{"schema_version":"1.7.2","id":"OESA-2024-2078","modified":"2024-08-30T11:09:00Z","published":"2024-08-30T11:09:00Z","upstream":["CVE-2022-48920","CVE-2022-48935","CVE-2024-36946","CVE-2024-38613","CVE-2024-39490","CVE-2024-41002","CVE-2024-41015","CVE-2024-41059","CVE-2024-41068","CVE-2024-42120","CVE-2024-42122","CVE-2024-42265","CVE-2024-42271","CVE-2024-42280","CVE-2024-42281","CVE-2024-42284","CVE-2024-42285","CVE-2024-42288","CVE-2024-42297","CVE-2024-42302","CVE-2024-42305","CVE-2024-42308","CVE-2024-42318","CVE-2024-43819","CVE-2024-43828","CVE-2024-43831","CVE-2024-43853","CVE-2024-43860","CVE-2024-43861","CVE-2024-43866","CVE-2024-43879","CVE-2024-43882"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: get rid of warning on transaction commit when using flushoncommit\r\n\r\nWhen using the flushoncommit mount option, during almost every transaction\ncommit we trigger a warning from __writeback_inodes_sb_nr():\r\n\r\n  $ cat fs/fs-writeback.c:\n  (...)\n  static void __writeback_inodes_sb_nr(struct super_block *sb, ...\n  {\n        (...)\n        WARN_ON(!rwsem_is_locked(\u0026amp;sb-\u0026gt;s_umount));\n        (...)\n  }\n  (...)\r\n\r\nThe trace produced in dmesg looks like the following:\r\n\r\n  [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3\n  [947.481623] Modules linked in: nfsd nls_cp437 cifs asn1_decoder cifs_arc4 fscache cifs_md4 ipmi_ssif\n  [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti Not tainted 95.16.3-srb-asrock-00001-g36437ad63879 #186\n  [947.497969] RIP: 0010:__writeback_inodes_sb_nr+0x7e/0xb3\n  [947.502097] Code: 24 10 4c 89 44 24 18 c6 (...)\n  [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246\n  [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 RCX: 0000000000000000\n  [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50\n  [947.535740] RBP: ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000\n  [947.541701] R10: 0000000000000002 R11: 0000000000000001 R12: ffff888100963488\n  [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460\n  [947.553621] FS:  0000000000000000(0000) GS:ffff88841fd40000(0000) knlGS:0000000000000000\n  [947.560537] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e0\n  [947.571072] Call Trace:\n  [947.572354]  \u0026lt;TASK\u0026gt;\n  [947.573266]  btrfs_commit_transaction+0x1f1/0x998\n  [947.576785]  ? start_transaction+0x3ab/0x44e\n  [947.579867]  ? schedule_timeout+0x8a/0xdd\n  [947.582716]  transaction_kthread+0xe9/0x156\n  [947.585721]  ? btrfs_cleanup_transaction.isra.0+0x407/0x407\n  [947.590104]  kthread+0x131/0x139\n  [947.592168]  ? set_kthread_struct+0x32/0x32\n  [947.595174]  ret_from_fork+0x22/0x30\n  [947.597561]  \u0026lt;/TASK\u0026gt;\n  [947.598553] ---[ end trace 644721052755541c ]---\r\n\r\nThis is because we started using writeback_inodes_sb() to flush delalloc\nwhen committing a transaction (when using -o flushoncommit), in order to\navoid deadlocks with filesystem freeze operations. This change was made\nby commit ce8ea7cc6eb313 (\u0026quot;btrfs: don\u0026apos;t call btrfs_start_delalloc_roots\nin flushoncommit\u0026quot;). After that change we started producing that warning,\nand every now and then a user reports this since the warning happens too\noften, it spams dmesg/syslog, and a user is unsure if this reflects any\nproblem that might compromise the filesystem\u0026apos;s reliability.\r\n\r\nWe can not just lock the sb-\u0026gt;s_umount semaphore before calling\nwriteback_inodes_sb(), because that would at least deadlock with\nfilesystem freezing, since at fs/super.c:freeze_super() sync_filesystem()\nis called while we are holding that semaphore in write mode, and that can\ntrigger a transaction commit, resulting in a deadlock. It would also\ntrigger the same type of deadlock in the unmount path. Possibly, it could\nalso introduce some other locking dependencies that lockdep would report.\r\n\r\nTo fix this call try_to_writeback_inodes_sb() instead of\nwriteback_inodes_sb(), because that will try to read lock sb-\u0026gt;s_umount\nand then will only call writeback_inodes_sb() if it was able to lock it.\nThis is fine because the cases where it can\u0026apos;t read lock sb-\u0026gt;s_umount\nare during a filesystem unmount or during a filesystem freeze - in those\ncases sb-\u0026gt;s_umount is write locked and sync_filesystem() is called, which\ncalls writeback_inodes_sb(). In other words, in all cases where we can\u0026apos;t\ntake a read lock on sb-\u0026gt;s_umount, writeback is already being triggered\nelsewhere.\r\n\r\nAn alternative would be to call btrfs_start_delalloc_roots() with a\nnumber of pages different from LONG_MAX, for example matching the number\nof delalloc bytes we currently have, in \n---truncated---(CVE-2022-48920)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: unregister flowtable hooks on netns exit\r\n\r\nUnregister flowtable hooks before they are releases via\nnf_tables_flowtable_destroy() otherwise hook core reports UAF.