diff --git a/patches.suse/arm64-sme-Always-exit-sme_alloc-early-with-existing-.patch b/patches.suse/arm64-sme-Always-exit-sme_alloc-early-with-existing-.patch index 66ed49b..6792064 100644 --- a/patches.suse/arm64-sme-Always-exit-sme_alloc-early-with-existing-.patch +++ b/patches.suse/arm64-sme-Always-exit-sme_alloc-early-with-existing-.patch @@ -4,7 +4,7 @@ Date: Mon, 15 Jan 2024 20:15:46 +0000 Subject: [PATCH] arm64/sme: Always exit sme_alloc() early with existing storage Git-commit: dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9 Patch-mainline: v6.8-rc1 -References: git-fixes, CVE-2024-26618 +References: git-fixes CVE-2024-26618 bsc#1221295 When sme_alloc() is called with existing storage and we are not flushing we will always allocate new storage, both leaking the existing storage and diff --git a/patches.suse/btrfs-don-t-abort-filesystem-when-attempting-to-snap.patch b/patches.suse/btrfs-don-t-abort-filesystem-when-attempting-to-snap.patch index 974dcf5..d6f5055 100644 --- a/patches.suse/btrfs-don-t-abort-filesystem-when-attempting-to-snap.patch +++ b/patches.suse/btrfs-don-t-abort-filesystem-when-attempting-to-snap.patch @@ -2,7 +2,7 @@ From: Omar Sandoval Date: Thu, 4 Jan 2024 11:48:46 -0800 Git-commit: 7081929ab2572920e94d70be3d332e5c9f97095a Patch-mainline: v6.8-rc2 -References: bsc#1221282 +References: bsc#1221282 CVE-2024-26644 bsc#1222072 Subject: [PATCH] btrfs: don't abort filesystem when attempting to snapshot deleted subvolume diff --git a/patches.suse/btrfs-scrub-avoid-use-after-free-when-chunk-length-i.patch b/patches.suse/btrfs-scrub-avoid-use-after-free-when-chunk-length-i.patch index ea96842..96bafdb 100644 --- a/patches.suse/btrfs-scrub-avoid-use-after-free-when-chunk-length-i.patch +++ b/patches.suse/btrfs-scrub-avoid-use-after-free-when-chunk-length-i.patch 
@@ -3,7 +3,7 @@ Message-ID: Patch-mainline: v6.8-rc2 Git-commit: f546c4282673497a06ecb6190b50ae7f6c85b02f -References: bsc#1220943 +References: bsc#1220943 CVE-2024-26616 Date: Wed, 17 Jan 2024 11:02:25 +1030 Subject: [PATCH] btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned diff --git a/patches.suse/drm-amd-display-Fix-late-derefrence-dsc-check-in-lin.patch b/patches.suse/drm-amd-display-Fix-late-derefrence-dsc-check-in-lin.patch index cd32488..8b0436e 100644 --- a/patches.suse/drm-amd-display-Fix-late-derefrence-dsc-check-in-lin.patch +++ b/patches.suse/drm-amd-display-Fix-late-derefrence-dsc-check-in-lin.patch @@ -4,7 +4,7 @@ Date: Wed, 10 Jan 2024 20:58:35 +0530 Subject: [PATCH] drm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()' Git-commit: 3bb9b1f958c3d986ed90a3ff009f1e77e9553207 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26647 bsc#1222066 In link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc' was dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc' diff --git a/patches.suse/drm-amd-display-Fix-variable-deferencing-before-NULL.patch b/patches.suse/drm-amd-display-Fix-variable-deferencing-before-NULL.patch index 198fe08..ee7914d 100644 --- a/patches.suse/drm-amd-display-Fix-variable-deferencing-before-NULL.patch +++ b/patches.suse/drm-amd-display-Fix-variable-deferencing-before-NULL.patch @@ -4,7 +4,7 @@ Date: Mon, 8 Jan 2024 21:20:28 +0530 Subject: [PATCH] drm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay() Git-commit: 7073934f5d73f8b53308963cee36f0d389ea857c Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26648 bsc#1222067 In edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay' was dereferenced before the pointer 'link' & 'replay' NULL check. 
diff --git a/patches.suse/drm-amdgpu-Fix-the-null-pointer-when-load-rlc-firmwa.patch b/patches.suse/drm-amdgpu-Fix-the-null-pointer-when-load-rlc-firmwa.patch index 254d750..292d18e 100644 --- a/patches.suse/drm-amdgpu-Fix-the-null-pointer-when-load-rlc-firmwa.patch +++ b/patches.suse/drm-amdgpu-Fix-the-null-pointer-when-load-rlc-firmwa.patch @@ -4,7 +4,7 @@ Date: Fri, 12 Jan 2024 13:33:24 +0800 Subject: [PATCH] drm/amdgpu: Fix the null pointer when load rlc firmware Git-commit: bc03c02cc1991a066b23e69bbcc0f66e8f1f7453 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26649 bsc#1222055 If the RLC firmware is invalid because of wrong header size, the pointer to the rlc firmware is released in function diff --git a/patches.suse/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch b/patches.suse/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch index c6f19e0..899b928 100644 --- a/patches.suse/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch +++ b/patches.suse/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch @@ -4,7 +4,7 @@ Date: Wed, 10 Jan 2024 14:14:00 +0800 Subject: [PATCH 11/15] net: qualcomm: rmnet: fix global oob in rmnet_policy Git-commit: b33fb5b801c6db408b774a68e7c8722796b59ecc Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26597 bsc#1220363 The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug diff --git a/patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch b/patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch index 31db651..e226c27 100644 --- a/patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch +++ b/patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch 
@@ -3,7 +3,7 @@ Date: Mon, 22 Jan 2024 14:01:10 +1100 Subject: [PATCH] nfsd: fix RELEASE_LOCKOWNER Patch-mainline: v6.8 Git-commit: edcf9725150e42beeca42d085149f4c88fa97afd -References: bsc#1218968 +References: bsc#1218968 CVE-2024-26629 bsc#1221379 The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. diff --git a/patches.suse/pwm-Fix-out-of-bounds-access-in-of_pwm_single_xlate.patch b/patches.suse/pwm-Fix-out-of-bounds-access-in-of_pwm_single_xlate.patch index b21fc67..7156aa8 100644 --- a/patches.suse/pwm-Fix-out-of-bounds-access-in-of_pwm_single_xlate.patch +++ b/patches.suse/pwm-Fix-out-of-bounds-access-in-of_pwm_single_xlate.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: a297d07b9a1e4fb8cda25a4a2363a507d294b7c9 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26599 bsc#1220365 With args->args_count == 2 args->args[2] is not defined. Actually the flags are contained in args->args[1]. diff --git a/patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-for-waking-up-EH-handler.patch b/patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-for-waking-up-EH-handler.patch index eea859d..8d45f4a 100644 --- a/patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-for-waking-up-EH-handler.patch +++ b/patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-for-waking-up-EH-handler.patch @@ -4,7 +4,7 @@ Subject: scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Git-commit: 4373534a9850627a2695317944898eb1283a2db0 Patch-mainline: v6.8-rc3 -References: git-fixes +References: git-fixes CVE-2024-26627 bsc#1221090 Inside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host lock every time for deciding if error handler kthread needs to be waken up. 
diff --git a/patches.suse/thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch b/patches.suse/thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch index a598501..c346ec8 100644 --- a/patches.suse/thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch +++ b/patches.suse/thermal-intel-hfi-Add-syscore-callbacks-for-system-w.patch @@ -4,7 +4,7 @@ Date: Tue, 9 Jan 2024 19:07:04 -0800 Subject: [PATCH] thermal: intel: hfi: Add syscore callbacks for system-wide PM Git-commit: 97566d09fd02d2ab329774bb89a2cdf2267e86d9 Patch-mainline: v6.8-rc1 -References: git-fixes +References: git-fixes CVE-2024-26646 bsc#1222070 The kernel allocates a memory buffer and provides its location to the hardware, which uses it to update the HFI table. This allocation occurs diff --git a/patches.suse/tracing-Ensure-visibility-when-inserting-an-element-into-tracing_map.patch b/patches.suse/tracing-Ensure-visibility-when-inserting-an-element-into-tracing_map.patch index 01dbdcd..79d7ceb 100644 --- a/patches.suse/tracing-Ensure-visibility-when-inserting-an-element-into-tracing_map.patch +++ b/patches.suse/tracing-Ensure-visibility-when-inserting-an-element-into-tracing_map.patch @@ -3,7 +3,7 @@ Date: Mon, 22 Jan 2024 16:09:28 +0100 Subject: tracing: Ensure visibility when inserting an element into tracing_map Git-commit: 2b44760609e9eaafc9d234a6883d042fc21132a7 Patch-mainline: v6.8-rc2 -References: git-fixes +References: git-fixes CVE-2024-26645 bsc#1222056 Running the following two commands in parallel on a multi-processor AArch64 machine can sporadically produce an unexpected warning about diff --git a/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch b/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch index 1b3376a..7a1f5b9 100644 --- a/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch +++ b/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch 
@@ -4,7 +4,7 @@ Date: Thu, 11 Jan 2024 15:07:25 +0200 Subject: [PATCH] wifi: iwlwifi: fix a memory corruption Git-commit: cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d Patch-mainline: v6.8-rc2 -References: git-fixes +References: git-fixes CVE-2024-26610 bsc#1221299 iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in diff --git a/patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch b/patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch index ff63321..8834b03 100644 --- a/patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch +++ b/patches.suse/x86-fpu-Stop-relying-on-userspace-for-info-to-fault-in-xsa.patch @@ -3,7 +3,7 @@ Date: Mon, 29 Jan 2024 22:36:03 -0800 Subject: x86/fpu: Stop relying on userspace for info to fault in xsave buffer Git-commit: d877550eaf2dc9090d782864c96939397a3c6835 Patch-mainline: v6.8-rc4 -References: bsc#1220335 +References: bsc#1220335 CVE-2024-26603 Before this change, the expected size of the user space buffer was taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed
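Review bot: in the arm64/sme hunk (first file in the diff) the new References line also drops the comma the old line had after git-fixes: "git-fixes, CVE-2024-26618" becomes "git-fixes CVE-2024-26618 bsc#1221295". That is a second change on top of adding the bug number. The whitespace-separated form matches every other References line touched in this diff, so it looks correct, but mention it in the commit message so the separator change is not taken for an accident.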
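Review bot: the btrfs scrub hunk (CVE-2024-26616 next to the existing bsc#1220943) and the x86/fpu hunk (CVE-2024-26603 next to the existing bsc#1220335) add a CVE id without a new bsc number, while every other hunk here ends up with a bsc number added alongside its CVE. If the existing bug already tracks the CVE in both cases, that is fine and worth a line in the commit message; otherwise add the CVE-specific bsc reference so these two entries follow the same pattern as the rest.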