{"id":"OESA-2024-1738","summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nafs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server\r\n\r\nAFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and\nLinux's afs client switches between them when talking to a non-YFS server\nif the read size, the file position or the sum of the two have the upper 32\nbits set of the 64-bit value.\r\n\r\nThis is a problem, however, since the file position and length fields of\nFS.FetchData are *signed* 32-bit values.\r\n\r\nFix this by capturing the capability bits obtained from the fileserver when\nit's sent an FS.GetCapabilities RPC, rather than just discarding them, and\nthen picking out the VICED_CAPABILITY_64BITFILES flag. This can then be\nused to decide whether to use FS.FetchData or FS.FetchData64 - and also\nFS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to\nswitch on the parameter values.\r\n\r\nThis capabilities flag could also be used to limit the maximum size of the\nfile, but all servers must be checked for that.\r\n\r\nNote that the issue does not exist with FS.StoreData - that uses *unsigned*\n32-bit values. It's also not a problem with Auristor servers as its\nYFS.FetchData64 op uses unsigned 64-bit values.\r\n\r\nThis can be tested by cloning a git repo through an OpenAFS client to an\nOpenAFS server and then doing "git status" on it from a Linux afs\nclient[1]. Provided the clone has a pack file that's in the 2G-4G range,\nthe git status will show errors like:\r\n\r\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\r\n\r\nThis can be observed in the server's FileLog with something like the\nfollowing appearing:\r\n\r\nSun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001\nSun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866\n...\nSun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5\r\n\r\nNote the file position of 18446744071815340032. This is the requested file\nposition sign-extended.(CVE-2021-47366)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: Fix possible access to freed memory in link clear\r\n\r\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\r\n\r\nHere is a crash example:\r\n\r\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <IRQ>\n _raw_spin_lock_irqsave+0x30/0x40\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n tasklet_action_common.isra.21+0x66/0x100\n __do_softirq+0xd5/0x29c\n asm_call_irq_on_stack+0x12/0x20\n </IRQ>\n do_softirq_own_stack+0x37/0x40\n irq_exit_rcu+0x9d/0xa0\n sysvec_call_function_single+0x34/0x80\n asm_sysvec_call_function_single+0x12/0x20(CVE-2022-48673)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\r\n\r\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue: 0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n <IRQ>\n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n </IRQ>(CVE-2022-48692)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrpmsg: virtio: Free driver_override when rpmsg_remove()\r\n\r\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\r\n\r\nunreferenced object 0xffff0000d55d7080 (size 128):\n comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s)\n hex dump (first 32 bytes):\n 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n [<00000000228a60c3>] kstrndup+0x4c/0x90\n [<0000000077158695>] driver_set_override+0xd0/0x164\n [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n [<00000000443331cc>] really_probe+0xbc/0x2dc\n [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n [<000000003b929a36>] __device_attach+0x9c/0x19c\n [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n [<000000003c999637>] bus_probe_device+0xa0/0xac(CVE-2023-52670)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: avoid format-overflow warning\r\n\r\nWith gcc and W=1 option, there's a warning like this:\r\n\r\nfs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:\nfs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between\n1 and 7 bytes into a region of size between 5 and 8\n[-Werror=format-overflow=]\n 1984 | sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev),\n\t\tMINOR(dev));\n | ^~\r\n\r\nString "f2fs_page_array_entry-%u:%u" can up to 35. The first "%u" can up\nto 4 and the second "%u" can up to 7, so total size is "24 + 4 + 7 = 35".\nslab_name's size should be 35 rather than 32.(CVE-2023-52748)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: core: Run atomic i2c xfer when !preemptible\r\n\r\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\nwait_for_completion() while waiting for the DMA).\r\n\r\npanic() calls preempt_disable_notrace() before calling\nemergency_restart(). Therefore, if an i2c device is used for the\nrestart, the xfer should be atomic. This avoids warnings like:\r\n\r\n[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\n[ 12.676926] Voluntary context switch within RCU read-side critical section!\n...\n[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114\n[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\n...\n[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58\n[ 13.001050] machine_restart from panic+0x2a8/0x32c\r\n\r\nUse !preemptible() instead, which is basically the same check as\npre-v5.2.(CVE-2023-52791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panel: fix a possible null pointer dereference\r\n\r\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2023-52821)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: vidtv: mux: Add check and kfree for kstrdup\r\n\r\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.\nMoreover, use kfree() in the later error handling in order to avoid\nmemory leak.(CVE-2023-52841)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52873)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\r\n\r\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.(CVE-2023-52882)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_set_pipapo: do not free live element\r\n\r\nPablo reports a crash with large batches of elements with a\nback-to-back add/remove pattern. Quoting Pablo:\r\n\r\n add_elem("00000000") timeout 100 ms\n ...