SUSE-SU-2024:1983-1

The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2024-26921: Preserve kabi for sk_buff (bsc#1223138).
• CVE-2022-48686: Fix UAF when detecting digest errors (bsc#1223948).
• CVE-2021-47074: Fixed memory leak in nvmeloopcreate_ctrl() (bsc#1220854).
• CVE-2021-47378: Destroy cm id before destroy qp to avoid use after free (bsc#1225201).
• CVE-2022-48697: Fix a use-after-free (bsc#1223922).
• CVE-2024-26846: Do not wait in vain when unloading module (bsc#1223023).
• CVE-2021-47496: Fix flipped sign in tlserrabort() calls (bsc#1225354)
• CVE-2023-42755: Check user supplied offsets (bsc#1215702).
• CVE-2023-52664: Eliminate double free in error handling logic (bsc#1224747).
• CVE-2023-52796: Add ipvlanroutev6_outbound() helper (bsc#1224930).
• CVE-2021-47246: Fix page reclaim for dead peer hairpin (bsc#1224831).
• CVE-2023-52732: Blocklist the kclient when receiving corrupted snap trace (bsc#1225222).
• CVE-2024-35936: Add missing mutexunlock in btrfsrelocatesyschunks() (bsc#1224644)
• CVE-2021-47548: Fixed a possible array out-of-bounds (bsc#1225506)
• CVE-2024-36029: Pervent access to suspended controller (bsc#1225708)
• CVE-2024-26625: Call sock_orphan() at release time (bsc#1221086)
• CVE-2021-47352: Add validation for used length (bsc#1225124).
• CVE-2023-52698: Fixed memory leak in netlblcalipsoadd_pass() (bsc#1224621)
• CVE-2021-47431: Fix gart.bo pin_count leak (bsc#1225390).
• CVE-2024-35935: Handle path ref underflow in header iterateinoderef() (bsc#1224645)
• CVE-2024-26828: Fixed underflow in parseserverinterfaces() (bsc#1223084).
• CVE-2021-47423: Fix file release memory leak (bsc#1225366).
• CVE-2022-48710: Fix a possible null pointer dereference (bsc#1225230).
• CVE-2021-47497: Fixed shift-out-of-bound (UBSAN) with byte size cells (bsc#1225355).
• CVE-2024-35932: Do not check if plane->state->fb == state->fb (bsc#1224650).
• CVE-2021-47500: Fixed trigger reference couting (bsc#1225360).
• CVE-2024-35809: Drain runtime-idle callbacks before driver removal (bsc#1224738).
• CVE-2021-47383: Fiedx out-of-bound vmalloc access in imageblit (bsc#1225208).
• CVE-2021-47511: Fixed negative period/buffer sizes (bsc#1225411).
• CVE-2021-47509: Limit the period size to 16MB (bsc#1225409).
• CVE-2024-35877: Fixed VM_PAT handling in COW mappings (bsc#1224525).
• CVE-2024-35982: Avoid infinite loop trying to resize local TT (bsc#1224566)
• CVE-2024-35969: Fixed race condition between ipv6getifaddr and ipv6deladdr (bsc#1224580).
• CVE-2021-47277: Avoid speculation-based attacks from out-of-range memslot accesses (bsc#1224960).
• CVE-2024-35791: Flush pages under kvm->lock to fix UAF in svmregisterenc_region() (bsc#1224725).
• CVE-2021-47401: Fix stack information leak (bsc#1225242).
• CVE-2023-52867: Fix possible buffer overflow (bsc#1225009).
• CVE-2023-52821: Fix a possible null pointer dereference (bsc#1225022).
• CVE-2021-47265: Verify port when creating flow rule (bsc#1224957)
• CVE-2021-47362: Update intermediate power state for SI (bsc#1225153).
• CVE-2021-47361: Fix error handling in mcballocbus() (bsc#1225151).
• CVE-2023-52864: Fix opening of char device (bsc#1225132).
• CVE-2022-48708: Fix potential NULL dereference (bsc#1224942).
• CVE-2024-35944: Fixed memcpy() run-time warning in dgdispatchas_host() (bsc#1224648).
