osv | Google | OSV:SUSE-SU-2024:3251-1
Sep 16, 2024 - 8:57 a.m.

Security update for the Linux Kernel

2024-09-16 08:57:49
Google
osv.dev

CVSS3: 8.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 8.8
Confidence: High

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

  • CVE-2024-35965: Fix not validating setsockopt user input (bsc#1224579).
  • CVE-2024-35933: Fixed build regression (bsc#1224640).
  • CVE-2024-43883: Do not drop references before new references are gained (bsc#1229707).
  • CVE-2024-41062: Sync sock recv cb and release (bsc#1228576).
  • CVE-2024-42259: Fix Virtual Memory mapping boundaries calculation (bsc#1229156)
  • CVE-2024-43861: Fix memory leak for not ip packets (bsc#1229500).
  • CVE-2024-43863: Fix a deadlock in dma buf fence polling (bsc#1229497)
  • CVE-2024-41087: Fix double free on error (bsc#1228466).
  • CVE-2024-43907: Fix the null pointer dereference in apply_state_adjust_rules (bsc#1229787).
  • CVE-2024-43905: Fix the null pointer dereference for vega10_hwmgr (bsc#1229784).
  • CVE-2024-43893: Check uartclk for zero to avoid divide by zero (bsc#1229759).
  • CVE-2024-43900: Avoid use-after-free in load_firmware_cb() (bsc#1229756).
  • CVE-2024-43902: Add null checker before passing variables (bsc#1229767).
  • CVE-2022-48920: Get rid of warning on transaction commit when using flushoncommit (bsc#1229658).
  • CVE-2024-26812: Struct virqfd kABI workaround (bsc#1222808).
  • CVE-2024-43882: Fixed ToCToU between perm check and set-uid/gid usage. (bsc#1229503)
  • CVE-2024-43866: Always drain health in shutdown callback (bsc#1229495).
  • CVE-2022-48910: Ensure we call ipv6_mc_down() at most once (bsc#1229632)
  • CVE-2023-52893: Fix null-deref in gsmi_get_variable (bsc#1229535)
  • CVE-2024-42155: Wipe copies of protected- and secure-keys (bsc#1228733).
  • CVE-2022-48875: Initialize struct pn533_out_arg properly (bsc#1229516).
  • CVE-2023-52907: Wait for out_urb’s completion in pn533_usb_send_frame() (bsc#1229526).
  • CVE-2024-43871: Fix memory leakage caused by driver API devm_free_percpu() (bsc#1229490)
  • CVE-2024-42158: Use kfree_sensitive() to fix Coccinelle warnings (bsc#1228720).
  • CVE-2024-43872: Fix soft lockup under heavy CEQE load (bsc#1229489)
  • CVE-2024-39489: Fix memleak in seg6_hmac_init_algo (bsc#1227623)
  • CVE-2024-42226: Prevent potential failure in handle_tx_event() for Transfer events without TRB (bsc#1228709).
  • CVE-2024-42236: Prevent OOB read/write in usb_string_copy() (bsc#1228964).
  • CVE-2024-42244: Fix crash on resume (bsc#1228967).
  • CVE-2024-43879: Handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() (bsc#1229482).
  • CVE-2024-27011: Fix memleak in map from abort path (bsc#1223803).
  • CVE-2024-36013: Fix slab-use-after-free in l2cap_connect() (bsc#1225578).
  • CVE-2024-41020: Fix fcntl/close race recovery compat path (bsc#1228427).
  • CVE-2024-41012: Remove locks reliably when fcntl/close race is detected (bsc#1228247).
  • CVE-2024-26668: Reject configurations that cause integer overflow (bsc#1222335).
  • CVE-2024-43819: Reject memory region operations for ucontrol VMs (bsc#1229290).
  • CVE-2024-42157: Wipe sensitive data on failure (bsc#1228727).
  • CVE-2021-47341: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio (bsc#1224923).
  • CVE-2024-43839: Adjust ‘name’ buf size of bna_tcb and bna_ccb structures (bsc#1229301).
  • CVE-2022-48769: Avoid EFIv2 runtime services on Apple x86 machines (bsc#1226629).
  • CVE-2024-43856: Fix call order in dmam_free_coherent (bsc#1229346).
