Oracle Linux Security Advisory ELSA-2024-12868 http://linux.oracle.com/errata/ELSA-2024-12868.html
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network: x86_64: kernel-uek-4.14.35-2047.543.3.el7uek.x86_64.rpm kernel-uek-debug-4.14.35-2047.543.3.el7uek.x86_64.rpm kernel-uek-debug-devel-4.14.35-2047.543.3.el7uek.x86_64.rpm kernel-uek-devel-4.14.35-2047.543.3.el7uek.x86_64.rpm kernel-uek-tools-4.14.35-2047.543.3.el7uek.x86_64.rpm kernel-uek-doc-4.14.35-2047.543.3.el7uek.noarch.rpm SRPMS: http://oss.oracle.com/ol7/SRPMS-updates//kernel-uek-4.14.35-2047.543.3.el7uek.src.rpm Related CVEs: CVE-2019-15222 CVE-2021-33655 CVE-2021-3759 CVE-2023-31083 CVE-2024-36971 CVE-2024-42131 CVE-2024-42228 CVE-2024-42259 CVE-2024-42265 CVE-2024-42271 CVE-2024-42280 CVE-2024-42284 CVE-2024-42285 CVE-2024-42289 CVE-2024-42295 CVE-2024-42297 CVE-2024-42301 CVE-2024-42304 CVE-2024-42305 CVE-2024-42309 CVE-2024-42310 CVE-2024-42311 CVE-2024-42313 CVE-2024-43839 CVE-2024-43853 CVE-2024-43854 CVE-2024-43856 CVE-2024-43858 CVE-2024-43860 CVE-2024-43861 CVE-2024-43871 CVE-2024-43882 CVE-2024-43883 CVE-2024-43884 CVE-2024-43890 CVE-2024-43893 CVE-2024-43914 CVE-2024-44944 CVE-2024-44946 CVE-2024-44947 CVE-2024-44948 CVE-2024-44954 CVE-2024-44960 CVE-2024-44968 CVE-2024-44987 CVE-2024-44998 CVE-2024-44999 CVE-2024-45008 CVE-2024-45021 CVE-2024-45028 CVE-2024-46673 CVE-2024-46674 CVE-2024-46675 CVE-2024-46677 CVE-2024-46685 CVE-2024-46721 CVE-2024-46722 CVE-2024-46723 CVE-2024-46743 CVE-2024-46744 CVE-2024-46745 CVE-2024-46750 CVE-2024-46755 CVE-2024-46756 CVE-2024-46757 CVE-2024-46758 CVE-2024-46759 CVE-2024-46761 CVE-2024-46771 CVE-2024-46780 CVE-2024-46781 CVE-2024-46800 CVE-2024-46829 CVE-2024-46840 CVE-2024-46844 CVE-2024-47669 CVE-2024-47696 CVE-2024-47709 CVE-2024-49958 CVE-2024-50074 Description of changes: [4.14.35-2047.543.3.el7uek] - rds: Add rds stuck shutdown timeout (Rohit Nair) [Orabug: 37214079] - gtp: allow -1 to be specified as file description from userspace (Pablo Neira Ayuso) - ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin (Takashi Iwai) - can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). (Kuniyuki Iwashima) - RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency (Zhu Yanjun) - parport: Proper fix for array out-of-bounds access (Takashi Iwai) - net: usb: usbnet: fix name regression (Oliver Neukum) - Revert "driver core: Fix uevent_show() vs driver detach race" (Greg Kroah-Hartman) - pinctrl: single: fix missing error code in pcs_probe() (Yang Yingliang) [4.14.35-2047.543.2.el7uek] - igb: Do not free the irq resources if they are already freed by igb_close() (Yifei Liu) [Orabug: 37208307] - ocfs2: reserve space for inline xattr before attaching reflink tree (Gautham Ananthakrishna) [Orabug: 37199021] {CVE-2024-49958} - Revert "ocfs2: ocfs2 crash due to invalid h_next_leaf_blk value in extent block" (Gautham Ananthakrishna) [Orabug: 37199021] - LTS version v4.14.355 (Yifei Liu) - Revert "parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367" (Greg Kroah-Hartman) - netns: restore ops before calling ops_exit_list (Li RongQing) - cx82310_eth: fix error return code in cx82310_bind() (Zhang Changzhong) - rtmutex: Drop rt_mutex::wait_lock before scheduling (Roland Xu) [Orabug: 37116447] {CVE-2024-46829} - locking/rtmutex: Handle non enqueued waiters gracefully in remove_waiter() (Peter Zijlstra) - drm/i915/fence: Mark debug_fence_free() with __maybe_unused (Andy Shevchenko) - ACPI: processor: Fix memory leaks in error paths of processor_add() (Jonathan