Oracle Linux Security Advisory ELSA-2024-12868

http://linux.oracle.com/errata/ELSA-2024-12868.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
kernel-uek-4.14.35-2047.543.3.el7uek.x86_64.rpm
kernel-uek-debug-4.14.35-2047.543.3.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.14.35-2047.543.3.el7uek.x86_64.rpm
kernel-uek-devel-4.14.35-2047.543.3.el7uek.x86_64.rpm
kernel-uek-tools-4.14.35-2047.543.3.el7uek.x86_64.rpm
kernel-uek-doc-4.14.35-2047.543.3.el7uek.noarch.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates//kernel-uek-4.14.35-2047.543.3.el7uek.src.rpm

Related CVEs:

CVE-2019-15222
CVE-2021-33655
CVE-2021-3759
CVE-2023-31083
CVE-2024-36971
CVE-2024-42131
CVE-2024-42228
CVE-2024-42259
CVE-2024-42265
CVE-2024-42271
CVE-2024-42280
CVE-2024-42284
CVE-2024-42285
CVE-2024-42289
CVE-2024-42295
CVE-2024-42297
CVE-2024-42301
CVE-2024-42304
CVE-2024-42305
CVE-2024-42309
CVE-2024-42310
CVE-2024-42311
CVE-2024-42313
CVE-2024-43839
CVE-2024-43853
CVE-2024-43854
CVE-2024-43856
CVE-2024-43858
CVE-2024-43860
CVE-2024-43861
CVE-2024-43871
CVE-2024-43882
CVE-2024-43883
CVE-2024-43884
CVE-2024-43890
CVE-2024-43893
CVE-2024-43914
CVE-2024-44944
CVE-2024-44946
CVE-2024-44947
CVE-2024-44948
CVE-2024-44954
CVE-2024-44960
CVE-2024-44968
CVE-2024-44987
CVE-2024-44998
CVE-2024-44999
CVE-2024-45008
CVE-2024-45021
CVE-2024-45028
CVE-2024-46673
CVE-2024-46674
CVE-2024-46675
CVE-2024-46677
CVE-2024-46685
CVE-2024-46721
CVE-2024-46722
CVE-2024-46723
CVE-2024-46743
CVE-2024-46744
CVE-2024-46745
CVE-2024-46750
CVE-2024-46755
CVE-2024-46756
CVE-2024-46757
CVE-2024-46758
CVE-2024-46759
CVE-2024-46761
CVE-2024-46771
CVE-2024-46780
CVE-2024-46781
CVE-2024-46800
CVE-2024-46829
CVE-2024-46840
CVE-2024-46844
CVE-2024-47669
CVE-2024-47696
CVE-2024-47709
CVE-2024-49958
CVE-2024-50074




Description of changes:

[4.14.35-2047.543.3.el7uek]
- rds: Add rds stuck shutdown timeout (Rohit Nair)  [Orabug: 37214079]
- gtp: allow -1 to be specified as file description from userspace (Pablo Neira 
Ayuso) 
- ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin (Takashi 
Iwai) 
- can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). (Kuniyuki 
Iwashima) 
- RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency (Zhu 
Yanjun) 
- parport: Proper fix for array out-of-bounds access (Takashi Iwai) 
- net: usb: usbnet: fix name regression (Oliver Neukum) 
- Revert "driver core: Fix uevent_show() vs driver detach race" (Greg 
Kroah-Hartman) 
- pinctrl: single: fix missing error code in pcs_probe() (Yang Yingliang)

[4.14.35-2047.543.2.el7uek]
- igb: Do not free the irq resources if they are already freed by igb_close() 
(Yifei Liu)  [Orabug: 37208307]
- ocfs2: reserve space for inline xattr before attaching reflink tree (Gautham 
Ananthakrishna)  [Orabug: 37199021] {CVE-2024-49958}
- Revert "ocfs2: ocfs2 crash due to invalid h_next_leaf_blk value in extent 
block" (Gautham Ananthakrishna)  [Orabug: 37199021]
- LTS version v4.14.355 (Yifei Liu) 
- Revert "parisc: Use irq_enter_rcu() to fix warning at 
kernel/context_tracking.c:367" (Greg Kroah-Hartman) 
- netns: restore ops before calling ops_exit_list (Li RongQing) 
- cx82310_eth: fix error return code in cx82310_bind() (Zhang Changzhong) 
- rtmutex: Drop rt_mutex::wait_lock before scheduling (Roland Xu) [Orabug: 
37116447] {CVE-2024-46829}
- locking/rtmutex: Handle non enqueued waiters gracefully in remove_waiter() 
(Peter Zijlstra) 
- drm/i915/fence: Mark debug_fence_free() with __maybe_unused (Andy Shevchenko) 
- ACPI: processor: Fix memory leaks in error paths of processor_add() (Jonathan 
Cameron) 
- ACPI: processor: Return an error if acpi_processor_get_info() fails in 
processor_add() (Jonathan Cameron) 
- netns: add pre_exit method to struct pernet_operations (Eric Dumazet) 
- net: Add comment about pernet_operations methods and synchronization (Kirill 
