(RHSA-2024:6993) Important: kernel security update

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

• kernel: uio: Fix use-after-free in uio_open (CVE-2023-52439)

• kernel: smb: client: fix potential OOBs in smb2_parse_contexts() (CVE-2023-52434)

• kernel: net: fix possible store tearing in neigh_periodic_work() (CVE-2023-52522)

• kernel: tunnels: fix out of bounds access when building IPv6 PMTU error (CVE-2024-26665)

• kernel: hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove (CVE-2024-26698)

• kernel: ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() (CVE-2024-26772)

• kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

• kernel: x86/xen: Add some null pointer checking to smp.c (CVE-2024-26908)

• kernel: netfilter: nf_conntrack_h323: Add protection for bmp length out of range (CVE-2024-26851)

• kernel: af_unix: Fix garbage collector racing against connect() (CVE-2024-26923)

• kernel: cgroup: cgroup_get_from_id() must check the looked-up kn is a directory (CVE-2022-48638)

• kernel: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() (CVE-2024-27020)

• kernel: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() (CVE-2024-27019)

• kernel: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout (CVE-2024-27399)

• kernel: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (CVE-2024-35898)

• kernel: ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr (CVE-2024-35969)

• kernel: netfilter: nf_tables: honor table dormant flag from netdev release event path (CVE-2024-36005)

• kernel: hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field (CVE-2021-47384)

• kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

• kernel: virtio-net: Add validation for used length (CVE-2021-47352)

• kernel: platform/x86: wmi: Fix opening of char device (CVE-2023-52864)

• kernel: scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool (CVE-2023-52811)

• kernel: bonding: stop the device in bond_setup_by_slave() (CVE-2023-52784)

• kernel: isdn: mISDN: Fix sleeping function called from invalid context (CVE-2021-47468)

• kernel: proc/vmcore: fix clearing user buffer by properly using clear_user() (CVE-2021-47566)

• kernel: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (CVE-2024-36016)

• kernel: net: core: reject skb_copy(_expand) for fraglist GSO skbs (CVE-2024-36929)

• kernel: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (CVE-2024-36978)

• kernel: cpufreq: exit() callback is optional (CVE-2024-38615)

• kernel: md: fix resync softlockup when bitmap size is less than array size (CVE-2024-38598)

• kernel: cppc_cpufreq: Fix possible null pointer dereference (CVE-2024-38573)

• kernel: netfilter: tproxy: bail out if IP has been disabled on the device (CVE-2024-36270)

• kernel: net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() (CVE-2024-40995)

• kernel: udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port() (CVE-2024-41041)

• kernel: ppp: reject claimed-as-LCP but actually malformed packets (CVE-2024-41044)

• kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)

• kernel: drm/amdgpu: avoid using null object of framebuffer (CVE-2024-41093)

• kernel: tcp_metrics: validate source addr length (CVE-2024-42154)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.