\n add_elem("0000000X") timeout 100 ms\n del_elem("0000000X") <---------------- delete one that was just added\n ...\n add_elem("00005000") timeout 100 ms\r\n\r\n 1) nft_pipapo_remove() removes element 0000000X\n Then, KASAN shows a splat.\r\n\r\nLooking at the remove function there is a chance that we will drop a\nrule that maps to a non-deactivated element.\r\n\r\nRemoval happens in two steps, first we do a lookup for key k and return the\nto-be-removed element and mark it as inactive in the next generation.\nThen, in a second step, the element gets removed from the set/map.\r\n\r\nThe _remove function does not work correctly if we have more than one\nelement that share the same key.\r\n\r\nThis can happen if we insert an element into a set when the set already\nholds an element with same key, but the element mapping to the existing\nkey has timed out or is not active in the next generation.\r\n\r\nIn such case its possible that removal will unmap the wrong element.\nIf this happens, we will leak the non-deactivated element, it becomes\nunreachable.\r\n\r\nThe element that got deactivated (and will be freed later) will\nremain reachable in the set data structure, this can result in\na crash when such an element is retrieved during lookup (stale\npointer).\r\n\r\nAdd a check that the fully matching key does in fact map to the element\nthat we have marked as inactive in the deactivation step.\nIf not, we need to continue searching.\r\n\r\nAdd a bug/warn trap at the end of the function as well, the remove\nfunction must not ever be called with an invisible/unreachable/non-existent\nelement.\r\n\r\nv2: avoid uneeded temporary variable (Stefano)(CVE-2024-26924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix unremoved procfs host directory regression\r\n\r\nCommit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host\ndirectory removal regression"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\r\n\r\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function "pairs" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\r\n\r\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\r\n\r\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\r\n\r\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\r\n\r\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.(CVE-2024-26935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\r\n\r\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.(CVE-2024-26936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\r\n\r\nSince commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account\nfreed memory map alignment") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\r\n\r\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is:0xc0900000, 0x100000\r\n\r\nthe crash backtrace like:\r\n\r\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\r\n\r\nSo check if PG_reserved was set to solve this issue.\r\n\r\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/(CVE-2024-26947)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\r\n\r\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().(CVE-2024-26954)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm: swap: fix race between free_swap_and_cache() and swapoff()\r\n\r\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\r\n\r\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\r\n\r\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff. So I've added an equivalent check directly in\nfree_swap_and_cache().\r\n\r\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\r\n\r\n--8<-----\r\n\r\n__swap_entry_free() might be the last user and result in\n"count == SWAP_HAS_CACHE".\r\n\r\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\r\n\r\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\r\n\r\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\r\n\r\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\r\n\r\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\r\n\r\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\r\n\r\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\r\n\r\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\r\n\r\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\r\n\r\n--8<-----(CVE-2024-26960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Prevent deadlock while disabling aRFS\r\n\r\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\r\n\r\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\r\n\r\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\r\n\r\nKernel log:\r\n\r\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\r\n\r\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nwhich lock already depends on the new lock.\r\n\r\nthe existing dependency chain (in reverse order) is:\r\n\r\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\r\n\r\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\r\n\r\nother info that might help us debug this:\r\n\r\n Possible unsafe locking scenario:\r\n\r\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\r\n\r\n *** DEADLOCK ***\r\n\r\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---(CVE-2024-27014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\r\n\r\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\r\n\r\nBased on patch from Florian Westphal.(CVE-2024-27017)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\r\n\r\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.(CVE-2024-27019)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'\r\n\r\nThe 'stream' pointer is used in dcn10_set_output_transfer_func() before\nthe check if 'stream' is NULL.\r\n\r\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)(CVE-2024-27044)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ll_temac: platform_get_resource replaced by wrong function\r\n\r\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\r\n\r\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\r\n\r\n\tif (type == resource_type(r) && !strcmp(r->name, name))\r\n\r\nIt should have been replaced with devm_platform_ioremap_resource.