{"schema_version":"1.7.2","id":"OESA-2024-1897","modified":"2024-07-26T11:08:37Z","published":"2024-07-26T11:08:37Z","upstream":["CVE-2024-34030","CVE-2024-36014","CVE-2024-36016","CVE-2024-36031","CVE-2024-36881","CVE-2024-36939","CVE-2024-36979","CVE-2024-38559","CVE-2024-38578","CVE-2024-38589","CVE-2024-38618","CVE-2024-38619","CVE-2024-39463","CVE-2024-39469","CVE-2024-39472","CVE-2024-39485","CVE-2024-39494","CVE-2024-39499","CVE-2024-39505","CVE-2024-40912","CVE-2024-40916","CVE-2024-40918","CVE-2024-40923","CVE-2024-40929","CVE-2024-40932","CVE-2024-40936","CVE-2024-40941","CVE-2024-40943","CVE-2024-40951","CVE-2024-40952","CVE-2024-40957","CVE-2024-40968","CVE-2024-40974","CVE-2024-40975","CVE-2024-40977","CVE-2024-40983","CVE-2024-40984","CVE-2024-40987","CVE-2024-41004","CVE-2024-41005","CVE-2024-41007","CVE-2024-41009"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI: of_property: Return error for int_map allocation failure\r\n\r\nReturn -ENOMEM from of_pci_prop_intr_map() if kcalloc() fails to prevent a\nNULL pointer dereference in this case.\r\n\r\n[bhelgaas: commit log](CVE-2024-34030)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/arm/malidp: fix a possible null pointer dereference\r\n\r\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.(CVE-2024-36014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\r\n\r\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm-\u0026gt;len\n Reason: gsm-\u0026gt;len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm-\u0026gt;buf\n Reason: Neither gsm-\u0026gt;state nor gsm-\u0026gt;len have been reset after\n reconfiguration.\r\n\r\nFix this by changing gsm-\u0026gt;count to gsm-\u0026gt;len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm-\u0026gt;len and gsm-\u0026gt;mru.\r\n\r\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.(CVE-2024-36016)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkeys: Fix overwrite of key expiration on instantiation\r\n\r\nThe expiry time of a key is unconditionally overwritten during\ninstantiation, defaulting to turn it permanent. This causes a problem\nfor DNS resolution as the expiration set by user-space is overwritten to\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\ncondition that key_set_expiry is only called when the pre-parser sets a\nspecific expiry.(CVE-2024-36031)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/userfaultfd: reset ptes when close() for wr-protected ones\r\n\r\nUserfaultfd unregister includes a step to remove wr-protect bits from all\nthe relevant pgtable entries, but that only covered an explicit\nUFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself. Cover\nthat too. This fixes a WARN trace.\r\n\r\nThe only user visible side effect is the user can observe leftover\nwr-protect bits even if the user close()ed on an userfaultfd when\nreleasing the last reference of it. However hopefully that should be\nharmless, and nothing bad should happen even if so.\r\n\r\nThis change is now more important after the recent page-table-check\npatch we merged in mm-unstable (446dd9ad37d0 (\u0026quot;mm/page_table_check:\nsupport userfault wr-protect entries\u0026quot;)), as we\u0026apos;ll do sanity check on\nuffd-wp bits without vma context. So it\u0026apos;s better if we can 100%\nguarantee no uffd-wp bit leftovers, to make sure each report will be\nvalid.(CVE-2024-36881)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfs: Handle error of rpc_proc_register() in nfs_net_init().\r\n\r\nsyzkaller reported a warning [0] triggered while destroying immature\nnetns.\r\n\r\nrpc_proc_register() was called in init_nfs_fs(), but its error\nhas been ignored since at least the initial commit 1da177e4c3f4\n(\u0026quot;Linux-2.6.12-rc2\u0026quot;).\r\n\r\nRecently, commit d47151b79e32 (\u0026quot;nfs: expose /proc/net/sunrpc/nfs\nin net namespaces\u0026quot;) converted the procfs to per-netns and made\nthe problem more visible.\r\n\r\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\nand thus nfs_net_exit() will be called while destroying the netns.\r\n\r\nThen, remove_proc_entry() will be called for non-existing proc\ndirectory and trigger the warning below.\r\n\r\nLet\u0026apos;s handle the error of rpc_proc_register() properly in nfs_net_init().\r\n\r\n[0]:\nname \u0026apos;nfs\u0026apos;\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff \u0026lt;0f\u0026gt; 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\nFS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u0026lt;TASK\u0026gt;\n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\n __do_sys_unshare kernel/fork.c:3393 [inline]\n __se_sys_unshare kernel/fork.c:3391 [inline]\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x7f30d0febe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\n \u0026lt;/TASK\u0026gt;(CVE-2024-36939)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: mst: fix vlan use-after-free\r\n\r\nsyzbot reported a suspicious rcu usage[1] in bridge\u0026apos;s mst code. While\nfixing it I noticed that nothing prevents a vlan to be freed while\nwalking the list from the same path (br forward delay timer). Fix the rcu\nusage and also make sure we are not accessing freed memory by making\nbr_mst_vlan_set_state use rcu read lock.\r\n\r\n[1]\n WARNING: suspicious RCU usage\n 6.9.0-rc6-syzkaller #0 Not tainted\n -----------------------------\n net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!\n ...\n stack backtrace:\n CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n Call Trace:\n \u0026lt;IRQ\u0026gt;\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n nbp_vlan_group net/bridge/br_private.h:1599 [inline]\n br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105\n br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47\n br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88\n call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793\n expire_timers kernel/time/timer.c:1844 [inline]\n __run_timers kernel/time/timer.c:2418 [inline]\n __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429\n run_timer_base kernel/time/timer.c:2438 [inline]\n run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448\n __do_softirq+0x2c6/0x980 kernel/softirq.c:554\n invoke_softirq kernel/softirq.c:428 [inline]\n __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:645\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n \u0026lt;/IRQ\u0026gt;\n \u0026lt;TASK\u0026gt;\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758\n Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 \u0026lt;4b\u0026gt; c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25\n RSP: 0018:ffffc90013657100 EFLAGS: 00000206\n RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001\n RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60\n RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0\n R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28\n R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246(CVE-2024-36979)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: qedf: Ensure the copied buf is NUL terminated\r\n\r\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon\u0026apos;t ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user.