Cameron) - ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() (Jonathan Cameron) - netns: add pre_exit method to struct pernet_operations (Eric Dumazet) - net: Add comment about pernet_operations methods and synchronization (Kirill Tkhai) - nilfs2: protect references to superblock parameters exposed in sysfs (Ryusuke Konishi) [Orabug: 37074678] {CVE-2024-46780} - nilfs2: replace snprintf in show functions with sysfs_emit (Qing Wang) - nilfs2: use time64_t internally (Arnd Bergmann) - tracing: Avoid possible softlockup in tracing_iter_reset() (Zheng Yejian) - ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance() (Steven Rostedt (VMware)) - uprobes: Use kzalloc to allocate xol area (Sven Schnelle) - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime (Jacky Bai) - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX (Jacky Bai) - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc (Geert Uytterhoeven) - iio: fix scale application in iio_convert_raw_to_processed_unlocked (Matteo Martelli) - iio: buffer-dmaengine: fix releasing dma channel on error (David Lechner) - ata: pata_macio: Use WARN instead of BUG (Michael Ellerman) - of/irq: Prevent device address out-of-bounds read in interrupt map walk (Stefan Wiehler) [Orabug: 37074490] {CVE-2024-46743} - Squashfs: sanity check symbolic link size (Phillip Lougher) [Orabug: 37074496] {CVE-2024-46744} - usbnet: ipheth: race between ipheth_close and error handling (Oliver Neukum) - Input: uinput - reject requests with unreasonable number of slots (Dmitry Torokhov) [Orabug: 37074504] {CVE-2024-46745} - btrfs: initialize location to fix -Wmaybe-uninitialized in btrfs_lookup_dentry() (David Sterba) - PCI: Add missing bridge lock to pci_bus_lock() (Dan Williams) [Orabug: 37074533] {CVE-2024-46750} - btrfs: clean up our handling of refs == 0 in snapshot delete (Josef Bacik) [Orabug: 37116495] {CVE-2024-46840} - btrfs: replace BUG_ON with ASSERT in walk_down_proc() (Josef Bacik) - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu() (Zqiang) - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() (Sascha Hauer) [Orabug: 37074562] {CVE-2024-46755} - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes (Guenter Roeck) [Orabug: 37074567] {CVE-2024-46756} - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes (Guenter Roeck) [Orabug: 37074572] {CVE-2024-46757} - hwmon: (lm95234) Fix underflows seen when writing limit attributes (Guenter Roeck) [Orabug: 37074580] {CVE-2024-46758} - hwmon: (adc128d818) Fix underflows seen when writing limit attributes (Guenter Roeck) [Orabug: 37074586] {CVE-2024-46759} - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv (Krishna Kumar) [Orabug: 37074596] {CVE-2024-46761} - devres: Initialize an uninitialized struct member (Zijun Hu) - um: line: always fill *error_out in setup_one_line() (Johannes Berg) [Orabug: 37116519] {CVE-2024-46844} - cgroup: Protect css->cgroup write under css_set_lock (Waiman Long) - iommu/vt-d: Handle volatile descriptor status read (Jacob Pan) - rfkill: fix spelling mistake contidion to condition (Richard Guy Briggs) - usbnet: modern method to get random MAC (Oliver Neukum) - net: usb: don't write directly to netdev->dev_addr (Jakub Kicinski) - drivers/net/usb: Remove all strcpy() uses (Len Baker) - cx82310_eth: re-enable ethernet mode after router reboot (Ondrej Zary) - igb: Fix not clearing TimeSync interrupts for 82580 (Daiwei Li) - can: bcm: Remove proc entry when dev is unregistered. (Kuniyuki Iwashima) [Orabug: 37074626] {CVE-2024-46771} - pcmcia: Use resource_size function on resource object (Jules Irenge) - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse (Chen Ni) - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3 (Arend van Spriel) - af_unix: Remove put_pid()/put_cred() in copy_peercred(). (Kuniyuki Iwashima) - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 (Pali Rohár) - smack: unix sockets: fix accept()ed socket label (Konstantin Andreev) - ALSA: hda: Add input value sanity checks to HDMI channel map controls (Takashi Iwai) - nilfs2: fix state management in error path of log writing function (Ryusuke Konishi) [Orabug: 37159766] {CVE-2024-47669} - nilfs2: fix missing cleanup on rollforward recovery error (Ryusuke Konishi) [Orabug: 37074685] {CVE-2024-46781} - fuse: use unsigned type for getxattr/listxattr size truncation (Jann Horn) - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K (Sam Protsenko) - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices (Christoffer Sandberg) - sch/netem: fix use after free in netem_dequeue (Stephen Hemminger) [Orabug: 37074727] {CVE-2024-46800} - ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check (Hillf Danton) [Orabug: 30562949] {CVE-2019-15222} - ALSA: usb-audio: Sanity checks for each pipe and EP types (Takashi Iwai) - ALSA: usb-audio: add boot quirk for Axe-Fx III (Alberto Aguirre) - udf: Limit file size to 4TB (Jan Kara) - block: initialize integrity buffer to zero before writing it to media (Christoph Hellwig) [Orabug: 36964517] {CVE-2024-43854} - media: uvcvideo: Enforce alignment of frame and interval (Ricardo Ribalda) - smack: tcp: ipv4, fix incorrect labeling (Casey Schaufler) - usbip: Don't submit special requests twice (Simon Holesch) - apparmor: fix possible NULL pointer dereference (Leesoo Ahn) [Orabug: 37073079] {CVE-2024-46721} - drm/amdgpu: fix mc_data out-of-bounds read warning (Tim Huang) [Orabug: 37073084] {CVE-2024-46722} - drm/amdgpu: fix ucode out-of-bounds read warning (Tim Huang) [Orabug: 37073089] {CVE-2024-46723} - drm/amdgpu: fix overflowed array index read warning (Tim Huang) - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr (Ma Jun) - usb: dwc3: st: add missing depopulate in probe error path (Krzysztof Kozlowski) - usb: dwc3: st: Add of_node_put() before return in probe function (Nishka Dasgupta) - net: usb: qmi_wwan: add MeiG Smart SRM825L (ZHANG Yuntian) - LTS version v4.14.354 (Yifei Liu) - drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var (Daniel Vetter) - ipc: remove memcg accounting for sops objects in do_semtimedop() (Vasily Averin) - scsi: aacraid: Fix double-free on probe failure (Ben Hutchings) [Orabug: 37070701] {CVE-2024-46673} - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() (Zijun Hu) - usb: dwc3: st: fix probed platform device ref count on probe error path (Krzysztof Kozlowski) [Orabug: 37070706] {CVE-2024-46674} - usb: dwc3: core: Prevent USB core invalid event buffer address access (Selvarasu Ganesan) [Orabug: 37070711] {CVE-2024-46675} - usb: dwc3: omap: add missing depopulate in probe error path (Krzysztof Kozlowski) - USB: serial: option: add MeiG Smart SRM825L (ZHANG Yuntian) - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller (Ian Ray) - net: busy-poll: use ktime_get_ns() instead of local_clock() (Eric Dumazet) - gtp: fix a potential NULL pointer dereference (Cong Wang) [Orabug: 37070723] {CVE-2024-46677} - net: prevent mss overflow in skb_segment() (Eric Dumazet) - ida: Fix crash in ida_free when the bitmap is empty (Matthew Wilcox (Oracle)) - net:rds: Fix