• CVE-2021-47238: Fix memory leak in ipmcadd1_src (bsc#1224847)
• CVE-2023-52730: Fix possible resource leaks in some error paths (bsc#1224956).
• CVE-2021-47355: Fix possible use-after-free in nicstar_cleanup() (bsc#1225141).
• CVE-2021-47245: Fix out of bounds when parsing TCP options (bsc#1224838)
• CVE-2024-35878: Prevent NULL pointer dereference in vsnprintf() (bsc#1224671).
• CVE-2023-52747: Restore allocated resources on failed copyout (bsc#1224931)
• CVE-2021-47249: Fix memory leak in rds_recvmsg (bsc#1224880)
• CVE-2021-47397: Break out if skbheaderpointer returns NULL in sctprcvootb (bsc#1225082)
• CVE-2021-47250: Fix memory leak in netlblcipsov4add_std (bsc#1224827)
• CVE-2024-35849: Fix information leak in btrfsioctllogicaltoino() (bsc#1224733).
• CVE-2024-27436: Stop parsing channels bits when all channels are found (bsc#1224803).
• CVE-2021-47281: Fix race of sndseqtimer_open() (bsc#1224983).
• CVE-2024-35789: Clear fast rx for non-4addr sta VLAN changes (bsc#1224749).
• CVE-2024-35830: Register v4l2 async device only after successful setup (bsc#1224680).
• CVE-2021-47334: Fix two use after free in ibmasminitone (bsc#1225112).
• CVE-2021-47357: Fix possible use-after-free in iamoduleexit() (bsc#1225144).
• CVE-2023-52875: Add check for mtkallocclk_data (bsc#1225096).
• CVE-2023-52865: Add check for mtkallocclk_data (bsc#1225086).
• CVE-2024-35887: Fix use-after-free bugs caused by ax25dsdel_timer (bzg#1224663)
• CVE-2021-47483: Fixed possible double-free in regcacherbtreeexit() (bsc#1224907).
• CVE-2024-26957: Fix reference counting on zcrypt card objects (bsc#1223666).
• CVE-2023-52691: Fix a double-free in sidpminit (bsc#1224607).
• CVE-2024-27398: Fixed use-after-free bugs caused by scosocktimeout (bsc#1224174).
• CVE-2023-52586: Fixed mutex lock in control vblank irq (bsc#1221081).
• CVE-2024-27062: Fixed nouveau lock inside client object tree (bsc#1223834).
• CVE-2024-26984: Fix instmem race condition around ptr stores (bsc#1223633)
• CVE-2021-46933: Fixed possible underflow in ffsdataclear() (bsc#1220487).
• CVE-2024-27396: Fixed Use-After-Free in gtp_dellink (bsc#1224096).
• CVE-2023-52655: Check packet for fixup for true limit (bsc#1217169).
• CVE-2024-26900: Fixed kmemleak of rdev->serial (bsc#1223046).
• CVE-2024-27401: Fixed user_length taken into account when fetching packet contents (bsc#1224181).
• CVE-2024-26775: Fixed potential deadlock at set_capacity (bsc#1222627).
• CVE-2024-26958: Fixed UAF in direct writes (bsc#1223653).
• CVE-2022-48704: Add a force flush to delay work when radeon (bsc#1223932)
• CVE-2021-47206: Check return value after calling platformgetresource() (bsc#1222894).
• CVE-2024-26915: Reset IH OVERFLOW_CLEAR bit (bsc#1223207)
• CVE-2024-26996: Fix UAF ncm object at re-bind after usb ep transport error (bsc#1223752).
• CVE-2024-26874: Fix a null pointer crash in mtkdrmcrtcfinishpage_flip (bsc#1223048)
• CVE-2022-48702: Fix out of bounds access in sndemu10k1pcmchannelalloc() (bsc#1223923).
• CVE-2022-48672: Fix off-by-one error in unflattendtnodes() (bsc#1223931).
• CVE-2021-47113: Abort btrfs rename_exchange if we fail to insert the second ref (bsc#1221543).