(CVE-2024-38559)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\necryptfs: Fix buffer size for tag 66 packet\r\n\r\nThe \u0026apos;TAG 66 Packet Format\u0026apos; description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\r\n\r\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\r\n\r\nThis fixes the below kasan slab-out-of-bounds bug:\r\n\r\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\r\n\r\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n Call Trace:\n \u0026lt;TASK\u0026gt;\n dump_stack_lvl+0x4c/0x70\n print_report+0xc5/0x610\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? kasan_complete_mode_report_info+0x44/0x210\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n kasan_report+0xc2/0x110\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n __asan_store1+0x62/0x80\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n ? __alloc_pages+0x2e2/0x540\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n ? dentry_open+0x8f/0xd0\n ecryptfs_write_metadata+0x30a/0x550\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\n ? ecryptfs_get_lower_file+0x6b/0x190\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n ? __pfx_path_openat+0x10/0x10\n do_filp_open+0x15e/0x290\n ? __pfx_do_filp_open+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? _raw_spin_lock+0x86/0xf0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? alloc_fd+0xf4/0x330\n do_sys_openat2+0x122/0x160\n ? __pfx_do_sys_openat2+0x10/0x10\n __x64_sys_openat+0xef/0x170\n ? __pfx___x64_sys_openat+0x10/0x10\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f00a703fd67\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 \u0026lt;48\u0026gt; 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n \u0026lt;/TASK\u0026gt;\r\n\r\n Allocated by task 181:\n kasan_save_stack+0x2f/0x60\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x25/0x40\n __kasan_kmalloc+0xc5/0xd0\n __kmalloc+0x66/0x160\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\n ecryptfs_write_metadata+0x30a/0x550\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n do_filp_open+0x15e/0x290\n do_sys_openat2+0x122/0x160\n __x64_sys_openat+0xef/0x170\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2024-38578)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: fix possible dead-lock in nr_rt_ioctl()\r\n\r\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\r\n\r\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\r\n\r\n[1]\nWARNING: possible circular locking dependency detected\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\n------------------------------------------------------\nsyz-executor350/5129 is trying to acquire lock:\n ffff8880186e2070 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffff8880186e2070 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\n ffff8880186e2070 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\n ffff8880186e2070 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\r\n\r\nbut task is already holding lock:\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\r\n\r\nwhich lock already depends on the new lock.\r\n\r\nthe existing dependency chain (in reverse order) is:\r\n\r\n-\u0026gt; #1 (nr_node_list_lock){+...}-{2:2}:\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_remove_node net/netrom/nr_route.c:299 [inline]\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n-\u0026gt; #0 (\u0026amp;nr_node-\u0026gt;node_lock){+...}-{2:2}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_node_lock include/net/netrom.h:152 [inline]\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nother info that might help us debug this:\r\n\r\n Possible unsafe locking scenario:\r\n\r\n CPU0 CPU1\n ---- ----\n lock(nr_node_list_lock);\n lock(\u0026amp;nr_node-\u0026gt;node_lock);\n lock(nr_node_list_lock);\n lock(\u0026amp;nr_node-\u0026gt;node_lock);\r\n\r\n *** DEADLOCK ***\r\n\r\n1 lock held by syz-executor350/5129:\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n #0: ffffffff8f70\n---truncated---(CVE-2024-38589)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: timer: Set lower bound of start tick time\r\n\r\nCurrently ALSA timer doesn\u0026apos;t have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\nwhere the callback repeatedly queuing the expire update, as reported\nby fuzzer.\r\n\r\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow.(CVE-2024-38618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb-storage: alauda: Check whether the media is initialized\r\n\r\nThe member \u0026quot;uzonesize\u0026quot; of struct alauda_info will remain 0\nif alauda_init_media() fails, potentially causing divide errors\nin alauda_read_data() and alauda_write_lba().\n- Add a member \u0026quot;media_initialized\u0026quot; to struct alauda_info.\n- Change a condition in alauda_check_media() to ensure the\n first initialization.\n- Add an error check for the return value of alauda_init_media().(CVE-2024-38619)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\n9p: add missing locking around taking dentry fid list\r\n\r\nFix a use-after-free on dentry\u0026apos;s d_fsdata fid list when a thread\nlooks up a fid through dentry while another thread unlinks it:\r\n\r\nUAF thread:\nrefcount_t: addition on 0; use-after-free.