possible deadlock in rds_message_put (Allison Henderson) - fbmem: Check virtual screen sizes in fb_set_var() (Helge Deller) [Orabug: 34408909] {CVE-2021-33655} - fbcon: Prevent that screen size is smaller than font size (Helge Deller) [Orabug: 34408909] {CVE-2021-33655} - printk: Export is_console_locked (Hans de Goede) - memcg: enable accounting of ipc resources (Vasily Averin) [Orabug: 34214321] {CVE-2021-3759} - cgroup/cpuset: Prevent UAF in proc_cpuset_show() (Chen Ridong) [Orabug: 36964511] {CVE-2024-43853} - media: uvcvideo: Fix integer overflow calculating timestamp (Ricardo Ribalda) - media: uvcvideo: Use ktime_t for timestamps (Arnd Bergmann) - filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64 (Long Li) - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES (Damien Le Moal) - dm suspend: return -ERESTARTSYS instead of -EINTR (Mikulas Patocka) - wifi: mwifiex: duplicate static structs used in driver instances (Sascha Hauer) - pinctrl: single: fix potential NULL dereference in pcs_get_function() (Ma Ke) [Orabug: 37070745] {CVE-2024-46685} - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc (Jesse Zhang) [Orabug: 36898010] {CVE-2024-42228} - Input: MT - limit max slots (Tetsuo Handa) [Orabug: 37029138] {CVE-2024-45008} - Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO (Lee, Chun-Yi) [Orabug: 36654193] {CVE-2023-31083} - mmc: dw_mmc: allow biu and ciu clocks to defer (Ben Whitten) - HID: wacom: Defer calculation of resolution until resolution_code is known (Jason Gerecke) - Bluetooth: MGMT: Add error handling to pair_device() (Griffin Kroah-Hartman) [Orabug: 36992977] {CVE-2024-43884} - mmc: mmc_test: Fix NULL dereference on allocation failure (Dan Carpenter) [Orabug: 37070692] {CVE-2024-45028} - net: xilinx: axienet: Always disable promiscuous mode (Sean Anderson) - ipv6: prevent UAF in ip6_send_skb() (Eric Dumazet) [Orabug: 37029077] {CVE-2024-44987} - netfilter: nft_counter: Synchronize nft_counter_reset() against reader. (Sebastian Andrzej Siewior) - kcm: Serialise kcm_sendmsg() for the same socket. (Kuniyuki Iwashima) [Orabug: 37013762] {CVE-2024-44946} - Bluetooth: hci_core: Fix LE quote calculation (Luiz Augusto von Dentz) - Bluetooth: hci_core: Fix not handling link timeouts propertly (Luiz Augusto von Dentz) - Bluetooth: Make use of __check_timeout on hci_sched_le (Luiz Augusto von Dentz) - block: use "unsigned long" for blk_validate_block_size(). (Tetsuo Handa) - gtp: pull network headers in gtp_dev_xmit() (Eric Dumazet) [Orabug: 37029112] {CVE-2024-44999} - hrtimer: Prevent queuing of hrtimer without a function callback (Phil Chang) - nvmet-rdma: fix possible bad dereference when freeing rsps (Sagi Grimberg) - ext4: set the type of max_zeroout to unsigned int to avoid overflow (Baokun Li) - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc (Guanrui Huang) - usb: dwc3: core: Skip setting event buffers for host only controllers (Krishna Kurapati) - s390/iucv: fix receive buffer virtual vs physical address confusion (Alexander Gordeev) - openrisc: Call setup_memory() earlier in the init sequence (Oreoluwa Babatunde) - NFS: avoid infinite loop in pnfs_update_layout. (NeilBrown) - Bluetooth: bnep: Fix out-of-bound access (Luiz Augusto von Dentz) - usb: gadget: fsl: Increase size of name buffer for endpoints (Uwe Kleine-König) - f2fs: fix to do sanity check in update_sit_entry (Zhiguo Niu) - btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() (David Sterba) - btrfs: send: handle unexpected data in header buffer in begin_cmd() (David