Tkhai) 
- nilfs2: protect references to superblock parameters exposed in sysfs (Ryusuke 
Konishi) [Orabug: 37074678] {CVE-2024-46780}
- nilfs2: replace snprintf in show functions with sysfs_emit (Qing Wang) 
- nilfs2: use time64_t internally (Arnd Bergmann) 
- tracing: Avoid possible softlockup in tracing_iter_reset() (Zheng Yejian) 
- ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance() (Steven 
Rostedt (VMware)) 
- uprobes: Use kzalloc to allocate xol area (Sven Schnelle) 
- clocksource/drivers/imx-tpm: Fix next event not taking effect sometime (Jacky 
Bai) 
- clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX 
(Jacky Bai) 
- nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc (Geert 
Uytterhoeven) 
- iio: fix scale application in iio_convert_raw_to_processed_unlocked (Matteo 
Martelli) 
- iio: buffer-dmaengine: fix releasing dma channel on error (David Lechner) 
- ata: pata_macio: Use WARN instead of BUG (Michael Ellerman) 
- of/irq: Prevent device address out-of-bounds read in interrupt map walk 
(Stefan Wiehler) [Orabug: 37074490] {CVE-2024-46743}
- Squashfs: sanity check symbolic link size (Phillip Lougher) [Orabug: 
37074496] {CVE-2024-46744}
- usbnet: ipheth: race between ipheth_close and error handling (Oliver Neukum) 
- Input: uinput - reject requests with unreasonable number of slots (Dmitry 
Torokhov) [Orabug: 37074504] {CVE-2024-46745}
- btrfs: initialize location to fix -Wmaybe-uninitialized in 
btrfs_lookup_dentry() (David Sterba) 
- PCI: Add missing bridge lock to pci_bus_lock() (Dan Williams) [Orabug: 
37074533] {CVE-2024-46750}
- btrfs: clean up our handling of refs == 0 in snapshot delete (Josef Bacik) 
[Orabug: 37116495] {CVE-2024-46840}
- btrfs: replace BUG_ON with ASSERT in walk_down_proc() (Josef Bacik) 
- smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu() (Zqiang) 
- wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() (Sascha 
Hauer) [Orabug: 37074562] {CVE-2024-46755}
- hwmon: (w83627ehf) Fix underflows seen when writing limit attributes (Guenter 
Roeck) [Orabug: 37074567] {CVE-2024-46756}
- hwmon: (nct6775-core) Fix underflows seen when writing limit attributes 
(Guenter Roeck) [Orabug: 37074572] {CVE-2024-46757}
- hwmon: (lm95234) Fix underflows seen when writing limit attributes (Guenter 
Roeck) [Orabug: 37074580] {CVE-2024-46758}
- hwmon: (adc128d818) Fix underflows seen when writing limit attributes 
(Guenter Roeck) [Orabug: 37074586] {CVE-2024-46759}
- pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv (Krishna Kumar) 
[Orabug: 37074596] {CVE-2024-46761}
- devres: Initialize an uninitialized struct member (Zijun Hu) 
- um: line: always fill *error_out in setup_one_line() (Johannes Berg) [Orabug: 
37116519] {CVE-2024-46844}
- cgroup: Protect css->cgroup write under css_set_lock (Waiman Long) 
- iommu/vt-d: Handle volatile descriptor status read (Jacob Pan) 
- rfkill: fix spelling mistake contidion to condition (Richard Guy Briggs) 
- usbnet: modern method to get random MAC (Oliver Neukum) 
- net: usb: don't write directly to netdev->dev_addr (Jakub Kicinski) 
- drivers/net/usb: Remove all strcpy() uses (Len Baker) 
- cx82310_eth: re-enable ethernet mode after router reboot (Ondrej Zary) 
- igb: Fix not clearing TimeSync interrupts for 82580 (Daiwei Li) 
- can: bcm: Remove proc entry when dev is unregistered. (Kuniyuki Iwashima) 
[Orabug: 37074626] {CVE-2024-46771}
- pcmcia: Use resource_size function on resource object (Jules Irenge) 
- media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse (Chen Ni) 
- wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3 (Arend van Spriel) 
- af_unix: Remove put_pid()/put_cred() in copy_peercred(). (Kuniyuki Iwashima) 
- irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 (Pali Rohár) 
