{"schema_version":"1.7.2","id":"OESA-2024-1736","modified":"2024-06-21T11:08:18Z","published":"2024-06-21T11:08:18Z","upstream":["CVE-2021-47229","CVE-2021-47234","CVE-2021-47249","CVE-2021-47257","CVE-2021-47267","CVE-2021-47281","CVE-2021-47301","CVE-2021-47310","CVE-2021-47321","CVE-2021-47334","CVE-2021-47344","CVE-2021-47354","CVE-2021-47372","CVE-2021-47425","CVE-2021-47440","CVE-2021-47456","CVE-2021-47468","CVE-2021-47474","CVE-2021-47482","CVE-2021-47483","CVE-2021-47485","CVE-2021-47496","CVE-2021-47509","CVE-2021-47516","CVE-2021-47571","CVE-2022-48693","CVE-2023-52708","CVE-2023-52742","CVE-2023-52747","CVE-2023-52764","CVE-2023-52810","CVE-2023-52836","CVE-2023-52843","CVE-2023-52875","CVE-2023-52880","CVE-2024-27014","CVE-2024-27019","CVE-2024-27402","CVE-2024-35819","CVE-2024-35821","CVE-2024-35828","CVE-2024-35910","CVE-2024-35935","CVE-2024-35937","CVE-2024-35947","CVE-2024-35982","CVE-2024-36016","CVE-2024-36886","CVE-2024-36901","CVE-2024-36905","CVE-2024-36919","CVE-2024-36934","CVE-2024-36952","CVE-2024-36960"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI: aardvark: Fix kernel panic during PIO transfer\r\n\r\nTrying to start a new PIO transfer by writing value 0 in PIO_START register\nwhen previous transfer has not yet completed (which is indicated by value 1\nin PIO_START) causes an External Abort on CPU, which results in kernel\npanic:\r\n\r\n    SError Interrupt on CPU0, code 0xbf000002 -- SError\n    Kernel panic - not syncing: Asynchronous SError Interrupt\r\n\r\nTo prevent kernel panic, it is required to reject a new PIO transfer when\nprevious one has not finished yet.\r\n\r\nIf previous PIO transfer is not finished yet, the kernel may issue a new\nPIO request only if the previous PIO transfer timed out.\r\n\r\nIn the past the root cause of this issue was incorrectly identified (as it\noften happens during link retraining or after link down event) and special\nhack was implemented in Trusted Firmware to catch all SError events in EL3,\nto ignore errors with code 0xbf000002 and not forwarding any other errors\nto kernel and instead throw panic from EL3 Trusted Firmware handler.\r\n\r\nLinks to discussion and patches about this issue:\nhttps://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50\nhttps://lore.kernel.org/linux-pci/20190316161243.29517-1-repk@triplefau.lt/\nhttps://lore.kernel.org/linux-pci/971be151d24312cc533989a64bd454b4@www.loen.fr/\nhttps://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1541\r\n\r\nBut the real cause was the fact that during link retraining or after link\ndown event the PIO transfer may take longer time, up to the 1.44s until it\ntimes out. This increased probability that a new PIO transfer would be\nissued by kernel while previous one has not finished yet.\r\n\r\nAfter applying this change into the kernel, it is possible to revert the\nmentioned TF-A hack and SError events do not have to be caught in TF-A EL3.(CVE-2021-47229)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init()\r\n\r\nUse clk_disable_unprepare() in the error path of mtk_phy_init() to fix\nsome resource leaks.(CVE-2021-47234)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: rds: fix memory leak in rds_recvmsg\r\n\r\nSyzbot reported memory leak in rds. The problem\nwas in unputted refcount in case of error.\r\n\r\nint rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,\n\t\tint msg_flags)\n{\n...\r\n\r\n\tif (!rds_next_incoming(rs, \u0026amp;inc)) {\n\t\t...\n\t}\r\n\r\nAfter this \u0026quot;if\u0026quot; inc refcount incremented and\r\n\r\n\tif (rds_cmsg_recv(inc, msg, rs)) {\n\t\tret = -EFAULT;\n\t\tgoto out;\n\t}\n...\nout:\n\treturn ret;\n}\r\n\r\nin case of rds_cmsg_recv() fail the refcount won\u0026apos;t be\ndecremented. And it\u0026apos;s easy to see from ftrace log, that\nrds_inc_addref() don\u0026apos;t have rds_inc_put() pair in\nrds_recvmsg() after rds_cmsg_recv()\r\n\r\n 1)               |  rds_recvmsg() {\n 1)   3.721 us    |    rds_inc_addref();\n 1)   3.853 us    |    rds_message_inc_copy_to_user();\n 1) + 10.395 us   |    rds_cmsg_recv();\n 1) + 34.260 us   |  }(CVE-2021-47249)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ieee802154: fix null deref in parse dev addr\r\n\r\nFix a logic error that could result in a null deref if the user sets\nthe mode incorrectly for the given addr type.(CVE-2021-47257)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: fix various gadget panics on 10gbps cabling\r\n\r\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\n  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\n  high-speed (USB2.0 - 480Mbps),\n  super-speed (USB3.0 - 5Gbps),\n  super-speed-plus (USB3.1 - 10Gbps).\r\n\r\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\r\n\r\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn\u0026apos;t happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there\u0026apos;s no real reason to\nartificially limit it)\r\n\r\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn\u0026apos;t provided.\r\n\r\nObviously this won\u0026apos;t fix the problem if the 5gbps descriptor is also\nNULL, but such cases can\u0026apos;t be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way).(CVE-2021-47267)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: seq: Fix race of snd_seq_timer_open()\r\n\r\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses.  