{"schema_version":"1.7.2","id":"OESA-2024-1568","modified":"2024-05-11T11:07:58Z","published":"2024-05-11T11:07:58Z","upstream":["CVE-2021-47182","CVE-2021-47201","CVE-2021-47203","CVE-2021-47211","CVE-2021-47216","CVE-2021-47217","CVE-2023-52477","CVE-2023-52609","CVE-2024-26635","CVE-2024-26636","CVE-2024-26640","CVE-2024-26641"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix scsi_mode_sense() buffer length handling\r\n\r\nSeveral problems exist with scsi_mode_sense() buffer length handling:\r\n\r\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\r\n\r\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev-\u0026gt;use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\r\n\r\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\r\n\r\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev-\u0026gt;use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\r\n\r\nWhile at it, also fix the folowing:\r\n\r\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\r\n\r\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was.(CVE-2021-47182)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niavf: free q_vectors before queues in iavf_disable_vf\r\n\r\niavf_free_queues() clears adapter-\u0026gt;num_active_queues, which\niavf_free_q_vectors() relies on, so swap the order of these two function\ncalls in iavf_disable_vf(). This resolves a panic encountered when the\ninterface is disabled and then later brought up again after PF\ncommunication is restored.(CVE-2021-47201)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()\r\n\r\nWhen parsing the txq list in lpfc_drain_txq(), the driver attempts to pass\nthe requests to the adapter. If such an attempt fails, a local \u0026quot;fail_msg\u0026quot;\nstring is set and a log message output.  The job is then added to a\ncompletions list for cancellation.\r\n\r\nProcessing of any further jobs from the txq list continues, but since\n\u0026quot;fail_msg\u0026quot; remains set, jobs are added to the completions list regardless\nof whether a wqe was passed to the adapter.  If successfully added to\ntxcmplq, jobs are added to both lists resulting in list corruption.\r\n\r\nFix by clearing the fail_msg string after adding a job to the completions\nlist. This stops the subsequent jobs from being added to the completions\nlist unless they had an appropriate failure.(CVE-2021-47203)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\r\n\r\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.(CVE-2021-47211)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: advansys: Fix kernel pointer leak\r\n\r\nPointers should be printed with %p or %px rather than cast to \u0026apos;unsigned\nlong\u0026apos; and printed with %lx.\r\n\r\nChange %lx to %p to print the hashed pointer.(CVE-2021-47216)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails\r\n\r\nCheck for a valid hv_vp_index array prior to derefencing hv_vp_index when\nsetting Hyper-V\u0026apos;s TSC change callback.  If Hyper-V setup failed in\nhyperv_init(), the kernel will still report that it\u0026apos;s running under\nHyper-V, but will have silently disabled nearly all functionality.\r\n\r\n  BUG: kernel NULL pointer dereference, address: 0000000000000010\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:set_hv_tscchange_cb+0x15/0xa0\n  Code: \u0026lt;8b\u0026gt; 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08\n  ...\n  Call Trace:\n   kvm_arch_init+0x17c/0x280\n   kvm_init+0x31/0x330\n   vmx_init+0xba/0x13a\n   do_one_initcall+0x41/0x1c0\n   kernel_init_freeable+0x1f2/0x23b\n   kernel_init+0x16/0x120\n   ret_from_fork+0x22/0x30(CVE-2021-47217)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: hub: Guard against accesses to uninitialized BOS descriptors\r\n\r\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev-\u0026gt;bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev-\u0026gt;bos will be NULL and those accesses will result in a\ncrash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 \u0026lt;HASH:1f9e 1\u0026gt;\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 \u0026lt;48\u0026gt; 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\r\n\r\nFall back to a default behavior if the BOS descriptor isn\u0026apos;t accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.(CVE-2023-52477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix race between mmput() and do_exit()\r\n\r\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\r\n\r\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\r\n\r\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it\u0026apos;s dead).\r\n\r\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\r\n\r\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm-\u0026gt;async_put_work WQ instead of Task A.(CVE-2023-52609)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: Drop support for ETH_P_TR_802_2.\r\n\r\nsyzbot reported an uninit-value bug below. [0]\r\n\r\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\r\n\r\n  write$tun(r0, \u0026amp;(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, \u0026apos;)\u0026apos;, \u0026quot;90e5dd\u0026quot;}}}}, 0x16)\r\n\r\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\r\n\r\nHowever, the initialisation is done only when skb-\u0026gt;protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\r\n\r\nThe missing initialisation existed prior to commit 211ed865108e\n(\u0026quot;net: delete all instances of special processing for token ring\u0026quot;).\r\n\r\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\r\n\r\nLet\u0026apos;s remove llc_tr_packet_type and complete the deprecation.\r\n\r\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\r\n\r\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023(CVE-2024-26635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: make llc_ui_sendmsg() more robust against bonding changes\r\n\r\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\r\n\r\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\r\n\r\nThis fix:\r\n\r\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\r\n\r\n[1]\r\n\r\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\r\n\r\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n  skb_panic net/core/skbuff.c:189 [inline]\n  skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n  skb_push+0xf0/0x108 net/core/skbuff.c:2451\n  eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3188 [inline]\n  llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n  llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n  llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n  llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_sendmsg+0x194/0x274 net/socket.c:767\n  splice_to_socket+0x7cc/0xd58 fs/splice.c:881\n  do_splice_from fs/splice.c:933 [inline]\n  direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n  splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n  do_splice_direct+0x20c/0x348 fs/splice.c:1194\n  do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n  __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n  __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n  el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)(CVE-2024-26636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: add sanity checks to rx zerocopy\r\n\r\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\r\n\r\nThis patch adds to can_map_frag() these additional checks:\r\n\r\n- Page must not be a compound one.\n- page-\u0026gt;mapping must be NULL.\r\n\r\nThis fixes the panic reported by ZhangPeng.\r\n\r\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\r\n\r\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(\u0026amp;(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, \u0026amp;(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, \u0026amp;(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, \u0026amp;(0x7f00000000c0)=\u0026apos;./file0\\x00\u0026apos;,\n    0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n    \u0026amp;(0x7f00000001c0)={\u0026amp;(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n    0x0, 0x0, 0x0, 0x0}, \u0026amp;(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, \u0026amp;(0x7f00000000c0)=\u0026apos;./file0\\x00\u0026apos;,\n    0x181e42, 0x0)(CVE-2024-26640)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\r\n\r\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\r\n\r\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb-\u0026gt;head.\r\n\r\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:461 [inline]\n  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n  netif_receive_skb_internal net/core/dev.c:5732 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n  slab_alloc_node mm/slub.c:3478 [inline]\n  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1286 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n  tun_alloc_skb drivers/net/tun.c:1531 [inline]\n  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023(CVE-2024-26641)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2405.1.0.0275.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["python2-perf-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","kernel-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","bpftool-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","perf-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2405.1.0.0275.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2405.1.0.0275.oe2003sp4.src.rpm"],"x86_64":["kernel-tools-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","bpftool-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","perf-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm","kernel-4.19.90-2405.1.0.0275.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1568"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47182"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47201"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47203"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47211"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47216"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47217"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52477"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52609"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26635"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26636"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26640"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26641"}],"database_specific":{"severity":"Medium"}}