(CVE-2024-35796)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\r\n\r\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\r\n\r\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 ("net: dpaa: Adjust queue depth on rate change")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.(CVE-2024-35819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nubifs: Set page uptodate in the correct place\r\n\r\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data. Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.(CVE-2024-35821)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\r\n\r\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to\nbe freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().(CVE-2024-35828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix UAF in smb2_reconnect_server()\r\n\r\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses(). This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\r\n\r\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\r\n\r\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\r\n\r\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>(CVE-2024-35870)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\r\n\r\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\r\n\r\n (Thread 1) | (Thread 2)\n | ax25_ds_timeout()\nax25_dev_device_down() |\n ax25_ds_del_timer() |\n del_timer() |\n ax25_dev_put() //FREE |\n | ax25_dev-> //USE\r\n\r\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.(CVE-2024-35887)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: properly terminate timers for kernel sockets\r\n\r\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\r\n\r\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\r\n\r\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\r\n\r\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\r\n\r\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\r\n\r\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\r\n\r\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\r\n\r\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\r\n\r\nIt is very possible we can revert in the future commit\n3a58f13a881e ("net: rds: acquire refcount on TCP sockets")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\r\n\r\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.(CVE-2024-35910)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\r\n\r\nsyzbot reported the following uninit-value access issue [1][2]:\r\n\r\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\r\n\r\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.(CVE-2024-35915)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/vc4: don't check if plane->state->fb == state->fb\r\n\r\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\r\n\r\n[ 110.908514] ------------[ cut here ]------------\n[ 110.908529] refcount_t: underflow; use-after-free.\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[ 110.909170] sp : ffffffc00913b9c0\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[ 110.909434] Call trace:\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\n[ 110.914873] invoke_syscall+0x4c/0x114\n[ 110.914897] el0_svc_common+0xd0/0x118\n[ 110.914917] do_el0_svc+0x38/0xd0\n[ 110.914936] el0_svc+0x30/0x8c\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\n[ 110.914979] el0t_64_sync+0x18c/0x190\n[ 110.914996] ---[ end trace 0000000000000000 ]---\r\n\r\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\r\n\r\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---(CVE-2024-35932)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\r\n\r\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.(CVE-2024-35935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: cfg80211: check A-MSDU format more carefully\r\n\r\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.(CVE-2024-35937)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\r\n\r\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\r\n\r\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.(CVE-2024-35951)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: L2CAP: Fix not validating setsockopt user input\r\n\r\nCheck user input length before copying data.(CVE-2024-35965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: RFCOMM: Fix not validating setsockopt user input\r\n\r\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\r\n\r\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064(CVE-2024-35966)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\r\n\r\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n Reason: Neither gsm->state nor gsm->len have been reset after\n reconfiguration.\r\n\r\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\r\n\r\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.(CVE-2024-36016)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\r\n\r\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\r\n\r\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\r\n\r\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\r\n\r\n TCP_CLOSE\nconnect()\n TCP_SYN_SENT\n TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n TCP_FIN_WAIT1\r\n\r\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\r\n\r\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\r\n\r\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\r\n\r\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x109/0x280 net/socket.c:1068\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001(CVE-2024-36905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-iocost: avoid out of bounds shift\r\n\r\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a number that is too large,\nresulting in undefined behavior on some architectures.\r\n\r\n[ 186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\r\n\r\nAvoid that undefined behavior by simply taking the\n"delay = 0" branch if the shift is too large.\r\n\r\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.(CVE-2024-36916)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\r\n\r\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\r\n\r\nThis will suppress following BUG_ON():\r\n\r\n[ 449.843143] ------------[ cut here ]------------\n[ 449.848302] kernel BUG at mm/vmalloc.c:2727!