\n p9_fid_get linux/./include/net/9p/client.h:262\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\r\n\r\nFreed by:\n p9_fid_destroy (inlined)\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\n p9_fid_put linux/./include/net/9p/client.h:278\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\r\n\r\nThe problem is that d_fsdata was not accessed under d_lock, because\nd_release() normally is only called once the dentry is otherwise no\nlonger accessible but since we also call it explicitly in v9fs_remove\nthat lock is required:\nmove the hlist out of the dentry under lock then unref its fids once\nthey are no longer accessible.(CVE-2024-39463)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\r\n\r\nThe error handling in nilfs_empty_dir() when a directory folio/page read\nfails is incorrect, as in the old ext2 implementation, and if the\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\ndetermine the directory as empty and corrupt the file system.\r\n\r\nIn addition, since nilfs_empty_dir() does not immediately return on a\nfailed folio/page read, but continues to loop, this can cause a long loop\nwith I/O if i_size of the directory\u0026apos;s inode is also corrupted, causing the\nlog writer thread to wait and hang, as reported by syzbot.\r\n\r\nFix these issues by making nilfs_empty_dir() immediately return a false\nvalue (0) if it fails to get a directory folio/page.(CVE-2024-39469)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\r\n\r\nCommit a70f9fe52daa (\u0026quot;xfs: detect and handle invalid iclog size set by\nmkfs\u0026quot;) added a fixup for incorrect h_size values used for the initial\numount record in old xfsprogs versions. Later commit 0c771b99d6c9\n(\u0026quot;xfs: clean up calculation of LR header blocks\u0026quot;) cleaned up the log\nreover buffer calculation, but stoped using the fixed up h_size value\nto size the log recovery buffer, which can lead to an out of bounds\naccess when the incorrect h_size does not come from the old mkfs\ntool, but a fuzzer.\r\n\r\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\ninto account for this calculation.(CVE-2024-39472)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: v4l: async: Properly re-initialise notifier entry in unregister\r\n\r\nThe notifier_entry of a notifier is not re-initialised after unregistering\nthe notifier. This leads to dangling pointers being left there so use\nlist_del_init() to return the notifier_entry an empty list.(CVE-2024-39485)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nima: Fix use-after-free on a dentry\u0026apos;s dname.name\r\n\r\n-\u0026gt;d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (-\u0026gt;d_lock on dentry,\n-\u0026gt;d_lock on its parent, -\u0026gt;i_rwsem exclusive on the parent\u0026apos;s inode,\nrename_lock), but none of those are met at any of the sites. Take a stable\nsnapshot of the name instead.(CVE-2024-39494)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\r\n\r\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg-\u0026gt;event_data.event is passed to event_deliver() and used\nas an index without sanitization.\r\n\r\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\r\n\r\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\r\n\r\nOnly compile tested, no access to HW.(CVE-2024-39499)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/komeda: check for error-valued pointer\r\n\r\nkomeda_pipeline_get_state() may return an error-valued pointer, thus\ncheck the pointer for negative or null value before dereferencing.(CVE-2024-39505)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\r\n\r\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta-\u0026gt;ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta-\u0026gt;ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\r\n\r\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\r\n\r\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock.(CVE-2024-40912)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\r\n\r\nWhen reading EDID fails and driver reports no modes available, the DRM\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\nable to drive such mode, so report a safe 640x480 mode instead of nothing\nin case of the EDID reading failure.\r\n\r\nThis fixes the following issue observed on Trats2 board since commit\n13d5b040363c (\u0026quot;drm/exynos: do not return negative values from .get_modes()\u0026quot;):\r\n\r\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n[CRTC:70:crtc-1] vblank wait timed out\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x68/0x88\n dump_stack_lvl from __warn+0x7c/0x1c4\n __warn from warn_slowpath_fmt+0x11c/0x1a8\n warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\n drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184\n commit_tail from drm_atomic_helper_commit+0x168/0x190\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\n fbcon_init from visual_init+0xc0/0x108\n visual_init from do_bind_con_driver+0x1b8/0x3a4\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\n drm_client_register from exynos_drm_bind+0x160/0x190\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\n __component_add from mixer_probe+0x74/0xcc\n mixer_probe from platform_probe+0x5c/0xb8\n platform_probe from really_probe+0xe0/0x3d8\n really_probe from __driver_probe_device+0x9c/0x1e4\n __driver_probe_device from driver_probe_device+0x30/0xc0\n driver_probe_device from __device_attach_driver+0xa8/0x120\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\n bus_for_each_drv from __device_attach+0xac/0x1fc\n __device_attach from bus_probe_device+0x8c/0x90\n bus_probe_device from deferred_probe_work_func+0\n---truncated---(CVE-2024-40916)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved: parisc: Try to fix random segmentation faults in package builds PA-RISC systems with PA8800 and PA8900 processors have had problems with random segmentation faults for many years. Systems with earlier processors are much more stable. Systems with PA8800 and PA8900 processors have a large L2 cache which needs per page flushing for decent performance when a large range is flushed. The combined cache in these systems is also more sensitive to non-equivalent aliases than the caches in earlier systems. The majority of random segmentation faults that I have looked at appear to be memory corruption in memory allocated using mmap and malloc. My first attempt at fixing the random faults didn\u0026apos;t work. On reviewing the cache code, I realized that there were two issues which the existing code didn\u0026apos;t handle correctly. Both relate to cache move-in. Another issue is that the present bit in PTEs is racy. 1) PA-RISC caches have a mind of their own and they can speculatively load data and instructions for a page as long as there is a entry in the TLB for the page which allows move-in. TLBs are local to each CPU. Thus, the TLB entry for a page must be purged before flushing the page. This is particularly important on SMP systems. In some of the flush routines, the flush routine would be called and then the TLB entry would be purged. This was because the flush routine needed the TLB entry to do the flush. 