- smack: unix sockets: fix accept()ed socket label (Konstantin Andreev) 
- ALSA: hda: Add input value sanity checks to HDMI channel map controls 
(Takashi Iwai) 
- nilfs2: fix state management in error path of log writing function (Ryusuke 
Konishi) [Orabug: 37159766] {CVE-2024-47669}
- nilfs2: fix missing cleanup on rollforward recovery error (Ryusuke Konishi) 
[Orabug: 37074685] {CVE-2024-46781}
- fuse: use unsigned type for getxattr/listxattr size truncation (Jann Horn) 
- mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K (Sam Protsenko) 
- ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices 
(Christoffer Sandberg) 
- sch/netem: fix use after free in netem_dequeue (Stephen Hemminger) [Orabug: 
37074727] {CVE-2024-46800}
- ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check (Hillf Danton) [Orabug: 
30562949] {CVE-2019-15222}
- ALSA: usb-audio: Sanity checks for each pipe and EP types (Takashi Iwai) 
- ALSA: usb-audio: add boot quirk for Axe-Fx III (Alberto Aguirre) 
- udf: Limit file size to 4TB (Jan Kara) 
- block: initialize integrity buffer to zero before writing it to media 
(Christoph Hellwig) [Orabug: 36964517] {CVE-2024-43854}
- media: uvcvideo: Enforce alignment of frame and interval (Ricardo Ribalda) 
- smack: tcp: ipv4, fix incorrect labeling (Casey Schaufler) 
- usbip: Don't submit special requests twice (Simon Holesch) 
- apparmor: fix possible NULL pointer dereference (Leesoo Ahn) [Orabug: 
37073079] {CVE-2024-46721}
- drm/amdgpu: fix mc_data out-of-bounds read warning (Tim Huang) [Orabug: 
37073084] {CVE-2024-46722}
- drm/amdgpu: fix ucode out-of-bounds read warning (Tim Huang) [Orabug: 
37073089] {CVE-2024-46723}
- drm/amdgpu: fix overflowed array index read warning (Tim Huang) 
- drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr (Ma Jun) 
- usb: dwc3: st: add missing depopulate in probe error path (Krzysztof 
Kozlowski) 
- usb: dwc3: st: Add of_node_put() before return in probe function (Nishka 
Dasgupta) 
- net: usb: qmi_wwan: add MeiG Smart SRM825L (ZHANG Yuntian) 
- LTS version v4.14.354 (Yifei Liu) 
- drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var (Daniel Vetter) 
- ipc: remove memcg accounting for sops objects in do_semtimedop() (Vasily 
Averin) 
- scsi: aacraid: Fix double-free on probe failure (Ben Hutchings) [Orabug: 
37070701] {CVE-2024-46673}
- usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in 
remove_power_attributes() (Zijun Hu) 
- usb: dwc3: st: fix probed platform device ref count on probe error path 
(Krzysztof Kozlowski) [Orabug: 37070706] {CVE-2024-46674}
- usb: dwc3: core: Prevent USB core invalid event buffer address access 
(Selvarasu Ganesan) [Orabug: 37070711] {CVE-2024-46675}
- usb: dwc3: omap: add missing depopulate in probe error path (Krzysztof 
Kozlowski) 
- USB: serial: option: add MeiG Smart SRM825L (ZHANG Yuntian) 
- cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller (Ian Ray) 
- net: busy-poll: use ktime_get_ns() instead of local_clock() (Eric Dumazet) 
- gtp: fix a potential NULL pointer dereference (Cong Wang) [Orabug: 37070723] 
{CVE-2024-46677}
- net: prevent mss overflow in skb_segment() (Eric Dumazet) 
- ida: Fix crash in ida_free when the bitmap is empty (Matthew Wilcox (Oracle)) 
- net:rds: Fix possible deadlock in rds_message_put (Allison Henderson) 
- fbmem: Check virtual screen sizes in fb_set_var() (Helge Deller) [Orabug: 
34408909] {CVE-2021-33655}
- fbcon: Prevent that screen size is smaller than font size (Helge Deller) 
[Orabug: 34408909] {CVE-2021-33655}
- printk: Export is_console_locked (Hans de Goede) 
- memcg: enable accounting of ipc resources (Vasily Averin) [Orabug: 34214321] 
{CVE-2021-3759}
- cgroup/cpuset: Prevent UAF in proc_cpuset_show() (Chen Ridong) [Orabug: 
36964511] {CVE-2024-43853}
- media: uvcvideo: Fix integer overflow calculating timestamp (Ricardo Ribalda) 