It looks as if it\u0026apos;s\nchecking the already existing timer instance at the beginning, but\nit\u0026apos;s not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily.  This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\r\n\r\nFor avoiding the race, add a proper check at the assignment of\ntmr-\u0026gt;timeri again, and return -EBUSY if it\u0026apos;s been already registered.(CVE-2021-47281)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nigb: Fix use-after-free error during reset\r\n\r\nCleans the next descriptor to watch (next_to_watch) when cleaning the\nTX ring.\r\n\r\nFailure to do so can cause invalid memory accesses. If igb_poll() runs\nwhile the controller is reset this can lead to the driver try to free\na skb that was already freed.\r\n\r\n(The crash is harder to reproduce with the igb driver, but the same\npotential problem exists as the code is identical to igc)(CVE-2021-47301)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ti: fix UAF in tlan_remove_one\r\n\r\npriv is netdev private data and it cannot be\nused after free_netdev() call. Using priv after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.(CVE-2021-47310)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: Fix possible use-after-free by calling del_timer_sync()\r\n\r\nThis driver\u0026apos;s remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver\u0026apos;s remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47321)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmisc/libmasm/module: Fix two use after free in ibmasm_init_one\r\n\r\nIn ibmasm_init_one, it calls ibmasm_init_remote_input_dev().\nInside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are\nallocated by input_allocate_device(), and assigned to\nsp-\u0026gt;remote.mouse_dev and sp-\u0026gt;remote.keybd_dev respectively.\r\n\r\nIn the err_free_devices error branch of ibmasm_init_one,\nmouse_dev and keybd_dev are freed by input_free_device(), and return\nerror. Then the execution runs into error_send_message error branch\nof ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called\nto unregister the freed sp-\u0026gt;remote.mouse_dev and sp-\u0026gt;remote.keybd_dev.\r\n\r\nMy patch add a \u0026quot;error_init_remote\u0026quot; label to handle the error of\nibmasm_init_remote_input_dev(), to avoid the uaf bugs.(CVE-2021-47334)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: zr364xx: fix memory leak in zr364xx_start_readpipe\r\n\r\nsyzbot reported memory leak in zr364xx driver.\nThe problem was in non-freed urb in case of\nusb_submit_urb() fail.\r\n\r\nbacktrace:\n  [\u0026lt;ffffffff82baedf6\u0026gt;] kmalloc include/linux/slab.h:561 [inline]\n  [\u0026lt;ffffffff82baedf6\u0026gt;] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74\n  [\u0026lt;ffffffff82f7cce8\u0026gt;] zr364xx_start_readpipe+0x78/0x130 drivers/media/usb/zr364xx/zr364xx.c:1022\n  [\u0026lt;ffffffff84251dfc\u0026gt;] zr364xx_board_init drivers/media/usb/zr364xx/zr364xx.c:1383 [inline]\n  [\u0026lt;ffffffff84251dfc\u0026gt;] zr364xx_probe+0x6a3/0x851 drivers/media/usb/zr364xx/zr364xx.c:1516\n  [\u0026lt;ffffffff82bb6507\u0026gt;] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n  [\u0026lt;ffffffff826018a9\u0026gt;] really_probe+0x159/0x500 drivers/base/dd.c:576(CVE-2021-47344)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/sched: Avoid data corruptions\r\n\r\nWait for all dependencies of a job  to complete before\nkilling it to avoid data corruptions.(CVE-2021-47354)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: macb: fix use after free on rmmod\r\n\r\nplat_dev-\u0026gt;dev-\u0026gt;platform_data is released by platform_device_unregister(),\nuse of pclk and hclk is a use-after-free. Since device unregister won\u0026apos;t\nneed a clk device we adjust the function call sequence to fix this issue.\r\n\r\n[   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]\n[   31.275563] Freed by task 306:\n[   30.276782]  platform_device_release+0x25/0x80(CVE-2021-47372)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: acpi: fix resource leak in reconfiguration device addition\r\n\r\nacpi_i2c_find_adapter_by_handle() calls bus_find_device() which takes a\nreference on the adapter which is never released which will result in a\nreference count leak and render the adapter unremovable.  Make sure to\nput the adapter after creating the client in the same manner that we do\nfor OF.\r\n\r\n[wsa: fixed title](CVE-2021-47425)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: encx24j600: check error in devm_regmap_init_encx24j600\r\n\r\ndevm_regmap_init may return error which caused by like out of memory,\nthis will results in null pointer dereference later when reading\nor writing register:\r\n\r\ngeneral protection fault in encx24j600_spi_probe\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 286 Comm: spi-encx24j600- Not tainted 5.15.0-rc2-00142-g9978db750e31-dirty #11 9c53a778c1306b1b02359f3c2bbedc0222cba652\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:regcache_cache_bypass drivers/base/regmap/regcache.c:540\nCode: 54 41 89 f4 55 53 48 89 fb 48 83 ec 08 e8 26 94 a8 fe 48 8d bb a0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u0026lt;80\u0026gt; 3c 02 00 0f 85 4a 03 00 00 4c 8d ab b0 00 00 00 48 8b ab a0 00\nRSP: 0018:ffffc900010476b8 EFLAGS: 00010207\nRAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: 0000000000000000\nRDX: 0000000000000012 