2) My initial approach to trying the fix the random faults was to try and use flush_cache_page_if_present for all flush operations. This actually made things worse and led to a couple of hardware lockups. It finally dawned on me that some lines weren\u0026apos;t being flushed because the pte check code was racy. This resulted in random inequivalent mappings to physical pages. The __flush_cache_page tmpalias flush sets up its own TLB entry and it doesn\u0026apos;t need the existing TLB entry. As long as we can find the pte pointer for the vm page, we can get the pfn and physical address of the page. We can also purge the TLB entry for the page before doing the flush. Further, __flush_cache_page uses a special TLB entry that inhibits cache move-in. When switching page mappings, we need to ensure that lines are removed from the cache. It is not sufficient to just flush the lines to memory as they may come back. This made it clear that we needed to implement all the required flush operations using tmpalias routines. This includes flushes for user and kernel pages. After modifying the code to use tmpalias flushes, it became clear that the random segmentation faults were not fully resolved. The frequency of faults was worse on systems with a 64 MB L2 (PA8900) and systems with more CPUs (rp4440). The warning that I added to flush_cache_page_if_present to detect pages that couldn\u0026apos;t be flushed triggered frequently on some systems. Helge and I looked at the pages that couldn\u0026apos;t be flushed and found that the PTE was either cleared or for a swap page. Ignoring pages that were swapped out seemed okay but pages with cleared PTEs seemed problematic. I looked at routines related to pte_clear and noticed ptep_clear_flush. The default implementation just flushes the TLB entry. However, it was obvious that on parisc we need to flush the cache page as well. If we don\u0026apos;t flush the cache page, stale lines will be left in the cache and cause random corruption. Once a PTE is cleared, there is no way to find the physical address associated with the PTE and flush the associated page at a later time. I implemented an updated change with a parisc specific version of ptep_clear_flush. It fixed the random data corruption on Helge\u0026apos;s rp4440 and rp3440, as well as on my c8000. At this point, I realized that I could restore the code where we only flush in flush_cache_page_if_present if the page has been accessed. However, for this, we also need to flush the cache when the accessed bit is cleared in ---truncated---(CVE-2024-40918)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvmxnet3: disable rx data ring on dma allocation failure\r\n\r\nWhen vmxnet3_rq_create() fails to allocate memory for rq-\u0026gt;data_ring.base,\nthe subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset\nrq-\u0026gt;data_ring.desc_size for the data ring that failed, which presumably\ncauses the hypervisor to reference it on packet reception.\r\n\r\nTo fix this bug, rq-\u0026gt;data_ring.desc_size needs to be set to 0 to tell\nthe hypervisor to disable this feature.\r\n\r\n[ 95.436876] kernel BUG at net/core/skbuff.c:207!\n[ 95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1\n[ 95.441558] Hardware name: VMware, Inc. VMware Virtual\nPlatform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018\n[ 95.443481] RIP: 0010:skb_panic+0x4d/0x4f\n[ 95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50\nff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9\nff \u0026lt;0f\u0026gt; 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24\n[ 95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246\n[ 95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f\n[ 95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f\n[ 95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60\n[ 95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000\n[ 95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0\n[ 95.455682] FS: 0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000\n[ 95.457178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0\n[ 95.459791] Call Trace:\n[ 95.460515] \u0026lt;IRQ\u0026gt;\n[ 95.461180] ? __die_body.cold+0x19/0x27\n[ 95.462150] ? die+0x2e/0x50\n[ 95.462976] ? do_trap+0xca/0x110\n[ 95.463973] ? do_error_trap+0x6a/0x90\n[ 95.464966] ? skb_panic+0x4d/0x4f\n[ 95.465901] ? exc_invalid_op+0x50/0x70\n[ 95.466849] ? skb_panic+0x4d/0x4f\n[ 95.467718] ? asm_exc_invalid_op+0x1a/0x20\n[ 95.468758] ? skb_panic+0x4d/0x4f\n[ 95.469655] skb_put.cold+0x10/0x10\n[ 95.470573] vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]\n[ 95.471853] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]\n[ 95.473185] __napi_poll+0x2b/0x160\n[ 95.474145] net_rx_action+0x2c6/0x3b0\n[ 95.475115] handle_softirqs+0xe7/0x2a0\n[ 95.476122] __irq_exit_rcu+0x97/0xb0\n[ 95.477109] common_interrupt+0x85/0xa0\n[ 95.478102] \u0026lt;/IRQ\u0026gt;\n[ 95.478846] \u0026lt;TASK\u0026gt;\n[ 95.479603] asm_common_interrupt+0x26/0x40\n[ 95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20\n[ 95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 \u0026lt;e9\u0026gt; 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90\n[ 95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246\n[ 95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000\n[ 95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001\n[ 95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3\n[ 95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260\n[ 95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000\n[ 95.495035] acpi_safe_halt+0x14/0x20\n[ 95.496127] acpi_idle_do_entry+0x2f/0x50\n[ 95.497221] acpi_idle_enter+0x7f/0xd0\n[ 95.498272] cpuidle_enter_state+0x81/0x420\n[ 95.499375] cpuidle_enter+0x2d/0x40\n[ 95.500400] do_idle+0x1e5/0x240\n[ 95.501385] cpu_startup_entry+0x29/0x30\n[ 95.502422] start_secondary+0x11c/0x140\n[ 95.503454] common_startup_64+0x13e/0x141\n[ 95.504466] \u0026lt;/TASK\u0026gt;\n[ 95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4\nnft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip\n---truncated---(CVE-2024-40923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\r\n\r\nIn some versions of cfg80211, the ssids poinet might be a valid one even\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\nout-of-bound access. Fix this by checking n_ssids first.