- media: uvcvideo: Use ktime_t for timestamps (Arnd Bergmann) 
- filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64 (Long Li) 
- scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES (Damien Le Moal) 
- dm suspend: return -ERESTARTSYS instead of -EINTR (Mikulas Patocka) 
- wifi: mwifiex: duplicate static structs used in driver instances (Sascha 
Hauer) 
- pinctrl: single: fix potential NULL dereference in pcs_get_function() (Ma Ke) 
[Orabug: 37070745] {CVE-2024-46685}
- drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc 
(Jesse Zhang) [Orabug: 36898010] {CVE-2024-42228}
- Input: MT - limit max slots (Tetsuo Handa) [Orabug: 37029138] {CVE-2024-45008}
- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO 
(Lee, Chun-Yi) [Orabug: 36654193] {CVE-2023-31083}
- mmc: dw_mmc: allow biu and ciu clocks to defer (Ben Whitten) 
- HID: wacom: Defer calculation of resolution until resolution_code is known 
(Jason Gerecke) 
- Bluetooth: MGMT: Add error handling to pair_device() (Griffin Kroah-Hartman) 
[Orabug: 36992977] {CVE-2024-43884}
- mmc: mmc_test: Fix NULL dereference on allocation failure (Dan Carpenter) 
[Orabug: 37070692] {CVE-2024-45028}
- net: xilinx: axienet: Always disable promiscuous mode (Sean Anderson) 
- ipv6: prevent UAF in ip6_send_skb() (Eric Dumazet) [Orabug: 37029077] 
{CVE-2024-44987}
- netfilter: nft_counter: Synchronize nft_counter_reset() against reader. 
(Sebastian Andrzej Siewior) 
- kcm: Serialise kcm_sendmsg() for the same socket. (Kuniyuki Iwashima) 
[Orabug: 37013762] {CVE-2024-44946}
- Bluetooth: hci_core: Fix LE quote calculation (Luiz Augusto von Dentz) 
- Bluetooth: hci_core: Fix not handling link timeouts propertly (Luiz Augusto 
von Dentz) 
- Bluetooth: Make use of __check_timeout on hci_sched_le (Luiz Augusto von 
Dentz) 
- block: use "unsigned long" for blk_validate_block_size(). (Tetsuo Handa) 
- gtp: pull network headers in gtp_dev_xmit() (Eric Dumazet) [Orabug: 37029112] 
{CVE-2024-44999}
- hrtimer: Prevent queuing of hrtimer without a function callback (Phil Chang) 
- nvmet-rdma: fix possible bad dereference when freeing rsps (Sagi Grimberg) 
- ext4: set the type of max_zeroout to unsigned int to avoid overflow (Baokun 
Li) 
- irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc (Guanrui Huang) 
- usb: dwc3: core: Skip setting event buffers for host only controllers 
(Krishna Kurapati) 
- s390/iucv: fix receive buffer virtual vs physical address confusion 
(Alexander Gordeev) 
- openrisc: Call setup_memory() earlier in the init sequence (Oreoluwa 
Babatunde) 
- NFS: avoid infinite loop in pnfs_update_layout. (NeilBrown) 
- Bluetooth: bnep: Fix out-of-bound access (Luiz Augusto von Dentz) 
- usb: gadget: fsl: Increase size of name buffer for endpoints (Uwe 
Kleine-König) 
- f2fs: fix to do sanity check in update_sit_entry (Zhiguo Niu) 
- btrfs: delete pointless BUG_ON check on quota root in 
btrfs_qgroup_account_extent() (David Sterba) 
- btrfs: send: handle unexpected data in header buffer in begin_cmd() (David 
Sterba) 
- btrfs: handle invalid root reference found in may_destroy_subvol() (David 
Sterba) 
- btrfs: change BUG_ON to assertion when checking for delayed_node root (David 
Sterba) 
- powerpc/boot: Only free if realloc() succeeds (Michael Ellerman) 
- powerpc/boot: Handle allocation failure in simple_realloc() (Li zeming) 
- parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 
(Helge Deller) 
- md: clean up invalid BUG_ON in md_ioctl (Li Nan) 
- net/sun3_82586: Avoid reading past buffer in debug output (Kees Cook) 
- scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() 
(Justin Tee) 
- fs: binfmt_elf_efpic: don't use missing interpreter's properties (Max 
Filippov) 
- media: pci: cx23885: check cx23885_vdev_init() return (Hans Verkuil) 
- quota: Remove BUG_ON from dqget() (Jan Kara) 