  • CVE-2024-36286: Acquire rcu_read_lock() in instance_destroy_rcu() (bsc#1226801)
  • CVE-2024-26851: Add protection for bmp length out of range (bsc#1223074)
  • CVE-2024-40984: Revert ‘ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.’ (bsc#1227820).
  • CVE-2024-26677: Blacklist e7870cf13d20 (’ Fix delayed ACKs to not set the reference serial number’) (bsc#1222387)
  • CVE-2024-42280: Fix a use after free in hfcmulti_tx() (bsc#1229388)
  • CVE-2024-42284: Return non-zero value from tipc_udp_addr2str() on error (bsc#1229382)
  • CVE-2024-42312: Always initialize i_uid/i_gid (bsc#1229357)
  • CVE-2024-42310: Fix null pointer dereference in cdv_intel_lvds_get_modes (bsc#1229358)
  • CVE-2024-42309: Fix null pointer dereference in psb_intel_lvds_get_modes (bsc#1229359)
  • CVE-2024-43854: Initialize integrity buffer to zero before writing it to media (bsc#1229345)
  • CVE-2024-42322: Properly dereference pe in ip_vs_add_service (bsc#1229347)
  • CVE-2024-42301: Fix the array out-of-bounds risk (bsc#1229407).
  • CVE-2024-42285: Fix a use-after-free related to destroying CM IDs (bsc#1229381)
  • CVE-2024-43831: Handle invalid decoder vsi (bsc#1229309).
  • CVE-2024-42281: Fix a segment issue when downgrading gso_size (bsc#1229386).
  • CVE-2024-42271: Fixed a use after free in iucv_sock_close(). (bsc#1229400)
  • CVE-2024-38618: Set lower bound of start tick time (bsc#1226754).
  • CVE-2024-41035: Fix duplicate endpoint bug by clearing reserved bits in the descriptor (bsc#1228485)
  • CVE-2024-42162: Account for stopped queues when reading NIC stats (bsc#1228706).
  • CVE-2023-52708: Fix error handling in mmc_spi_probe() (bsc#1225483).
  • CVE-2021-47549: Fix UAF in sata_fsl_port_stop when rmmod sata_fsl (bsc#1225508).
  • CVE-2021-47373: Fix potential VPE leak on error (bsc#1225190).
  • CVE-2021-47425: Fix resource leak in reconfiguration device addition (bsc#1225223).
  • CVE-2024-42246: Remap EPERM in case of connection failure in xs_tcp_setup_socket (bsc#1228989).
  • CVE-2024-41098: Fix null pointer dereference on error (bsc#1228467).
  • CVE-2021-4440: Drop USERGS_SYSRET64 paravirt call (bsc#1227069).
  • CVE-2022-48786: Remove vsock from connected table when connect is interrupted by a signal (bsc#1227996).
  • CVE-2024-42232: Fixed a race between delayed_work() and ceph_monc_stop(). (bsc#1228959)
  • CVE-2024-35915: Fix uninit-value in nci_dev_up and nci_ntf_packet (bsc#1224479).
  • CVE-2024-38662: Cover verifier checks for mutating sockmap/sockhash (bsc#1226885).
  • CVE-2024-42110: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() (bsc#1228501).
  • CVE-2024-42148: Fix multiple UBSAN array-index-out-of-bounds (bsc#1228487).
  • CVE-2024-42106: Initialize pad field in struct inet_diag_req_v2 (bsc#1228493).
  • CVE-2022-48865: Fix kernel panic when enabling bearer (bsc#1228065).
  • CVE-2024-41068: Fix sclp_init() cleanup on failure (bsc#1228579).
  • CVE-2024-42082: Remove WARN() from __xdp_reg_mem_model() (bsc#1228482).
  • CVE-2024-42090: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER (bsc#1228449).
  • CVE-2024-42101: Fix null pointer dereference in nouveau_connector_get_modes (bsc#1228495).
  • CVE-2024-42228: Using uninitialized value *size when calling amdgpu_vce_cs_reloc (bsc#1228667).
  • CVE-2021-47257: fix null deref in parse dev addr (bsc#1224896).

The following non-security bugs were fixed:

  • arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to (git-fixes)
  • Bluetooth: L2CAP: Fix deadlock (git-fixes).
  • btrfs: fix processing of delayed tree block refs during backref walking (bsc#1228982).