(CVE-2024-40929)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/exynos/vidi: fix memory leak in .get_modes()\r\n\r\nThe duplicated EDID is never freed. Fix it.(CVE-2024-40932)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncxl/region: Fix memregion leaks in devm_cxl_add_region()\r\n\r\nMove the mode verification to __create_region() before allocating the\nmemregion to avoid the memregion leaks.(CVE-2024-40936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: mvm: don\u0026apos;t read past the mfuart notifcation\r\n\r\nIn case the firmware sends a notification that claims it has more data\nthan it has, we will read past that was allocated for the notification.\nRemove the print of the buffer, we won\u0026apos;t see it by default. If needed,\nwe can see the content with tracing.\r\n\r\nThis was reported by KFENCE.(CVE-2024-40941)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix races between hole punching and AIO+DIO\r\n\r\nAfter commit \u0026quot;ocfs2: return real error code in ocfs2_dio_wr_get_block\u0026quot;,\nfstests/generic/300 become from always failed to sometimes failed:\r\n\r\n========================================================================\n[ 473.293420 ] run fstests generic/300\r\n\r\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\n[ 494.292018 ] OCFS2: File system is now read-only.\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\n=========================================================================\r\n\r\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\nextents to a list. extents are also inserted into extent tree in\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\nhole at one of the unwritten extent. The extent at cpos was removed by\nocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list\nfound there is no such extent at the cpos.\r\n\r\n T1 T2 T3\n inode lock\n ...\n insert extents\n ...\n inode unlock\nocfs2_fallocate\n __ocfs2_change_file_space\n inode lock\n lock ip_alloc_sem\n ocfs2_remove_inode_range inode\n ocfs2_remove_btree_range\n ocfs2_remove_extent\n ^---remove the extent at cpos 78723\n ...\n unlock ip_alloc_sem\n inode unlock\n ocfs2_dio_end_io\n ocfs2_dio_end_io_write\n lock ip_alloc_sem\n ocfs2_mark_extent_written\n ocfs2_change_extent_flag\n ocfs2_search_extent_list\n ^---failed to find extent\n ...\n unlock ip_alloc_sem\r\n\r\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\nso fix it by adding to wait for all dio before fallocate/punch_hole like\next4.(CVE-2024-40943)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()\r\n\r\nbdev-\u0026gt;bd_super has been removed and commit 8887b94d9322 change the usage\nfrom bdev-\u0026gt;bd_super to b_assoc_map-\u0026gt;host-\u0026gt;i_sb. Since ocfs2 hasn\u0026apos;t set\nbh-\u0026gt;b_assoc_map, it will trigger NULL pointer dereference when calling\ninto ocfs2_abort_trigger().\r\n\r\nActually this was pointed out in history, see commit 74e364ad1b13. But\nI\u0026apos;ve made a mistake when reviewing commit 8887b94d9322 and then\nre-introduce this regression.\r\n\r\nSince we cannot revive bdev in buffer head, so fix this issue by\ninitializing all types of ocfs2 triggers when fill super, and then get the\nspecific ocfs2 trigger from ocfs2_caching_info when access journal.\r\n\r\n[joseph.qi@linux.alibaba.com: v2]\n Link: https://lkml.kernel.org/r/20240602112045.1112708-1-joseph.qi@linux.alibaba.com(CVE-2024-40951)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()\r\n\r\nbdev-\u0026gt;bd_super has been removed and commit 8887b94d9322 change the usage\nfrom bdev-\u0026gt;bd_super to b_assoc_map-\u0026gt;host-\u0026gt;i_sb. This introduces the\nfollowing NULL pointer dereference in ocfs2_journal_dirty() since\nb_assoc_map is still not initialized. This can be easily reproduced by\nrunning xfstests generic/186, which simulate no more credits.\r\n\r\n[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000\n...\n[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n...\n[ 134.365071] Call Trace:\n[ 134.365312] \u0026lt;TASK\u0026gt;\n[ 134.365524] ? __die_body+0x1e/0x60\n[ 134.365868] ? page_fault_oops+0x13d/0x4f0\n[ 134.366265] ? __pfx_bit_wait_io+0x10/0x10\n[ 134.366659] ? schedule+0x27/0xb0\n[ 134.366981] ? exc_page_fault+0x6a/0x140\n[ 134.367356] ? asm_exc_page_fault+0x26/0x30\n[ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n[ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]\n[ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]\n[ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2]\n[ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]\n[ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2]\n[ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2]\n[ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]\n[ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]\n[ 134.372994] ? inode_update_timestamps+0x4a/0x120\n[ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]\n[ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2]\n[ 134.376971] ? security_file_permission+0x29/0x50\n[ 134.377644] vfs_clone_file_range+0xfe/0x320\n[ 134.378268] ioctl_file_clone+0x45/0xa0\n[ 134.378853] do_vfs_ioctl+0x457/0x990\n[ 134.379422] __x64_sys_ioctl+0x6e/0xd0\n[ 134.379987] do_syscall_64+0x5d/0x170\n[ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 134.381231] RIP: 0033:0x7fa4926397cb\n[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48\n[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb\n[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003\n[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000\n[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000\n[ 134.389207] \u0026lt;/TASK\u0026gt;\r\n\r\nFix it by only aborting transaction and journal in ocfs2_journal_dirty()\nnow, and leave ocfs2_abort() later when detecting an aborted handle,\ne.g. start next transaction. Also log the handle details in this case.