• CVE-2024-26791: Fixed properly validate device names in btrfs (bsc#1222793)
• CVE-2021-47131: Fixed a use-after-free after the TLS device goes down and up (bsc#1221545).
• CVE-2021-46955: Fixed an out-of-bounds read with openvswitch, when fragmenting IPv4 packets (bsc#1220513).
• CVE-2024-0639: Fixed a denial-of-service vulnerability due to a deadlock found in sctpautoasconf_init in net/sctp/socket.c (bsc#1218917).
• CVE-2024-27008: Fix out of bounds access (bsc#1223802).
• CVE-2024-26876: Fixed crash on irq during probe (bsc#1223119).
• CVE-2023-1829: Fixed a use-after-free vulnerability in the control index filter (tcindex) (bsc#1210335).

The following non-security bugs were fixed:

• afunix: annote lockless accesses to unixtotinflight & gcin_progress (bsc#1223384).
• afunix: Do not use atomic ops for unixsk(sk)->inflight (bsc#1223384).
• afunix: Replace BUGON() with WARNONONCE() (bsc#1223384).
• ASoC: tracing: Export SNDSOCDAPMDIROUT to its value (git-fixes).
• assocarray: Fix BUGON during garbage collect.
• autofs: fix a leak in autofsexpireindirect() (git-fixes)
• Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working (git-fixes).
• btrfs: avoid null pointer dereference on fsinfo when calling btrfscrit (git-fixes)
• btrfs: check if root is readonly while setting security xattr (git-fixes)
• btrfs: defrag: use btrfsmodoutstandingextents in clusterpagesfordefrag (git-fixes)
• btrfs: do not get an EINTR during drop_snapshot for reloc (git-fixes)
• btrfs: do not stop integrity writeback too early (git-fixes)
• btrfs: Explicitly handle btrfsupdateroot failure (git-fixes)
• btrfs: fail mount when sb flag is not in BTRFSSUPERFLAG_SUPP (git-fixes)
• btrfs: fix btrfsprevleaf() to not return the same key twice (git-fixes)
• btrfs: fix deadlock when writing out space cache (git-fixes)
• Btrfs: fix incorrect {node,sector}size endianness from BTRFSIOCFS_INFO (git-fixes)
• btrfs: fix lockdep splat and potential deadlock after failure running delayed items (git-fixes)
• btrfs: fix lost error handling when looking up extended ref on log replay (git-fixes)
• btrfs: Fix NULL pointer exception in findbiostripe (git-fixes)
• btrfs: Fix out of bounds access in btrfssearchslot (git-fixes)
• btrfs: fix race when deleting quota root from the dirty cow roots list (git-fixes)
• btrfs: fix rangeend calculation in extentwritelockedrange (git-fixes)
• btrfs: fix return value mixup in btrfsgetextent (git-fixes)
• btrfs: fix unaligned access in readdir (git-fixes)
• btrfs: limit device extents to the device size (git-fixes)
• btrfs: prevent to set invalid default subvolid (git-fixes)
• btrfs: record delayed inode root in transaction (git-fixes)
• btrfs: scrub: reject unsupported scrub flags (git-fixes)
• btrfs: send: ensure send_fd is writable (git-fixes)
• btrfs: send: in case of IO error log it (git-fixes)
• btrfs: send: limit number of clones and allocated memory size (git-fixes)
• btrfs: sysfs: use NOFS for device creation (git-fixes) Adjustment: add #include
• btrfs: tree-checker: add missing return after error in root_item (git-fixes)
• btrfs: tree-checker: add missing returns after data_ref alignment checks (git-fixes)
• btrfs: tree-checker: do not error out if extent ref hash does not match (git-fixes)
• btrfs: tree-checker: fix inline ref size in error messages (git-fixes)
• btrfs: tree-checker: Fix misleading group system information (git-fixes)
• btrfs: undo writable superblocke when sprouting fails (git-fixes)
• btrfs: validate qgroup inherit for SNAPCREATEV2 ioctl (git-fixes)
• ecryptfs: fix a memory leak bug in ecryptfsinitmessaging() (git-fixes)
• ecryptfs: fix a memory leak bug in parsetag1_packet() (git-fixes)
• ecryptfs: fix kernel panic with null dev_name (git-fixes)
• ecryptfs: Fix typo in message (git-fixes)
• epcreatewakeup_source(): dentry name can change under you (git-fixes)
• exportfsdecodefh(): negative pinned may become positive without the parent locked (git-fixes)
• fs/proc/procsysctl.c: fix the default values of iuid/i_gid on /proc/sys inodes (git-fixes)
• fscrypt: clean up some BUG_ON()s in block encryption/decryption (git-fixes)
• ila: do not generate empty messages in ilaxlatnlcmdget_mapping() (git-fixes).