RSI: ffff888002de0000 RDI: 0000000000000094\nRBP: ffff888013c9a000 R08: 0000000000000000 R09: fffffbfff3f9cc6a\nR10: ffffc900010476e8 R11: fffffbfff3f9cc69 R12: 0000000000000001\nR13: 000000000000000a R14: ffff888013c9af54 R15: ffff888013c9ad08\nFS:  00007ffa984ab580(0000) GS:ffff88801fe00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055a6384136c8 CR3: 000000003bbe6003 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n encx24j600_spi_probe drivers/net/ethernet/microchip/encx24j600.c:459\n spi_probe drivers/spi/spi.c:397\n really_probe drivers/base/dd.c:517\n __driver_probe_device drivers/base/dd.c:751\n driver_probe_device drivers/base/dd.c:782\n __device_attach_driver drivers/base/dd.c:899\n bus_for_each_drv drivers/base/bus.c:427\n __device_attach drivers/base/dd.c:971\n bus_probe_device drivers/base/bus.c:487\n device_add drivers/base/core.c:3364\n __spi_add_device drivers/spi/spi.c:599\n spi_add_device drivers/spi/spi.c:641\n spi_new_device drivers/spi/spi.c:717\n new_device_store+0x18c/0x1f1 [spi_stub 4e02719357f1ff33f5a43d00630982840568e85e]\n dev_attr_store drivers/base/core.c:2074\n sysfs_kf_write fs/sysfs/file.c:139\n kernfs_fop_write_iter fs/kernfs/file.c:300\n new_sync_write fs/read_write.c:508 (discriminator 4)\n vfs_write fs/read_write.c:594\n ksys_write fs/read_write.c:648\n do_syscall_64 arch/x86/entry/common.c:50\n entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:113\r\n\r\nAdd error check in devm_regmap_init_encx24j600 to avoid this situation.(CVE-2021-47440)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: peak_pci: peak_pci_remove(): fix UAF\r\n\r\nWhen remove the module peek_pci, referencing \u0026apos;chan\u0026apos; again after\nreleasing \u0026apos;dev\u0026apos; will cause UAF.\r\n\r\nFix this by releasing \u0026apos;dev\u0026apos; later.\r\n\r\nThe following log reveals it:\r\n\r\n[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537\n[   35.965513 ] Call Trace:\n[   35.965718 ]  dump_stack_lvl+0xa8/0xd1\n[   35.966028 ]  print_address_description+0x87/0x3b0\n[   35.966420 ]  kasan_report+0x172/0x1c0\n[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170\n[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20\n[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.968752 ]  pci_device_remove+0xa9/0x250(CVE-2021-47456)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nisdn: mISDN: Fix sleeping function called from invalid context\r\n\r\nThe driver can call card-\u0026gt;isac.release() function from an atomic\ncontext.\r\n\r\nFix this by calling this function after releasing the lock.\r\n\r\nThe following log reveals it:\r\n\r\n[   44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018\n[   44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe\n[   44.169574 ] INFO: lockdep is turned off.\n[   44.169899 ] irq event stamp: 0\n[   44.170160 ] hardirqs last  enabled at (0): [\u0026lt;0000000000000000\u0026gt;] 0x0\n[   44.170627 ] hardirqs last disabled at (0): [\u0026lt;ffffffff814209ed\u0026gt;] copy_process+0x132d/0x3e00\n[   44.171240 ] softirqs last  enabled at (0): [\u0026lt;ffffffff81420a1a\u0026gt;] copy_process+0x135a/0x3e00\n[   44.171852 ] softirqs last disabled at (0): [\u0026lt;0000000000000000\u0026gt;] 0x0\n[   44.172318 ] Preemption disabled at:\n[   44.172320 ] [\u0026lt;ffffffffa009b0a9\u0026gt;] nj_release+0x69/0x500 [netjet]\n[   44.174441 ] Call Trace:\n[   44.174630 ]  dump_stack_lvl+0xa8/0xd1\n[   44.174912 ]  dump_stack+0x15/0x17\n[   44.175166 ]  ___might_sleep+0x3a2/0x510\n[   44.175459 ]  ? nj_release+0x69/0x500 [netjet]\n[   44.175791 ]  __might_sleep+0x82/0xe0\n[   44.176063 ]  ? start_flush_work+0x20/0x7b0\n[   44.176375 ]  start_flush_work+0x33/0x7b0\n[   44.176672 ]  ? trace_irq_enable_rcuidle+0x85/0x170\n[   44.177034 ]  ? kasan_quarantine_put+0xaa/0x1f0\n[   44.177372 ]  ? kasan_quarantine_put+0xaa/0x1f0\n[   44.177711 ]  __flush_work+0x11a/0x1a0\n[   44.177991 ]  ? flush_work+0x20/0x20\n[   44.178257 ]  ? lock_release+0x13c/0x8f0\n[   44.178550 ]  ? __kasan_check_write+0x14/0x20\n[   44.178872 ]  ? do_raw_spin_lock+0x148/0x360\n[   44.179187 ]  ? read_lock_is_recursive+0x20/0x20\n[   44.179530 ]  ? __kasan_check_read+0x11/0x20\n[   44.179846 ]  ? do_raw_spin_unlock+0x55/0x900\n[   44.180168 ]  ? ____kasan_slab_free+0x116/0x140\n[   44.180505 ]  ? _raw_spin_unlock_irqrestore+0x41/0x60\n[   44.180878 ]  ? skb_queue_purge+0x1a3/0x1c0\n[   44.181189 ]  ? kfree+0x13e/0x290\n[   44.181438 ]  flush_work+0x17/0x20\n[   44.181695 ]  mISDN_freedchannel+0xe8/0x100\n[   44.182006 ]  isac_release+0x210/0x260 [mISDNipac]\n[   44.182366 ]  nj_release+0xf6/0x500 [netjet]\n[   44.182685 ]  nj_remove+0x48/0x70 [netjet]\n[   44.182989 ]  pci_device_remove+0xa9/0x250(CVE-2021-47468)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: vmk80xx: fix bulk-buffer overflow\r\n\r\nThe driver is using endpoint-sized buffers but must not assume that the\ntx and rx buffers are of equal size or a malicious device could overflow\nthe slab-allocated receive buffer when doing bulk transfers.(CVE-2021-47474)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: batman-adv: fix error handling\r\n\r\nSyzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was\nin wrong error handling in batadv_mesh_init().\r\n\r\nBefore this patch batadv_mesh_init() was calling batadv_mesh_free() in case\nof any batadv_*_init() calls failure. This approach may work well, when\nthere is some kind of indicator, which can tell which parts of batadv are\ninitialized; but there isn\u0026apos;t any.