\r\n\r\nBUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142\nRead of size 4 at addr ffff8880736f7438 by task syz-executor579/3666\r\n\r\nCPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n \u0026lt;TASK\u0026gt;\n __dump_stack lib/dump_stack.c:88 [inline]\n __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106\n dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106\n print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450\n kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450\n nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142\n __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429\n nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571\n nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232\n nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430\n nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]\n nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652\n nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652\r\n\r\n__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which\nonly unregisters the hooks, then after RCU grace period, it is\nguaranteed that no packets add new entries to the flowtable (no flow\noffload rules and flowtable hooks are reachable from packet path), so it\nis safe to call nf_flow_table_free() which cleans up the remaining\nentries from the flowtable (both software and hardware) and it unbinds\nthe flow_block.(CVE-2022-48935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet: fix rtm_phonet_notify() skb allocation\r\n\r\nfill_route() stores three components in the skb:\r\n\r\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\r\n\r\nTherefore, rtm_phonet_notify() should use\r\n\r\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) +\nnla_total_size(4)(CVE-2024-36946)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nm68k: Fix spinlock race in kernel thread creation\r\n\r\nContext switching does take care to retain the correct lock owner across\nthe switch from \u0026apos;prev\u0026apos; to \u0026apos;next\u0026apos; tasks.  This does rely on interrupts\nremaining disabled for the entire duration of the switch.\r\n\r\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both \u0026apos;prev\u0026apos; and\n\u0026apos;next\u0026apos; already have interrupts disabled in their saved copies of the\nstatus register.\r\n\r\nThe situation is different for newly created kernel threads.  The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the \u0026apos;next\u0026apos; thread\u0026apos;s status register in switch_to() aka\nresume(), interrupts then become enabled prematurely.  resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\r\n\r\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner.  This causes a spinlock recursion warning as\nreported by Guenter Roeck.\r\n\r\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\u0026quot;m68k: split ret_from_fork(), simplify kernel_thread()\u0026quot;)\nbut I haven\u0026apos;t done a detailed study of kernel history so it may well\npredate that commit.\r\n\r\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space).  Disable interrupts temporarily when\nswitching the tasks\u0026apos; register sets in resume().\r\n\r\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the \u0026apos;spinlock recursion\u0026apos; warning to\nstill be observed.\r\n\r\nTested on ARAnyM and qemu (Quadra 800 emulation).(CVE-2024-38613)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix missing sk_buff release in seg6_input_core\r\n\r\nThe seg6_input() function is responsible for adding the SRH into a\npacket, delegating the operation to the seg6_input_core(). This function\nuses the skb_cow_head() to ensure that there is sufficient headroom in\nthe sk_buff for accommodating the link-layer header.\nIn the event that the skb_cow_header() function fails, the\nseg6_input_core() catches the error but it does not release the sk_buff,\nwhich will result in a memory leak.\r\n\r\nThis issue was introduced in commit af3b5158b89d (\u0026quot;ipv6: sr: fix BUG due\nto headroom too small after SRH push\u0026quot;) and persists even after commit\n7a3f5b0de364 (\u0026quot;netfilter: add netfilter hooks to SRv6 data plane\u0026quot;),\nwhere the entire seg6_input() code was refactored to deal with netfilter\nhooks.\r\n\r\nThe proposed patch addresses the identified memory leak by requiring the\nseg6_input_core() function to release the sk_buff in the event that\nskb_cow_head() fails.