- ext4: do not trim the group with corrupted block bitmap (Baokun Li) 
- powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu 
(Kunwu Chan) 
- wifi: iwlwifi: abort scan when rfkill on but device enabled (Miri Korenblit) 
- gfs2: setattr_chown: Add missing initialization (Andreas Gruenbacher) 
- scsi: spi: Fix sshdr use (Mike Christie) 
- binfmt_misc: cleanup on filesystem umount (Christian Brauner) 
- staging: ks7010: disable bh on tx_dev_lock (Chengfeng Ye) 
- wifi: cw1200: Avoid processing an invalid TIM IE (Jeff Johnson) 
- ssb: Fix division by zero issue in ssb_calc_clock_rate (Rand Deeb) 
- atm: idt77252: prevent use after free in dequeue_rx() (Dan Carpenter) 
[Orabug: 37029106] {CVE-2024-44998}
- btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() (Alexander 
Lobakin) 
- overflow: Implement size_t saturating arithmetic helpers (Kees Cook) 
- overflow.h: Add flex_array_size() helper (Gustavo A. R. Silva) 
- s390/cio: rename bitmap_size() -> idset_bitmap_size() (Alexander Lobakin) 
- memcg_write_event_control(): fix a user-triggerable oops (Al Viro) [Orabug: 
37070673] {CVE-2024-45021}
- drm/amdgpu: Actually check flags for all context ops. (Bas Nieuwenhuizen) 
- selinux: fix potential counting error in avc_add_xperms_decision() (Zhen Lei) 
- include/linux/bitmap.h: make bitmap_fill() and bitmap_zero() consistent (Andy 
Shevchenko) 
- dm persistent data: fix memory allocation failure (Mikulas Patocka) 
- dm resume: don't return EINVAL when signalled (Khazhismel Kumykov) 
- ALSA: usb-audio: Support Yamaha P-125 quirk entry (Juan José Arboleda) 
- fuse: Initialize beyond-EOF page contents before setting uptodate (Jann Horn) 
[Orabug: 37017952] {CVE-2024-44947}
- LTS version v4.14.353 (Yifei Liu) 
- net: fix __dst_negative_advice() race (Eric Dumazet)  [Orabug: 36720418]  
{CVE-2024-36971}
- nvme/pci: Add APST quirk for Lenovo N60z laptop (WangYuli) 
- exec: Fix ToCToU between perm check and set-uid/gid usage (Kees Cook) 
[Orabug: 36984018] {CVE-2024-43882}
- drm/i915/gem: Fix Virtual Memory mapping boundaries calculation (Andi Shyti) 
[Orabug: 36953970] {CVE-2024-42259}
- drm/i915: Try GGTT mmapping whole object as partial (Chris Wilson) 
- netfilter: nf_tables: set element extended ACK reporting support (Pablo Neira 
Ayuso) 
- kbuild: Fix '-S -c' in x86 stack protector scripts (Nathan Chancellor) 
- drm/mgag200: Set DDC timeout in milliseconds (Thomas Zimmermann) 
- drm/bridge: analogix_dp: properly handle zero sized AUX transactions (Lucas 
Stach) 
- drm/bridge: analogix_dp: Properly log AUX CH errors (Douglas Anderson) 
- drm/bridge: analogix_dp: Reset aux channel if an error occurred (Lin Huang) 
- drm/bridge: analogix_dp: Check AUX_EN status when doing AUX transfer (Lin 
Huang) 
- x86/mtrr: Check if fixed MTRRs exist before saving them (Andi Kleen) [Orabug: 
37028937] {CVE-2024-44948}
- tracing: Fix overflow in get_free_elt() (Tze-nan Wu) [Orabug: 36992999] 
{CVE-2024-43890}
- power: supply: axp288_charger: Round constant_charge_voltage writes down 
(Hans de Goede) 
- power: supply: axp288_charger: Fix constant_charge_voltage writes (Hans de 
Goede) 
- serial: core: check uartclk for zero to avoid divide by zero (George Kennedy) 
[Orabug: 36993010] {CVE-2024-43893}
- ntp: Safeguard against time_constant overflow (Justin Stitt) 
- ntp: Clamp maxerror and esterror to operating range (Justin Stitt) 
- tick/broadcast: Move per CPU pointer access into the atomic section (Thomas 
Gleixner) [Orabug: 37242882] {CVE-2024-44968}
- scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic 
(Vamshi Gajjela) 
- usb: gadget: core: Check for unset descriptor (Chris Wulff) [Orabug: 
37028989] {CVE-2024-44960}
- USB: serial: debug: do not echo input by default (Marek Marczykowski-Górecki) 
- usb: vhci-hcd: Do not drop references before new references are gained 