(CVE-2024-40952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\r\n\r\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\r\n\r\n [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n [74830.655633] #PF: supervisor read access in kernel mode\n [74830.657888] #PF: error_code(0x0000) - not-present page\n [74830.659500] PGD 0 P4D 0\n [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n ...\n [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n ...\n [74830.689725] Call Trace:\n [74830.690402] \u0026lt;IRQ\u0026gt;\n [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\n [74830.694275] ? __die_body.cold+0x8/0xd\n [74830.695205] ? page_fault_oops+0xac/0x140\n [74830.696244] ? exc_page_fault+0x62/0x150\n [74830.697225] ? asm_exc_page_fault+0x22/0x30\n [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\n [74830.700758] ? ip6_route_input+0x19d/0x240\n [74830.701752] nf_hook_slow+0x3f/0xb0\n [74830.702678] input_action_end_dx4+0x19b/0x1e0\n [74830.703735] ? input_action_end_t+0xe0/0xe0\n [74830.704734] seg6_local_input_core+0x2d/0x60\n [74830.705782] lwtunnel_input+0x5b/0xb0\n [74830.706690] __netif_receive_skb_one_core+0x63/0xa0\n [74830.707825] process_backlog+0x99/0x140\n [74830.709538] __napi_poll+0x2c/0x160\n [74830.710673] net_rx_action+0x296/0x350\n [74830.711860] __do_softirq+0xcb/0x2ac\n [74830.713049] do_softirq+0x63/0x90\r\n\r\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()-\u0026gt;rpfilter_is_loopback():\r\n\r\n static bool\n rpfilter_is_loopback(const struct sk_buff *skb,\n \t const struct net_device *in)\n {\n // in is NULL\n return skb-\u0026gt;pkt_type == PACKET_LOOPBACK ||\n \t in-\u0026gt;flags \u0026amp; IFF_LOOPBACK;\n }(CVE-2024-40957)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nMIPS: Octeon: Add PCIe link status check\r\n\r\nThe standard PCIe configuration read-write interface is used to\naccess the configuration space of the peripheral PCIe devices\nof the mips processor after the PCIe link surprise down, it can\ngenerate kernel panic caused by \u0026quot;Data bus error\u0026quot;. So it is\nnecessary to add PCIe link status check for system protection.\nWhen the PCIe link is down or in training, assigning a value\nof 0 to the configuration address can prevent read-write behavior\nto the configuration space of peripheral PCIe devices, thereby\npreventing kernel panic.(CVE-2024-40968)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/pseries: Enforce hcall result buffer validity and size\r\n\r\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\r\n\r\nFor example, if I write a bug like this:\r\n\r\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\r\n\r\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\r\n\r\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\r\n\r\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n | ^ ~~~~~~\r\n\r\n[1] Enabled for LLVM builds but not GCC for now. See commit\n 0da6e5fd6c37 (\u0026quot;gcc: disable \u0026apos;-Warray-bounds\u0026apos; for gcc-13 too\u0026quot;) and\n related changes.(CVE-2024-40974)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\r\n\r\nNot all subsystems support a device getting removed while there are\nstill consumers of the device with a reference to the device.\r\n\r\nOne example of this is the regulator subsystem. If a regulator gets\nunregistered while there are still drivers holding a reference\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\r\n\r\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\n RIP: 0010:regulator_unregister\n Call Trace:\n \u0026lt;TASK\u0026gt;\n regulator_unregister\n devres_release_group\n i2c_device_remove\n device_release_driver_internal\n bus_remove_device\n device_del\n device_unregister\n x86_android_tablet_remove\r\n\r\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\na 5V boost converter output for powering USB devices connected to the micro\nUSB port, the bq24190-charger driver exports this as a Vbus regulator.\r\n\r\nOn the 830 (8\u0026quot;) and 1050 (\u0026quot;10\u0026quot;) models this regulator is controlled by\na platform_device and x86_android_tablet_remove() removes platform_device-s\nbefore i2c_clients so the consumer gets removed first.\r\n\r\nBut on the 1380 (13\u0026quot;) model there is a lc824206xa micro-USB switch\nconnected over I2C and the extcon driver for that controls the regulator.\nThe bq24190 i2c-client *must* be registered first, because that creates\nthe regulator with the lc824206xa listed as its consumer. If the regulator\nhas not been registered yet the lc824206xa driver will end up getting\na dummy regulator.\r\n\r\nSince in this case both the regulator provider and consumer are I2C\ndevices, the only way to ensure that the consumer is unregistered first\nis to unregister the I2C devices in reverse order of in which they were\ncreated.\r\n\r\nFor consistency and to avoid similar problems in the future change\nx86_android_tablet_remove() to unregister all device types in reverse\norder.(CVE-2024-40975)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\r\n\r\nDuring chip recovery (e.g. chip reset), there is a possible situation that\nkernel worker reset_work is holding the lock and waiting for kernel thread\nstat_worker to be parked, while stat_worker is waiting for the release of\nthe same lock.\nIt causes a deadlock resulting in the dumping of hung tasks messages and\npossible rebooting of the device.\r\n\r\nThis patch prevents the execution of stat_worker during the chip recovery.(CVE-2024-40977)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: force a dst refcount before doing decryption\r\n\r\nAs it says in commit 3bc07321ccc2 (\u0026quot;xfrm: Force a dst refcount before\nentering the xfrm type handlers\u0026quot;):\r\n\r\n\u0026quot;Crypto requests might return asynchronous. In this case we leave the\n rcu protected region, so force a refcount on the skb\u0026apos;s destination\n entry before we enter the xfrm type input/output handlers.\u0026quot;\r\n\r\nOn TIPC decryption path it has the same problem, and skb_dst_force()\nshould be called before doing decryption to avoid a possible crash.