(CVE-2024-39490)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\r\n\r\nThe AIV is one of the SEC resources. When releasing resources,\nit need to release the AIV resources at the same time.\nOtherwise, memory leakage occurs.\r\n\r\nThe aiv resource release is added to the sec resource release\nfunction.(CVE-2024-41002)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: add bounds checking to ocfs2_check_dir_entry()\r\n\r\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\nocfs2_dir_entry don\u0026apos;t stray beyond valid memory region.(CVE-2024-41015)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhfsplus: fix uninit-value in copy_name\r\n\r\n[syzbot reported]\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\n sized_strscpy+0xc4/0x160\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3877 [inline]\n slab_alloc_node mm/slub.c:3918 [inline]\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\n kmalloc include/linux/slab.h:628 [inline]\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[Fix]\nWhen allocating memory to strbuf, initialize memory to 0.(CVE-2024-41059)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/sclp: Fix sclp_init() cleanup on failure\r\n\r\nIf sclp_init() fails it only partially cleans up: if there are multiple\nfailing calls to sclp_init() sclp_state_change_event will be added several\ntimes to sclp_reg_list, which results in the following warning:\r\n\r\n------------[ cut here ]------------\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\n           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\n...\nCall Trace:\n [\u0026lt;000003ffe0d6076a\u0026gt;] __list_add_valid_or_report+0xe2/0xf8\n([\u0026lt;000003ffe0d60766\u0026gt;] __list_add_valid_or_report+0xde/0xf8)\n [\u0026lt;000003ffe0a8d37e\u0026gt;] sclp_init+0x40e/0x450\n [\u0026lt;000003ffe00009f2\u0026gt;] do_one_initcall+0x42/0x1e0\n [\u0026lt;000003ffe15b77a6\u0026gt;] do_initcalls+0x126/0x150\n [\u0026lt;000003ffe15b7a0a\u0026gt;] kernel_init_freeable+0x1ba/0x1f8\n [\u0026lt;000003ffe0d6650e\u0026gt;] kernel_init+0x2e/0x180\n [\u0026lt;000003ffe000301c\u0026gt;] __ret_from_fork+0x3c/0x60\n [\u0026lt;000003ffe0d759ca\u0026gt;] ret_from_fork+0xa/0x30\r\n\r\nFix this by removing sclp_state_change_event from sclp_reg_list when\nsclp_init() fails.(CVE-2024-41068)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Check pipe offset before setting vblank\r\n\r\npipe_ctx has a size of MAX_PIPES so checking its index before accessing\nthe array.\r\n\r\nThis fixes an OVERRUN issue reported by Coverity.(CVE-2024-42120)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Add NULL pointer check for kzalloc\r\n\r\n[Why \u0026amp; How]\nCheck return pointer of kzalloc before using it.(CVE-2024-42122)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nprotect the fetch of -\u0026gt;fd[fd] in do_dup2() from mispredictions\r\n\r\nboth callers have verified that fd is not greater than -\u0026gt;max_fds;\nhowever, misprediction might end up with\n        tofree = fdt-\u0026gt;fd[fd];\nbeing speculatively executed.  That\u0026apos;s wrong for the same reasons\nwhy it\u0026apos;s wrong in close_fd()/file_close_fd_locked(); the same\nsolution applies - array_index_nospec(fd, fdt-\u0026gt;max_fds) could differ\nfrom fd only in case of speculative execution on mispredicted path.(CVE-2024-42265)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/iucv: fix use after free in iucv_sock_close()\r\n\r\niucv_sever_path() is called from process context and from bh context.\niucv-\u0026gt;path is used as indicator whether somebody else is taking care of\nsevering the path (or it is already removed / never existed).\nThis needs to be done with atomic compare and swap, otherwise there is a\nsmall window where iucv_sock_close() will try to work with a path that has\nalready been severed and freed by iucv_callback_connrej() called by\niucv_tasklet_fn().\r\n\r\nExample:\n[452744.123844] Call Trace:\n[452744.123845] ([\u0026lt;0000001e87f03880\u0026gt;] 0x1e87f03880)\n[452744.123966]  [\u0026lt;00000000d593001e\u0026gt;] iucv_path_sever+0x96/0x138\n[452744.124330]  [\u0026lt;000003ff801ddbca\u0026gt;] iucv_sever_path+0xc2/0xd0 [af_iucv]\n[452744.124336]  [\u0026lt;000003ff801e01b6\u0026gt;] iucv_sock_close+0xa6/0x310 [af_iucv]\n[452744.124341]  [\u0026lt;000003ff801e08cc\u0026gt;] iucv_sock_release+0x3c/0xd0 [af_iucv]\n[452744.124345]  [\u0026lt;00000000d574794e\u0026gt;] __sock_release+0x5e/0xe8\n[452744.124815]  [\u0026lt;00000000d5747a0c\u0026gt;] sock_close+0x34/0x48\n[452744.124820]  [\u0026lt;00000000d5421642\u0026gt;] __fput+0xba/0x268\n[452744.124826]  [\u0026lt;00000000d51b382c\u0026gt;] task_work_run+0xbc/0xf0\n[452744.124832]  [\u0026lt;00000000d5145710\u0026gt;] do_notify_resume+0x88/0x90\n[452744.124841]  [\u0026lt;00000000d5978096\u0026gt;] system_call+0xe2/0x2c8\n[452744.125319] Last Breaking-Event-Address:\n[452744.125321]  [\u0026lt;00000000d5930018\u0026gt;] iucv_path_sever+0x90/0x138\n[452744.125324]\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\r\n\r\nNote that bh_lock_sock() is not serializing the tasklet context against\nprocess context, because the check for sock_owned_by_user() and\ncorresponding handling is missing.