Sterba) - btrfs: handle invalid root reference found in may_destroy_subvol() (David Sterba) - btrfs: change BUG_ON to assertion when checking for delayed_node root (David Sterba) - powerpc/boot: Only free if realloc() succeeds (Michael Ellerman) - powerpc/boot: Handle allocation failure in simple_realloc() (Li zeming) - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 (Helge Deller) - md: clean up invalid BUG_ON in md_ioctl (Li Nan) - net/sun3_82586: Avoid reading past buffer in debug output (Kees Cook) - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() (Justin Tee) - fs: binfmt_elf_efpic: don't use missing interpreter's properties (Max Filippov) - media: pci: cx23885: check cx23885_vdev_init() return (Hans Verkuil) - quota: Remove BUG_ON from dqget() (Jan Kara) - ext4: do not trim the group with corrupted block bitmap (Baokun Li) - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu (Kunwu Chan) - wifi: iwlwifi: abort scan when rfkill on but device enabled (Miri Korenblit) - gfs2: setattr_chown: Add missing initialization (Andreas Gruenbacher) - scsi: spi: Fix sshdr use (Mike Christie) - binfmt_misc: cleanup on filesystem umount (Christian Brauner) - staging: ks7010: disable bh on tx_dev_lock (Chengfeng Ye) - wifi: cw1200: Avoid processing an invalid TIM IE (Jeff Johnson) - ssb: Fix division by zero issue in ssb_calc_clock_rate (Rand Deeb) - atm: idt77252: prevent use after free in dequeue_rx() (Dan Carpenter) [Orabug: 37029106] {CVE-2024-44998} - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() (Alexander Lobakin) - overflow: Implement size_t saturating arithmetic helpers (Kees Cook) - overflow.h: Add flex_array_size() helper (Gustavo A. R. Silva) - s390/cio: rename bitmap_size() -> idset_bitmap_size() (Alexander Lobakin) - memcg_write_event_control(): fix a user-triggerable oops (Al Viro) [Orabug: 37070673] {CVE-2024-45021} - drm/amdgpu: Actually check flags for all context ops. (Bas Nieuwenhuizen) - selinux: fix potential counting error in avc_add_xperms_decision() (Zhen Lei) - include/linux/bitmap.h: make bitmap_fill() and bitmap_zero() consistent (Andy Shevchenko) - dm persistent data: fix memory allocation failure (Mikulas Patocka) - dm resume: don't return EINVAL when signalled (Khazhismel Kumykov) - ALSA: usb-audio: Support Yamaha P-125 quirk entry (Juan José Arboleda) - fuse: Initialize beyond-EOF page contents before setting uptodate (Jann Horn) [Orabug: 37017952] {CVE-2024-44947} - LTS version v4.14.353 (Yifei Liu) - net: fix __dst_negative_advice() race (Eric Dumazet) [Orabug: 36720418] {CVE-2024-36971} - nvme/pci: Add APST quirk for Lenovo N60z laptop (WangYuli) - exec: Fix ToCToU between perm check and set-uid/gid usage (Kees Cook) [Orabug: 36984018] {CVE-2024-43882} - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation (Andi Shyti) [Orabug: 36953970] {CVE-2024-42259} - drm/i915: Try GGTT mmapping whole object as partial (Chris Wilson) - netfilter: nf_tables: set element extended ACK reporting support (Pablo Neira Ayuso) - kbuild: Fix '-S -c' in x86 stack protector scripts (Nathan Chancellor) - drm/mgag200: Set DDC timeout in milliseconds (Thomas Zimmermann) - drm/bridge: analogix_dp: properly handle zero sized AUX transactions (Lucas Stach) - drm/bridge: analogix_dp: Properly log AUX CH errors (Douglas Anderson) - drm/bridge: analogix_dp: Reset aux channel if an error occurred (Lin Huang) - drm/bridge: analogix_dp: Check AUX_EN status when doing AUX transfer (Lin Huang) - x86/mtrr: Check if fixed MTRRs exist before saving them (Andi Kleen) [Orabug: 37028937] {CVE-2024-44948} - tracing: Fix overflow in get_free_elt() (Tze-nan Wu) [Orabug: 36992999] {CVE-2024-43890} - power: supply: axp288_charger: Round constant_charge_voltage writes down (Hans de Goede) - power: supply: axp288_charger: Fix constant_charge_voltage writes (Hans de Goede) - serial: core: check uartclk for zero to avoid divide by zero (George Kennedy) [Orabug: 36993010] {CVE-2024-43893} - ntp: Safeguard against time_constant overflow (Justin Stitt) - ntp: Clamp maxerror and esterror to operating range (Justin Stitt) - tick/broadcast: Move per CPU pointer access into the atomic section (Thomas Gleixner) [Orabug: 37242882] {CVE-2024-44968} - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic (Vamshi Gajjela) - usb: gadget: core: Check for unset descriptor (Chris Wulff) [Orabug: 37028989] {CVE-2024-44960} - USB: serial: debug: do not echo input by default (Marek Marczykowski-Górecki) - usb: vhci-hcd: Do not drop references before new references are gained (Oliver Neukum) [Orabug: 36992972] {CVE-2024-43883} - ALSA: line6: Fix racy access to midibuf (Takashi Iwai) [Orabug: 37028959] {CVE-2024-44954} - spi: spi-fsl-lpspi: Fix scldiv calculation (Stefan Wahren) - spi: fsl-lpspi: remove unneeded array (Oleksandr Suvorov) - spi: lpspi: add the error info of transfer speed setting (Clark Wang) - spi: lpspi: Add i.MX8 boards support for lpspi (Clark Wang) - spi: lpspi: Let watermark change with send data length (Clark Wang) - spi: lpspi: Add slave mode support (Clark Wang) - spi: lpspi: Replace all "master" with "controller" (Clark Wang) - spi: lpspi: Switch to SPDX identifier (Fabio Estevam) - i2c: smbus: Send alert notifications to all devices if source not found (Guenter Roeck) - i2c: smbus: Improve handling of stuck alerts (Guenter Roeck) - i2c: smbus: Don't filter out duplicate alerts (Corey Minyard) - ext4: fix wrong unit use in ext4_mb_find_by_goal (Kemeng Shi) - SUNRPC: Fix a race to wake a sync task (Benjamin Coddington) - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer (Kemeng Shi) - media: uvcvideo: Fix the bandwdith quirk on USB 3.x (Michal Pecio) - media: uvcvideo: Ignore empty TS packets (Ricardo Ribalda) - btrfs: fix bitmap leak when loading free space cache on duplicate entry (Filipe Manana) - wifi: nl80211: don't give key data to userspace (Johannes Berg) - udf: prevent integer overflow in udf_bitmap_free_blocks() (Roman Smirnov) - udf: Fix signed/unsigned format specifiers (Steve Magnani) - PCI: Add Edimax Vendor ID to pci_ids.h (FUJITA Tomonori) - clocksource/drivers/sh_cmt: Address race condition for clock events (Niklas Söderlund) - md/raid5: avoid BUG_ON() while continue reshape after reassembling (Yu Kuai) [Orabug: 36993128] {CVE-2024-43914} - net: fec: Stop PPS on driver remove (Csókás, Bence) - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() (Dmitry Antipov) - net: linkwatch: use system_unbound_wq (Eric Dumazet) - net: usb: qmi_wwan: fix memory leak for not ip packets (Daniele Palmas) [Orabug: 36983960] {CVE-2024-43861} - irqchip/mbigen: Fix mbigen node address layout (Yipeng Zou) - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read (Ma Ke) - ALSA: usb-audio: Correct surround channels in UAC1 channel map (Takashi Iwai) - protect the fetch of ->fd[fd] in do_dup2() from mispredictions (Al Viro) [Orabug: 36963809] {CVE-2024-42265} - ipv6: fix ndisc_is_useropt() handling for PIO (Maciej Żenczykowski) - net/iucv: fix use after free in iucv_sock_close() (Alexandra Winter) [Orabug: 