  • btrfs: Remove unused op_key var from add_delayed_refs (bsc#1228982).
  • cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801).
  • char: tpm: Protect tpm_pm_suspend with locks (bsc#1082555).
  • cpu/SMT: Enable SMT only if a core is online (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes).
  • fuse: Initialize beyond-EOF page contents before setting uptodate (bsc#1229457).
  • genirq: Delay deactivation in free_irq() (git-fixes).
  • genirq: Make sure the initial affinity is not empty (git-fixes).
  • genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware (git-fixes).
  • genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask() (git-fixes).
  • genirq/irqdesc: Do not try to remove non-existing sysfs files (git-fixes).
  • genirq/irqdomain: Check pointer in irq_domain_alloc_irqs_hierarchy() (git-fixes).
  • genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set (git-fixes).
  • genirq/msi: Ensure deactivation on teardown (git-fixes).
  • genirq/proc: Reject invalid affinity masks (again) (git-fixes).
  • gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey (git-fixes).
  • ip6_tunnel: Fix broken GRO (bsc#1226323).
  • irqdomain: Drop bogus fwspec-mapping error handling (git-fixes).
  • irqdomain: Fix association race (git-fixes).
  • irqdomain: Fix domain registration race (git-fixes).
  • irqdomain: Fix mapping-creation race (git-fixes).
  • irqdomain: Fixed unbalanced fwnode get and put (git-fixes).
  • irqdomain: Look for existing mapping only once (git-fixes).
  • irqdomain: Refactor __irq_domain_alloc_irqs() (git-fixes).
  • kABI: do not change return type of tpm_tis_update_timeouts (bsc#1082555).
  • kABI: do not rename tpm_do_selftest, tpm_pcr_read_dev, and tpm1_getcap (bsc#1082555).
  • kABI: Do not rename tpm_getcap (bsc#1082555).
  • kABI: genirq: Delay deactivation in free_irq() (kabi git-fixes).
  • kABI: Hide the new last_cc member in a hole in struct tpm_chip (bsc#1082555).
  • kABI: Instead of changing the pcr argument type add a local variable of the desired type, and assign it from the actual argument (bsc#1082555).
  • kABI: no need to store the tpm long long duration in tpm_chip struct, it is an arbitrary hardcoded value (bsc#1082555).
  • kABI: re-export tpm2_calc_ordinal_duration (bsc#1082555).
  • kABI: tpm-interface: Hide new include from genksyms (bsc#1082555).
  • kABI: tpm2-space: Do not add buf_size to struct tpm_space (bsc#1082555).
  • kabi/severities: Ignore tpm_transmit_cmd and tpm_tis_core_init (bsc#1082555).
  • KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID (git-fixes bsc#1229222).
  • memcg: protect concurrent access to mem_cgroup_idr (git-fixes).
  • net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings (bsc#1229154).
  • net: mana: Fix race on per-CQ variable napi work_done (bsc#1229154).
  • netfilter: nf_conntrack_h323: restore boundary check correctness (bsc#1223074)
  • netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function (bsc#1223074)
  • netfilter: nf_ct_h323: Extend nf_h323_error_boundary to work on bits as well (bsc#1223074)
  • netfilter: nf_ct_h323: Out Of Bound Read in Netfilter Conntrack (bsc#1223074)
  • nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() (git-fixes).
  • nfc: nci: Fix kcov check in nci_rx_work() (git-fixes).
  • nfc: nci: Fix uninit-value in nci_rx_work (git-fixes).
  • powerpc/topology: Check if a core is online (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes).
  • s390/uv: Panic for set and remove shared access UVC errors (git-fixes bsc#1229229).
  • scsi: target: core: Silence the message about unknown VPD pages (bsc#1221252 bsc#1229462).
  • tpm_tis_core: Turn on the TPM before probing IRQ’s (bsc#1082555).
  • tpm_tis: Add a check for invalid status (bsc#1082555).
  • tpm_tis: Explicitly check for error code (bsc#1082555).
  • tpm_tis: Fix an error handling path in ‘tpm_tis_core_init()’ (bsc#1082555).
  • tpm_tis: Resend command to recover from data transfer errors (bsc#1082555).
  • tpm_tis: reserve chip for duration of tpm_tis_core_init (bsc#1082555).