\r\n\r\nIdeas for a future clean-up patch:\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\nRe-enqueue, if needed. This may require adding return values to the\ntasklet functions and thus changes to all users of iucv.\r\n\r\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv.(CVE-2024-42271)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmISDN: Fix a use after free in hfcmulti_tx()\r\n\r\nDon\u0026apos;t dereference *sp after calling dev_kfree_skb(*sp).(CVE-2024-42280)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix a segment issue when downgrading gso_size\r\n\r\nLinearize the skb when downgrading gso_size because it may trigger a\nBUG_ON() later when the skb is segmented as described in [1,2].(CVE-2024-42281)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: Return non-zero value from tipc_udp_addr2str() on error\r\n\r\ntipc_udp_addr2str() should return non-zero value if the UDP media\naddress is invalid. Otherwise, a buffer overflow access can occur in\ntipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP\nmedia address.(CVE-2024-42284)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\r\n\r\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\nan existing struct iw_cm_id (cm_id) as follows:\r\n\r\n        conn_id-\u0026gt;cm_id.iw = cm_id;\n        cm_id-\u0026gt;context = conn_id;\n        cm_id-\u0026gt;cm_handler = cma_iw_handler;\r\n\r\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\nsure that cm_work_handler() does not trigger a use-after-free by only\nfreeing of the struct rdma_id_private after all pending work has finished.(CVE-2024-42285)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: qla2xxx: Fix for possible memory corruption\r\n\r\nInit Control Block is dereferenced incorrectly.  Correctly dereference ICB(CVE-2024-42288)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to don\u0026apos;t dirty inode for readonly filesystem\r\n\r\nsyzbot reports f2fs bug as below:\r\n\r\nkernel BUG at fs/f2fs/inode.c:933!\nRIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933\nCall Trace:\n evict+0x2a4/0x620 fs/inode.c:664\n dispose_list fs/inode.c:697 [inline]\n evict_inodes+0x5f8/0x690 fs/inode.c:747\n generic_shutdown_super+0x9d/0x2c0 fs/super.c:675\n kill_block_super+0x44/0x90 fs/super.c:1667\n kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894\n deactivate_locked_super+0xc1/0x130 fs/super.c:484\n cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256\n task_work_run+0x24a/0x300 kernel/task_work.c:180\n ptrace_notify+0x2cd/0x380 kernel/signal.c:2399\n ptrace_report_syscall include/linux/ptrace.h:411 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]\n syscall_exit_work kernel/entry/common.c:251 [inline]\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]\n syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296\n do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nThe root cause is:\n- do_sys_open\n - f2fs_lookup\n  - __f2fs_find_entry\n   - f2fs_i_depth_write\n    - f2fs_mark_inode_dirty_sync\n     - f2fs_dirty_inode\n      - set_inode_flag(inode, FI_DIRTY_INODE)\r\n\r\n- umount\n - kill_f2fs_super\n  - kill_block_super\n   - generic_shutdown_super\n    - sync_filesystem\n    : sb is readonly, skip sync_filesystem()\n    - evict_inodes\n     - iput\n      - f2fs_evict_inode\n       - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))\n       : trigger kernel panic\r\n\r\nWhen we try to repair i_current_depth in readonly filesystem, let\u0026apos;s\nskip dirty inode to avoid panic in later f2fs_evict_inode().(CVE-2024-42297)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\r\n\r\nKeith reports a use-after-free when a DPC event occurs concurrently to\nhot-removal of the same portion of the hierarchy:\r\n\r\nThe dpc_handler() awaits readiness of the secondary bus below the\nDownstream Port where the DPC event occurred.  To do so, it polls the\nconfig space of the first child device on the secondary bus.  If that\nchild device is concurrently removed, accesses to its struct pci_dev\ncause the kernel to oops.\r\n\r\nThat\u0026apos;s because pci_bridge_wait_for_secondary_bus() neglects to hold a\nreference on the child device.  Before v6.3, the function was only\ncalled on resume from system sleep or on runtime resume.  