\r\n\r\nAll written above lead to cleaning up uninitialized fields. Even if we hide\nODEBUG warning by initializing bat_priv-\u0026gt;nc.work, syzbot was able to hit\nGPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1]\r\n\r\nTo fix these bugs we can unwind batadv_*_init() calls one by one.\nIt is good approach for 2 reasons: 1) It fixes bugs on error handling\npath 2) It improves the performance, since we won\u0026apos;t call unneeded\nbatadv_*_free() functions.\r\n\r\nSo, this patch makes all batadv_*_init() clean up all allocated memory\nbefore returning with an error to no call correspoing batadv_*_free()\nand open-codes batadv_mesh_free() with proper order to avoid touching\nuninitialized fields.(CVE-2021-47482)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nregmap: Fix possible double-free in regcache_rbtree_exit()\r\n\r\nIn regcache_rbtree_insert_to_block(), when \u0026apos;present\u0026apos; realloc failed,\nthe \u0026apos;blk\u0026apos; which is supposed to assign to \u0026apos;rbnode-\u0026gt;block\u0026apos; will be freed,\nso \u0026apos;rbnode-\u0026gt;block\u0026apos; points a freed memory, in the error handling path of\nregcache_rbtree_init(), \u0026apos;rbnode-\u0026gt;block\u0026apos; will be freed again in\nregcache_rbtree_exit(), KASAN will report double-free as follows:\r\n\r\nBUG: KASAN: double-free or invalid-free in kfree+0xce/0x390\nCall Trace:\n slab_free_freelist_hook+0x10d/0x240\n kfree+0xce/0x390\n regcache_rbtree_exit+0x15d/0x1a0\n regcache_rbtree_init+0x224/0x2c0\n regcache_init+0x88d/0x1310\n __regmap_init+0x3151/0x4a80\n __devm_regmap_init+0x7d/0x100\n madera_spi_probe+0x10f/0x333 [madera_spi]\n spi_probe+0x183/0x210\n really_probe+0x285/0xc30\r\n\r\nTo fix this, moving up the assignment of rbnode-\u0026gt;block to immediately after\nthe reallocation has succeeded so that the data structure stays valid even\nif the second reallocation fails.(CVE-2021-47483)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields\r\n\r\nOverflowing either addrlimit or bytes_togo can allow userspace to trigger\na buffer overflow of kernel memory. Check for overflows in all the places\ndoing math on user controlled buffers.(CVE-2021-47485)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/tls: Fix flipped sign in tls_err_abort() calls\r\n\r\nsk-\u0026gt;sk_err appears to expect a positive value, a convention that ktls\ndoesn\u0026apos;t always follow and that leads to memory corruption in other code.\nFor instance,\r\n\r\n    [kworker]\n    tls_encrypt_done(..., err=\u0026lt;negative error from crypto request\u0026gt;)\n      tls_err_abort(.., err)\n        sk-\u0026gt;sk_err = err;\r\n\r\n    [task]\n    splice_from_pipe_feed\n      ...\n        tls_sw_do_sendpage\n          if (sk-\u0026gt;sk_err) {\n            ret = -sk-\u0026gt;sk_err;  // ret is positive\r\n\r\n    splice_from_pipe_feed (continued)\n      ret = actor(...)  // ret is still positive and interpreted as bytes\n                        // written, resulting in underflow of buf-\u0026gt;len and\n                        // sd-\u0026gt;len, leading to huge buf-\u0026gt;offset and bogus\n                        // addresses computed in later calls to actor()\r\n\r\nFix all tls_err_abort() callers to pass a negative error code\nconsistently and centralize the error-prone sign flip there, throwing in\na warning to catch future misuse and uninlining the function so it\nreally does only warn once.(CVE-2021-47496)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: pcm: oss: Limit the period size to 16MB\r\n\r\nSet the practical limit to the period size (the fragment shift in OSS)\ninstead of a full 31bit; a too large value could lead to the exhaust\nof memory as we allocate temporary buffers of the period size, too.\r\n\r\nAs of this patch, we set to 16MB limit, which should cover all use\ncases.(CVE-2021-47509)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfp: Fix memory leak in nfp_cpp_area_cache_add()\r\n\r\nIn line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a\nCPP area structure. But in line 807 (#2), when the cache is allocated\nfailed, this CPP area structure is not freed, which will result in\nmemory leak.\r\n\r\nWe can fix it by freeing the CPP area when the cache is allocated\nfailed (#2).\r\n\r\n792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)\n793 {\n794 \tstruct nfp_cpp_area_cache *cache;\n795 \tstruct nfp_cpp_area *area;\r\n\r\n800\tarea = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),\n801 \t\t\t\t  0, size);\n\t// #1: allocates and initializes\r\n\r\n802 \tif (!area)\n803 \t\treturn -ENOMEM;\r\n\r\n805 \tcache = kzalloc(sizeof(*cache), GFP_KERNEL);\n806 \tif (!cache)\n807 \t\treturn -ENOMEM; // #2: missing free\r\n\r\n817\treturn 0;\n818 }(CVE-2021-47516)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nstaging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()\r\n\r\nThe free_rtllib() function frees the \u0026quot;dev\u0026quot; pointer so there is use\nafter free on the next line.  Re-arrange things to avoid that.(CVE-2021-47571)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\r\n\r\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\r\n\r\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path(CVE-2022-48693)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\r\n\r\nIf mmc_add_host() fails, it doesn\u0026apos;t need to call mmc_remove_host(),\nor it will cause null-ptr-deref, because of deleting a not added\ndevice in mmc_remove_host().