\n[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[ 449.882910] RIP: 0010:vunmap+0x2e/0x30\n[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 449.993028] Call Trace:\n[ 449.995756] __iommu_dma_free+0x96/0x100\n[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc]\n[ 450.023103] process_one_work+0x1e8/0x3c0\n[ 450.027581] worker_thread+0x50/0x3b0\n[ 450.031669] ? rescuer_thread+0x370/0x370\n[ 450.036143] kthread+0x149/0x170\n[ 450.039744] ? set_kthread_struct+0x40/0x40\n[ 450.044411] ret_from_fork+0x22/0x30\n[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---(CVE-2024-36919)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\r\n\r\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric. This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\r\n\r\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject. This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\r\n\r\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.(CVE-2024-36952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/vmwgfx: Fix invalid reads in fence signaled events\r\n\r\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\r\n\r\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.(CVE-2024-36960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\r\n\r\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\r\n\r\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\r\n\r\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---(CVE-2024-36968)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix __dst_negative_advice() race\r\n\r\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\r\n\r\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\r\n\r\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\r\n\r\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\r\n\r\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\r\n\r\nMany thanks to Clement Lecigne for tracking this issue.\r\n\r\nThis old bug became visible after the blamed commit, using UDP sockets.(CVE-2024-36971)","modified":"2026-03-11T06:47:19.014281Z","published":"2024-06-21T11:08:18Z","upstream":["CVE-2021-47366","CVE-2022-48673","CVE-2022-48692","CVE-2023-52670","CVE-2023-52748","CVE-2023-52791","CVE-2023-52821","CVE-2023-52841","CVE-2023-52873","CVE-2023-52882","CVE-2024-26924","CVE-2024-26935","CVE-2024-26936","CVE-2024-26947","CVE-2024-26954","CVE-2024-26960","CVE-2024-27014","CVE-2024-27017","CVE-2024-27019","CVE-2024-27044","CVE-2024-35796","CVE-2024-35819","CVE-2024-35821","CVE-2024-35828","CVE-2024-35870","CVE-2024-35887","CVE-2024-35910","CVE-2024-35915","CVE-2024-35932","CVE-2024-35935","CVE-2024-35937","CVE-2024-35951","CVE-2024-35965","CVE-2024-35966","CVE-2024-36016","CVE-2024-36905","CVE-2024-36916","CVE-2024-36919","CVE-2024-36952","CVE-2024-36960","CVE-2024-36968","CVE-2024-36971"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1738"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47366"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48673"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48692"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52670"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52748"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52791"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52821"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52841"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52873"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52882"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26924"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26935"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26936"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26947"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26954"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26960"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27014"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27017"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27019"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27044"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35796"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35819"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35821"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35828"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35870"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35887"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35910"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35915"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35932"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35935"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35937"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35951"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35965"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35966"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36016"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36905"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36916"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36919"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36952"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36960"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36968"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36971"}],"affected":[{"package":{"name":"kernel","ecosystem":"openEuler:22.03-LTS-SP3","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-209.0.0.117.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-tools-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","kernel-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","perf-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-209.0.0.117.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-209.0.0.117.oe2203sp3.src.rpm"],"x86_64":["kernel-tools-devel-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","kernel-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","perf-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-209.0.0.117.oe2203sp3.x86_64.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2024-1738.json"}}],"schema_version":"1.7.5"}