no need to crash systems\nwith panic-on-warn enabled.(CVE-2021-47210)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/ram: Fix crash when setting number of cpus to an odd number\r\n\r\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n    addr of zone0 = BASE\n    addr of zone1 = BASE + zone_size\n    addr of zone2 = BASE + zone_size*2\n    ...\nThe address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\r\n\r\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug.(CVE-2023-52619)\r\n\r\nA race condition was found in the Linux kernel\u0026apos;s bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\r\n\r\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\r\n\r\nReading frag_off can only be done if we pulled enough bytes\nto skb-\u0026gt;head. Currently we might access garbage.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---(CVE-2024-26633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don\u0026apos;t abort filesystem when attempting to snapshot deleted subvolume\r\n\r\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\r\n\r\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   \u0026lt;TASK\u0026gt;\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   \u0026lt;/TASK\u0026gt;\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\r\n\r\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\r\n\r\nFix it by checking the source root\u0026apos;s refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.(CVE-2024-26644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: ep93xx: Add terminator to gpiod_lookup_table\r\n\r\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.(CVE-2024-26751)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\r\n\r\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\r\n\r\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\r\n\r\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.(CVE-2024-26764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\r\n\r\nPlaces the logic for checking if the group\u0026apos;s block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.(CVE-2024-26772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\r\n\r\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\r\n\r\next4_mb_regular_allocator\n  ext4_lock_group(sb, group)\n  ext4_mb_good_group\n   // check if the group bbitmap is corrupted\n  ext4_mb_complex_scan_group\n   // Scan group gets ac_b_ex but doesn\u0026apos;t use it\n  ext4_unlock_group(sb, group)\n                           ext4_mark_group_bitmap_corrupted(group)\n                           // The block bitmap was corrupted during\n                           // the group unlock gap.\n  ext4_mb_try_best_found\n    ext4_lock_group(ac-\u0026gt;ac_sb, group)\n    ext4_mb_use_best_found\n      mb_mark_used\n      // Allocating blocks in block bitmap corrupted group(CVE-2024-26773)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: sis: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn\u0026apos;t check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nIn sisfb_check_var(), var-\u0026gt;pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: savage: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn\u0026apos;t check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo-\u0026gt;var.pixclock is used as the divisor.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Lock external INTx masking ops\r\n\r\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\r\n\r\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\r\n\r\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows.(CVE-2024-26810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix hashtab overflow check on 32-bit arches\r\n\r\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.(CVE-2024-26884)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\r\n\r\nThis patch is against CVE-2023-6270. The description of cve is:\r\n\r\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\r\n\r\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()-\u0026gt;dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\r\n\r\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().(CVE-2024-26898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\r\n\r\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\r\n\r\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.(CVE-2024-27437)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2405.1.0.0248.oe1"}]}],"ecosystem_specific":{"aarch64":["python3-perf-debuginfo-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","kernel-devel-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","bpftool-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","perf-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","kernel-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","python2-perf-debuginfo-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","kernel-debugsource-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","python3-perf-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","kernel-source-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","bpftool-debuginfo-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","python2-perf-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","kernel-debuginfo-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","kernel-tools-devel-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","kernel-tools-4.19.90-2405.1.0.0248.oe1.aarch64.rpm","perf-debuginfo-4.19.90-2405.1.0.0248.oe1.aarch64.rpm"],"src":["kernel-4.19.90-2405.1.0.0248.oe1.src.rpm"],"x86_64":["kernel-devel-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","kernel-tools-devel-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","bpftool-debuginfo-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","perf-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","bpftool-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","kernel-debuginfo-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","python2-perf-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","kernel-tools-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","python3-perf-debuginfo-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","python3-perf-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","kernel-source-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","perf-debuginfo-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","kernel-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","python2-perf-debuginfo-4.19.90-2405.1.0.0248.oe1.x86_64.rpm","kernel-debugsource-4.19.90-2405.1.0.0248.oe1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1535"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47084"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47085"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47090"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47100"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47121"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47149"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47183"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47194"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47210"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52619"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24860"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26633"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26644"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26751"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26764"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26772"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26773"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26777"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26778"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26810"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26884"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26898"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27437"}],"database_specific":{"severity":"High"}}