• ipv4, ipv6: Fix handling of transhdrlen in _ip{,6}append_data() (git-fixes).
• kprobes: Fix possible use-after-free issue on kprobe registration (git-fixes).
• KVM: s390: Check kvm pointer when testing KVMCAPS390HPAGE1M (git-fixes bsc#1225059).
• l2tp: pass correct message length to ip6appenddata (git-fixes).
• lib/mpi: use kcalloc in mpi_resize (git-fixes).
• list: fix a data-race around ep->rdllist (git-fixes).
• net: 9p: avoid freeing uninit memory in p9pdu_vreadf (git-fixes).
• net: tcp: fix unexcepted socket die when snd_wnd is 0 (git-fixes).
• net: usb: ax88179_178a: stop lying about skb->truesize (git-fixes).
• net: usb: smsc95xx: stop lying about skb->truesize (git-fixes).
• net: usb: sr9700: stop lying about skb->truesize (git-fixes).
• net: vmxnet3: Fix NULL pointer dereference in vmxnet3rqrx_complete() (bsc#1223360).
• net/smc: fix fallback failed while sendmsg with fastopen (git-fixes).
• net/tls: Remove the context from the list in tlsdevicedown (bsc#1221545).
• netfilter: nfqueue: augment nfqacfg_policy (git-fixes).
• netfilter: nft_compat: explicitly reject ERROR and standard target (git-fixes).
• netfilter: x_tables: set module owner for icmp(6) matches (git-fixes).
• nfc: change order inside nfcseio error path (git-fixes).
• powerpc/pseries/lparcfg: drop error message from guest name lookup (bsc#1187716 ltc#193451 git-fixes).
• ppdev: Add an error check in register_device (git-fixes).
• printk: Disable passing console lock owner completely during panic() (bsc#1197894).
• printk: Update @consolemayschedule in consoletrylockspinning() (bsc#1223969).
• rds: avoid unenecessary cong_update in loop transport (git-fixes).
• rds: ib: Fix missing call to rdsibdevput in rdsibsetupqp (git-fixes).
• ring-buffer: Clean ringbufferpoll_wait() error return (git-fixes).
• ring-buffer: Fix a race between readers and resize checks (bsc#1222893).
• rxrpc: Do not put crypto buffers on the stack (git-fixes).
• rxrpc: Fix a memory leak in rxkadverifyresponse() (git-fixes).
• rxrpc: Provide a different lockdep key for call->user_mutex for kernel calls (git-fixes).
• rxrpc: The mutex lock returned by rxrpcacceptcall() needs releasing (git-fixes).
• rxrpc: Work around usercopy check (git-fixes).
• s390/cpum_cf: make crypto counters upward compatible across machine types (bsc#1224347).
• s390/pci: fix max size calculation in zpcimemcpytoio() (git-fixes bsc#1225062).
• tcp: tcpmakesynack() can be called from process context (git-fixes).
• tls: Fix context leak on tlsdevicedown (bsc#1221545).
• tracing: Fix blocked reader of snapshot buffer (git-fixes).
• tracing: hide unused ftraceeventid_fops (git-fixes).
• tracing: Use .flush() call to wake up readers (git-fixes).
• tracing: Use strncpy instead of memcpy when copying comm in trace.c (git-fixes).
• tty/sysrq: replace smpprocessorid() with get_cpu() (bsc#1223540).
• usb: aqc111: stop lying about skb->truesize (git-fixes).
• wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
• wifi: radiotap: fix kernel-doc notation warnings (git-fixes).