(Oliver Neukum) [Orabug: 36992972] {CVE-2024-43883}
- ALSA: line6: Fix racy access to midibuf (Takashi Iwai) [Orabug: 37028959] 
{CVE-2024-44954}
- spi: spi-fsl-lpspi: Fix scldiv calculation (Stefan Wahren) 
- spi: fsl-lpspi: remove unneeded array (Oleksandr Suvorov) 
- spi: lpspi: add the error info of transfer speed setting (Clark Wang) 
- spi: lpspi: Add i.MX8 boards support for lpspi (Clark Wang) 
- spi: lpspi: Let watermark change with send data length (Clark Wang) 
- spi: lpspi: Add slave mode support (Clark Wang) 
- spi: lpspi: Replace all "master" with "controller" (Clark Wang) 
- spi: lpspi: Switch to SPDX identifier (Fabio Estevam) 
- i2c: smbus: Send alert notifications to all devices if source not found 
(Guenter Roeck) 
- i2c: smbus: Improve handling of stuck alerts (Guenter Roeck) 
- i2c: smbus: Don't filter out duplicate alerts (Corey Minyard) 
- ext4: fix wrong unit use in ext4_mb_find_by_goal (Kemeng Shi) 
- SUNRPC: Fix a race to wake a sync task (Benjamin Coddington) 
- jbd2: avoid memleak in jbd2_journal_write_metadata_buffer (Kemeng Shi) 
- media: uvcvideo: Fix the bandwdith quirk on USB 3.x (Michal Pecio) 
- media: uvcvideo: Ignore empty TS packets (Ricardo Ribalda) 
- btrfs: fix bitmap leak when loading free space cache on duplicate entry 
(Filipe Manana) 
- wifi: nl80211: don't give key data to userspace (Johannes Berg) 
- udf: prevent integer overflow in udf_bitmap_free_blocks() (Roman Smirnov) 
- udf: Fix signed/unsigned format specifiers (Steve Magnani) 
- PCI: Add Edimax Vendor ID to pci_ids.h (FUJITA Tomonori) 
- clocksource/drivers/sh_cmt: Address race condition for clock events (Niklas 
Söderlund) 
- md/raid5: avoid BUG_ON() while continue reshape after reassembling (Yu Kuai) 
[Orabug: 36993128] {CVE-2024-43914}
- net: fec: Stop PPS on driver remove (Csókás, Bence) 
- Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() (Dmitry 
Antipov) 
- net: linkwatch: use system_unbound_wq (Eric Dumazet) 
- net: usb: qmi_wwan: fix memory leak for not ip packets (Daniele Palmas) 
[Orabug: 36983960] {CVE-2024-43861}
- irqchip/mbigen: Fix mbigen node address layout (Yipeng Zou) 
- net: usb: sr9700: fix uninitialized variable use in sr_mdio_read (Ma Ke) 
- ALSA: usb-audio: Correct surround channels in UAC1 channel map (Takashi Iwai) 
- protect the fetch of ->fd[fd] in do_dup2() from mispredictions (Al Viro) 
[Orabug: 36963809] {CVE-2024-42265}
- ipv6: fix ndisc_is_useropt() handling for PIO (Maciej Żenczykowski) 
- net/iucv: fix use after free in iucv_sock_close() (Alexandra Winter) [Orabug: 
36964007] {CVE-2024-42271}
- drm/vmwgfx: Fix overlay when using Screen Targets (Ian Forbes) 
- remoteproc: imx_rproc: Skip over memory region when node value is NULL 
(Aleksandr Mishin) [Orabug: 36964539] {CVE-2024-43860}
- remoteproc: imx_rproc: Fix ignoring mapping vdev regions (Dong Aisheng) 
- remoteproc: imx_rproc: ignore mapping vdev regions (Peng Fan) 
- perf/x86/intel/pt: Fix a topa_entry base address calculation (Adrian Hunter) 
- perf/x86/intel/pt: Split ToPA metadata and page layout (Alexander Shishkin) 
- perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation 
(Alexander Shishkin) 
- perf/x86/intel/pt: Use helpers to obtain ToPA entry size (Alexander Shishkin) 
- devres: Fix memory leakage caused by driver API devm_free_percpu() (Zijun Hu) 
[Orabug: 36983992] {CVE-2024-43871}
- driver core: Cast to (void *) with __force for __percpu pointer (Andy 
Shevchenko) 
- dev/parport: fix the array out-of-bounds risk (tuhaowen) [Orabug: 36964224] 
{CVE-2024-42301}
- parport: Standardize use of printmode (Joe Perches) 
to pr_<level>( (Joe Perches) 
- parport: parport_pc: Mark expected switch fall-through (Gustavo A. R. Silva) 
- PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio (Manivannan 
Sadhasivam) 