Holding a\nreference wasn\u0026apos;t necessary back then because the pciehp IRQ thread\ncould never run concurrently.  (On resume from system sleep, IRQs are\nnot enabled until after the resume_noirq phase.  And runtime resume is\nalways awaited before a PCI device is removed.)\r\n\r\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\ncalled on a DPC event.  Commit 53b54ad074de (\u0026quot;PCI/DPC: Await readiness\nof secondary bus after reset\u0026quot;), which introduced that, failed to\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\nreference on the child device because dpc_handler() and pciehp may\nindeed run concurrently.  The commit was backported to v5.10+ stable\nkernels, so that\u0026apos;s the oldest one affected.\r\n\r\nAdd the missing reference acquisition.\r\n\r\nAbridged stack trace:\r\n\r\n  BUG: unable to handle page fault for address: 00000000091400c0\n  CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\n  RIP: pci_bus_read_config_dword+0x17/0x50\n  pci_dev_wait()\n  pci_bridge_wait_for_secondary_bus()\n  dpc_reset_link()\n  pcie_do_recovery()\n  dpc_handler()(CVE-2024-42302)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: check dot and dotdot of dx_root before making dir indexed\r\n\r\nSyzbot reports a issue as follows:\n============================================\nBUG: unable to handle page fault for address: ffffed11022e24fe\nPGD 23ffee067 P4D 23ffee067 PUD 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0\nCall Trace:\n \u0026lt;TASK\u0026gt;\n make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451\n ext4_rename fs/ext4/namei.c:3936 [inline]\n ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214\n[...]\n============================================\r\n\r\nThe immediate cause of this problem is that there is only one valid dentry\nfor the block to be split during do_split, so split==0 results in out of\nbounds accesses to the map triggering the issue.\r\n\r\n    do_split\n      unsigned split\n      dx_make_map\n       count = 1\n      split = count/2 = 0;\n      continued = hash2 == map[split - 1].hash;\n       ---\u0026gt; map[4294967295]\r\n\r\nThe maximum length of a filename is 255 and the minimum block size is 1024,\nso it is always guaranteed that the number of entries is greater than or\nequal to 2 when do_split() is called.\r\n\r\nBut syzbot\u0026apos;s crafted image has no dot and dotdot in dir, and the dentry\ndistribution in dirblock is as follows:\r\n\r\n  bus     dentry1          hole           dentry2           free\n|xx--|xx-------------|...............|xx-------------|...............|\n0   12 (8+248)=256  268     256     524 (8+256)=264 788     236     1024\r\n\r\nSo when renaming dentry1 increases its name_len length by 1, neither hole\nnor free is sufficient to hold the new dentry, and make_indexed_dir() is\ncalled.\r\n\r\nIn make_indexed_dir() it is assumed that the first two entries of the\ndirblock must be dot and dotdot, so bus and dentry1 are left in dx_root\nbecause they are treated as dot and dotdot, and only dentry2 is moved\nto the new leaf block. That\u0026apos;s why count is equal to 1.\r\n\r\nTherefore add the ext4_check_dx_root() helper function to add more sanity\nchecks to dot and dotdot before starting the conversion to avoid the above\nissue.(CVE-2024-42305)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Check for NULL pointer\r\n\r\n[why \u0026amp; how]\nNeed to make sure plane_state is initialized\nbefore accessing its members.\r\n\r\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)(CVE-2024-42308)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nlandlock: Don\u0026apos;t lose track of restrictions on cred_transfer\r\n\r\nWhen a process\u0026apos; cred struct is replaced, this _almost_ always invokes\nthe cred_prepare LSM hook; but in one special case (when\nKEYCTL_SESSION_TO_PARENT updates the parent\u0026apos;s credentials), the\ncred_transfer LSM hook is used instead.  Landlock only implements the\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\nall information on Landlock restrictions to be lost.\r\n\r\nThis basically means that a process with the ability to use the fork()\nand keyctl() syscalls can get rid of all Landlock restrictions on\nitself.\r\n\r\nFix it by adding a cred_transfer hook that does the same thing as the\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\ncall hook_cred_transfer() so that the two functions are less likely to\naccidentally diverge in the future.)(CVE-2024-42318)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkvm: s390: Reject memory region operations for ucontrol VMs\r\n\r\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\nThis is necessary since ucontrol VMs have kvm-\u0026gt;arch.gmap set to 0 and\nwould thus result in a null pointer dereference further in.