\r\n\r\nTo fix this, goto label \u0026apos;fail_glue_init\u0026apos;, if mmc_add_host() fails,\nand change the label \u0026apos;fail_add_host\u0026apos; to \u0026apos;fail_gpiod_request\u0026apos;.(CVE-2023-52708)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: USB: Fix wrong-direction WARNING in plusb.c\r\n\r\nThe syzbot fuzzer detected a bug in the plusb network driver: A\nzero-length control-OUT transfer was treated as a read instead of a\nwrite.  In modern kernels this error provokes a WARNING:\r\n\r\nusb 1-1: BOGUS control dir, pipe 80000280 doesn\u0026apos;t match bRequestType c0\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n01/12/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\n...\nCall Trace:\n \u0026lt;TASK\u0026gt;\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\nremove the USB_DIR_IN flag.(CVE-2023-52742)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Restore allocated resources on failed copyout\r\n\r\nFix a resource leak if an error occurs.(CVE-2023-52747)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\r\n\r\nSyzkaller reported the following issue:\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\nshift exponent 245 is too large for 32-bit type \u0026apos;int\u0026apos;\r\n\r\nWhen the value of the variable \u0026quot;sd-\u0026gt;params.exposure.gain\u0026quot; exceeds the\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\nis triggered because the variable \u0026quot;currentexp\u0026quot; cannot be left-shifted by\nmore than the number of bits in an integer. In order to avoid invalid\nrange during left-shift, the conditional expression is added.(CVE-2023-52764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/jfs: Add check for negative db_l2nbperpage\r\n\r\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\r\n\r\nIn the case of l2nbperpage being negative, an error will occur\nwhen subsequently used as shift exponent.\r\n\r\nSyzbot reported this bug:\r\n\r\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative(CVE-2023-52810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nlocking/ww_mutex/test: Fix potential workqueue corruption\r\n\r\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\r\n\r\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\r\n\r\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\u0026quot;struct stress\u0026quot; structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\r\n\r\nUnfortunately the workqueue work_struct node is in the stress\nstruct. Which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\r\n\r\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don\u0026apos;t corrupt the workqueue by freeing the structure\nprematurely.\r\n\r\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.(CVE-2023-52836)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: verify mac len before reading mac header\r\n\r\nLLC reads the mac header with eth_hdr without verifying that the skb\nhas an Ethernet header.\r\n\r\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\npackets without mac len and with user configurable skb-\u0026gt;protocol\n(passing a tun_pi header when not configuring IFF_NO_PI).\r\n\r\n    BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n    BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n    llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n    llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n    llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\n    __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n    __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\n    netif_receive_skb_internal net/core/dev.c:5723 [inline]\n    netif_receive_skb+0x58/0x660 net/core/dev.c:5782\n    tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n    tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\r\n\r\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\r\n\r\nThere are further uses in include/net/llc_pdu.h. All these are\nprotected by a test skb-\u0026gt;protocol == ETH_P_802_2. Which does not\nprotect against this tun scenario.\r\n\r\nBut the mac_len test added in this patch in llc_fixup_skb will\nindirectly protect those too. That is called from llc_rcv before any\nother LLC code.\r\n\r\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\nnot sure whether that could break valid LLC paths that do not assume\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\nprotocols in principle. The below referenced commit shows that used\nto, on top of Token Ring.\r\n\r\nAt least one of the three eth_hdr uses goes back to before the start\nof git history. But the one that syzbot exercises is introduced in\nthis commit. That commit is old enough (2008), that effectively all\nstable kernels should receive this.(CVE-2023-52843)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\r\n\r\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\r\n\r\nRequire initial namespace CAP_NET_ADMIN to do that.(CVE-2023-52880)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Prevent deadlock while disabling aRFS\r\n\r\nWhen disabling aRFS under the `priv-\u0026gt;state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\r\n\r\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker\u0026apos;s responsibility since\ndisabling aRFS deletes the rules.