  • tpm_tis: Use tpm_chip_{start,stop} decoration inside tpm_tis_resume (bsc#1082555).
  • tpm, tpm_tis: Avoid cache incoherency in test for interrupts (bsc#1082555).
  • tpm, tpm_tis: Claim locality before writing interrupt registers (bsc#1082555).
  • tpm, tpm_tis: Claim locality before writing TPM_INT_ENABLE register (bsc#1082555).
  • tpm, tpm_tis: Claim locality when interrupts are reenabled on resume (bsc#1082555).
  • tpm, tpm_tis: correct tpm_tis_flags enumeration values (bsc#1082555).
  • tpm, tpm_tis: Decorate tpm_get_timeouts() with request_locality() (bsc#1082555).
  • tpm, tpm_tis: Decorate tpm_tis_gen_interrupt() with request_locality() (bsc#1082555).
  • tpm, tpm_tis: Disable interrupts if tpm_tis_probe_irq() failed (bsc#1082555).
  • tpm, tpm_tis: Do not skip reset of original interrupt vector (bsc#1082555).
  • tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt() (bsc#1082555).
  • tpm, tpm_tis: Only handle supported interrupts (bsc#1082555).
  • tpm, tpm_tis: Reserve locality in tpm_tis_resume() (bsc#1082555).
  • tpm, tpm: Implement usage counter for locality (bsc#1082555).
  • tpm, tpmrm: Mark tpmrm_write as static (bsc#1082555).
  • tpm: access command header through struct in tpm_try_transmit() (bsc#1082555).
  • tpm: Actually fail on TPM errors during ‘get random’ (bsc#1082555).
  • tpm: Add a flag to indicate TPM power is managed by firmware (bsc#1082555).
  • tpm: add ptr to the tpm_space struct to file_priv (bsc#1082555).
  • tpm: add support for nonblocking operation (bsc#1082555).
  • tpm: add support for partial reads (bsc#1082555).
  • tpm: add tpm_auto_startup() into tpm-interface.c (bsc#1082555).
  • tpm: add tpm_calc_ordinal_duration() wrapper (bsc#1082555).
  • tpm: Allow system suspend to continue when TPM suspend fails (bsc#1082555).
  • tpm: clean up tpm_try_transmit() error handling flow (bsc#1082555).
  • tpm: declare struct tpm_header (bsc#1082555).
  • tpm: do not return bool from update_timeouts (bsc#1082555).
  • tpm: encapsulate tpm_dev_transmit() (bsc#1082555).
  • tpm: factor out tpm 1.x duration calculation to tpm1-cmd.c (bsc#1082555).
  • tpm: factor out tpm 1.x pm suspend flow into tpm1-cmd.c (bsc#1082555).
  • tpm: factor out tpm_get_timeouts() (bsc#1082555).
  • tpm: factor out tpm_startup function (bsc#1082555).
  • tpm: factor out tpm1_get_random into tpm1-cmd.c (bsc#1082555).
  • tpm: fix an invalid condition in tpm_common_poll (bsc#1082555).
  • tpm: fix Atmel TPM crash caused by too frequent queries (bsc#1082555).
  • tpm: Fix buffer access in tpm2_get_tpm_pt() (bsc#1082555).
  • tpm: fix buffer type in tpm_transmit_cmd (bsc#1082555).
  • tpm: fix byte order related arithmetic inconsistency in tpm_getcap() (bsc#1082555).
  • tpm: Fix error handling in async work (bsc#1082555).
  • tpm: fix invalid locking in NONBLOCKING mode (bsc#1082555).
  • tpm: fix invalid return value in pubek_show() (bsc#1082555).
  • tpm: fix NPE on probe for missing device (bsc#1082555).
  • tpm: Fix null pointer dereference on chip register error path (bsc#1082555).
  • tpm: Fix TIS locality timeout problems (bsc#1082555).
  • tpm: Handle negative priv->response_len in tpm_common_read() (bsc#1082555).
  • tpm: introduce tpm_chip_start() and tpm_chip_stop() (bsc#1082555).
  • tpm: migrate pubek_show to struct tpm_buf (bsc#1082555).
  • tpm: migrate tpm2_get_random() to use struct tpm_buf (bsc#1082555).
  • tpm: migrate tpm2_get_tpm_pt() to use struct tpm_buf (bsc#1082555).
