{"schema_version":"1.7.2","id":"OESA-2024-1895","modified":"2024-07-26T11:08:37Z","published":"2024-07-26T11:08:37Z","upstream":["CVE-2021-47612","CVE-2022-48775","CVE-2022-48788","CVE-2022-48838","CVE-2022-48855","CVE-2022-48856","CVE-2022-48865","CVE-2024-38589","CVE-2024-39493","CVE-2024-39494","CVE-2024-39499","CVE-2024-40904","CVE-2024-40912","CVE-2024-40929","CVE-2024-40932","CVE-2024-40941","CVE-2024-40943","CVE-2024-40968","CVE-2024-40974","CVE-2024-40984","CVE-2024-40987","CVE-2024-41005","CVE-2024-41007"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: fix segfault in nfc_genl_dump_devices_done\r\n\r\nWhen kmalloc in nfc_genl_dump_devices() fails then\nnfc_genl_dump_devices_done() segfaults as below\r\n\r\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:klist_iter_exit+0x26/0x80\nCall Trace:\n\u0026lt;TASK\u0026gt;\nclass_dev_iter_exit+0x15/0x20\nnfc_genl_dump_devices_done+0x3b/0x50\ngenl_lock_done+0x84/0xd0\nnetlink_sock_destruct+0x8f/0x270\n__sk_destruct+0x64/0x3b0\nsk_destruct+0xa8/0xd0\n__sk_free+0x2e8/0x3d0\nsk_free+0x51/0x90\nnetlink_sock_destruct_work+0x1c/0x20\nprocess_one_work+0x411/0x710\nworker_thread+0x6fd/0xa80(CVE-2021-47612)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nDrivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj\r\n\r\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()?\r\n\r\n If this function returns an error, kobject_put() must be called to\n properly clean up the memory associated with the object.\r\n\r\nFix memory leak by calling kobject_put().(CVE-2022-48775)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme-rdma: fix possible use-after-free in transport error_recovery work\r\n\r\nWhile nvme_rdma_submit_async_event_work is checking the ctrl and queue\nstate before preparing the AER command and scheduling io_work, in order\nto fully prevent a race where this check is not reliable the error\nrecovery work must flush async_event_work before continuing to destroy\nthe admin queue after setting the ctrl state to RESETTING such that\nthere is no race .submit_async_event and the error recovery handler\nitself changing the ctrl state.(CVE-2022-48788)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: Fix use-after-free bug by not setting udc-\u0026gt;dev.driver\r\n\r\nThe syzbot fuzzer found a use-after-free bug:\r\n\r\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\r\n\r\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \u0026lt;TASK\u0026gt;\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\r\n\r\nAlthough the bug manifested in the driver core, the real cause was a\nrace with the gadget core. dev_uevent() does:\r\n\r\n\tif (dev-\u0026gt;driver)\n\t\tadd_uevent_var(env, \u0026quot;DRIVER=%s\u0026quot;, dev-\u0026gt;driver-\u0026gt;name);\r\n\r\nand between the test and the dereference of dev-\u0026gt;driver, the gadget\ncore sets dev-\u0026gt;driver to NULL.\r\n\r\nThe race wouldn\u0026apos;t occur if the gadget core registered its devices on\na real bus, using the standard synchronization techniques of the\ndriver core. However, it\u0026apos;s not necessary to make such a large change\nin order to fix this bug; all we need to do is make sure that\nudc-\u0026gt;dev.driver is always NULL.\r\n\r\nIn fact, there is no reason for udc-\u0026gt;dev.driver ever to be set to\nanything, let alone to the value it currently gets: the address of the\ngadget\u0026apos;s driver. After all, a gadget driver only knows how to manage\na gadget, not how to manage a UDC.\r\n\r\nThis patch simply removes the statements in the gadget core that touch\nudc-\u0026gt;dev.driver.(CVE-2022-48838)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsctp: fix kernel-infoleak for SCTP sockets\r\n\r\nsyzbot reported a kernel infoleak [1] of 4 bytes.\r\n\r\nAfter analysis, it turned out r-\u0026gt;idiag_expires is not initialized\nif inet_sctp_diag_fill() calls inet_diag_msg_common_fill()\r\n\r\nMake sure to clear idiag_timer/idiag_retrans/idiag_expires\nand let inet_diag_msg_sctpasoc_fill() fill them again if needed.\r\n\r\n[1]\r\n\r\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]\nBUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668\n instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n copyout lib/iov_iter.c:154 [inline]\n _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668\n copy_to_iter include/linux/uio.h:162 [inline]\n simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519\n __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425\n skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533\n skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]\n netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n __sys_recvfrom+0x795/0xa10 net/socket.c:2097\n __do_sys_recvfrom net/socket.c:2115 [inline]\n __se_sys_recvfrom net/socket.c:2111 [inline]\n __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:737 [inline]\n slab_alloc_node mm/slub.c:3247 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1158 [inline]\n netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248\n __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373\n netlink_dump_start include/linux/netlink.h:254 [inline]\n inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341\n sock_diag_rcv_msg+0x24a/0x620\n netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494\n sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277\n netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]\n netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343\n netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:705 [inline]\n sock_sendmsg net/socket.c:725 [inline]\n sock_write_iter+0x594/0x690 net/socket.c:1061\n do_iter_readv_writev+0xa7f/0xc70\n do_iter_write+0x52c/0x1500 fs/read_write.c:851\n vfs_writev fs/read_write.c:924 [inline]\n do_writev+0x645/0xe00 fs/read_write.c:967\n __do_sys_writev fs/read_write.c:1040 [inline]\n __se_sys_writev fs/read_write.c:1037 [inline]\n __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nBytes 68-71 of 2508 are uninitialized\nMemory access of size 2508 starts at ffff888114f9b000\nData copied to user address 00007f7fe09ff2e0\r\n\r\nCPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011(CVE-2022-48855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngianfar: ethtool: Fix refcount leak in gfar_get_ts_info\r\n\r\nThe of_find_compatible_node() function returns a node pointer with\nrefcount incremented, We should use of_node_put() on it when done\nAdd the missing of_node_put() to release the refcount.(CVE-2022-48856)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: fix kernel panic when enabling bearer\r\n\r\nWhen enabling a bearer on a node, a kernel panic is observed:\r\n\r\n[ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]\n...\n[ 4.520030] Call Trace:\n[ 4.520689] \u0026lt;IRQ\u0026gt;\n[ 4.521236] tipc_link_build_proto_msg+0x375/0x750 [tipc]\n[ 4.522654] tipc_link_build_state_msg+0x48/0xc0 [tipc]\n[ 4.524034] __tipc_node_link_up+0xd7/0x290 [tipc]\n[ 4.525292] tipc_rcv+0x5da/0x730 [tipc]\n[ 4.526346] ? __netif_receive_skb_core+0xb7/0xfc0\n[ 4.527601] tipc_l2_rcv_msg+0x5e/0x90 [tipc]\n[ 4.528737] __netif_receive_skb_list_core+0x20b/0x260\n[ 4.530068] netif_receive_skb_list_internal+0x1bf/0x2e0\n[ 4.531450] ? dev_gro_receive+0x4c2/0x680\n[ 4.532512] napi_complete_done+0x6f/0x180\n[ 4.533570] virtnet_poll+0x29c/0x42e [virtio_net]\n...\r\n\r\nThe node in question is receiving activate messages in another\nthread after changing bearer status to allow message sending/\nreceiving in current thread:\r\n\r\n thread 1 | thread 2\n -------- | --------\n |\ntipc_enable_bearer() |\n test_and_set_bit_lock() |\n tipc_bearer_xmit_skb() |\n | tipc_l2_rcv_msg()\n | tipc_rcv()\n | __tipc_node_link_up()\n | tipc_link_build_state_msg()\n | tipc_link_build_proto_msg()\n | tipc_mon_prep()\n | {\n | ...\n | // null-pointer dereference\n | u16 gen = mon-\u0026gt;dom_gen;\n | ...\n | }\n // Not being executed yet |\n tipc_mon_create() |\n { |\n ... |\n // allocate |\n mon = kzalloc(); |\n ... |\n } |\r\n\r\nMonitoring pointer in thread 2 is dereferenced before monitoring data\nis allocated in thread 1. This causes kernel panic.\r\n\r\nThis commit fixes it by allocating the monitoring data before enabling\nthe bearer to receive messages.(CVE-2022-48865)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: fix possible dead-lock in nr_rt_ioctl()\r\n\r\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\r\n\r\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\r\n\r\n[1]\nWARNING: possible circular locking dependency detected\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\n------------------------------------------------------\nsyz-executor350/5129 is trying to acquire lock:\n ffff8880186e2070 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffff8880186e2070 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\n ffff8880186e2070 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\n ffff8880186e2070 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\r\n\r\nbut task is already holding lock:\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\r\n\r\nwhich lock already depends on the new lock.\r\n\r\nthe existing dependency chain (in reverse order) is:\r\n\r\n-\u0026gt; #1 (nr_node_list_lock){+...}-{2:2}:\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_remove_node net/netrom/nr_route.c:299 [inline]\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n-\u0026gt; #0 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_node_lock include/net/netrom.h:152 [inline]\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nother info that might help us debug this:\r\n\r\n Possible unsafe locking scenario:\r\n\r\n CPU0 CPU1\n ---- ----\n lock(nr_node_list_lock);\n lock(\u0026amp;nr_node-\u0026gt;node_lock);\n lock(nr_node_list_lock);\n lock(\u0026amp;nr_node-\u0026gt;node_lock);\r\n\r\n *** DEADLOCK ***\r\n\r\n1 lock held by syz-executor350/5129:\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n #0: ffffffff8f70\n---truncated---(CVE-2024-38589)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: qat - Fix ADF_DEV_RESET_SYNC memory leak\r\n\r\nUsing completion_done to determine whether the caller has gone\naway only works after a complete call. Furthermore it\u0026apos;s still\npossible that the caller has not yet called wait_for_completion,\nresulting in another potential UAF.\r\n\r\nFix this by making the caller use cancel_work_sync and then freeing\nthe memory safely.(CVE-2024-39493)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nima: Fix use-after-free on a dentry\u0026apos;s dname.name\r\n\r\n-\u0026gt;d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (-\u0026gt;d_lock on dentry,\n-\u0026gt;d_lock on its parent, -\u0026gt;i_rwsem exclusive on the parent\u0026apos;s inode,\nrename_lock), but none of those are met at any of the sites. Take a stable\nsnapshot of the name instead.(CVE-2024-39494)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\r\n\r\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg-\u0026gt;event_data.event is passed to event_deliver() and used\nas an index without sanitization.