\r\n\r\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\r\n\r\nKernel log:\r\n\r\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G          I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(\u0026amp;rule-\u0026gt;arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\r\n\r\nbut task is already holding lock:\nffff8884a1808cc0 (\u0026amp;priv-\u0026gt;state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nwhich lock already depends on the new lock.\r\n\r\nthe existing dependency chain (in reverse order) is:\r\n\r\n-\u0026gt; #1 (\u0026amp;priv-\u0026gt;state_lock){+.+.}-{3:3}:\n       __mutex_lock+0x80/0xc90\n       arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n       process_one_work+0x1dc/0x4a0\n       worker_thread+0x1bf/0x3c0\n       kthread+0xd7/0x100\n       ret_from_fork+0x2d/0x50\n       ret_from_fork_asm+0x11/0x20\r\n\r\n-\u0026gt; #0 ((work_completion)(\u0026amp;rule-\u0026gt;arfs_work)){+.+.}-{0:0}:\n       __lock_acquire+0x17b4/0x2c80\n       lock_acquire+0xd0/0x2b0\n       __flush_work+0x7a/0x4e0\n       __cancel_work_timer+0x131/0x1c0\n       arfs_del_rules+0x143/0x1e0 [mlx5_core]\n       mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n       mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n       ethnl_set_channels+0x28f/0x3b0\n       ethnl_default_set_doit+0xec/0x240\n       genl_family_rcv_msg_doit+0xd0/0x120\n       genl_rcv_msg+0x188/0x2c0\n       netlink_rcv_skb+0x54/0x100\n       genl_rcv+0x24/0x40\n       netlink_unicast+0x1a1/0x270\n       netlink_sendmsg+0x214/0x460\n       __sock_sendmsg+0x38/0x60\n       __sys_sendto+0x113/0x170\n       __x64_sys_sendto+0x20/0x30\n       do_syscall_64+0x40/0xe0\n       entry_SYSCALL_64_after_hwframe+0x46/0x4e\r\n\r\nother info that might help us debug this:\r\n\r\n Possible unsafe locking scenario:\r\n\r\n       CPU0                    CPU1\n       ----                    ----\n  lock(\u0026amp;priv-\u0026gt;state_lock);\n                               lock((work_completion)(\u0026amp;rule-\u0026gt;arfs_work));\n                               lock(\u0026amp;priv-\u0026gt;state_lock);\n  lock((work_completion)(\u0026amp;rule-\u0026gt;arfs_work));\r\n\r\n *** DEADLOCK ***\r\n\r\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (\u0026amp;priv-\u0026gt;state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G          I        6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u0026lt;TASK\u0026gt;\n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---(CVE-2024-27014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\r\n\r\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.(CVE-2024-27019)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet/pep: fix racy skb_queue_empty() use\r\n\r\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.(CVE-2024-27402)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\r\n\r\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren\u0026apos;t waiting on a sleeping task.\r\n\r\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\u0026quot;net: dpaa: Adjust queue depth on rate change\u0026quot;)\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.(CVE-2024-35819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nubifs: Set page uptodate in the correct place\r\n\r\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we\u0026apos;ve overwritten it with the data it\u0026apos;s supposed to have\nin it will allow a simultaneous reader to see old data.  Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.(CVE-2024-35821)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\r\n\r\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to\nbe freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().(CVE-2024-35828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: properly terminate timers for kernel sockets\r\n\r\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\r\n\r\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\r\n\r\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto \u0026apos;stop\u0026apos; the timers.\r\n\r\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\r\n\r\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\r\n\r\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\r\n\r\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\r\n\r\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\r\n\r\nIt is very possible we can revert in the future commit\n3a58f13a881e (\u0026quot;net: rds: acquire refcount on TCP sockets\u0026quot;)\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\r\n\r\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.(CVE-2024-35910)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\r\n\r\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don\u0026apos;t accidentally leak kernel\naddresses.(CVE-2024-35935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: cfg80211: check A-MSDU format more carefully\r\n\r\nIf it looks like there\u0026apos;s another subframe in the A-MSDU\nbut the header isn\u0026apos;t fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.(CVE-2024-35937)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndyndbg: fix old BUG_ON in \u0026gt;control parser\r\n\r\nFix a BUG_ON from 2009.  Even if it looks \u0026quot;unreachable\u0026quot; (I didn\u0026apos;t\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.