From 416b3d791c11368c0d70217cf10d938a80ebf407 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Mar 27 2024 20:49:48 +0000 Subject: Merge branch 'SLE15-SP6-GA' into ALP-current-GA --- diff --git a/patches.suse/0002-ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch b/patches.suse/0002-ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch index 84678fe..c9dca28 100644 --- a/patches.suse/0002-ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch +++ b/patches.suse/0002-ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch @@ -4,7 +4,7 @@ Date: Thu, 5 Oct 2023 10:12:01 +0900 Subject: [PATCH 2/2] ravb: Fix use-after-free issue in ravb_tx_timeout_work() Git-commit: 3971442870713de527684398416970cf025b4f89 Patch-mainline: v6.6-rc6 -References: bsc#1212514 CVE-2023-35827 +References: bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836 The ravb_stop() should call cancel_work_sync(). Otherwise, ravb_tx_timeout_work() is possible to use the freed priv after diff --git a/patches.suse/Bluetooth-hci_codec-Fix-leaking-content-of-local_cod.patch b/patches.suse/Bluetooth-hci_codec-Fix-leaking-content-of-local_cod.patch index ae9a01a..f9c2ea0 100644 --- a/patches.suse/Bluetooth-hci_codec-Fix-leaking-content-of-local_cod.patch +++ b/patches.suse/Bluetooth-hci_codec-Fix-leaking-content-of-local_cod.patch @@ -4,7 +4,7 @@ Date: Fri, 15 Sep 2023 13:24:47 -0700 Subject: [PATCH] Bluetooth: hci_codec: Fix leaking content of local_codecs Git-commit: b938790e70540bf4f2e653dcd74b232494d06c8f Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52518 bsc#1221056 The following memory leak can be observed when the controller supports codecs which are stored in local_codecs list but the elements are never diff --git a/patches.suse/EDAC-thunderx-Fix-possible-out-of-bounds-string-acce.patch b/patches.suse/EDAC-thunderx-Fix-possible-out-of-bounds-string-acce.patch index 1667317..05bac70 100644 
--- a/patches.suse/EDAC-thunderx-Fix-possible-out-of-bounds-string-acce.patch +++ b/patches.suse/EDAC-thunderx-Fix-possible-out-of-bounds-string-acce.patch @@ -4,7 +4,7 @@ Date: Wed, 22 Nov 2023 23:19:53 +0100 Subject: [PATCH] EDAC/thunderx: Fix possible out-of-bounds string access Git-commit: 475c58e1a471e9b873e3e39958c64a2d278275c8 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52464 bsc#1220330 Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat(): diff --git a/patches.suse/FS-JFS-UBSAN-array-index-out-of-bounds-in-dbAdjTree.patch b/patches.suse/FS-JFS-UBSAN-array-index-out-of-bounds-in-dbAdjTree.patch index 379110b..1c76e8f 100644 --- a/patches.suse/FS-JFS-UBSAN-array-index-out-of-bounds-in-dbAdjTree.patch +++ b/patches.suse/FS-JFS-UBSAN-array-index-out-of-bounds-in-dbAdjTree.patch @@ -4,7 +4,7 @@ Date: Wed, 11 Oct 2023 23:46:37 +0500 Subject: [PATCH] FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Git-commit: 9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52604 bsc#1221067 Syzkaller reported the following issue: diff --git a/patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch b/patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch index e5ae38d..33f544e 100644 --- a/patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch +++ b/patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch @@ -4,7 +4,7 @@ Date: Tue, 3 Oct 2023 08:53:32 -0700 Subject: [PATCH] HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit Git-commit: 8f02139ad9a7e6e5c05712f8c1501eebed8eacfd Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52519 bsc#1220920 The EHL (Elkhart Lake) based platforms provide a OOB (Out of band) service, which allows to wakup device when the system is in S5 (Soft-Off 
diff --git a/patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch b/patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch index 23e432f..5ea5159 100644 --- a/patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch +++ b/patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch @@ -4,7 +4,7 @@ Date: Sun, 3 Sep 2023 18:04:00 +0200 Subject: [PATCH] HID: sony: Fix a potential memory leak in sony_probe() Git-commit: e1cd4004cde7c9b694bbdd8def0e02288ee58c74 Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52529 bsc#1220929 If an error occurs after a successful usb_alloc_urb() call, usb_free_urb() should be called. diff --git a/patches.suse/IB-ipoib-Fix-mcast-list-locking.patch b/patches.suse/IB-ipoib-Fix-mcast-list-locking.patch index 166db92..9951003 100644 --- a/patches.suse/IB-ipoib-Fix-mcast-list-locking.patch +++ b/patches.suse/IB-ipoib-Fix-mcast-list-locking.patch @@ -3,7 +3,7 @@ Date: Tue, 12 Dec 2023 09:07:45 +0100 Subject: IB/ipoib: Fix mcast list locking Patch-mainline: v6.8-rc1 Git-commit: 4f973e211b3b1c6d36f7c6a19239d258856749f9 -References: jsc#PED-6864 +References: jsc#PED-6864 CVE-2023-52587 bsc#1221082 Releasing the `priv->lock` while iterating the `priv->multicast_list` in `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to diff --git a/patches.suse/PCI-switchtec-Fix-stdev_release-crash-after-surprise.patch b/patches.suse/PCI-switchtec-Fix-stdev_release-crash-after-surprise.patch index 56be320..6074067 100644 --- a/patches.suse/PCI-switchtec-Fix-stdev_release-crash-after-surprise.patch +++ b/patches.suse/PCI-switchtec-Fix-stdev_release-crash-after-surprise.patch 
@@ -4,7 +4,7 @@ Date: Tue, 21 Nov 2023 20:23:16 -0800 Subject: [PATCH] PCI: switchtec: Fix stdev_release() crash after surprise hot remove Git-commit: df25461119d987b8c81d232cfe4411e91dcabe66 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52617 bsc#1221613 A PCI device hot removal may occur while stdev->cdev is held open. The call to stdev_release() then happens during close or exit, at a point way past diff --git a/patches.suse/PM-devfreq-Fix-buffer-overflow-in-trans_stat_show.patch b/patches.suse/PM-devfreq-Fix-buffer-overflow-in-trans_stat_show.patch index 5faccfd..5bed063 100644 --- a/patches.suse/PM-devfreq-Fix-buffer-overflow-in-trans_stat_show.patch +++ b/patches.suse/PM-devfreq-Fix-buffer-overflow-in-trans_stat_show.patch @@ -4,7 +4,7 @@ Date: Tue, 24 Oct 2023 20:30:15 +0200 Subject: [PATCH] PM / devfreq: Fix buffer overflow in trans_stat_show Git-commit: 08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52614 bsc#1221617 Fix buffer overflow in trans_stat_show(). diff --git a/patches.suse/PM-sleep-Fix-possible-deadlocks-in-core-system-wide-.patch b/patches.suse/PM-sleep-Fix-possible-deadlocks-in-core-system-wide-.patch index 26d00bd..8862409 100644 --- a/patches.suse/PM-sleep-Fix-possible-deadlocks-in-core-system-wide-.patch +++ b/patches.suse/PM-sleep-Fix-possible-deadlocks-in-core-system-wide-.patch @@ -3,7 +3,7 @@ From: "Rafael J. Wysocki" Date: Wed, 27 Dec 2023 21:41:06 +0100 Subject: [PATCH] PM: sleep: Fix possible deadlocks in core system-wide PM code Git-commit: 7839d0078e0d5e6cc2fa0b0dfbee71de74f1e557 -References: git-fixes +References: git-fixes CVE-2023-52498 bsc#1221269 Patch-mainline: v6.8-rc1 It is reported that in low-memory situations the system-wide resume core diff --git a/patches.suse/RDMA-siw-Fix-connection-failure-handling.patch b/patches.suse/RDMA-siw-Fix-connection-failure-handling.patch index b754fd6..65a1f90 100644 
--- a/patches.suse/RDMA-siw-Fix-connection-failure-handling.patch +++ b/patches.suse/RDMA-siw-Fix-connection-failure-handling.patch @@ -4,7 +4,7 @@ Date: Tue, 5 Sep 2023 16:58:22 +0200 Subject: [PATCH 1/1] RDMA/siw: Fix connection failure handling Git-commit: 53a3f777049771496f791504e7dc8ef017cba590 Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52513 bsc#1221022 In case immediate MPA request processing fails, the newly created endpoint unlinks the listening endpoint and is diff --git a/patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch b/patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch index 415e4ae..5ef0158 100644 --- a/patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch +++ b/patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch @@ -4,7 +4,7 @@ Date: Wed, 23 Aug 2023 13:57:27 -0700 Subject: [PATCH 1/1] RDMA/srp: Do not call scsi_done() from srp_abort() Git-commit: e193b7955dfad68035b983a0011f4ef3590c85eb Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52515 bsc#1221048 After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler callback, it performs one of the following actions: diff --git a/patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch b/patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch index 423dc39..c678a51 100644 --- a/patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch +++ b/patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch @@ -4,7 +4,7 @@ Date: Thu, 14 Sep 2023 07:15:07 +0200 Subject: [PATCH] Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" Git-commit: 29346e217b8ab8a52889b88f00b268278d6b7668 Patch-mainline: v6.6-rc4 -References: git-fixes +References: git-fixes CVE-2023-52564 bsc#1220938 This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239. 
diff --git a/patches.suse/SUNRPC-Fix-a-suspicious-RCU-usage-warning.patch b/patches.suse/SUNRPC-Fix-a-suspicious-RCU-usage-warning.patch index fc1cb21..b3e3036 100644 --- a/patches.suse/SUNRPC-Fix-a-suspicious-RCU-usage-warning.patch +++ b/patches.suse/SUNRPC-Fix-a-suspicious-RCU-usage-warning.patch @@ -3,7 +3,7 @@ Date: Mon, 27 Nov 2023 17:06:18 -0500 Subject: [PATCH] SUNRPC: Fix a suspicious RCU usage warning Git-commit: 31b62908693c90d4d07db597e685d9f25a120073 Patch-mainline: v6.8 -References: git-fixes +References: git-fixes CVE-2023-52623 bsc#1222060 I received the following warning while running cthon against an ontap server running pNFS: diff --git a/patches.suse/UBSAN-array-index-out-of-bounds-in-dtSplitRoot.patch b/patches.suse/UBSAN-array-index-out-of-bounds-in-dtSplitRoot.patch index 840063f..813e1d0 100644 --- a/patches.suse/UBSAN-array-index-out-of-bounds-in-dtSplitRoot.patch +++ b/patches.suse/UBSAN-array-index-out-of-bounds-in-dtSplitRoot.patch @@ -4,7 +4,7 @@ Date: Sat, 14 Oct 2023 00:10:28 +0500 Subject: [PATCH] UBSAN: array-index-out-of-bounds in dtSplitRoot Git-commit: 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52603 bsc#1221066 Syzkaller reported the following issue: diff --git a/patches.suse/apparmor-avoid-crash-when-parsed-profile-name-is-emp.patch b/patches.suse/apparmor-avoid-crash-when-parsed-profile-name-is-emp.patch index 8f71398..694cc9e 100644 --- a/patches.suse/apparmor-avoid-crash-when-parsed-profile-name-is-emp.patch +++ b/patches.suse/apparmor-avoid-crash-when-parsed-profile-name-is-emp.patch @@ -4,7 +4,7 @@ Date: Thu, 28 Dec 2023 19:07:43 +0300 Subject: [PATCH] apparmor: avoid crash when parsed profile name is empty Git-commit: 55a8210c9e7d21ff2644809699765796d4bfb200 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52443 bsc#1220240 When processing a packed profile in unpack_profile() described like 
diff --git a/patches.suse/arm64-dts-qcom-sdm845-db845c-Mark-cont-splash-memory.patch b/patches.suse/arm64-dts-qcom-sdm845-db845c-Mark-cont-splash-memory.patch index 9bf6101..cae750c 100644 --- a/patches.suse/arm64-dts-qcom-sdm845-db845c-Mark-cont-splash-memory.patch +++ b/patches.suse/arm64-dts-qcom-sdm845-db845c-Mark-cont-splash-memory.patch @@ -4,7 +4,7 @@ Date: Wed, 26 Jul 2023 18:57:19 +0530 Subject: [PATCH] arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved Git-commit: 110e70fccce4f22b53986ae797d665ffb1950aa6 Patch-mainline: v6.6-rc1 -References: git-fixes +References: git-fixes CVE-2023-52561 bsc#1220935 Adding a reserved memory region for the framebuffer memory (the splash memory region set up by the bootloader). diff --git a/patches.suse/arm64-sme-Always-exit-sme_alloc-early-with-existing-.patch b/patches.suse/arm64-sme-Always-exit-sme_alloc-early-with-existing-.patch index 66ed49b..6792064 100644 --- a/patches.suse/arm64-sme-Always-exit-sme_alloc-early-with-existing-.patch +++ b/patches.suse/arm64-sme-Always-exit-sme_alloc-early-with-existing-.patch @@ -4,7 +4,7 @@ Date: Mon, 15 Jan 2024 20:15:46 +0000 Subject: [PATCH] arm64/sme: Always exit sme_alloc() early with existing storage Git-commit: dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9 Patch-mainline: v6.8-rc1 -References: git-fixes, CVE-2024-26618 +References: git-fixes CVE-2024-26618 bsc#1221295 When sme_alloc() is called with existing storage and we are not flushing we will always allocate new storage, both leaking the existing storage and diff --git a/patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch b/patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch index b156648..4a02a45 100644 --- a/patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch +++ b/patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch 
@@ -3,7 +3,7 @@ Date: Mon, 4 Dec 2023 22:04:19 +0800 Subject: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers Patch-mainline: v6.8-rc1 Git-commit: 169410eba271afc9f0fb476d996795aa26770c6d -References: bsc#1220251 CVE-2023-52447 +References: bsc#1220251 CVE-2023-52447 CVE-2023-52621 bsc#1222073 These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock diff --git a/patches.suse/btrfs-don-t-abort-filesystem-when-attempting-to-snap.patch b/patches.suse/btrfs-don-t-abort-filesystem-when-attempting-to-snap.patch index 974dcf5..d6f5055 100644 --- a/patches.suse/btrfs-don-t-abort-filesystem-when-attempting-to-snap.patch +++ b/patches.suse/btrfs-don-t-abort-filesystem-when-attempting-to-snap.patch @@ -2,7 +2,7 @@ From: Omar Sandoval Date: Thu, 4 Jan 2024 11:48:46 -0800 Git-commit: 7081929ab2572920e94d70be3d332e5c9f97095a Patch-mainline: v6.8-rc2 -References: bsc#1221282 +References: bsc#1221282 CVE-2024-26644 bsc#1222072 Subject: [PATCH] btrfs: don't abort filesystem when attempting to snapshot deleted subvolume diff --git a/patches.suse/btrfs-scrub-avoid-use-after-free-when-chunk-length-i.patch b/patches.suse/btrfs-scrub-avoid-use-after-free-when-chunk-length-i.patch index ea96842..96bafdb 100644 --- a/patches.suse/btrfs-scrub-avoid-use-after-free-when-chunk-length-i.patch +++ b/patches.suse/btrfs-scrub-avoid-use-after-free-when-chunk-length-i.patch @@ -3,7 +3,7 @@ Message-ID: Patch-mainline: v6.8-rc2 Git-commit: f546c4282673497a06ecb6190b50ae7f6c85b02f -References: bsc#1220943 +References: bsc#1220943 CVE-2024-26616 Date: Wed, 17 Jan 2024 11:02:25 +1030 Subject: [PATCH] btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned diff --git a/patches.suse/bus-mhi-host-Add-alignment-check-for-event-ring-read.patch b/patches.suse/bus-mhi-host-Add-alignment-check-for-event-ring-read.patch index fe4363a..d8d1600 100644 
--- a/patches.suse/bus-mhi-host-Add-alignment-check-for-event-ring-read.patch +++ b/patches.suse/bus-mhi-host-Add-alignment-check-for-event-ring-read.patch @@ -4,7 +4,7 @@ Date: Tue, 31 Oct 2023 15:21:05 +0530 Subject: [PATCH] bus: mhi: host: Add alignment check for event ring read pointer Git-commit: eff9704f5332a13b08fbdbe0f84059c9e7051d5f Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52494 bsc#1221273 Though we do check the event ring read pointer by "is_valid_ring_ptr" to make sure it is in the buffer range, but there is another risk the diff --git a/patches.suse/bus-mhi-host-Drop-chan-lock-before-queuing-buffers.patch b/patches.suse/bus-mhi-host-Drop-chan-lock-before-queuing-buffers.patch index e563c61..c6b52cd 100644 --- a/patches.suse/bus-mhi-host-Drop-chan-lock-before-queuing-buffers.patch +++ b/patches.suse/bus-mhi-host-Drop-chan-lock-before-queuing-buffers.patch @@ -4,7 +4,7 @@ Date: Mon, 11 Dec 2023 14:42:52 +0800 Subject: [PATCH] bus: mhi: host: Drop chan lock before queuing buffers Git-commit: 01bd694ac2f682fb8017e16148b928482bc8fa4b Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52493 bsc#1221274 Ensure read and write locks for the channel are not taken in succession by dropping the read lock from parse_xfer_event() such that a callback given diff --git a/patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread.patch b/patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread.patch index dc6888b..6bcc199 100644 --- a/patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread.patch +++ b/patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread.patch @@ -2,7 +2,7 @@ From 7284ca0d578ecffe11dfcc62cd9cadb6a20b0315 Mon Sep 17 00:00:00 2001 
From: Zhang Xiaoxu Date: Wed, 16 Nov 2022 11:11:35 +0800 Subject: [PATCH] cifs: Fix UAF in cifs_demultiplex_thread() -References: bsc#1208995 CVE-2023-1192 +References: bsc#1208995 CVE-2023-1192 CVE-2023-52572 bsc#1220946 Git-commit: d527f51331cace562393a8038d870b3e9916686f Patch-mainline: v6.6-rc3 diff --git a/patches.suse/class-fix-use-after-free-in-class_register.patch b/patches.suse/class-fix-use-after-free-in-class_register.patch index b8e5efe..362691c 100644 --- a/patches.suse/class-fix-use-after-free-in-class_register.patch +++ b/patches.suse/class-fix-use-after-free-in-class_register.patch @@ -4,7 +4,7 @@ Date: Wed, 20 Dec 2023 10:46:03 +0800 Subject: [PATCH] class: fix use-after-free in class_register() Git-commit: 93ec4a3b76404bce01bd5c9032bef5df6feb1d62 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52468 bsc#1220431 The lock_class_key is still registered and can be found in lock_keys_hash hlist after subsys_private is freed in error diff --git a/patches.suse/crypto-scomp-fix-req-dst-buffer-overflow.patch b/patches.suse/crypto-scomp-fix-req-dst-buffer-overflow.patch index 0d636d9..33e8290 100644 --- a/patches.suse/crypto-scomp-fix-req-dst-buffer-overflow.patch +++ b/patches.suse/crypto-scomp-fix-req-dst-buffer-overflow.patch @@ -4,7 +4,7 @@ Date: Wed, 27 Dec 2023 09:35:23 +0000 Subject: [PATCH] crypto: scomp - fix req->dst buffer overflow Git-commit: 744e1885922a9943458954cfea917b31064b4131 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52612 bsc#1221616 The req->dst buffer size should be checked before copying from the scomp_scratch->dst to avoid req->dst buffer overflow problem. diff --git a/patches.suse/dccp-fix-dccp_v4_err-dccp_v6_err-again.patch b/patches.suse/dccp-fix-dccp_v4_err-dccp_v6_err-again.patch index 25cd3c1..8baa13c 100644 --- a/patches.suse/dccp-fix-dccp_v4_err-dccp_v6_err-again.patch +++ b/patches.suse/dccp-fix-dccp_v4_err-dccp_v6_err-again.patch 
@@ -4,7 +4,7 @@ Date: Fri, 15 Sep 2023 19:00:35 +0000 Subject: [PATCH] dccp: fix dccp_v4_err()/dccp_v6_err() again Git-commit: 6af289746a636f71f4c0535a9801774118486c7a Patch-mainline: v6.6-rc3 -References: bsc#1220419 +References: bsc#1220419 CVE-2023-52577 bsc#1220873 dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr", not in the "byte 7" as Jann claimed. diff --git a/patches.suse/dmaengine-fix-NULL-pointer-in-channel-unregistration.patch b/patches.suse/dmaengine-fix-NULL-pointer-in-channel-unregistration.patch index dfc7f28..948c6e6 100644 --- a/patches.suse/dmaengine-fix-NULL-pointer-in-channel-unregistration.patch +++ b/patches.suse/dmaengine-fix-NULL-pointer-in-channel-unregistration.patch @@ -4,7 +4,7 @@ Date: Wed, 13 Dec 2023 17:04:52 +0100 Subject: [PATCH] dmaengine: fix NULL pointer in channel unregistration function Git-commit: f5c24d94512f1b288262beda4d3dcb9629222fc7 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52492 bsc#1221276 __dma_async_device_channel_register() can fail. In case of failure, chan->local is freed (with free_percpu()), and chan->local is nullified. diff --git a/patches.suse/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch b/patches.suse/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch index 2e8affb..2998749 100644 --- a/patches.suse/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch +++ b/patches.suse/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch @@ -4,7 +4,7 @@ Date: Fri, 15 Dec 2023 00:24:58 +0800 Subject: [PATCH] drivers/amd/pm: fix a use-after-free in kv_parse_power_table Git-commit: 28dd788382c43b330480f57cd34cde0840896743 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52469 bsc#1220411 When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control 
diff --git a/patches.suse/drm-Don-t-unref-the-same-fb-many-times-by-mistake-du.patch b/patches.suse/drm-Don-t-unref-the-same-fb-many-times-by-mistake-du.patch index 67f03c5..5a95f90 100644 --- a/patches.suse/drm-Don-t-unref-the-same-fb-many-times-by-mistake-du.patch +++ b/patches.suse/drm-Don-t-unref-the-same-fb-many-times-by-mistake-du.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: cb4daf271302d71a6b9a7c01bd0b6d76febd8f0c Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52486 bsc#1221277 If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref the fb and then retry the whole thing from the top. diff --git a/patches.suse/drm-amd-display-Fix-NULL-pointer-dereference-at-hibe.patch b/patches.suse/drm-amd-display-Fix-NULL-pointer-dereference-at-hibe.patch index 360dfca..1a956f7 100644 --- a/patches.suse/drm-amd-display-Fix-NULL-pointer-dereference-at-hibe.patch +++ b/patches.suse/drm-amd-display-Fix-NULL-pointer-dereference-at-hibe.patch @@ -4,7 +4,7 @@ Date: Tue, 28 Nov 2023 18:35:09 -0600 Subject: drm/amd/display: Fix NULL pointer dereference at hibernate Git-commit: b719a9c15d52d4f56bdea8241a5d90fd9197ce99 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52460 bsc#1220319 During hibernate sequence the source context might not have a clk_mgr. So don't use it to look for DML2 support. diff --git a/patches.suse/drm-amd-display-Fix-late-derefrence-dsc-check-in-lin.patch b/patches.suse/drm-amd-display-Fix-late-derefrence-dsc-check-in-lin.patch index cd32488..8b0436e 100644 --- a/patches.suse/drm-amd-display-Fix-late-derefrence-dsc-check-in-lin.patch +++ b/patches.suse/drm-amd-display-Fix-late-derefrence-dsc-check-in-lin.patch 
@@ -4,7 +4,7 @@ Date: Wed, 10 Jan 2024 20:58:35 +0530 Subject: [PATCH] drm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()' Git-commit: 3bb9b1f958c3d986ed90a3ff009f1e77e9553207 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26647 bsc#1222066 In link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc' was dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc' diff --git a/patches.suse/drm-amd-display-Fix-variable-deferencing-before-NULL.patch b/patches.suse/drm-amd-display-Fix-variable-deferencing-before-NULL.patch index 198fe08..ee7914d 100644 --- a/patches.suse/drm-amd-display-Fix-variable-deferencing-before-NULL.patch +++ b/patches.suse/drm-amd-display-Fix-variable-deferencing-before-NULL.patch @@ -4,7 +4,7 @@ Date: Mon, 8 Jan 2024 21:20:28 +0530 Subject: [PATCH] drm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay() Git-commit: 7073934f5d73f8b53308963cee36f0d389ea857c Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26648 bsc#1222067 In edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay' was dereferenced before the pointer 'link' & 'replay' NULL check. diff --git a/patches.suse/drm-amdgpu-Fix-possible-NULL-dereference-in-amdgpu_r.patch b/patches.suse/drm-amdgpu-Fix-possible-NULL-dereference-in-amdgpu_r.patch index ebc4942..edfa3c2 100644 --- a/patches.suse/drm-amdgpu-Fix-possible-NULL-dereference-in-amdgpu_r.patch +++ b/patches.suse/drm-amdgpu-Fix-possible-NULL-dereference-in-amdgpu_r.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: b8d55a90fd55b767c25687747e2b24abd1ef8680 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52585 bsc#1221080 [ Upstream commit b8d55a90fd55b767c25687747e2b24abd1ef8680 ] 
diff --git a/patches.suse/drm-amdgpu-Fix-the-null-pointer-when-load-rlc-firmwa.patch b/patches.suse/drm-amdgpu-Fix-the-null-pointer-when-load-rlc-firmwa.patch index 254d750..292d18e 100644 --- a/patches.suse/drm-amdgpu-Fix-the-null-pointer-when-load-rlc-firmwa.patch +++ b/patches.suse/drm-amdgpu-Fix-the-null-pointer-when-load-rlc-firmwa.patch @@ -4,7 +4,7 @@ Date: Fri, 12 Jan 2024 13:33:24 +0800 Subject: [PATCH] drm/amdgpu: Fix the null pointer when load rlc firmware Git-commit: bc03c02cc1991a066b23e69bbcc0f66e8f1f7453 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26649 bsc#1222055 If the RLC firmware is invalid because of wrong header size, the pointer to the rlc firmware is released in function diff --git a/patches.suse/drm-meson-fix-memory-leak-on-hpd_notify-callback.patch b/patches.suse/drm-meson-fix-memory-leak-on-hpd_notify-callback.patch index 277121e..0da0de1 100644 --- a/patches.suse/drm-meson-fix-memory-leak-on-hpd_notify-callback.patch +++ b/patches.suse/drm-meson-fix-memory-leak-on-hpd_notify-callback.patch @@ -4,7 +4,7 @@ Date: Thu, 14 Sep 2023 16:10:15 +0300 Subject: drm/meson: fix memory leak on ->hpd_notify callback Git-commit: 099f0af9d98231bb74956ce92508e87cbcb896be Patch-mainline: v6.6-rc3 -References: jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 +References: jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52563 bsc#1220937 The EDID returned by drm_bridge_get_edid() needs to be freed. diff --git a/patches.suse/drm-msm-dpu-Add-mutex-lock-in-control-vblank-irq.patch b/patches.suse/drm-msm-dpu-Add-mutex-lock-in-control-vblank-irq.patch index 2381768..aa2e712 100644 --- a/patches.suse/drm-msm-dpu-Add-mutex-lock-in-control-vblank-irq.patch 
+++ b/patches.suse/drm-msm-dpu-Add-mutex-lock-in-control-vblank-irq.patch @@ -4,7 +4,7 @@ Date: Tue, 12 Dec 2023 15:10:58 -0800 Subject: [PATCH] drm/msm/dpu: Add mutex lock in control vblank irq Git-commit: 45284ff733e4caf6c118aae5131eb7e7cf3eea5a Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52586 bsc#1221081 [ Upstream commit 45284ff733e4caf6c118aae5131eb7e7cf3eea5a ] diff --git a/patches.suse/drm-radeon-check-the-alloc_workqueue-return-value-in.patch b/patches.suse/drm-radeon-check-the-alloc_workqueue-return-value-in.patch index 887bb11..a676fa3 100644 --- a/patches.suse/drm-radeon-check-the-alloc_workqueue-return-value-in.patch +++ b/patches.suse/drm-radeon-check-the-alloc_workqueue-return-value-in.patch @@ -4,7 +4,7 @@ Date: Thu, 30 Nov 2023 15:50:16 +0800 Subject: [PATCH] drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() Git-commit: 7a2464fac80d42f6f8819fed97a553e9c2f43310 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52470 bsc#1220413 check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref. diff --git a/patches.suse/drm-sched-Fix-bounds-limiting-when-given-a-malformed.patch b/patches.suse/drm-sched-Fix-bounds-limiting-when-given-a-malformed.patch index 3678a0d..121a04a 100644 --- a/patches.suse/drm-sched-Fix-bounds-limiting-when-given-a-malformed.patch +++ b/patches.suse/drm-sched-Fix-bounds-limiting-when-given-a-malformed.patch @@ -7,7 +7,7 @@ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 2bbe6ab2be53858507f11f99f856846d04765ae3 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52461 bsc#1220322 If we're given a malformed entity in drm_sched_entity_init()--shouldn't happen, but we verify--with out-of-bounds priority value, we set it to an 
diff --git a/patches.suse/firmware-arm_scmi-Check-mailbox-SMT-channel-for-cons.patch b/patches.suse/firmware-arm_scmi-Check-mailbox-SMT-channel-for-cons.patch index 356351d..34ee443 100644 --- a/patches.suse/firmware-arm_scmi-Check-mailbox-SMT-channel-for-cons.patch +++ b/patches.suse/firmware-arm_scmi-Check-mailbox-SMT-channel-for-cons.patch @@ -4,7 +4,7 @@ Date: Wed, 20 Dec 2023 17:21:12 +0000 Subject: [PATCH] firmware: arm_scmi: Check mailbox/SMT channel for consistency Git-commit: 437a310b22244d4e0b78665c3042e5d1c0f45306 Patch-mainline: v6.8-rc2 -References: git-fixes +References: git-fixes CVE-2023-52608 bsc#1221375 On reception of a completion interrupt the shared memory area is accessed to retrieve the message header at first and then, if the message sequence diff --git a/patches.suse/gfs2-Fix-kernel-NULL-pointer-dereference-in-gfs2_rgrp_dump.patch b/patches.suse/gfs2-Fix-kernel-NULL-pointer-dereference-in-gfs2_rgrp_dump.patch index fa91527..4595dae 100644 --- a/patches.suse/gfs2-Fix-kernel-NULL-pointer-dereference-in-gfs2_rgrp_dump.patch +++ b/patches.suse/gfs2-Fix-kernel-NULL-pointer-dereference-in-gfs2_rgrp_dump.patch @@ -4,7 +4,7 @@ Date: Mon, 6 Nov 2023 21:21:29 +0500 Subject: [PATCH] gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump Git-commit: 8877243beafa7c6bfc42022cbfdf9e39b25bd4fa Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52448 bsc#1220253 Syzkaller has reported a NULL pointer dereference when accessing rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating diff --git a/patches.suse/hwrng-core-Fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch b/patches.suse/hwrng-core-Fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch index 3c00e80..bb25cc5 100644 --- a/patches.suse/hwrng-core-Fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch +++ b/patches.suse/hwrng-core-Fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch 
@@ -4,7 +4,7 @@ Date: Sat, 2 Dec 2023 09:01:54 +0800 Subject: [PATCH] hwrng: core - Fix page fault dead lock on mmap-ed hwrng Git-commit: 78aafb3884f6bc6636efcc1760c891c8500b9922 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52615 bsc#1221614 There is a dead-lock in the hwrng device read path. This triggers when the user reads from /dev/hwrng into memory also mmap-ed from diff --git a/patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch b/patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch index d30c366..79fdf65 100644 --- a/patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch +++ b/patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch @@ -4,7 +4,7 @@ Date: Sat, 7 Oct 2023 11:30:49 +0800 Subject: [PATCH] ieee802154: ca8210: Fix a potential UAF in ca8210_probe Git-commit: f990874b1c98fe8e57ee9385669f501822979258 Patch-mainline: v6.6-rc6 -References: git-fixes +References: git-fixes CVE-2023-52510 bsc#1220898 If of_clk_add_provider() fails in ca8210_register_ext_clock(), it calls clk_unregister() to release priv->clk and returns an diff --git a/patches.suse/iio-adc-ad7091r-Allow-users-to-configure-device-even.patch b/patches.suse/iio-adc-ad7091r-Allow-users-to-configure-device-even.patch index ee8c692..da51973 100644 --- a/patches.suse/iio-adc-ad7091r-Allow-users-to-configure-device-even.patch +++ b/patches.suse/iio-adc-ad7091r-Allow-users-to-configure-device-even.patch @@ -4,7 +4,7 @@ Date: Tue, 19 Dec 2023 17:26:01 -0300 Subject: [PATCH] iio: adc: ad7091r: Allow users to configure device events Git-commit: 020e71c7ffc25dfe29ed9be6c2d39af7bd7f661f Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52627 bsc#1222051 AD7091R-5 devices are supported by the ad7091r-5 driver together with the ad7091r-base driver. Those drivers declared iio events for notifying 
diff --git a/patches.suse/iommu-Don-t-reserve-0-length-IOVA-region.patch b/patches.suse/iommu-Don-t-reserve-0-length-IOVA-region.patch index c62969c..3455fa6 100644 --- a/patches.suse/iommu-Don-t-reserve-0-length-IOVA-region.patch +++ b/patches.suse/iommu-Don-t-reserve-0-length-IOVA-region.patch @@ -3,7 +3,7 @@ Date: Tue, 5 Dec 2023 12:26:56 +0530 Subject: iommu: Don't reserve 0-length IOVA region Git-commit: bb57f6705960bebeb832142ce9abf43220c3eab1 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52455 bsc#1220332 When the bootloader/firmware doesn't setup the framebuffers, their address and size are 0 in "iommu-addresses" property. If IOVA region is diff --git a/patches.suse/iommu-arm-smmu-v3-Fix-soft-lockup-triggered-by-arm_smmu_mm_invalidate_range.patch b/patches.suse/iommu-arm-smmu-v3-Fix-soft-lockup-triggered-by-arm_smmu_mm_invalidate_range.patch index e4f6659..1fc93ae 100644 --- a/patches.suse/iommu-arm-smmu-v3-Fix-soft-lockup-triggered-by-arm_smmu_mm_invalidate_range.patch +++ b/patches.suse/iommu-arm-smmu-v3-Fix-soft-lockup-triggered-by-arm_smmu_mm_invalidate_range.patch @@ -4,7 +4,7 @@ Subject: iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range Git-commit: d5afb4b47e13161b3f33904d45110f9e6463bad6 Patch-mainline: v6.6-rc5 -References: bsc#1215921 +References: bsc#1215921 CVE-2023-52484 bsc#1220797 When running an SVA case, the following soft lockup is triggered: -------------------------------------------------------------------- diff --git a/patches.suse/iommu-vt-d-Avoid-memory-allocation-in-iommu_suspend b/patches.suse/iommu-vt-d-Avoid-memory-allocation-in-iommu_suspend index ee282eb..f832177 100644 --- a/patches.suse/iommu-vt-d-Avoid-memory-allocation-in-iommu_suspend +++ b/patches.suse/iommu-vt-d-Avoid-memory-allocation-in-iommu_suspend 
@@ -3,7 +3,7 @@ Date: Mon, 25 Sep 2023 20:04:17 +0800 Subject: iommu/vt-d: Avoid memory allocation in iommu_suspend() Git-commit: 59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e Patch-mainline: v6.6-rc5 -References: jsc#PED-7779 jsc#PED-7780 +References: jsc#PED-7779 jsc#PED-7780 CVE-2023-52559 bsc#1220933 The iommu_suspend() syscore suspend callback is invoked with IRQ disabled. Allocating memory with the GFP_KERNEL flag may re-enable IRQs during diff --git a/patches.suse/ipv4-ipv6-Fix-handling-of-transhdrlen-in-__ip-6-_app.patch b/patches.suse/ipv4-ipv6-Fix-handling-of-transhdrlen-in-__ip-6-_app.patch index d1ddf66..10231db 100644 --- a/patches.suse/ipv4-ipv6-Fix-handling-of-transhdrlen-in-__ip-6-_app.patch +++ b/patches.suse/ipv4-ipv6-Fix-handling-of-transhdrlen-in-__ip-6-_app.patch @@ -5,7 +5,7 @@ Subject: [PATCH] ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() Git-commit: 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 Patch-mainline: v6.6-rc5 -References: bsc#1220419 +References: bsc#1220419 CVE-2023-52527 bsc#1220928 Including the transhdrlen in length is a problem when the packet is partially filled (e.g. something like send(MSG_MORE) happened previously) diff --git a/patches.suse/jfs-fix-array-index-out-of-bounds-in-dbAdjTree.patch b/patches.suse/jfs-fix-array-index-out-of-bounds-in-dbAdjTree.patch index 8e4b802..d6e6322 100644 --- a/patches.suse/jfs-fix-array-index-out-of-bounds-in-dbAdjTree.patch +++ b/patches.suse/jfs-fix-array-index-out-of-bounds-in-dbAdjTree.patch @@ -4,7 +4,7 @@ Date: Tue, 17 Oct 2023 17:33:56 +0530 Subject: [PATCH] jfs: fix array-index-out-of-bounds in dbAdjTree Git-commit: 74ecdda68242b174920fe7c6133a856fb7d8559b Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52601 bsc#1221068 Currently there is a bound check missing in the dbAdjTree while accessing the dmt_stree. To add the required check added the bool is_ctl 
diff --git a/patches.suse/jfs-fix-array-index-out-of-bounds-in-diNewExt.patch b/patches.suse/jfs-fix-array-index-out-of-bounds-in-diNewExt.patch index d3af0eb..03dbb60 100644 --- a/patches.suse/jfs-fix-array-index-out-of-bounds-in-diNewExt.patch +++ b/patches.suse/jfs-fix-array-index-out-of-bounds-in-diNewExt.patch @@ -4,7 +4,7 @@ Date: Tue, 12 Dec 2023 09:36:22 +0800 Subject: [PATCH] jfs: fix array-index-out-of-bounds in diNewExt Git-commit: 49f9637aafa6e63ba686c13cb8549bf5e6920402 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52599 bsc#1221062 [Syz report] Ubsan: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2 diff --git a/patches.suse/jfs-fix-slab-out-of-bounds-Read-in-dtSearch.patch b/patches.suse/jfs-fix-slab-out-of-bounds-Read-in-dtSearch.patch index c3c813a..9fcabf0 100644 --- a/patches.suse/jfs-fix-slab-out-of-bounds-Read-in-dtSearch.patch +++ b/patches.suse/jfs-fix-slab-out-of-bounds-Read-in-dtSearch.patch @@ -4,7 +4,7 @@ Date: Wed, 25 Oct 2023 11:39:07 +0530 Subject: [PATCH] jfs: fix slab-out-of-bounds Read in dtSearch Git-commit: fa5492ee89463a7590a1449358002ff7ef63529f Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52602 bsc#1221070 Currently while searching for current page in the sorted entry table of the page there is a out of bound access. Added a bound check to fix diff --git a/patches.suse/jfs-fix-uaf-in-jfs_evict_inode.patch b/patches.suse/jfs-fix-uaf-in-jfs_evict_inode.patch index aa0b912..059bf4b 100644 --- a/patches.suse/jfs-fix-uaf-in-jfs_evict_inode.patch +++ b/patches.suse/jfs-fix-uaf-in-jfs_evict_inode.patch 
@@ -4,7 +4,7 @@ Date: Tue, 31 Oct 2023 13:39:04 +0800 Subject: [PATCH] jfs: fix uaf in jfs_evict_inode Git-commit: e0e1958f4c365e380b17ccb35617345b31ef7bf3 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52600 bsc#1221071 When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs diff --git a/patches.suse/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmss.patch b/patches.suse/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmss.patch index e669a9b..36c1ab6 100644 --- a/patches.suse/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmss.patch +++ b/patches.suse/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmss.patch @@ -1,7 +1,7 @@ From: Namjae Jeon Date: Fri, 25 Aug 2023 23:40:31 +0900 Subject: [PATCH] ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() -References: bsc#1012628 +References: bsc#1012628 CVE-2023-52440 bsc#1220182 Patch-mainline: 6.4.15 Git-commit: 4b081ce0d830b684fdf967abc3696d1261387254 diff --git a/patches.suse/media-mtk-jpeg-Fix-use-after-free-bug-due-to-error-p.patch b/patches.suse/media-mtk-jpeg-Fix-use-after-free-bug-due-to-error-p.patch index eebb253..5b6b8dc 100644 --- a/patches.suse/media-mtk-jpeg-Fix-use-after-free-bug-due-to-error-p.patch +++ b/patches.suse/media-mtk-jpeg-Fix-use-after-free-bug-due-to-error-p.patch @@ -4,7 +4,7 @@ Date: Mon, 6 Nov 2023 15:48:10 +0100 Subject: [PATCH] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run Git-commit: 206c857dd17d4d026de85866f1b5f0969f2a109e Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52491 bsc#1221281 In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. diff --git a/patches.suse/media-rkisp1-Fix-IRQ-disable-race-issue.patch b/patches.suse/media-rkisp1-Fix-IRQ-disable-race-issue.patch index 9750e26..d081859 100644 
--- a/patches.suse/media-rkisp1-Fix-IRQ-disable-race-issue.patch +++ b/patches.suse/media-rkisp1-Fix-IRQ-disable-race-issue.patch @@ -4,7 +4,7 @@ Date: Thu, 7 Dec 2023 08:57:48 +0100 Subject: [PATCH] media: rkisp1: Fix IRQ disable race issue Git-commit: 870565f063a58576e8a4529f122cac4325c6b395 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52589 bsc#1221084 In rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the interrupts and then apparently assumes that the interrupt handler won't diff --git a/patches.suse/media-uvcvideo-Fix-OOB-read.patch b/patches.suse/media-uvcvideo-Fix-OOB-read.patch index 62a7789..7c3c1f1 100644 --- a/patches.suse/media-uvcvideo-Fix-OOB-read.patch +++ b/patches.suse/media-uvcvideo-Fix-OOB-read.patch @@ -4,7 +4,7 @@ Date: Thu, 20 Jul 2023 17:46:54 +0000 Subject: [PATCH] media: uvcvideo: Fix OOB read Git-commit: 41ebaa5e0eebea4c3bac96b72f9f8ae0d77c0bdb Patch-mainline: v6.6-rc3 -References: git-fixes +References: git-fixes CVE-2023-52565 bsc#1220939 If the index provided by the user is bigger than the mask size, we might do an out of bound read. diff --git a/patches.suse/mfd-syscon-Fix-null-pointer-dereference-in-of_syscon.patch b/patches.suse/mfd-syscon-Fix-null-pointer-dereference-in-of_syscon.patch index e7616b7..5069ca8 100644 --- a/patches.suse/mfd-syscon-Fix-null-pointer-dereference-in-of_syscon.patch +++ b/patches.suse/mfd-syscon-Fix-null-pointer-dereference-in-of_syscon.patch @@ -4,7 +4,7 @@ Date: Mon, 4 Dec 2023 17:24:43 +0800 Subject: [PATCH] mfd: syscon: Fix null pointer dereference in of_syscon_register() Git-commit: 41673c66b3d0c09915698fec5c13b24336f18dd1 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52467 bsc#1220433 kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. 
diff --git a/patches.suse/mm-migrate-fix-getting-incorrect-page-mapping-during-page-migration.patch b/patches.suse/mm-migrate-fix-getting-incorrect-page-mapping-during-page-migration.patch index bdc15f0..e3fae39 100644 --- a/patches.suse/mm-migrate-fix-getting-incorrect-page-mapping-during-page-migration.patch +++ b/patches.suse/mm-migrate-fix-getting-incorrect-page-mapping-during-page-migration.patch @@ -3,7 +3,7 @@ Date: Fri, 15 Dec 2023 20:07:52 +0800 Subject: mm: migrate: fix getting incorrect page mapping during page migration Git-commit: d1adb25df7111de83b64655a80b5a135adbded61 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52490 bsc#1221325 When running stress-ng testing, we found below kernel crash after a few hours: diff --git a/patches.suse/mm-slab_common-fix-slab_caches-list-corruption-after-kmem_cache_destroy.patch b/patches.suse/mm-slab_common-fix-slab_caches-list-corruption-after-kmem_cache_destroy.patch index 1b1228a..8ae86e9 100644 --- a/patches.suse/mm-slab_common-fix-slab_caches-list-corruption-after-kmem_cache_destroy.patch +++ b/patches.suse/mm-slab_common-fix-slab_caches-list-corruption-after-kmem_cache_destroy.patch @@ -4,7 +4,7 @@ Subject: mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy() Git-commit: 46a9ea6681907a3be6b6b0d43776dccc62cad6cf Patch-mainline: v6.6-rc4 -References: git-fixes +References: git-fixes CVE-2023-52562 bsc#1220936 After the commit in Fixes:, if a module that created a slab cache does not release all of its allocated objects before destroying the cache (at rmmod diff --git a/patches.suse/mtd-Fix-gluebi-NULL-pointer-dereference-caused-by-ft.patch b/patches.suse/mtd-Fix-gluebi-NULL-pointer-dereference-caused-by-ft.patch index bb65000..5e31fc8 100644 --- a/patches.suse/mtd-Fix-gluebi-NULL-pointer-dereference-caused-by-ft.patch +++ b/patches.suse/mtd-Fix-gluebi-NULL-pointer-dereference-caused-by-ft.patch 
@@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52449 bsc#1220238 If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access diff --git a/patches.suse/net-bridge-use-DEV_STATS_INC.patch b/patches.suse/net-bridge-use-DEV_STATS_INC.patch index cdef214..ad70f1e 100644 --- a/patches.suse/net-bridge-use-DEV_STATS_INC.patch +++ b/patches.suse/net-bridge-use-DEV_STATS_INC.patch @@ -4,7 +4,7 @@ Date: Mon, 18 Sep 2023 09:13:51 +0000 Subject: [PATCH] net: bridge: use DEV_STATS_INC() Git-commit: 44bdb313da57322c9b3c108eb66981c6ec6509f4 Patch-mainline: v6.6-rc3 -References: bsc#1220419 +References: bsc#1220419 CVE-2023-52578 bsc#1220874 syzbot/KCSAN reported data-races in br_handle_frame_finish() [1] This function can run from multiple cpus without mutual exclusion. diff --git a/patches.suse/net-core-Fix-ETH_P_1588-flow-dissector.patch b/patches.suse/net-core-Fix-ETH_P_1588-flow-dissector.patch index 28e0137..1d78280 100644 --- a/patches.suse/net-core-Fix-ETH_P_1588-flow-dissector.patch +++ b/patches.suse/net-core-Fix-ETH_P_1588-flow-dissector.patch @@ -4,7 +4,7 @@ Date: Wed, 13 Sep 2023 09:39:05 +0300 Subject: [PATCH] net/core: Fix ETH_P_1588 flow dissector Git-commit: 75ad80ed88a182ab2ad5513e448cf07b403af5c3 Patch-mainline: v6.6-rc3 -References: bsc#1220419 +References: bsc#1220419 CVE-2023-52580 bsc#1220876 When a PTP ethernet raw frame with a size of more than 256 bytes followed by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation diff --git a/patches.suse/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch b/patches.suse/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch index 1d4d9e1..642553a 100644 --- a/patches.suse/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch 
+++ b/patches.suse/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch @@ -4,7 +4,7 @@ Date: Thu, 21 Sep 2023 08:46:26 +0000 Subject: [PATCH] net: fix possible store tearing in neigh_periodic_work() Git-commit: 25563b581ba3a1f263a00e8c9a97f5e7363be6fd Patch-mainline: v6.6-rc5 -References: bsc#1220419 +References: bsc#1220419 CVE-2023-52522 bsc#1220924 While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an diff --git a/patches.suse/net-mlx5e-Fix-operation-precedence-bug-in-port-times.patch b/patches.suse/net-mlx5e-Fix-operation-precedence-bug-in-port-times.patch index 0ec4f47..5f469a0 100644 --- a/patches.suse/net-mlx5e-Fix-operation-precedence-bug-in-port-times.patch +++ b/patches.suse/net-mlx5e-Fix-operation-precedence-bug-in-port-times.patch @@ -4,7 +4,7 @@ Subject: net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context Patch-mainline: v6.8-rc2 Git-commit: 3876638b2c7ebb2c9d181de1191db0de8cac143a -References: jsc#PED-3311 +References: jsc#PED-3311 CVE-2023-52626 bsc#1222054 Indirection (*) is of lower precedence than postfix increment (++). Logic in napi_poll context would cause an out-of-bound read by first increment diff --git a/patches.suse/net-mlx5e-Fix-peer-flow-lists-handling.patch b/patches.suse/net-mlx5e-Fix-peer-flow-lists-handling.patch index cb7d0ac..8cec627 100644 --- a/patches.suse/net-mlx5e-Fix-peer-flow-lists-handling.patch +++ b/patches.suse/net-mlx5e-Fix-peer-flow-lists-handling.patch @@ -3,7 +3,7 @@ Date: Fri, 10 Nov 2023 11:10:22 +0100 Subject: net/mlx5e: Fix peer flow lists handling Patch-mainline: v6.8-rc2 Git-commit: d76fdd31f953ac5046555171620f2562715e9b71 -References: jsc#PED-3311 +References: jsc#PED-3311 CVE-2023-52487 bsc#1221341 The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP flag when list of peer flows has become empty. However, if any concurrent 
diff --git a/patches.suse/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch b/patches.suse/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch index 5e3d1cc..143bb9f 100644 --- a/patches.suse/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch +++ b/patches.suse/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch @@ -4,7 +4,7 @@ Date: Mon, 9 Oct 2023 12:31:10 +0000 Subject: [PATCH] net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() Git-commit: 31c07dffafce914c1d1543c135382a11ff058d93 Patch-mainline: v6.6-rc6 -References: git-fixes +References: git-fixes CVE-2023-52502 bsc#1220831 Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF. diff --git a/patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch b/patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch index 0810522..5ce319f 100644 --- a/patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch +++ b/patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch @@ -4,7 +4,7 @@ Date: Fri, 8 Sep 2023 19:58:53 -0400 Subject: [PATCH] net: nfc: llcp: Add lock when modifying device list Git-commit: dfc7f7a988dad34c3bf4c053124fb26aa6c5f916 Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52524 bsc#1220927 The device list needs its associated lock held when modifying it, or the list could become corrupted, as syzbot discovered. diff --git a/patches.suse/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch b/patches.suse/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch index c6f19e0..899b928 100644 --- a/patches.suse/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch +++ b/patches.suse/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch 
@@ -4,7 +4,7 @@ Date: Wed, 10 Jan 2024 14:14:00 +0800 Subject: [PATCH 11/15] net: qualcomm: rmnet: fix global oob in rmnet_policy Git-commit: b33fb5b801c6db408b774a68e7c8722796b59ecc Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26597 bsc#1220363 The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug diff --git a/patches.suse/net-rds-Fix-possible-NULL-pointer-dereference.patch b/patches.suse/net-rds-Fix-possible-NULL-pointer-dereference.patch index 8f0a065..74c3cf2 100644 --- a/patches.suse/net-rds-Fix-possible-NULL-pointer-dereference.patch +++ b/patches.suse/net-rds-Fix-possible-NULL-pointer-dereference.patch @@ -4,7 +4,7 @@ Date: Mon, 18 Sep 2023 16:56:23 +0300 Subject: [PATCH] net: rds: Fix possible NULL-pointer dereference Git-commit: f1d95df0f31048f1c59092648997686e3f7d9478 Patch-mainline: v6.6-rc3 -References: bsc#1220419 +References: bsc#1220419 CVE-2023-52573 bsc#1220869 In rds_rdma_cm_event_handler_cmn() check, if conn pointer exists before dereferencing it as rdma_set_service_type() argument diff --git a/patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch b/patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch index 34cdcde..9f9e8e1 100644 --- a/patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch +++ b/patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch @@ -4,7 +4,7 @@ Date: Sun, 24 Sep 2023 02:35:49 +0900 Subject: [PATCH] net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg Git-commit: e9c65989920f7c28775ec4e0c11b483910fb67b8 Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52528 bsc#1220843 syzbot reported the following uninit-value access issue: 
diff --git a/patches.suse/netfilter-nft_set_rbtree-skip-sync-GC-for-new-elemen.patch b/patches.suse/netfilter-nft_set_rbtree-skip-sync-GC-for-new-elemen.patch index 31e6398..6a8db72 100644 --- a/patches.suse/netfilter-nft_set_rbtree-skip-sync-GC-for-new-elemen.patch +++ b/patches.suse/netfilter-nft_set_rbtree-skip-sync-GC-for-new-elemen.patch @@ -5,7 +5,7 @@ Subject: [PATCH 1/3] netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction Git-commit: 2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4 Patch-mainline: v6.6-rc1 -References: git-fixes +References: git-fixes CVE-2023-52433 bsc#1220137 New elements in this transaction might expired before such transaction ends. Skip sync GC for such elements otherwise commit path might walk diff --git a/patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch b/patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch index b81da54..1966a99 100644 --- a/patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch +++ b/patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch @@ -4,7 +4,7 @@ Date: Mon, 9 Oct 2023 16:00:54 -0400 Subject: [PATCH] nfc: nci: assert requested protocol is valid Git-commit: 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 Patch-mainline: v6.6-rc6 -References: git-fixes +References: git-fixes CVE-2023-52507 bsc#1220833 The protocol is used in a bit mask to determine if the protocol is supported. Assert the provided protocol is less than the maximum diff --git a/patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch b/patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch index 31db651..e226c27 100644 --- a/patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch +++ b/patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch 
@@ -3,7 +3,7 @@ Date: Mon, 22 Jan 2024 14:01:10 +1100 Subject: [PATCH] nfsd: fix RELEASE_LOCKOWNER Patch-mainline: v6.8 Git-commit: edcf9725150e42beeca42d085149f4c88fa97afd -References: bsc#1218968 +References: bsc#1218968 CVE-2024-26629 bsc#1221379 The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. diff --git a/patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch b/patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch index c969fb6..7d564fb 100644 --- a/patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch +++ b/patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch @@ -4,7 +4,7 @@ Date: Thu, 21 Sep 2023 23:17:31 +0900 Subject: [PATCH] nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() Git-commit: 7ee29facd8a9c5a26079148e36bcf07141b3a6bc Patch-mainline: v6.6-rc4 -References: git-fixes +References: git-fixes CVE-2023-52566 bsc#1220940 In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If diff --git a/patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch b/patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch index 4e282c4..8c8aa54 100644 --- a/patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch +++ b/patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch @@ -3,7 +3,7 @@ Date: Thu, 17 Aug 2023 12:43:01 -0700 Subject: nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() Patch-mainline: v6.6-rc2 Git-commit: 8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c -References: bsc#1214842 +References: bsc#1214842 CVE-2023-52508 bsc#1221015 The nvme_fc_fcp_op structure describing an AEN operation is initialized with a null request structure pointer. An FC LLDD may make a call to 
diff --git a/patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch b/patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch index 835edac..d82f6cf 100644 --- a/patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch +++ b/patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch @@ -4,7 +4,7 @@ Subject: nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length Patch-mainline: v6.8-rc1 Git-commit: efa56305908ba20de2104f1b8508c6a7401833be -References: bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356 +References: bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356 CVE-2023-52454 bsc#1220320 If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec(). diff --git a/patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch b/patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch index 5a0d9aa..74325de 100644 --- a/patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch +++ b/patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch @@ -5,7 +5,7 @@ Subject: [PATCH] ocfs2: Avoid touching renamed directory if parent does not change Git-commit: 9d618d19b29c2943527e3a43da0a35aea91062fc Patch-mainline: v6.8-rc1 -References: bsc#1221044 CVE-2023-52591 +References: bsc#1221044 CVE-2023-52591 CVE-2023-52590 bsc#1221088 The VFS will not be locking moved directory if its parent does not change. Change ocfs2 rename code to avoid touching renamed directory if diff --git a/patches.suse/perf-x86-intel-uncore-Fix-NULL-pointer-dereference-issue-in-upi_fill_topology.patch b/patches.suse/perf-x86-intel-uncore-Fix-NULL-pointer-dereference-issue-in-upi_fill_topology.patch index 658f54e..6294f38 100644 --- a/patches.suse/perf-x86-intel-uncore-Fix-NULL-pointer-dereference-issue-in-upi_fill_topology.patch 
+++ b/patches.suse/perf-x86-intel-uncore-Fix-NULL-pointer-dereference-issue-in-upi_fill_topology.patch @@ -4,7 +4,7 @@ Subject: perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology() Git-commit: 1692cf434ba13ee212495b5af795b6a07e986ce4 Patch-mainline: v6.7 or v6.7-rc9 (next release) -References: bsc#1218958 +References: bsc#1218958 CVE-2023-52450 bsc#1220237 Get logical socket id instead of physical id in discover_upi_topology() to avoid out-of-bound access on 'upi = &type->topology[nid][idx];' line diff --git a/patches.suse/perf-x86-lbr-Filter-vsyscall-addresses.patch b/patches.suse/perf-x86-lbr-Filter-vsyscall-addresses.patch index 07f294f..4aea7f5 100644 --- a/patches.suse/perf-x86-lbr-Filter-vsyscall-addresses.patch +++ b/patches.suse/perf-x86-lbr-Filter-vsyscall-addresses.patch @@ -3,7 +3,7 @@ Date: Fri, 6 Oct 2023 11:57:26 -0700 Subject: perf/x86/lbr: Filter vsyscall addresses Git-commit: e53899771a02f798d436655efbd9d4b46c0f9265 Patch-mainline: v6.6-rc6 -References: git-fixes +References: git-fixes CVE-2023-52476 bsc#1220703 We found that a panic can occur when a vsyscall is made while LBR sampling is active. If the vsyscall is interrupted (NMI) for perf sampling, this diff --git a/patches.suse/phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch b/patches.suse/phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch index bc2399a..785fd99 100644 --- a/patches.suse/phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch +++ b/patches.suse/phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch @@ -4,7 +4,7 @@ Date: Wed, 4 Oct 2023 14:17:08 +0300 Subject: [PATCH] phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers Git-commit: 139ad1143151a07be93bf741d4ea7c89e59f89ce Patch-mainline: v6.6-rc6 -References: git-fixes +References: git-fixes CVE-2023-52505 bsc#1220830 The protocol converter configuration registers PCC8, PCCC, PCCD (implemented by the driver), as well as others, control protocol 
diff --git a/patches.suse/pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch b/patches.suse/pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch index 2af4aa0..76877d7 100644 --- a/patches.suse/pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch +++ b/patches.suse/pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: 87d315a34133edcb29c4cadbf196ec6c30dfd47b Patch-mainline: v6.6-rc6 -References: git-fixes +References: git-fixes CVE-2023-52512 bsc#1221021 Write into 'pctrl->gpio_bank' happens before the check for GPIO index validity, so out of bounds write may happen. diff --git a/patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch b/patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch index 9ed58bd..bb0180c 100644 --- a/patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch +++ b/patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: 528ab3e605cabf2f9c9bd5944d3bfe15f6e94f81 Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52520 bsc#1220921 If a duplicate attribute is found using kset_find_obj(), a reference to that attribute is returned which needs to be disposed accordingly diff --git a/patches.suse/power-supply-rk817-Fix-node-refcount-leak.patch b/patches.suse/power-supply-rk817-Fix-node-refcount-leak.patch index 4f80a1c..0329bfd 100644 --- a/patches.suse/power-supply-rk817-Fix-node-refcount-leak.patch +++ b/patches.suse/power-supply-rk817-Fix-node-refcount-leak.patch 
@@ -4,7 +4,7 @@ Date: Wed, 20 Sep 2023 09:56:44 -0500 Subject: [PATCH] power: supply: rk817: Fix node refcount leak Git-commit: 488ef44c068e79752dba8eda0b75f524f111a695 Patch-mainline: v6.6-rc4 -References: git-fixes +References: git-fixes CVE-2023-52571 bsc#1220945 Dan Carpenter reports that the Smatch static checker warning has found that there is another refcount leak in the probe function. While diff --git a/patches.suse/powerpc-lib-Validate-size-for-vector-operations.patch b/patches.suse/powerpc-lib-Validate-size-for-vector-operations.patch index 1805f84..931eb80 100644 --- a/patches.suse/powerpc-lib-Validate-size-for-vector-operations.patch +++ b/patches.suse/powerpc-lib-Validate-size-for-vector-operations.patch @@ -3,7 +3,7 @@ From: Naveen N Rao Date: Thu, 23 Nov 2023 12:47:05 +0530 Subject: [PATCH] powerpc/lib: Validate size for vector operations -References: bsc#1215199 +References: bsc#1215199 CVE-2023-52606 bsc#1221069 Patch-mainline: v6.8-rc1 Git-commit: 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 diff --git a/patches.suse/powerpc-mm-Fix-null-pointer-dereference-in-pgtable_c.patch b/patches.suse/powerpc-mm-Fix-null-pointer-dereference-in-pgtable_c.patch index 3fa8d36..80dada7 100644 --- a/patches.suse/powerpc-mm-Fix-null-pointer-dereference-in-pgtable_c.patch +++ b/patches.suse/powerpc-mm-Fix-null-pointer-dereference-in-pgtable_c.patch @@ -3,7 +3,7 @@ From: Kunwu Chan Date: Mon, 4 Dec 2023 10:32:23 +0800 Subject: [PATCH] powerpc/mm: Fix null-pointer dereference in pgtable_cache_add -References: bsc#1215199 +References: bsc#1215199 CVE-2023-52607 bsc#1221061 Patch-mainline: v6.8-rc1 Git-commit: f46c8a75263f97bda13c739ba1c90aced0d3b071 diff --git a/patches.suse/pstore-ram-Fix-crash-when-setting-number-of-cpus-to-.patch b/patches.suse/pstore-ram-Fix-crash-when-setting-number-of-cpus-to-.patch index d671823..a347fec 100644 --- a/patches.suse/pstore-ram-Fix-crash-when-setting-number-of-cpus-to-.patch 
+++ b/patches.suse/pstore-ram-Fix-crash-when-setting-number-of-cpus-to-.patch @@ -4,7 +4,7 @@ Date: Fri, 24 Feb 2023 10:36:32 +0800 Subject: [PATCH] pstore/ram: Fix crash when setting number of cpus to an odd number Git-commit: d49270a04623ce3c0afddbf3e984cb245aa48e9c Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52619 bsc#1221618 When the number of cpu cores is adjusted to 7 or other odd numbers, the zone size will become an odd number. diff --git a/patches.suse/pwm-Fix-out-of-bounds-access-in-of_pwm_single_xlate.patch b/patches.suse/pwm-Fix-out-of-bounds-access-in-of_pwm_single_xlate.patch index b21fc67..7156aa8 100644 --- a/patches.suse/pwm-Fix-out-of-bounds-access-in-of_pwm_single_xlate.patch +++ b/patches.suse/pwm-Fix-out-of-bounds-access-in-of_pwm_single_xlate.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: a297d07b9a1e4fb8cda25a4a2363a507d294b7c9 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26599 bsc#1220365 With args->args_count == 2 args->args[2] is not defined. Actually the flags are contained in args->args[1]. diff --git a/patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch b/patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch index bc60756..421e248 100644 --- a/patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch +++ b/patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch @@ -3,7 +3,7 @@ Date: Thu, 7 Sep 2023 12:28:20 -0400 Subject: ring-buffer: Do not attempt to read past "commit" Git-commit: 95a404bd60af6c4d9d8db01ad14fe8957ece31ca Patch-mainline: v6.6-rc2 -References: git-fixes +References: git-fixes CVE-2023-52501 bsc#1220885 When iterating over the ring buffer while the ring buffer is active, the writer can corrupt the reader. There's barriers to help detect this and 
diff --git a/patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-for-waking-up-EH-handler.patch b/patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-for-waking-up-EH-handler.patch index eea859d..8d45f4a 100644 --- a/patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-for-waking-up-EH-handler.patch +++ b/patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-for-waking-up-EH-handler.patch @@ -4,7 +4,7 @@ Subject: scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Git-commit: 4373534a9850627a2695317944898eb1283a2db0 Patch-mainline: v6.8-rc3 -References: git-fixes +References: git-fixes CVE-2024-26627 bsc#1221090 Inside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host lock every time for deciding if error handler kthread needs to be waken up. diff --git a/patches.suse/scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch b/patches.suse/scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch index e399519..db3d139 100644 --- a/patches.suse/scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch +++ b/patches.suse/scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch @@ -4,7 +4,7 @@ Subject: scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command Git-commit: c13e7331745852d0dd7c35eabbe181cbd5b01172 Patch-mainline: v6.6-rc2 -References: jsc#PED-6874 +References: jsc#PED-6874 CVE-2023-52500 bsc#1220883 Tags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed when we receive the response. diff --git a/patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch b/patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch index c00b39a..d55b5de 100644 --- a/patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch +++ b/patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch 
@@ -4,7 +4,7 @@ Date: Fri, 1 Sep 2023 01:25:55 +0300 Subject: [PATCH] serial: 8250_port: Check IRQ data before use Git-commit: cce7fc8b29961b64fadb1ce398dc5ff32a79643b Patch-mainline: v6.6-rc4 -References: git-fixes +References: git-fixes CVE-2023-52567 bsc#1220839 In case the leaf driver wants to use IRQ polling (irq = 0) and IIR register shows that an interrupt happened in the 8250 hardware diff --git a/patches.suse/serial-sc16is7xx-convert-from-_raw_-to-_noinc_-regma.patch b/patches.suse/serial-sc16is7xx-convert-from-_raw_-to-_noinc_-regma.patch index 501361e..a85a1d4 100644 --- a/patches.suse/serial-sc16is7xx-convert-from-_raw_-to-_noinc_-regma.patch +++ b/patches.suse/serial-sc16is7xx-convert-from-_raw_-to-_noinc_-regma.patch @@ -4,7 +4,7 @@ Date: Mon, 11 Dec 2023 12:13:52 -0500 Subject: [PATCH] serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO Git-commit: dbf4ab821804df071c8b566d9813083125e6d97b Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52488 bsc#1221162 The SC16IS7XX IC supports a burst mode to access the FIFOs where the initial register address is sent ($00), followed by all the FIFO data diff --git a/patches.suse/soc-qcom-pmic_glink_altmode-fix-port-sanity-check.patch b/patches.suse/soc-qcom-pmic_glink_altmode-fix-port-sanity-check.patch index c94cd7d..20b9c3b 100644 --- a/patches.suse/soc-qcom-pmic_glink_altmode-fix-port-sanity-check.patch +++ b/patches.suse/soc-qcom-pmic_glink_altmode-fix-port-sanity-check.patch @@ -4,7 +4,7 @@ Date: Thu, 9 Nov 2023 10:31:00 +0100 Subject: [PATCH] soc: qcom: pmic_glink_altmode: fix port sanity check Git-commit: c4fb7d2eac9ff9bfc35a2e4d40c7169a332416e0 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52495 bsc#1221271 The PMIC GLINK altmode driver currently supports at most two ports. 
diff --git a/patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch b/patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch index d6ac3eb..464fb81 100644 --- a/patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch +++ b/patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch @@ -4,7 +4,7 @@ Date: Sun, 27 Aug 2023 17:25:58 +0200 Subject: [PATCH] spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain Git-commit: 1f11f4202caf5710204d334fe63392052783876d Patch-mainline: v6.6-rc1 -References: git-fixes +References: git-fixes CVE-2023-52517 bsc#1221055 Previously the transfer complete IRQ immediately drained to RX FIFO to read any data remaining in FIFO to the RX buffer. This behaviour is diff --git a/patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch b/patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch index 86ab506..8705111 100644 --- a/patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch +++ b/patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch @@ -4,7 +4,7 @@ Date: Sun, 27 Aug 2023 17:25:57 +0200 Subject: [PATCH] spi: sun6i: reduce DMA RX transfer width to single byte Git-commit: 171f8a49f212e87a8b04087568e1b3d132e36a18 Patch-mainline: v6.6-rc1 -References: git-fixes +References: git-fixes CVE-2023-52511 bsc#1221012 Through empirical testing it has been determined that sometimes RX SPI transfers with DMA enabled return corrupted data. This is down to single diff --git a/patches.suse/spmi-mediatek-Fix-UAF-on-device-remove.patch b/patches.suse/spmi-mediatek-Fix-UAF-on-device-remove.patch index de2c516..041c6b9 100644 --- a/patches.suse/spmi-mediatek-Fix-UAF-on-device-remove.patch +++ b/patches.suse/spmi-mediatek-Fix-UAF-on-device-remove.patch 
@@ -4,7 +4,7 @@ Date: Wed, 6 Dec 2023 15:17:25 -0800 Subject: [PATCH] spmi: mediatek: Fix UAF on device remove Git-commit: e821d50ab5b956ed0effa49faaf29912fd4106d9 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52584 bsc#1221079 The pmif driver data that contains the clocks is allocated along with spmi_controller. diff --git a/patches.suse/thermal-core-Fix-NULL-pointer-dereference-in-zone-re.patch b/patches.suse/thermal-core-Fix-NULL-pointer-dereference-in-zone-re.patch index 181f05b..40b7016 100644 --- a/patches.suse/thermal-core-Fix-NULL-pointer-dereference-in-zone-re.patch +++ b/patches.suse/thermal-core-Fix-NULL-pointer-dereference-in-zone-re.patch @@ -4,7 +4,7 @@ Date: Thu, 14 Dec 2023 11:52:25 +0100 Subject: [PATCH] thermal: core: Fix NULL pointer dereference in zone registration error path Git-commit: 04e6ccfc93c5a1aa1d75a537cf27e418895e20ea Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52473 bsc#1220430 If device_register() in thermal_zone_device_register_with_trips() returns an error, the tz variable is set to NULL and subsequently diff --git a/patches.suse/thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch b/patches.suse/thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch index a598501..c346ec8 100644 --- a/patches.suse/thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch +++ b/patches.suse/thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch @@ -4,7 +4,7 @@ Date: Tue, 9 Jan 2024 19:07:04 -0800 Subject: [PATCH] thermal: intel: hfi: Add syscore callbacks for system-wide PM Git-commit: 97566d09fd02d2ab329774bb89a2cdf2267e86d9 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26646 bsc#1222070 The kernel allocates a memory buffer and provides its location to the hardware, which uses it to update the HFI table. This allocation occurs 
diff --git a/patches.suse/tracing-Ensure-visibility-when-inserting-an-element-into-tracing_map.patch b/patches.suse/tracing-Ensure-visibility-when-inserting-an-element-into-tracing_map.patch index 01dbdcd..79d7ceb 100644 --- a/patches.suse/tracing-Ensure-visibility-when-inserting-an-element-into-tracing_map.patch +++ b/patches.suse/tracing-Ensure-visibility-when-inserting-an-element-into-tracing_map.patch @@ -3,7 +3,7 @@ Date: Mon, 22 Jan 2024 16:09:28 +0100 Subject: tracing: Ensure visibility when inserting an element into tracing_map Git-commit: 2b44760609e9eaafc9d234a6883d042fc21132a7 Patch-mainline: v6.8-rc2 -References: git-fixes +References: git-fixes CVE-2024-26645 bsc#1222056 Running the following two commands in parallel on a multi-processor AArch64 machine can sporadically produce an unexpected warning about diff --git a/patches.suse/uio-Fix-use-after-free-in-uio_open.patch b/patches.suse/uio-Fix-use-after-free-in-uio_open.patch index dc36c42..8e1de0c 100644 --- a/patches.suse/uio-Fix-use-after-free-in-uio_open.patch +++ b/patches.suse/uio-Fix-use-after-free-in-uio_open.patch @@ -4,7 +4,7 @@ Date: Thu, 21 Dec 2023 17:57:43 +0800 Subject: [PATCH] uio: Fix use-after-free in uio_open Git-commit: 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52439 bsc#1220140 core-1 core-2 diff --git a/patches.suse/wifi-ath9k-Fix-potential-array-index-out-of-bounds-r.patch b/patches.suse/wifi-ath9k-Fix-potential-array-index-out-of-bounds-r.patch index 7416a83..64e1584 100644 --- a/patches.suse/wifi-ath9k-Fix-potential-array-index-out-of-bounds-r.patch +++ b/patches.suse/wifi-ath9k-Fix-potential-array-index-out-of-bounds-r.patch 
@@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: 2adc886244dff60f948497b59affb6c6ebb3c348 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52594 bsc#1221045 Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug occurs when txs->cnt, data from a URB provided by a USB device, is diff --git a/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch b/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch index 1b3376a..7a1f5b9 100644 --- a/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch +++ b/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch @@ -4,7 +4,7 @@ Date: Thu, 11 Jan 2024 15:07:25 +0200 Subject: [PATCH] wifi: iwlwifi: fix a memory corruption Git-commit: cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d Patch-mainline: v6.8-rc2 -References: git-fixes +References: git-fixes CVE-2024-26610 bsc#1221299 iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in diff --git a/patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch b/patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch index f40ff19..7b32be5 100644 --- a/patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch +++ b/patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch @@ -4,7 +4,7 @@ Date: Fri, 8 Sep 2023 18:41:12 +0800 Subject: [PATCH] wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet Git-commit: aef7a0300047e7b4707ea0411dc9597cba108fc8 Patch-mainline: v6.6-rc5 -References: git-fixes +References: git-fixes CVE-2023-52525 bsc#1220840 Only skip the code path trying to access the rfc1042 headers when the buffer is too small, so the driver can still process packets without 
diff --git a/patches.suse/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch b/patches.suse/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch index 2c51427..0a71123 100644 --- a/patches.suse/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch +++ b/patches.suse/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch @@ -4,7 +4,7 @@ Date: Sat, 4 Nov 2023 16:58:00 +0800 Subject: [PATCH] wifi: rt2x00: restart beacon queue when hardware reset Git-commit: a11d965a218f0cd95b13fe44d0bcd8a20ce134a8 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52595 bsc#1221046 When a hardware reset is triggered, all registers are reset, so all queues are forced to stop in hardware interface. However, mac80211 diff --git a/patches.suse/wifi-rtw88-sdio-Honor-the-host-max_req_size-in-the-R.patch b/patches.suse/wifi-rtw88-sdio-Honor-the-host-max_req_size-in-the-R.patch index 9f6e1c7..0e45067 100644 --- a/patches.suse/wifi-rtw88-sdio-Honor-the-host-max_req_size-in-the-R.patch +++ b/patches.suse/wifi-rtw88-sdio-Honor-the-host-max_req_size-in-the-R.patch @@ -4,7 +4,7 @@ Date: Mon, 20 Nov 2023 12:57:26 +0100 Subject: [PATCH] wifi: rtw88: sdio: Honor the host max_req_size in the RX path Git-commit: 00384f565a91c08c4bedae167f749b093d10e3fe Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52611 bsc#1221611 Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth diff --git a/patches.suse/wifi-wfx-fix-possible-NULL-pointer-dereference-in-wf.patch b/patches.suse/wifi-wfx-fix-possible-NULL-pointer-dereference-in-wf.patch index 376fd36..c0a2c63 100644 --- a/patches.suse/wifi-wfx-fix-possible-NULL-pointer-dereference-in-wf.patch +++ b/patches.suse/wifi-wfx-fix-possible-NULL-pointer-dereference-in-wf.patch 
@@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2023-52593 bsc#1221042 Since 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()' should check the return value before examining skb data. So convert diff --git a/patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch b/patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch index d492ddf..97fba04 100644 --- a/patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch +++ b/patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch @@ -3,7 +3,7 @@ Date: Thu, 12 Oct 2023 13:04:24 +0300 Subject: x86/alternatives: Disable KASAN in apply_alternatives() Git-commit: d35652a5fc9944784f6f50a5c979518ff8dacf61 Patch-mainline: v6.6-rc6 -References: git-fixes +References: git-fixes CVE-2023-52504 bsc#1221553 Fei has reported that KASAN triggers during apply_alternatives() on a 5-level paging machine: diff --git a/patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch b/patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch index ff63321..8834b03 100644 --- a/patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch +++ b/patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch @@ -3,7 +3,7 @@ Date: Mon, 29 Jan 2024 22:36:03 -0800 Subject: x86/fpu: Stop relying on userspace for info to fault in xsave buffer Git-commit: d877550eaf2dc9090d782864c96939397a3c6835 Patch-mainline: v6.8-rc4 -References: bsc#1220335 +References: bsc#1220335 CVE-2024-26603 Before this change, the expected size of the user space buffer was taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed 
diff --git a/patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch b/patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch index 79e1d63..e2b76d8 100644 --- a/patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch +++ b/patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch @@ -3,7 +3,7 @@ Date: Mon, 4 Sep 2023 22:04:48 -0700 Subject: x86/srso: Fix SBPB enablement for spec_rstack_overflow=off Git-commit: 01b057b2f4cc2d905a0bd92195657dbd9a7005ab Patch-mainline: v6.6-rc3 -References: git-fixes +References: git-fixes CVE-2023-52575 bsc#1220871 If the user has requested no SRSO mitigation, other mitigations can use the lighter-weight SBPB instead of IBPB.
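Review bot: in the x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch hunk the new tag line reads `References: bsc#1220335 CVE-2024-26603`, with the bug ahead of the CVE, while every other hunk in this merge appends the pair as CVE first and then its bsc (for example `References: git-fixes CVE-2023-52575 bsc#1220871`). If bsc#1220335 is the tracking bug for CVE-2024-26603, write it as `References: CVE-2024-26603 bsc#1220335` so the CVE/bsc pairing reads the same way across all of the touched patch headers.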
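Review bot: the thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch hunk attaches CVE-2024-26646 and bsc#1222070 to a patch whose Subject reads as a feature addition (`Add syscore callbacks for system-wide PM`), and the only visible hint at why it is security-relevant is the description's remark that the kernel hands the hardware a buffer which the hardware later writes into. Someone reading this header alone cannot tell that it is a fix; a one-line statement of what goes wrong across a system-wide PM transition without the callbacks, in the patch header or in bsc#1222070, would make the CVE tagging self-explanatory.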
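Review bot: in the scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch hunk the patch keeps its original feature reference `jsc#PED-6874` and now also carries `CVE-2023-52500 bsc#1220883`. Recording both is correct, but note the consequence for branch maintenance: the patch was originally pulled in as part of the PED-6874 feature set and is now a security fix in its own right, so it must not be dropped along with that feature set if it is ever trimmed from this branch.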
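Review bot: the two spi-sun6i hunks tag two patches from one series (same author, dates 17:25:57 and 17:25:58 on Sun, 27 Aug 2023) with separate CVEs, CVE-2023-52511 bsc#1221012 for the transfer-width reduction and CVE-2023-52517 bsc#1221055 for the DMA RX completion race. The width reduction (:57) precedes the race fix (:58) upstream; since both are now tracked as CVE fixes, confirm that they stay adjacent and in that order in the branch's patch ordering, which this diff does not show.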