From ab8a3e8fc1a1b6b76d18af61aa8847a4d0233e2c Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon
Date: Apr 09 2024 05:00:05 +0000
Subject: Merge branch 'SLE15-SP6-GA' into ALP-current-GA
---
diff --git a/patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch b/patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
new file mode 100644
index 0000000..7033579
--- /dev/null
+++ b/patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
@@ -0,0 +1,160 @@
+From 79d72c68c58784a3e1cd2378669d51bfd0cb7498 Mon Sep 17 00:00:00 2001
+From: Oscar Salvador
+Date: Tue, 30 Jan 2024 22:04:18 +0100
+Subject: [PATCH] fs,hugetlb: fix NULL pointer dereference in
+ hugetlbs_fill_super
+References: bsc#1219264 CVE-2024-0841
+Patch-mainline: v6.8-rc4
+Git-commit: 79d72c68c58784a3e1cd2378669d51bfd0cb7498
+
+When configuring a hugetlb filesystem via the fsconfig() syscall, there is
+a possible NULL dereference in hugetlbfs_fill_super() caused by assigning
+NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize
+is non valid.
+
+E.g: Taking the following steps:
+
+ fd = fsopen("hugetlbfs", FSOPEN_CLOEXEC);
+ fsconfig(fd, FSCONFIG_SET_STRING, "pagesize", "1024", 0);
+ fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+
+Given that the requested "pagesize" is invalid, ctxt->hstate will be replaced
+with NULL, losing its previous value, and we will print an error:
+
+ ...
+ ...
+ case Opt_pagesize:
+ ps = memparse(param->string, &rest);
+ ctx->hstate = h;
+ if (!ctx->hstate) {
+ pr_err("Unsupported page size %lu MB\n", ps / SZ_1M);
+ return -EINVAL;
+ }
+ return 0;
+ ...
+ ...
+
+This is a problem because later on, we will dereference ctxt->hstate in
+hugetlbfs_fill_super()
+
+ ...
+ ...
+ sb->s_blocksize = huge_page_size(ctx->hstate);
+ ...
+ ...
+
+Causing below Oops.
+
+Fix this by replacing cxt->hstate value only when then pagesize is known
+to be valid.
+
+ kernel: hugetlbfs: Unsupported page size 0 MB
+ kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028
+ kernel: #PF: supervisor read access in kernel mode
+ kernel: #PF: error_code(0x0000) - not-present page
+ kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0
+ kernel: Oops: 0000 [#1] PREEMPT SMP PTI
+ kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f
+ kernel: Hardware name: Intel Corp.
GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017
+ kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0
+ kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28
+ kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246
+ kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004
+ kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000
+ kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004
+ kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000
+ kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400
+ kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000
+ kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0
+ kernel: Call Trace:
+ kernel:
+ kernel: ? __die_body+0x1a/0x60
+ kernel: ? page_fault_oops+0x16f/0x4a0
+ kernel: ? search_bpf_extables+0x65/0x70
+ kernel: ? fixup_exception+0x22/0x310
+ kernel: ? exc_page_fault+0x69/0x150
+ kernel: ? asm_exc_page_fault+0x22/0x30
+ kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10
+ kernel: ? hugetlbfs_fill_super+0xb4/0x1a0
+ kernel: ? hugetlbfs_fill_super+0x28/0x1a0
+ kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10
+ kernel: vfs_get_super+0x40/0xa0
+ kernel: ? __pfx_bpf_lsm_capable+0x10/0x10
+ kernel: vfs_get_tree+0x25/0xd0
+ kernel: vfs_cmd_create+0x64/0xe0
+ kernel: __x64_sys_fsconfig+0x395/0x410
+ kernel: do_syscall_64+0x80/0x160
+ kernel: ? syscall_exit_to_user_mode+0x82/0x240
+ kernel: ? do_syscall_64+0x8d/0x160
+ kernel: ? syscall_exit_to_user_mode+0x82/0x240
+ kernel: ? do_syscall_64+0x8d/0x160
+ kernel: ?
exc_page_fault+0x69/0x150
+ kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76
+ kernel: RIP: 0033:0x7ffbc0cb87c9
+ kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48
+ kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af
+ kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffbc0cb87c9
+ kernel: RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
+ kernel: RBP: 00007ffc29d2f3b0 R08: 0000000000000000 R09: 0000000000000000
+ kernel: R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
+ kernel: R13: 00007ffc29d2f4c0 R14: 0000000000000000 R15: 0000000000000000
+ kernel:
+ kernel: Modules linked in: rpcsec_gss_krb5(E) auth_rpcgss(E) nfsv4(E) dns_resolver(E) nfs(E) lockd(E) grace(E) sunrpc(E) netfs(E) af_packet(E) bridge(E) stp(E) llc(E) iscsi_ibft(E) iscsi_boot_sysfs(E) intel_rapl_msr(E) intel_rapl_common(E) iTCO_wdt(E) intel_pmc_bxt(E) sb_edac(E) iTCO_vendor_support(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) kvm_intel(E) rfkill(E) ipmi_ssif(E) kvm(E) acpi_ipmi(E) irqbypass(E) pcspkr(E) igb(E) ipmi_si(E) mei_me(E) i2c_i801(E) joydev(E) intel_pch_thermal(E) i2c_smbus(E) dca(E) lpc_ich(E) mei(E) ipmi_devintf(E) ipmi_msghandler(E) acpi_pad(E) tiny_power_button(E) button(E) fuse(E) efi_pstore(E) configfs(E) ip_tables(E) x_tables(E) ext4(E) mbcache(E) jbd2(E) hid_generic(E) usbhid(E) sd_mod(E) t10_pi(E) crct10dif_pclmul(E) crc32_pclmul(E) crc32c_intel(E) polyval_clmulni(E) ahci(E) xhci_pci(E) polyval_generic(E) gf128mul(E) ghash_clmulni_intel(E) sha512_ssse3(E) sha256_ssse3(E) xhci_pci_renesas(E) libahci(E) ehci_pci(E) sha1_ssse3(E) xhci_hcd(E) ehci_hcd(E) libata(E)
+ kernel: mgag200(E) i2c_algo_bit(E) usbcore(E) wmi(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) scsi_common(E) aesni_intel(E)
crypto_simd(E) cryptd(E)
+ kernel: Unloaded tainted modules: acpi_cpufreq(E):1 fjes(E):1
+ kernel: CR2: 0000000000000028
+ kernel: ---[ end trace 0000000000000000 ]---
+ kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0
+ kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28
+ kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246
+ kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004
+ kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000
+ kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004
+ kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000
+ kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400
+ kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000
+ kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0
+
+Link: https://lkml.kernel.org/r/20240130210418.3771-1-osalvador@suse.de
+Fixes: 32021982a324 ("hugetlbfs: Convert to fs_context")
+Signed-off-by: Michal Hocko
+Signed-off-by: Oscar Salvador
+Acked-by: Muchun Song
+Cc:
+Signed-off-by: Andrew Morton
+---
+ fs/hugetlbfs/inode.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index ee13c2ca8ad2..d746866ae3b6 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -1365,6 +1365,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par
+ {
+ struct hugetlbfs_fs_context *ctx = fc->fs_private;
+ struct fs_parse_result result;
++ struct hstate *h;
+ char *rest;
+ unsigned long ps;
+ int opt;
+@@ -1409,11 +1410,12 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par
+
+ case Opt_pagesize:
+ ps =
memparse(param->string, &rest);
+- ctx->hstate = size_to_hstate(ps);
+- if (!ctx->hstate) {
++ h = size_to_hstate(ps);
++ if (!h) {
+ pr_err("Unsupported page size %lu MB\n", ps / SZ_1M);
+ return -EINVAL;
+ }
++ ctx->hstate = h;
+ return 0;
+
+ case Opt_min_size:
+--
+2.44.0
+
diff --git a/patches.suse/HID-i2c-hid-of-fix-NULL-deref-on-failed-power-up.patch b/patches.suse/HID-i2c-hid-of-fix-NULL-deref-on-failed-power-up.patch
index 99a77c1..cfa6f81 100644
--- a/patches.suse/HID-i2c-hid-of-fix-NULL-deref-on-failed-power-up.patch
+++ b/patches.suse/HID-i2c-hid-of-fix-NULL-deref-on-failed-power-up.patch
@@ -4,7 +4,7 @@ Date: Fri, 26 Jan 2024 18:09:01 +0100
 Subject: [PATCH] HID: i2c-hid-of: fix NULL-deref on failed power up
 Git-commit: 00aab7dcb2267f2aef59447602f34501efe1a07f
 Patch-mainline: v6.8-rc3
-References: git-fixes
+References: git-fixes CVE-2024-26717 bsc#1222360
 A while back the I2C HID implementation was split in an ACPI and OF part, but the new OF driver never initialises the client pointer which
diff --git a/patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch b/patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch
index 23804a6..f154ff7 100644
--- a/patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch
+++ b/patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch
@@ -3,7 +3,7 @@ Date: Wed, 20 Dec 2023 13:53:17 +0100
 Subject: KVM: s390: vsie: fix race during shadow creation
 Git-commit: fe752331d4b361d43cfd0b89534b4b2176057c32
 Patch-mainline: v6.8-rc4
-References: git-fixes bsc#1219810
+References: git-fixes bsc#1219810 CVE-2023-52639 bsc#1222300
 Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the
diff --git a/patches.suse/arm64-entry-fix-ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD.patch b/patches.suse/arm64-entry-fix-ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD.patch
index 5e14cc2..5a58a36 100644
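Review bot: The `References:` tag of the new patch file lists the bug before the CVE (`+References: bsc#1219264 CVE-2024-0841`, near the top of this hunk), while every CVE/bsc# pair this merge appends to the other patch headers is CVE-first (`CVE-2024-26717 bsc#1222360`, `CVE-2023-52628 bsc#1222117`); if CVE-first is the tree's convention, change it to `+References: CVE-2024-0841 bsc#1219264`. The backported change itself looks sound as far as the hunk shows: `h` is stored into `ctx->hstate` only after the `size_to_hstate()` NULL check, so the `huge_page_size(ctx->hstate)` read in `hugetlbfs_fill_super()` quoted in the description no longer sees NULL after a rejected `pagesize` value. The inner `hugetlbfs_parse_param()` switch continues outside the quoted kernel hunk, so whether any other case still clears `ctx->hstate` cannot be confirmed from here.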
--- a/patches.suse/arm64-entry-fix-ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD.patch
+++ b/patches.suse/arm64-entry-fix-ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD.patch
@@ -3,7 +3,7 @@ Date: Tue, 16 Jan 2024 11:02:20 +0000
 Subject: arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
 Git-commit: 832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f
 Patch-mainline: v6.8-rc1
-References: git-fixes
+References: git-fixes CVE-2024-26670 bsc#1222356
 Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't quite right, as it is supposed to be applied after the last explicit
diff --git a/patches.suse/can-j1939-Fix-UAF-in-j1939_sk_match_filter-during-se.patch b/patches.suse/can-j1939-Fix-UAF-in-j1939_sk_match_filter-during-se.patch
index a181919..74f9fbc 100644
--- a/patches.suse/can-j1939-Fix-UAF-in-j1939_sk_match_filter-during-se.patch
+++ b/patches.suse/can-j1939-Fix-UAF-in-j1939_sk_match_filter-during-se.patch
@@ -4,7 +4,7 @@ Date: Fri, 20 Oct 2023 15:38:14 +0200
 Subject: [PATCH] can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
 Git-commit: efe7cf828039aedb297c1f9920b638fffee6aabc
 Patch-mainline: v6.8-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52637 bsc#1222291
 Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...) modifies jsk->filters while receiving packets.
diff --git a/patches.suse/can-j1939-prevent-deadlock-by-changing-j1939_socks_l.patch b/patches.suse/can-j1939-prevent-deadlock-by-changing-j1939_socks_l.patch
index 0f61bd6..f13502c 100644
--- a/patches.suse/can-j1939-prevent-deadlock-by-changing-j1939_socks_l.patch
+++ b/patches.suse/can-j1939-prevent-deadlock-by-changing-j1939_socks_l.patch
@@ -4,7 +4,7 @@ Date: Fri, 21 Jul 2023 09:22:26 -0700
 Subject: [PATCH] can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock
 Git-commit: 6cdedc18ba7b9dacc36466e27e3267d201948c8d
 Patch-mainline: v6.8-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52638 bsc#1222299
 The following 3 locks would race against each other, causing the deadlock situation in the Syzbot bug report:
diff --git a/patches.suse/crypto-ccp-Fix-null-pointer-dereference-in-__sev_pla.patch b/patches.suse/crypto-ccp-Fix-null-pointer-dereference-in-__sev_pla.patch
index a495e92..2d48215 100644
--- a/patches.suse/crypto-ccp-Fix-null-pointer-dereference-in-__sev_pla.patch
+++ b/patches.suse/crypto-ccp-Fix-null-pointer-dereference-in-__sev_pla.patch
@@ -4,7 +4,7 @@ Date: Thu, 25 Jan 2024 17:12:53 -0600
 Subject: [PATCH] crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
 Git-commit: ccb88e9549e7cfd8bcd511c538f437e20026e983
 Patch-mainline: v6.8-rc4
-References: git-fixes
+References: git-fixes CVE-2024-26695 bsc#1222373
 The SEV platform device can be shutdown with a null psp_master, e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN:
diff --git a/patches.suse/dpll-fix-possible-deadlock-during-netlink-dump-opera.patch b/patches.suse/dpll-fix-possible-deadlock-during-netlink-dump-opera.patch
index 92d99a7..391a36d 100644
--- a/patches.suse/dpll-fix-possible-deadlock-during-netlink-dump-opera.patch
+++ b/patches.suse/dpll-fix-possible-deadlock-during-netlink-dump-opera.patch
@@ -3,7 +3,7 @@ Date: Wed, 7 Feb 2024 12:59:02 +0100
 Subject: dpll: fix possible deadlock during netlink dump operation
 Patch-mainline: v6.8-rc5
 Git-commit: 53c0441dd2c44ee93fddb5473885fd41e4bc2361
-References: jsc#PED-6079
+References: jsc#PED-6079 CVE-2024-26725 bsc#1222369
 Recently, I've been hitting following deadlock warning during dpll pin dump:
diff --git a/patches.suse/drm-amd-display-Add-NULL-test-for-timing-generator-i.patch b/patches.suse/drm-amd-display-Add-NULL-test-for-timing-generator-i.patch
index 40a8a07..4d4a080 100644
--- a/patches.suse/drm-amd-display-Add-NULL-test-for-timing-generator-i.patch
+++ b/patches.suse/drm-amd-display-Add-NULL-test-for-timing-generator-i.patch
@@ -4,7 +4,7 @@ Date: Wed, 31 Jan 2024 08:49:41 +0530
 Subject: [PATCH] drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'
 Git-commit: 66951d98d9bf45ba25acf37fe0747253fafdf298
 Patch-mainline: v6.8-rc4
-References: git-fixes
+References: git-fixes CVE-2024-26661 bsc#1222323
 Alt-commit: fb5a3d037082b52a5c52be647c3936ca7651d7d5
 In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;"
diff --git a/patches.suse/drm-amd-display-Fix-disable_otg_wa-logic.patch b/patches.suse/drm-amd-display-Fix-disable_otg_wa-logic.patch
index a7592bd..fc18e9b 100644
--- a/patches.suse/drm-amd-display-Fix-disable_otg_wa-logic.patch
+++ b/patches.suse/drm-amd-display-Fix-disable_otg_wa-logic.patch
@@ -4,7 +4,7 @@ Date: Fri, 1 Dec 2023 06:25:15 -0700
 Subject: [PATCH] drm/amd/display: Fix disable_otg_wa logic
 Git-commit: 2ce156482a6fef349d2eba98e5070c412d3af662
 Patch-mainline: v6.8-rc1
-References: git-fixes
+References: git-fixes CVE-2023-52634 bsc#1222278
 [ Upstream commit 2ce156482a6fef349d2eba98e5070c412d3af662 ]
diff --git a/patches.suse/drm-amd-display-Fix-panel_cntl-could-be-null-in-dcn2.patch b/patches.suse/drm-amd-display-Fix-panel_cntl-could-be-null-in-dcn2.patch
index b7c8844..ab38515 100644
--- a/patches.suse/drm-amd-display-Fix-panel_cntl-could-be-null-in-dcn2.patch
+++ b/patches.suse/drm-amd-display-Fix-panel_cntl-could-be-null-in-dcn2.patch
@@ -4,7 +4,7 @@ Date: Sat, 27 Jan 2024 18:34:01 +0530
 Subject: [PATCH] drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'
 Git-commit: e96fddb32931d007db12b1fce9b5e8e4c080401b
 Patch-mainline: v6.8-rc4
-References: git-fixes
+References: git-fixes CVE-2024-26662 bsc#1222324
 Alt-commit: 886571d217d7cc4e0f96f68b21238e3e25694e74
 'panel_cntl' structure used to control the display panel could be null,
diff --git a/patches.suse/drm-amd-display-Implement-bounds-check-for-stream-en.patch b/patches.suse/drm-amd-display-Implement-bounds-check-for-stream-en.patch
index 8e96d1d..e261f80 100644
--- a/patches.suse/drm-amd-display-Implement-bounds-check-for-stream-en.patch
+++ b/patches.suse/drm-amd-display-Implement-bounds-check-for-stream-en.patch
@@ -4,7 +4,7 @@ Date: Wed, 7 Feb 2024 10:20:57 +0530
 Subject: [PATCH] drm/amd/display: Implement bounds check for stream encoder creation in DCN301
 Git-commit: 58fca355ad37dcb5f785d9095db5f748b79c5dc2
 Patch-mainline: v6.8-rc4
-References: git-fixes
+References: git-fixes CVE-2024-26660 bsc#1222266
 Alt-commit: 15dba12c5659772f9a5e5194f18160ed5dda470e
 [ Upstream commit 58fca355ad37dcb5f785d9095db5f748b79c5dc2 ]
diff --git a/patches.suse/drm-amd-display-Refactor-DMCUB-enter-exit-idle-inter.patch b/patches.suse/drm-amd-display-Refactor-DMCUB-enter-exit-idle-inter.patch
index 1d78399..bf0e6f8 100644
--- a/patches.suse/drm-amd-display-Refactor-DMCUB-enter-exit-idle-inter.patch
+++ b/patches.suse/drm-amd-display-Refactor-DMCUB-enter-exit-idle-inter.patch
@@ -4,7 +4,7 @@ Date: Mon, 4 Dec 2023 14:10:05 -0500
 Subject: [PATCH] drm/amd/display: Refactor DMCUB enter/exit idle interface
 Git-commit: 8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa
 Patch-mainline: v6.8-rc1
-References: git-fixes
+References: git-fixes CVE-2023-52625 bsc#1222085
 [ Upstream commit 8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa ]
diff --git a/patches.suse/drm-amd-display-Wake-DMCUB-before-executing-GPINT-co.patch b/patches.suse/drm-amd-display-Wake-DMCUB-before-executing-GPINT-co.patch
index 0438c9d..b168f0f 100644
--- a/patches.suse/drm-amd-display-Wake-DMCUB-before-executing-GPINT-co.patch
+++ b/patches.suse/drm-amd-display-Wake-DMCUB-before-executing-GPINT-co.patch
@@ -4,7 +4,7 @@ Date: Tue, 5 Dec 2023 11:22:56 -0500
 Subject: [PATCH] drm/amd/display: Wake DMCUB before executing GPINT commands
 Git-commit: e5ffd1263dd5b44929c676171802e7b6af483f21
 Patch-mainline: v6.8-rc1
-References: git-fixes
+References: git-fixes CVE-2023-52624 bsc#1222083
 [ Upstream commit e5ffd1263dd5b44929c676171802e7b6af483f21 ]
diff --git a/patches.suse/drm-amd-display-fix-null-pointer-dereference-on-edid.patch b/patches.suse/drm-amd-display-fix-null-pointer-dereference-on-edid.patch
index 6c2c129..79baacb 100644
--- a/patches.suse/drm-amd-display-fix-null-pointer-dereference-on-edid.patch
+++ b/patches.suse/drm-amd-display-fix-null-pointer-dereference-on-edid.patch
@@ -4,7 +4,7 @@ Date: Fri, 16 Feb 2024 09:23:19 -0300
 Subject: drm/amd/display: fix null-pointer dereference on edid reading
 Git-commit: 9671761792156f2339627918bafcd713a8a6f777
 Patch-mainline: v6.8-rc6
-References: git-fixes
+References: git-fixes CVE-2024-26728 bsc#1222370
 Alt-commit: 21db6199f201fab18d225cce7d94b5fcbc459bf6
 Use i2c adapter when there isn't aux_mode in dc_link to fix a
diff --git a/patches.suse/drm-amdgpu-Fix-variable-mca_funcs-dereferenced-befor.patch b/patches.suse/drm-amdgpu-Fix-variable-mca_funcs-dereferenced-befor.patch
index d2b7974..ebd96e7 100644
--- a/patches.suse/drm-amdgpu-Fix-variable-mca_funcs-dereferenced-befor.patch
+++ b/patches.suse/drm-amdgpu-Fix-variable-mca_funcs-dereferenced-befor.patch
@@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8
 Content-transfer-encoding: 8bit
 Git-commit: 4f32504a2f85a7b40fe149436881381f48e9c0c0
 Patch-mainline: v6.8-rc1
-References: git-fixes
+References: git-fixes CVE-2024-26672 bsc#1222358
 [ Upstream commit 4f32504a2f85a7b40fe149436881381f48e9c0c0 ]
diff --git a/patches.suse/drm-amdkfd-Fix-lock-dependency-warning-with-srcu.patch b/patches.suse/drm-amdkfd-Fix-lock-dependency-warning-with-srcu.patch
index 3edfac5..846ebae 100644
--- a/patches.suse/drm-amdkfd-Fix-lock-dependency-warning-with-srcu.patch
+++ b/patches.suse/drm-amdkfd-Fix-lock-dependency-warning-with-srcu.patch
@@ -4,7 +4,7 @@ Date: Fri, 29 Dec 2023 15:19:25 -0500
 Subject: [PATCH] drm/amdkfd: Fix lock dependency warning with srcu
 Git-commit: 2a9de42e8d3c82c6990d226198602be44f43f340
 Patch-mainline: v6.8-rc1
-References: git-fixes
+References: git-fixes CVE-2023-52632 bsc#1222274
 ======================================================
 Warning: possible circular locking dependency detected
diff --git a/patches.suse/drm-i915-dsc-Fix-the-macro-that-calculates-DSCC_-DSC.patch b/patches.suse/drm-i915-dsc-Fix-the-macro-that-calculates-DSCC_-DSC.patch
index 7a5d825..5728691 100644
--- a/patches.suse/drm-i915-dsc-Fix-the-macro-that-calculates-DSCC_-DSC.patch
+++ b/patches.suse/drm-i915-dsc-Fix-the-macro-that-calculates-DSCC_-DSC.patch
@@ -6,7 +6,7 @@ Subject: drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg
 Git-commit: 962ac2dce56bb3aad1f82a4bbe3ada57a020287c
 Alt-commit: 6074be620c31dc2ae11af96a1a5ea95580976fb5
 Patch-mainline: v6.8-rc5
-References: git-fixes
+References: git-fixes CVE-2024-26721 bsc#1222365
 Commit bd077259d0a9 ("drm/i915/vdsc: Add function to read any PPS register") defines a new macro to calculate the DSC PPS register
diff --git a/patches.suse/drm-msm-dpu-check-for-valid-hw_pp-in-dpu_encoder_hel.patch b/patches.suse/drm-msm-dpu-check-for-valid-hw_pp-in-dpu_encoder_hel.patch
index 0b5ad6c..b85de1c 100644
--- a/patches.suse/drm-msm-dpu-check-for-valid-hw_pp-in-dpu_encoder_hel.patch
+++ b/patches.suse/drm-msm-dpu-check-for-valid-hw_pp-in-dpu_encoder_hel.patch
@@ -4,7 +4,7 @@ Date: Wed, 17 Jan 2024 11:41:09 -0800
 Subject: [PATCH] drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup
 Git-commit: 7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52
 Patch-mainline: v6.8-rc4
-References: git-fixes
+References: git-fixes CVE-2024-26667 bsc#1222331
 The commit 8b45a26f2ba9 ("drm/msm/dpu: reserve cdm blocks for writeback in case of YUV output") introduced a smatch warning about another
diff --git a/patches.suse/hwmon-coretemp-Fix-out-of-bounds-memory-access.patch b/patches.suse/hwmon-coretemp-Fix-out-of-bounds-memory-access.patch
index 3bf06d6..b1d6eac 100644
--- a/patches.suse/hwmon-coretemp-Fix-out-of-bounds-memory-access.patch
+++ b/patches.suse/hwmon-coretemp-Fix-out-of-bounds-memory-access.patch
@@ -4,7 +4,7 @@ Date: Fri, 2 Feb 2024 17:21:34 +0800
 Subject: [PATCH] hwmon: (coretemp) Fix out-of-bounds memory access
 Git-commit: 4e440abc894585a34c2904a32cd54af1742311b3
 Patch-mainline: v6.8-rc4
-References: git-fixes
+References: git-fixes CVE-2024-26664 bsc#1222355
 Fix a bug that pdata->cpu_map[] is set before out-of-bounds check. The problem might be triggered on systems with more than 128 cores per
diff --git a/patches.suse/lan966x-Fix-crash-when-adding-interface-under-a-lag.patch b/patches.suse/lan966x-Fix-crash-when-adding-interface-under-a-lag.patch
index 0ce18b0..6e71583 100644
--- a/patches.suse/lan966x-Fix-crash-when-adding-interface-under-a-lag.patch
+++ b/patches.suse/lan966x-Fix-crash-when-adding-interface-under-a-lag.patch
@@ -4,7 +4,7 @@ Date: Tue, 6 Feb 2024 13:30:54 +0100
 Subject: [PATCH 03/16] lan966x: Fix crash when adding interface under a lag
 Git-commit: 15faa1f67ab405d47789d4702f587ec7df7ef03e
 Patch-mainline: v6.8-rc5
-References: git-fixes
+References: git-fixes CVE-2024-26723 bsc#1222367
 There is a crash when adding one of the lan966x interfaces under a lag interface. The issue can be reproduced like this:
diff --git a/patches.suse/libceph-just-wait-for-more-data-to-be-available-on-th.patch b/patches.suse/libceph-just-wait-for-more-data-to-be-available-on-th.patch
index 796a15f..65edf5c 100644
--- a/patches.suse/libceph-just-wait-for-more-data-to-be-available-on-th.patch
+++ b/patches.suse/libceph-just-wait-for-more-data-to-be-available-on-th.patch
@@ -3,7 +3,7 @@ Date: Thu, 14 Dec 2023 16:01:03 +0800
 Subject: libceph: just wait for more data to be available on the socket
 Git-commit: 8e46a2d068c92a905d01cbb018b00d66991585ab
 Patch-mainline: v6.8-rc4
-References: bsc#1221390
+References: bsc#1221390 CVE-2023-52636 bsc#1222247
 A short read may occur while reading the message footer from the socket. Later, when the socket is ready for another read, the
diff --git a/patches.suse/mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch b/patches.suse/mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch
index 8fb74f6..5991943 100644
--- a/patches.suse/mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch
+++ b/patches.suse/mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch
@@ -3,7 +3,7 @@ Date: Thu, 18 Jan 2024 10:19:53 -0800
 Subject: mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
 Git-commit: 9319b647902cbd5cc884ac08a8a6d54ce111fc78
 Patch-mainline: v6.8-rc3
-References: git-fixes
+References: git-fixes CVE-2024-26720 bsc#1222364
 (struct dirty_throttle_control *)->thresh is an unsigned long, but is passed as the u32 divisor argument to div_u64(). On architectures where
diff --git a/patches.suse/msft-hv-2940-hv_netvsc-Fix-race-condition-between-netvsc_probe-an.patch b/patches.suse/msft-hv-2940-hv_netvsc-Fix-race-condition-between-netvsc_probe-an.patch
index c1eb4eb..9ce25d6 100644
--- a/patches.suse/msft-hv-2940-hv_netvsc-Fix-race-condition-between-netvsc_probe-an.patch
+++ b/patches.suse/msft-hv-2940-hv_netvsc-Fix-race-condition-between-netvsc_probe-an.patch
@@ -3,7 +3,7 @@ Date: Tue, 30 Jan 2024 23:35:51 -0800
 Patch-mainline: v6.8-rc3
 Subject: hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove
 Git-commit: e0526ec5360a48ad3ab2e26e802b0532302a7e11
-References: git-fixes
+References: git-fixes CVE-2024-26698 bsc#1222374
 In commit ac5047671758 ("hv_netvsc: Disable NAPI before closing the VMBus channel"), napi_disable was getting called for all channels,
diff --git a/patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch b/patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
index 2149aa3..6d2ab24 100644
--- a/patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
+++ b/patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
@@ -3,7 +3,7 @@ Date: Tue, 5 Sep 2023 23:13:56 +0200
 Subject: netfilter: nftables: exthdr: fix 4-byte stack OOB write
 Patch-mainline: v6.6-rc1
 Git-commit: fd94d9dadee58e09b49075240fe83423eb1dcd36
-References: CVE-2023-4881 bsc#1215221
+References: CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117
 If priv->len is a multiple of 4, then dst[len / 4] can write past the destination array which leads to stack corruption.
diff --git a/patches.suse/sr9800-Add-check-for-usbnet_get_endpoints.patch b/patches.suse/sr9800-Add-check-for-usbnet_get_endpoints.patch
index b298de4..8983e48 100644
--- a/patches.suse/sr9800-Add-check-for-usbnet_get_endpoints.patch
+++ b/patches.suse/sr9800-Add-check-for-usbnet_get_endpoints.patch
@@ -4,7 +4,7 @@ Date: Tue, 5 Mar 2024 07:59:27 +0000
 Subject: [PATCH] sr9800: Add check for usbnet_get_endpoints
 Git-commit: 07161b2416f740a2cb87faa5566873f401440a61
 Patch-mainline: v6.9-rc1
-References: git-fixes
+References: git-fixes CVE-2024-26651 bsc#1221337
 Add check for usbnet_get_endpoints() and return the error if it fails in order to transfer the error.
diff --git a/patches.suse/usb-core-Prevent-null-pointer-dereference-in-update_.patch b/patches.suse/usb-core-Prevent-null-pointer-dereference-in-update_.patch
index f8cfe27..c63ec89 100644
--- a/patches.suse/usb-core-Prevent-null-pointer-dereference-in-update_.patch
+++ b/patches.suse/usb-core-Prevent-null-pointer-dereference-in-update_.patch
@@ -4,7 +4,7 @@ Date: Wed, 10 Jan 2024 15:28:14 +0530
 Subject: [PATCH] usb: core: Prevent null pointer dereference in update_port_device_state
 Git-commit: 12783c0b9e2c7915a50d5ec829630ff2da50472c
 Patch-mainline: v6.8-rc3
-References: git-fixes
+References: git-fixes CVE-2024-26716 bsc#1222359
 Currently, the function update_port_device_state gets the usb_hub from udev->parent by calling usb_hub_to_struct_hub.
diff --git a/patches.suse/wifi-mac80211-fix-RCU-use-in-TDLS-fast-xmit.patch b/patches.suse/wifi-mac80211-fix-RCU-use-in-TDLS-fast-xmit.patch
index 2434d9a..226281d 100644
--- a/patches.suse/wifi-mac80211-fix-RCU-use-in-TDLS-fast-xmit.patch
+++ b/patches.suse/wifi-mac80211-fix-RCU-use-in-TDLS-fast-xmit.patch
@@ -4,7 +4,7 @@ Date: Mon, 29 Jan 2024 15:53:48 +0100
 Subject: [PATCH] wifi: mac80211: fix RCU use in TDLS fast-xmit
 Git-commit: 9480adfe4e0f0319b9da04b44e4eebd5ad07e0cd
 Patch-mainline: v6.8-rc4
-References: git-fixes
+References: git-fixes CVE-2024-26666 bsc#1222293
 This looks up the link under RCU protection, but isn't guaranteed to actually have protection. Fix that.
diff --git a/patches.suse/xhci-handle-isoc-Babble-and-Buffer-Overrun-events-pr.patch b/patches.suse/xhci-handle-isoc-Babble-and-Buffer-Overrun-events-pr.patch
index 512bd7a..4e5bbed 100644
--- a/patches.suse/xhci-handle-isoc-Babble-and-Buffer-Overrun-events-pr.patch
+++ b/patches.suse/xhci-handle-isoc-Babble-and-Buffer-Overrun-events-pr.patch
@@ -4,7 +4,7 @@ Date: Thu, 25 Jan 2024 17:27:37 +0200
 Subject: [PATCH] xhci: handle isoc Babble and Buffer Overrun events properly
 Git-commit: 7c4650ded49e5b88929ecbbb631efb8b0838e811
 Patch-mainline: v6.8-rc3
-References: git-fixes
+References: git-fixes CVE-2024-26659 bsc#1222317
 xHCI 4.9 explicitly forbids assuming that the xHC has released its ownership of a multi-TRB TD when it reports an error on one of the
diff --git a/series.conf b/series.conf
index d29fe1b..2fff074 100644
--- a/series.conf
+++ b/series.conf
@@ -19245,6 +19245,7 @@
 patches.suse/firewire-core-send-bus-reset-promptly-on-gap-count-e.patch
 patches.suse/nvme-host-fix-the-updating-of-the-firmware-version.patch
 patches.suse/nilfs2-fix-data-corruption-in-dsync-block-recovery-f.patch
+ patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
 patches.suse/nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers.patch
 patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch
 patches.suse/x86-Kconfig-Transmeta-Crusoe-is-CPU-family-5-not-6.patch