\nMemory management needs to be performed in userspace and using the\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\r\n\r\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\nand KVM_SET_USER_MEMORY_REGION2.\r\n\r\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix](CVE-2024-43819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: fix infinite loop when replaying fast_commit\r\n\r\nWhen doing fast_commit replay an infinite loop may occur due to an\nuninitialized extent_status struct.  ext4_ext_determine_insert_hole() does\nnot detect the replay and calls ext4_es_find_extent_range(), which will\nreturn immediately without initializing the \u0026apos;es\u0026apos; variable.\r\n\r\nBecause \u0026apos;es\u0026apos; contains garbage, an integer overflow may happen causing an\ninfinite loop in this function, easily reproducible using fstest generic/039.\r\n\r\nThis commit fixes this issue by unconditionally initializing the structure\nin function ext4_es_find_extent_range().\r\n\r\nThanks to Zhang Yi, for figuring out the real problem!(CVE-2024-43828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: mediatek: vcodec: Handle invalid decoder vsi\r\n\r\nHandle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi\nis valid for future use.(CVE-2024-43831)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\r\n\r\nAn UAF can happen when /proc/cpuset is read as reported in [1].\r\n\r\nThis can be reproduced by the following methods:\n1.add an mdelay(1000) before acquiring the cgroup_lock In the\n cgroup_path_ns function.\n2.$cat /proc/\u0026lt;pid\u0026gt;/cpuset   repeatly.\n3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/\n$umount /sys/fs/cgroup/cpuset/   repeatly.\r\n\r\nThe race that cause this bug can be shown as below:\r\n\r\n(umount)\t\t|\t(cat /proc/\u0026lt;pid\u0026gt;/cpuset)\ncss_release\t\t|\tproc_cpuset_show\ncss_release_work_fn\t|\tcss = task_get_css(tsk, cpuset_cgrp_id);\ncss_free_rwork_fn\t|\tcgroup_path_ns(css-\u0026gt;cgroup, ...);\ncgroup_destroy_root\t|\tmutex_lock(\u0026amp;cgroup_mutex);\nrebind_subsystems\t|\ncgroup_free_root \t|\n\t\t\t|\t// cgrp was freed, UAF\n\t\t\t|\tcgroup_path_ns_locked(cgrp,..);\r\n\r\nWhen the cpuset is initialized, the root node top_cpuset.css.cgrp\nwill point to \u0026amp;cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will\nallocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated\n\u0026amp;cgroup_root.cgrp. When the umount operation is executed,\ntop_cpuset.css.cgrp will be rebound to \u0026amp;cgrp_dfl_root.cgrp.\r\n\r\nThe problem is that when rebinding to cgrp_dfl_root, there are cases\nwhere the cgroup_root allocated by setting up the root for cgroup v1\nis cached. This could lead to a Use-After-Free (UAF) if it is\nsubsequently freed. The descendant cgroups of cgroup v1 can only be\nfreed after the css is released. However, the css of the root will never\nbe released, yet the cgroup_root should be freed when it is unmounted.\nThis means that obtaining a reference to the css of the root does\nnot guarantee that css.cgrp-\u0026gt;root will not be freed.\r\n\r\nFix this problem by using rcu_read_lock in proc_cpuset_show().\nAs cgroup_root is kfree_rcu after commit d23b5c577715\n(\u0026quot;cgroup: Make operations on the cgroup root_list RCU safe\u0026quot;),\ncss-\u0026gt;cgroup won\u0026apos;t be freed during the critical section.\nTo call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to\nreplace task_get_css with task_css.\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd(CVE-2024-43853)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\r\n\r\nIn imx_rproc_addr_init() \u0026quot;nph = of_count_phandle_with_args()\u0026quot; just counts\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\nthe parsing loop (0 \u0026lt; a \u0026lt; nph) may return NULL which is later dereferenced.\nAdjust this issue by adding NULL-return check.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[Fixed title to fit within the prescribed 70-75 charcters](CVE-2024-43860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: qmi_wwan: fix memory leak for not ip packets\r\n\r\nFree the unused skb when not ip packets arrive.(CVE-2024-43861)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Always drain health in shutdown callback\r\n\r\nThere is no point in recovery during device shutdown. if health\nwork started need to wait for it to avoid races and NULL pointer\naccess.\r\n\r\nHence, drain health WQ on shutdown callback.(CVE-2024-43866)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\r\n\r\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\ncfg80211_calculate_bitrate_he(), leading to below warning:\r\n\r\nkernel: invalid HE MCS: bw:6, ru:6\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\r\n\r\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.