\r\n\r\nShuang reported this issue when this warning is triggered:\r\n\r\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\n [] Workqueue: crypto cryptd_queue_worker\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Call Trace:\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\n [] tipc_rcv+0xcf5/0x1060 [tipc]\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\n [] cryptd_aead_crypt+0xdb/0x190\n [] cryptd_queue_worker+0xed/0x190\n [] process_one_work+0x93d/0x17e0(CVE-2024-40983)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPICA: Revert \u0026quot;ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\u0026quot;\r\n\r\nUndo the modifications made in commit d410ee5109a1 (\u0026quot;ACPICA: avoid\n\u0026quot;Info: mapping multiple BARs. Your kernel is fine.\u0026quot;\u0026quot;). The initial\npurpose of this commit was to stop memory mappings for operation\nregions from overlapping page boundaries, as it can trigger warnings\nif different page attributes are present.\r\n\r\nHowever, it was found that when this situation arises, mapping\ncontinues until the boundary\u0026apos;s end, but there is still an attempt to\nread/write the entire length of the map, leading to a NULL pointer\ndeference. For example, if a four-byte mapping request is made but\nonly one byte is mapped because it hits the current page boundary\u0026apos;s\nend, a four-byte read/write attempt is still made, resulting in a NULL\npointer deference.\r\n\r\nInstead, map the entire length, as the ACPI specification does not\nmandate that it must be within the same page boundary. It is\npermissible for it to be mapped across different regions.(CVE-2024-40984)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\r\n\r\nAdds bounds check for sumo_vid_mapping_entry.(CVE-2024-40987)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Build event generation tests only as modules\r\n\r\nThe kprobes and synth event generation test modules add events and lock\n(get a reference) those event file reference in module init function,\nand unlock and delete it in module exit function. This is because those\nare designed for playing as modules.\r\n\r\nIf we make those modules as built-in, those events are left locked in the\nkernel, and never be removed. This causes kprobe event self-test failure\nas below.\r\n\r\n[ 97.349708] ------------[ cut here ]------------\n[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.357106] Modules linked in:\n[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14\n[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 \u0026lt;0f\u0026gt; 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90\n[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286\n[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000\n[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68\n[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000\n[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000\n[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000\n[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0\n[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 97.391196] Call Trace:\n[ 97.391967] \u0026lt;TASK\u0026gt;\n[ 97.392647] ? __warn+0xcc/0x180\n[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.395181] ? report_bug+0xbd/0x150\n[ 97.396234] ? handle_bug+0x3e/0x60\n[ 97.397311] ? exc_invalid_op+0x1a/0x50\n[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20\n[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20\n[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90\n[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.403773] ? init_kprobe_trace+0x50/0x50\n[ 97.404972] do_one_initcall+0x112/0x240\n[ 97.406113] do_initcall_level+0x95/0xb0\n[ 97.407286] ? kernel_init+0x1a/0x1a0\n[ 97.408401] do_initcalls+0x3f/0x70\n[ 97.409452] kernel_init_freeable+0x16f/0x1e0\n[ 97.410662] ? rest_init+0x1f0/0x1f0\n[ 97.411738] kernel_init+0x1a/0x1a0\n[ 97.412788] ret_from_fork+0x39/0x50\n[ 97.413817] ? rest_init+0x1f0/0x1f0\n[ 97.414844] ret_from_fork_asm+0x11/0x20\n[ 97.416285] \u0026lt;/TASK\u0026gt;\n[ 97.417134] irq event stamp: 13437323\n[ 97.418376] hardirqs last enabled at (13437337): [\u0026lt;ffffffff8110bc0c\u0026gt;] console_unlock+0x11c/0x150\n[ 97.421285] hardirqs last disabled at (13437370): [\u0026lt;ffffffff8110bbf1\u0026gt;] console_unlock+0x101/0x150\n[ 97.423838] softirqs last enabled at (13437366): [\u0026lt;ffffffff8108e17f\u0026gt;] handle_softirqs+0x23f/0x2a0\n[ 97.426450] softirqs last disabled at (13437393): [\u0026lt;ffffffff8108e346\u0026gt;] __irq_exit_rcu+0x66/0xd0\n[ 97.428850] ---[ end trace 0000000000000000 ]---\r\n\r\nAnd also, since we can not cleanup dynamic_event file, ftracetest are\nfailed too.\r\n\r\nTo avoid these issues, build these tests only as modules.(CVE-2024-41004)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetpoll: Fix race condition in netpoll_owner_active\r\n\r\nKCSAN detected a race condition in netpoll:\r\n\r\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n\u0026lt;snip\u0026gt;\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n\u0026lt;snip\u0026gt;\n\tvalue changed: 0x0000000a -\u0026gt; 0xffffffff\r\n\r\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi-\u0026gt;poll_owner\nnon atomically. The -\u0026gt;poll_owner field contains the current CPU holding\nthe lock.\r\n\r\nUse an atomic read to check if the poll owner is the current CPU.(CVE-2024-41005)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: avoid too many retransmit packets\r\n\r\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has \u0026apos;expired\u0026apos;.\r\n\r\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk-\u0026gt;icsk_user_timeout into account.\r\n\r\nBefore blamed commit, the socket would not timeout after\nicsk-\u0026gt;icsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\r\n\r\nAlso worth noting that before commit e89688e3e978 (\u0026quot;net: tcp:\nfix unexcepted socket die when snd_wnd is 0\u0026quot;), the issue\nwould last 2 minutes instead of 4.(CVE-2024-41007)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix overrunning reservations in ringbuf\r\n\r\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\nconsumer counter to show which logical position the consumer consumed the\ndata, and producer_pos which is the producer counter denoting the amount of\ndata reserved by all producers.