\r\n\r\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\r\n\r\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\r\n\r\nOnly compile tested, no access to HW.(CVE-2024-39499)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\r\n\r\nThe syzbot fuzzer found that the interrupt-URB completion callback in\nthe cdc-wdm driver was taking too long, and the driver\u0026apos;s immediate\nresubmission of interrupt URBs with -EPROTO status combined with the\ndummy-hcd emulation to cause a CPU lockup:\r\n\r\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\nCPU#0 Utilization every 4s during lockup:\n\t#1: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#2: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#3: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#4: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#5: 98% system,\t 1% softirq,\t 3% hardirq,\t 0% idle\nModules linked in:\nirq event stamp: 73096\nhardirqs last enabled at (73095): [\u0026lt;ffff80008037bc00\u0026gt;] console_emit_next_record kernel/printk/printk.c:2935 [inline]\nhardirqs last enabled at (73095): [\u0026lt;ffff80008037bc00\u0026gt;] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\nhardirqs last disabled at (73096): [\u0026lt;ffff80008af10b00\u0026gt;] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\nhardirqs last disabled at (73096): [\u0026lt;ffff80008af10b00\u0026gt;] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\nsoftirqs last enabled at (73048): [\u0026lt;ffff8000801ea530\u0026gt;] softirq_handle_end kernel/softirq.c:400 [inline]\nsoftirqs last enabled at (73048): [\u0026lt;ffff8000801ea530\u0026gt;] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\nsoftirqs last disabled at (73043): [\u0026lt;ffff800080020de8\u0026gt;] __do_softirq+0x14/0x20 kernel/softirq.c:588\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\r\n\r\nTesting showed that the problem did not occur if the two error\nmessages -- the first two lines above -- were removed; apparently adding\nmaterial to the kernel log takes a surprisingly large amount of time.\r\n\r\nIn any case, the best approach for preventing these lockups and to\navoid spamming the log with thousands of error messages per second is\nto ratelimit the two dev_err() calls. Therefore we replace them with\ndev_err_ratelimited().(CVE-2024-40904)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\r\n\r\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta-\u0026gt;ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta-\u0026gt;ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\r\n\r\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\r\n\r\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock.(CVE-2024-40912)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\r\n\r\nIn some versions of cfg80211, the ssids poinet might be a valid one even\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\nout-of-bound access. Fix this by checking n_ssids first.(CVE-2024-40929)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/exynos/vidi: fix memory leak in .get_modes()\r\n\r\nThe duplicated EDID is never freed. Fix it.(CVE-2024-40932)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: mvm: don\u0026apos;t read past the mfuart notifcation\r\n\r\nIn case the firmware sends a notification that claims it has more data\nthan it has, we will read past that was allocated for the notification.\nRemove the print of the buffer, we won\u0026apos;t see it by default. If needed,\nwe can see the content with tracing.\r\n\r\nThis was reported by KFENCE.(CVE-2024-40941)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix races between hole punching and AIO+DIO\r\n\r\nAfter commit \u0026quot;ocfs2: return real error code in ocfs2_dio_wr_get_block\u0026quot;,\nfstests/generic/300 become from always failed to sometimes failed:\r\n\r\n========================================================================\n[ 473.293420 ] run fstests generic/300\r\n\r\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\n[ 494.292018 ] OCFS2: File system is now read-only.\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\n=========================================================================\r\n\r\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\nextents to a list. extents are also inserted into extent tree in\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\nhole at one of the unwritten extent. The extent at cpos was removed by\nocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list\nfound there is no such extent at the cpos.\r\n\r\n T1 T2 T3\n inode lock\n ...\n insert extents\n ...\n inode unlock\nocfs2_fallocate\n __ocfs2_change_file_space\n inode lock\n lock ip_alloc_sem\n ocfs2_remove_inode_range inode\n ocfs2_remove_btree_range\n ocfs2_remove_extent\n ^---remove the extent at cpos 78723\n ...\n unlock ip_alloc_sem\n inode unlock\n ocfs2_dio_end_io\n ocfs2_dio_end_io_write\n lock ip_alloc_sem\n ocfs2_mark_extent_written\n ocfs2_change_extent_flag\n ocfs2_search_extent_list\n ^---failed to find extent\n ...\n unlock ip_alloc_sem\r\n\r\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\nso fix it by adding to wait for all dio before fallocate/punch_hole like\next4.(CVE-2024-40943)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nMIPS: Octeon: Add PCIe link status check\r\n\r\nThe standard PCIe configuration read-write interface is used to\naccess the configuration space of the peripheral PCIe devices\nof the mips processor after the PCIe link surprise down, it can\ngenerate kernel panic caused by \u0026quot;Data bus error\u0026quot;. So it is\nnecessary to add PCIe link status check for system protection.