- PCI: rockchip: Make 'ep-gpios' DT property optional (Chen-Yu Tsai) 
- mm: avoid overflows in dirty throttling logic (Jan Kara) [Orabug: 36897804] 
{CVE-2024-42131}
- mISDN: Fix a use after free in hfcmulti_tx() (Dan Carpenter) [Orabug: 
36964033] {CVE-2024-42280}
- tipc: Return non-zero value from tipc_udp_addr2str() on error (Shigeru 
Yoshida) [Orabug: 36964048] {CVE-2024-42284}
- net: bonding: correctly annotate RCU in bond_should_notify_peers() (Johannes 
Berg) 
- ipv4: Fix incorrect source address in Record Route option (Ido Schimmel) 
- net: ip_rt_get_source() - use new style struct initializer instead of memset 
(Maciej Żenczykowski) 
- MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later (Gregory 
CLEMENT) 
- dma: fix call order in dmam_free_coherent (Lance Richardson) [Orabug: 
36964524] {CVE-2024-43856}
- jfs: Fix array-index-out-of-bounds in diFree (Jeongjun Park) [Orabug: 
36964531] {CVE-2024-43858}
- kdb: address -Wformat-security warnings (Arnd Bergmann) 
- kdb: Fix bound check compiler warning (Wenlin Kang) 
- nilfs2: handle inconsistent state in nilfs_btnode_create_block() (Ryusuke 
Konishi) [Orabug: 36964204] {CVE-2024-42295}
- selftests/sigaltstack: Fix ppc64 GCC build (Michael Ellerman) 
- RDMA/iwcm: Fix a use-after-free related to destroying CM IDs (Bart Van 
Assche) [Orabug: 36964055] {CVE-2024-42285}
- RDMA/iwcm: Remove a set-but-not-used variable (Bart Van Assche) 
- platform: mips: cpu_hwmon: Disable driver on unsupported hardware (Jiaxun 
Yang) 
- watchdog/perf: properly initialize the turbo mode timestamp and rearm counter 
(Thomas Gleixner) 
- perf/x86/intel/pt: Fix topa_entry base length (Marco Cavenati) 
- scsi: qla2xxx: During vport delete send async logout explicitly (Manish 
Rangankar) [Orabug: 36964081] {CVE-2024-42289}
- decompress_bunzip2: fix rare decompression failure (Ross Lagerwall) 
- ubi: eba: properly rollback inside self_check_eba (Fedor Pchelkin) 
- f2fs: fix to don't dirty inode for readonly filesystem (Chao Yu) [Orabug: 
36964214] {CVE-2024-42297}
- f2fs: prevent newly created inode from being dirtied incorrectly (Daeho 
Jeong) 
- scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds (Saurav 
Kashyap) 
- binder: fix hang of unregistered readers (Carlos Llamas) 
- PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN (Wei Liu) 
- hwrng: amd - Convert PCIBIOS_* return codes to errnos (Ilpo Järvinen) 
- leds: ss4200: Convert PCIBIOS_* return codes to errnos (Ilpo Järvinen) 
- wifi: mwifiex: Fix interface type change (Rafael Beims) 
- ext4: make sure the first directory block is not a hole (Baokun Li) [Orabug: 
36964233] {CVE-2024-42304}
- ext4: check dot and dotdot of dx_root before making dir indexed (Baokun Li) 
[Orabug: 36964238] {CVE-2024-42305}
- m68k: amiga: Turn off Warp1260 interrupts during boot (Paolo Pisati) 
- drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes (Ma Ke) 
[Orabug: 36964254] {CVE-2024-42309}
- drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes (Ma Ke) 
[Orabug: 36964261] {CVE-2024-42310}
- hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() (Chao 
Yu) [Orabug: 36964266] {CVE-2024-42311}
- media: venus: fix use after free in vdec_close (Dikshita Agarwal) [Orabug: 
36964276] {CVE-2024-42313}
- ipv6: take care of scope when choosing the src addr (Nicolas Dichtel) 
- af_packet: Handle outgoing VLAN packets without hardware offloading (Chengen 
Du) 
- net: netconsole: Disable target before netpoll cleanup (Breno Leitao) 
- tick/broadcast: Make takeover of broadcast hrtimer reliable (Yu Liao) 
- nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro (Ryusuke Konishi) 
- fs/nilfs2: remove some unused macros to tame gcc (Alex Shi) 
- pinctrl: freescale: mxs: Fix refcount of child (Peng Fan) 
- pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails 
(Yang Yingliang) 