  • tpm: migrate tpm2_probe() to use struct tpm_buf (bsc#1082555).
  • tpm: migrate tpm2_shutdown() to use struct tpm_buf (bsc#1082555).
  • tpm: move TPM 1.2 code of tpm_pcr_extend() to tpm1_pcr_extend() (bsc#1082555).
  • tpm: move tpm 1.x selftest code from tpm-interface.c tpm1-cmd.c (bsc#1082555).
  • tpm: move TPM space code out of tpm_transmit() (bsc#1082555).
  • tpm: move tpm_getcap to tpm1-cmd.c (bsc#1082555).
  • tpm: move tpm_validate_commmand() to tpm2-space.c (bsc#1082555).
  • tpm: move tpm1_pcr_extend to tpm1-cmd.c (bsc#1082555).
  • tpm: Prevent hwrng from activating during resume (bsc#1082555).
  • tpm: print tpm2_commit_space() error inside tpm2_commit_space() (bsc#1082555).
  • tpm: remove @flags from tpm_transmit() (bsc#1082555).
  • tpm: remove @space from tpm_transmit() (bsc#1082555).
  • tpm: remove struct tpm_pcrextend_in (bsc#1082555).
  • tpm: Remove tpm_dev_wq_lock (bsc#1082555).
  • tpm: remove TPM_TRANSMIT_UNLOCKED flag (bsc#1082555).
  • tpm: rename tpm_chip_find_get() to tpm_find_get_ops() (bsc#1082555).
  • tpm: replace TPM_TRANSMIT_RAW with TPM_TRANSMIT_NESTED (bsc#1082555).
  • tpm: Replace WARN_ONCE() with dev_err_once() in tpm_tis_status() (bsc#1082555).
  • tpm: return 0 from pcrs_show() when tpm1_pcr_read() fails (bsc#1082555).
  • tpm: Revert ‘tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts’ (bsc#1082555).
  • tpm: Revert ‘tpm_tis_core: Turn on the TPM before probing IRQ’s’ (bsc#1082555).
  • tpm: Revert ‘tpm_tis: reserve chip for duration of tpm_tis_core_init’ (bsc#1082555).
  • tpm: take TPM chip power gating out of tpm_transmit() (bsc#1082555).
  • tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak (bsc#1082555).
  • tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak (bsc#1082555).
  • tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation (bsc#1082555).
  • tpm: tpm1_bios_measurements_next should increase position index (bsc#1082555).
  • tpm: tpm1: rewrite tpm1_get_random() using tpm_buf structure (bsc#1082555).
  • tpm: turn on TPM on suspend for TPM 1.x (bsc#1082555).
  • tpm: Unify the mismatching TPM space buffer sizes (bsc#1082555).
  • tpm: use tpm_buf in tpm_transmit_cmd() as the IO parameter (bsc#1082555).
  • tpm: use tpm_msleep() value as max delay (bsc#1082555).
  • tpm: use tpm_try_get_ops() in tpm-sysfs.c (bsc#1082555).
  • tpm: use u32 instead of int for PCR index (bsc#1082555).
  • tpm: vtpm_proxy: Avoid reading host log when using a virtual device (bsc#1082555).
  • tpm: vtpm_proxy: Prevent userspace from sending driver command (bsc#1082555).
  • tpm: Wrap the buffer from the caller to tpm_buf in tpm_send() (bsc#1082555).
  • tpm/tpm_crb: Fix error message in __crb_relinquish_locality() (bsc#1082555).
  • tpm1: implement tpm1_pcr_read_dev() using tpm_buf structure (bsc#1082555).
  • tpm1: reimplement SAVESTATE using tpm_buf (bsc#1082555).
  • tpm1: reimplement tpm1_continue_selftest() using tpm_buf (bsc#1082555).
  • tpm1: rename tpm1_pcr_read_dev to tpm1_pcr_read() (bsc#1082555).
  • tpm2: add longer timeouts for creation commands (bsc#1082555).
  • vfio/pci: fix potential memory leak in vfio_intx_enable() (git-fixes).
  • vsock: correct removal of socket from the list (bsc#1227996).
  • xfs: fix getfsmap reporting past the last rt extent (git-fixes).
  • xfs: Fix the owner setting issue for rmap query in xfs fsmap (git-fixes).
  • xfs: fix uninitialized variable access (git-fixes).