(CVE-2024-35947)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbatman-adv: Avoid infinite loop trying to resize local TT\r\n\r\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\r\n\r\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\r\n\r\n   batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\r\n\r\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\r\n\r\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\r\n\r\nWhile this should be handled proactively when:\r\n\r\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n  attached interfaces)\r\n\r\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.(CVE-2024-35982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\r\n\r\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm-\u0026gt;len\n  Reason: gsm-\u0026gt;len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm-\u0026gt;buf\n  Reason: Neither gsm-\u0026gt;state nor gsm-\u0026gt;len have been reset after\n  reconfiguration.\r\n\r\nFix this by changing gsm-\u0026gt;count to gsm-\u0026gt;len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm-\u0026gt;len and gsm-\u0026gt;mru.\r\n\r\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.(CVE-2024-36016)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: fix UAF in error path\r\n\r\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\r\n\r\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\r\n\r\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n \u0026lt;IRQ\u0026gt;\n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n \u0026lt;/IRQ\u0026gt;\n \u0026lt;TASK\u0026gt;\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---(CVE-2024-36886)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: prevent NULL dereference in ip6_output()\r\n\r\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\r\n\r\nsyzbot reported:\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 \u0026lt;42\u0026gt; 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u0026lt;TASK\u0026gt;\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n  sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n  sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n  sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n  sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n  sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n  sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n  sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n  __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-36901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\r\n\r\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\r\n\r\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\r\n\r\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\r\n\r\n         TCP_CLOSE\nconnect()\n         TCP_SYN_SENT\n         TCP_SYN_RECV\nshutdown() -\u0026gt; tcp_shutdown(sk, SEND_SHUTDOWN)\n         TCP_FIN_WAIT1\r\n\r\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -\u0026gt; TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\r\n\r\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk-\u0026gt;sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\r\n\r\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\r\n\r\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 \u0026lt;48\u0026gt; f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n \u0026lt;TASK\u0026gt;\n  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n  tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x109/0x280 net/socket.c:1068\n  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x474/0xae0 net/socket.c:2939\n  __sys_recvmmsg net/socket.c:3018 [inline]\n  __do_sys_recvmmsg net/socket.c:3041 [inline]\n  __se_sys_recvmmsg net/socket.c:3034 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001(CVE-2024-36905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\r\n\r\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won\u0026apos;t be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\r\n\r\nThis will suppress following BUG_ON():\r\n\r\n[  449.843143] ------------[ cut here ]------------\n[  449.848302] kernel BUG at mm/vmalloc.c:2727!\n[  449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[  449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[  449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[  449.882910] RIP: 0010:vunmap+0x2e/0x30\n[  449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 \u0026lt;0f\u0026gt; 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[  449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[  449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[  449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[  449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[  449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[  449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[  449.953701] FS:  0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[  449.962732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[  449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  449.993028] Call Trace:\n[  449.995756]  __iommu_dma_free+0x96/0x100\n[  450.000139]  bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[  450.006171]  bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[  450.011910]  bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[  450.018136]  fc_rport_work+0x103/0x5b0 [libfc]\n[  450.023103]  process_one_work+0x1e8/0x3c0\n[  450.027581]  worker_thread+0x50/0x3b0\n[  450.031669]  ? rescuer_thread+0x370/0x370\n[  450.036143]  kthread+0x149/0x170\n[  450.039744]  ? set_kthread_struct+0x40/0x40\n[  450.044411]  ret_from_fork+0x22/0x30\n[  450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[  450.048497]  libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[  450.159753] ---[ end trace 712de2c57c64abc8 ]---(CVE-2024-36919)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbna: ensure the copied buf is NUL terminated\r\n\r\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don\u0026apos;t\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.