- pinctrl: ti: ti-iodelay: Drop if block with always false condition (Uwe 
Kleine-König) 
- pinctrl: single: fix possible memory leak when pinctrl_enable() fails (Yang 
Yingliang) 
- pinctrl: core: fix possible memory leak when pinctrl_enable() fails (Yang 
Yingliang) 
- netfilter: ctnetlink: use helper function to calculate expect ID (Pablo Neira 
Ayuso) [Orabug: 37013756] {CVE-2024-44944}
- bnxt_re: Fix imm_data endianness (Jack Wang) 
- macintosh/therm_windtunnel: fix module unload. (Nick Bowler) 
- powerpc/xmon: Fix disassembly CPU feature checks (Michael Ellerman) 
- Input: elan_i2c - do not leave interrupt disabled on suspend failure (Dmitry 
Torokhov) 
- mtd: make mtd_test.c a separate module (Arnd Bergmann) 
- RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs (Honggang LI) 
- RDMA/mlx4: Fix truncated output warning in alias_GUID.c (Leon Romanovsky) 
- RDMA/mlx4: Fix truncated output warning in mad.c (Leon Romanovsky) 
- PCI: Fix resource double counting on remove & rescan (Ilpo Järvinen) 
- PCI: Equalize hotplug memory and io for occupied and empty slots (Jon 
Derrick) 
- sparc64: Fix incorrect function signature and add prototype for prom_cif_init 
(Andreas Larsson) 
- ext4: avoid writing unitialized memory to disk in EA inodes (Jan Kara) 
- drm/etnaviv: fix DMA direction handling for cached RW buffers (Lucas Stach) 
- perf report: Fix condition in sort__sym_cmp() (Namhyung Kim) 
- media: renesas: vsp1: Store RPF partition configuration per RPF instance 
(Laurent Pinchart) 
- media: renesas: vsp1: Fix _irqsave and _irq mix (Laurent Pinchart) 
- media: v4l: vsp1: Store pipeline pointer in vsp1_entity (Laurent Pinchart) 
- saa7134: Unchecked i2c_transfer function result fixed (Aleksandr Burakov) 
- media: imon: Fix race getting ictx->lock (Ricardo Ribalda) 
- bna: adjust 'name' buf size of bna_tcb and bna_ccb structures (Alexey 
Kodanev) [Orabug: 36964481] {CVE-2024-43839}
- perf: Prevent passing zero nr_pages to rb_alloc_aux() (Adrian Hunter) 
- perf: Fix perf_aux_size() for greater-than 32-bit size (Adrian Hunter) 
- net: fec: Fix FEC_ECR_EN1588 being cleared on link-down (Csókás, Bence) 
- net: fec: Refactor: #define magic constants (Csókás Bence) 
- wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device (Samasth 
Norway Ananda) 
- m68k: cmpxchg: Fix return value for default case in __arch_xchg() (Thorsten 
Blum) 
- x86/xen: Convert comma to semicolon (Chen Ni) 
- m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages (Eero 
Tamminen) 
- arm64: dts: rockchip: Increase VOP clk rate on RK3328 (Jonas Karlman) 
- hwmon: (max6697) Fix swapped temp{1,8} critical alarms (Guenter Roeck) 
- hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO} (Guenter 
Roeck) 
- hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants (Guenter Roeck) 
- hwmon: (max6697) Fix underflow when writing limit attributes (Guenter Roeck) 
- pwm: stm32: Always do lazy disabling (Uwe Kleine-König) 
- hwmon: (adt7475) Fix default duty on fan is disabled (Wayne Tung) 
- x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos (Ilpo 
Järvinen) 
- x86/pci/xen: Fix PCIBIOS_* return code handling (Ilpo Järvinen) 
- x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling (Ilpo Järvinen) 
- x86/of: Return consistent error type from x86_of_pci_irq_enable() (Ilpo 
Järvinen) 
- platform/chrome: cros_ec_debugfs: fix wrong EC message version (Tzung-Bi Shih)

[4.14.35-2047.543.1.el7uek]
- A/A Bonding: check port count during RDMA device addition (Arumugam Kolappan) 
 [Orabug: 37202761]
- net/mlx5: E-Switch, Increase supported number of forward destinations to 32 
(Maor Dickman)  [Orabug: 36817112]
- net/mlx5e: Parse mirroring action for offloaded TC eswitch flows (Chris Mi)  
[Orabug: 36817112]


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata

Reply via email to