\r\n\r\nEach time a record is reserved, the producer that \u0026quot;owns\u0026quot; the record will\nsuccessfully advance producer counter. In user space each time a record is\nread, the consumer of the data advanced the consumer counter once it finished\nprocessing. Both counters are stored in separate pages so that from user\nspace, the producer counter is read-only and the consumer counter is read-write.\r\n\r\nOne aspect that simplifies and thus speeds up the implementation of both\nproducers and consumers is how the data area is mapped twice contiguously\nback-to-back in the virtual memory, allowing to not take any special measures\nfor samples that have to wrap around at the end of the circular buffer data\narea, because the next page after the last data page would be first data page\nagain, and thus the sample will still appear completely contiguous in virtual\nmemory.\r\n\r\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\nbook-keeping the length and offset, and is inaccessible to the BPF program.\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\npossible to make a second allocated memory chunk overlapping with the first\nchunk and as a result, the BPF program is now able to edit first chunk\u0026apos;s\nheader.\r\n\r\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\nwas edited ahead of time to pass the `new_prod_pos - cons_pos \u0026gt; rb-\u0026gt;mask`\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\npages. This means that chunk B at [0x4000,0x4008] is chunk A\u0026apos;s header.\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header\u0026apos;s pg_off to then\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\nB modified chunk A\u0026apos;s header, then bpf_ringbuf_commit() refers to the wrong\npage and could cause a crash.\r\n\r\nFix it by calculating the oldest pending_pos and check whether the range\nfrom the oldest outstanding record to the newest would span beyond the ring\nbuffer size. If that is the case, then reject the request. We\u0026apos;ve tested with\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\nis still not significantly enough to matter.(CVE-2024-41009)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.0-35.0.0.43.oe2403"}]}],"ecosystem_specific":{"aarch64":["bpftool-6.6.0-35.0.0.43.oe2403.aarch64.rpm","bpftool-debuginfo-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-debuginfo-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-debugsource-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-devel-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-headers-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-source-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-tools-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-tools-debuginfo-6.6.0-35.0.0.43.oe2403.aarch64.rpm","kernel-tools-devel-6.6.0-35.0.0.43.oe2403.aarch64.rpm","perf-6.6.0-35.0.0.43.oe2403.aarch64.rpm","perf-debuginfo-6.6.0-35.0.0.43.oe2403.aarch64.rpm","python3-perf-6.6.0-35.0.0.43.oe2403.aarch64.rpm","python3-perf-debuginfo-6.6.0-35.0.0.43.oe2403.aarch64.rpm"],"src":["kernel-6.6.0-35.0.0.43.oe2403.src.rpm"],"x86_64":["bpftool-6.6.0-35.0.0.43.oe2403.x86_64.rpm","bpftool-debuginfo-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-debuginfo-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-debugsource-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-devel-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-headers-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-source-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-tools-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-tools-debuginfo-6.6.0-35.0.0.43.oe2403.x86_64.rpm","kernel-tools-devel-6.6.0-35.0.0.43.oe2403.x86_64.rpm","perf-6.6.0-35.0.0.43.oe2403.x86_64.rpm","perf-debuginfo-6.6.0-35.0.0.43.oe2403.x86_64.rpm","python3-perf-6.6.0-35.0.0.43.oe2403.x86_64.rpm","python3-perf-debuginfo-6.6.0-35.0.0.43.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1897"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34030"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36014"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36016"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36031"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36881"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36939"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36979"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38559"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38578"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38589"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38618"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38619"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39463"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39469"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39472"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39485"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39494"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39499"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39505"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40912"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40916"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40918"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40923"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40929"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40932"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40936"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40941"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40943"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40951"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40952"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40957"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40968"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40974"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40975"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40977"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40983"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40984"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40987"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41004"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41005"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41007"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41009"}],"database_specific":{"severity":"Critical"}}