(CVE-2024-36934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Move NPIV\u0026apos;s transport unregistration to after resource clean up\r\n\r\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric.  This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\r\n\r\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject.  This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\r\n\r\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.(CVE-2024-36952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/vmwgfx: Fix invalid reads in fence signaled events\r\n\r\nCorrectly set the length of the drm_event to the size of the structure\nthat\u0026apos;s actually used.\r\n\r\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.(CVE-2024-36960)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2406.3.0.0282.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["python3-perf-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","bpftool-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","kernel-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","perf-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2406.3.0.0282.oe2003sp4.src.rpm"],"x86_64":["python3-perf-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","kernel-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","perf-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","bpftool-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2406.3.0.0282.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1736"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47229"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47234"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47249"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47257"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47267"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47281"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47301"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47310"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47321"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47334"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47344"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47354"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47372"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47425"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47440"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47456"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47468"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47474"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47482"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47483"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47485"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47496"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47509"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47516"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47571"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48693"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52708"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52742"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52747"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52764"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52810"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52836"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52843"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52875"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52880"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27014"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27019"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27402"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35819"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35821"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35828"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35910"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35935"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35937"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35947"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35982"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36016"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36886"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36901"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36905"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36919"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36934"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36952"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36960"}],"database_specific":{"severity":"High"}}