(CVE-2024-43879)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nexec: Fix ToCToU between perm check and set-uid/gid usage\r\n\r\nWhen opening a file for exec via do_filp_open(), permission checking is\ndone against the file\u0026apos;s metadata at that moment, and on success, a file\npointer is passed back. Much later in the execve() code path, the file\nmetadata (specifically mode, uid, and gid) is used to determine if/how\nto set the uid and gid. However, those values may have changed since the\npermissions check, meaning the execution may gain unintended privileges.\r\n\r\nFor example, if a file could change permissions from executable and not\nset-id:\r\n\r\n---------x 1 root root 16048 Aug  7 13:16 target\r\n\r\nto set-id and non-executable:\r\n\r\n---S------ 1 root root 16048 Aug  7 13:16 target\r\n\r\nit is possible to gain root privileges when execution should have been\ndisallowed.\r\n\r\nWhile this race condition is rare in real-world scenarios, it has been\nobserved (and proven exploitable) when package managers are updating\nthe setuid bits of installed programs. Such files start with being\nworld-executable but then are adjusted to be group-exec with a set-uid\nbit. For example, \u0026quot;chmod o-x,u+s target\u0026quot; makes \u0026quot;target\u0026quot; executable only\nby uid \u0026quot;root\u0026quot; and gid \u0026quot;cdrom\u0026quot;, while also becoming setuid-root:\r\n\r\n-rwxr-xr-x 1 root cdrom 16048 Aug  7 13:16 target\r\n\r\nbecomes:\r\n\r\n-rwsr-xr-- 1 root cdrom 16048 Aug  7 13:16 target\r\n\r\nBut racing the chmod means users without group \u0026quot;cdrom\u0026quot; membership can\nget the permission to execute \u0026quot;target\u0026quot; just before the chmod, and when\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\nsetuid to root, violating the expressed authorization of \u0026quot;only cdrom\ngroup members can setuid to root\u0026quot;.\r\n\r\nRe-check that we still have execute permissions in case the metadata\nhas changed. It would be better to keep a copy from the perm-check time,\nbut until we can do that refactoring, the least-bad option is to do a\nfull inode_permission() call (under inode lock). It is understood that\nthis is safe against dead-locks, but hardly optimal.(CVE-2024-43882)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-225.0.0.128.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","perf-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-225.0.0.128.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-225.0.0.128.oe2203sp3.src.rpm"],"x86_64":["kernel-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","perf-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-225.0.0.128.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2078"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48920"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48935"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36946"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38613"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39490"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41002"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41015"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41059"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41068"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42120"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42122"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42265"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42271"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42280"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42281"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42284"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42285"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42288"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42297"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42302"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42305"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42308"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42318"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43819"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43828"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43831"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43853"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43860"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43861"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43866"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43879"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43882"}],"database_specific":{"severity":"High"}}