\nWhen the PCIe link is down or in training, assigning a value\nof 0 to the configuration address can prevent read-write behavior\nto the configuration space of peripheral PCIe devices, thereby\npreventing kernel panic.(CVE-2024-40968)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/pseries: Enforce hcall result buffer validity and size\r\n\r\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\r\n\r\nFor example, if I write a bug like this:\r\n\r\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\r\n\r\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\r\n\r\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\r\n\r\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n | ^ ~~~~~~\r\n\r\n[1] Enabled for LLVM builds but not GCC for now. See commit\n 0da6e5fd6c37 (\u0026quot;gcc: disable \u0026apos;-Warray-bounds\u0026apos; for gcc-13 too\u0026quot;) and\n related changes.(CVE-2024-40974)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPICA: Revert \u0026quot;ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\u0026quot;\r\n\r\nUndo the modifications made in commit d410ee5109a1 (\u0026quot;ACPICA: avoid\n\u0026quot;Info: mapping multiple BARs. Your kernel is fine.\u0026quot;\u0026quot;). The initial\npurpose of this commit was to stop memory mappings for operation\nregions from overlapping page boundaries, as it can trigger warnings\nif different page attributes are present.\r\n\r\nHowever, it was found that when this situation arises, mapping\ncontinues until the boundary\u0026apos;s end, but there is still an attempt to\nread/write the entire length of the map, leading to a NULL pointer\ndeference. For example, if a four-byte mapping request is made but\nonly one byte is mapped because it hits the current page boundary\u0026apos;s\nend, a four-byte read/write attempt is still made, resulting in a NULL\npointer deference.\r\n\r\nInstead, map the entire length, as the ACPI specification does not\nmandate that it must be within the same page boundary. It is\npermissible for it to be mapped across different regions.(CVE-2024-40984)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\r\n\r\nAdds bounds check for sumo_vid_mapping_entry.(CVE-2024-40987)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetpoll: Fix race condition in netpoll_owner_active\r\n\r\nKCSAN detected a race condition in netpoll:\r\n\r\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n\u0026lt;snip\u0026gt;\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n\u0026lt;snip\u0026gt;\n\tvalue changed: 0x0000000a -\u0026gt; 0xffffffff\r\n\r\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi-\u0026gt;poll_owner\nnon atomically. The -\u0026gt;poll_owner field contains the current CPU holding\nthe lock.\r\n\r\nUse an atomic read to check if the poll owner is the current CPU.(CVE-2024-41005)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: avoid too many retransmit packets\r\n\r\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has \u0026apos;expired\u0026apos;.\r\n\r\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk-\u0026gt;icsk_user_timeout into account.\r\n\r\nBefore blamed commit, the socket would not timeout after\nicsk-\u0026gt;icsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\r\n\r\nAlso worth noting that before commit e89688e3e978 (\u0026quot;net: tcp:\nfix unexcepted socket die when snd_wnd is 0\u0026quot;), the issue\nwould last 2 minutes instead of 4.(CVE-2024-41007)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2407.5.0.0287.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","kernel-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","perf-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2407.5.0.0287.oe2003sp4.src.rpm"],"x86_64":["bpftool-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","kernel-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","perf-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2407.5.0.0287.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1895"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47612"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48775"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48788"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48838"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48855"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48856"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48865"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38589"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39493"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39494"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39499"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40904"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40912"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40929"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40932"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40941"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40943"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40968"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40974"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40984"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40987"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41005"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41007"}],"database_specific":{"severity":"High"}}