36964007] {CVE-2024-42271} - drm/vmwgfx: Fix overlay when using Screen Targets (Ian Forbes) - remoteproc: imx_rproc: Skip over memory region when node value is NULL (Aleksandr Mishin) [Orabug: 36964539] {CVE-2024-43860} - remoteproc: imx_rproc: Fix ignoring mapping vdev regions (Dong Aisheng) - remoteproc: imx_rproc: ignore mapping vdev regions (Peng Fan) - perf/x86/intel/pt: Fix a topa_entry base address calculation (Adrian Hunter) - perf/x86/intel/pt: Split ToPA metadata and page layout (Alexander Shishkin) - perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation (Alexander Shishkin) - perf/x86/intel/pt: Use helpers to obtain ToPA entry size (Alexander Shishkin) - devres: Fix memory leakage caused by driver API devm_free_percpu() (Zijun Hu) [Orabug: 36983992] {CVE-2024-43871} - driver core: Cast to (void *) with __force for __percpu pointer (Andy Shevchenko) - dev/parport: fix the array out-of-bounds risk (tuhaowen) [Orabug: 36964224] {CVE-2024-42301} - parport: Standardize use of printmode (Joe Perches) to pr_<level>( (Joe Perches) - parport: parport_pc: Mark expected switch fall-through (Gustavo A. R. Silva) - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio (Manivannan Sadhasivam) - PCI: rockchip: Make 'ep-gpios' DT property optional (Chen-Yu Tsai) - mm: avoid overflows in dirty throttling logic (Jan Kara) [Orabug: 36897804] {CVE-2024-42131} - mISDN: Fix a use after free in hfcmulti_tx() (Dan Carpenter) [Orabug: 36964033] {CVE-2024-42280} - tipc: Return non-zero value from tipc_udp_addr2str() on error (Shigeru Yoshida) [Orabug: 36964048] {CVE-2024-42284} - net: bonding: correctly annotate RCU in bond_should_notify_peers() (Johannes Berg) - ipv4: Fix incorrect source address in Record Route option (Ido Schimmel) - net: ip_rt_get_source() - use new style struct initializer instead of memset (Maciej Żenczykowski) - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later (Gregory CLEMENT) - dma: fix call order in dmam_free_coherent (Lance Richardson) [Orabug: 36964524] {CVE-2024-43856} - jfs: Fix array-index-out-of-bounds in diFree (Jeongjun Park) [Orabug: 36964531] {CVE-2024-43858} - kdb: address -Wformat-security warnings (Arnd Bergmann) - kdb: Fix bound check compiler warning (Wenlin Kang) - nilfs2: handle inconsistent state in nilfs_btnode_create_block() (Ryusuke Konishi) [Orabug: 36964204] {CVE-2024-42295} - selftests/sigaltstack: Fix ppc64 GCC build (Michael Ellerman) - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs (Bart Van Assche) [Orabug: 36964055] {CVE-2024-42285} - RDMA/iwcm: Remove a set-but-not-used variable (Bart Van Assche) - platform: mips: cpu_hwmon: Disable driver on unsupported hardware (Jiaxun Yang) - watchdog/perf: properly initialize the turbo mode timestamp and rearm counter (Thomas Gleixner) - perf/x86/intel/pt: Fix topa_entry base length (Marco Cavenati) - scsi: qla2xxx: During vport delete send async logout explicitly (Manish Rangankar) [Orabug: 36964081] {CVE-2024-42289} - decompress_bunzip2: fix rare decompression failure (Ross Lagerwall) - ubi: eba: properly rollback inside self_check_eba (Fedor Pchelkin) - f2fs: fix to don't dirty inode for readonly filesystem (Chao Yu) [Orabug: 36964214] {CVE-2024-42297} - f2fs: prevent newly created inode from being dirtied incorrectly (Daeho Jeong) - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds (Saurav Kashyap) - binder: fix hang of unregistered readers (Carlos Llamas) - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN (Wei Liu) - hwrng: amd - Convert PCIBIOS_* return codes to errnos (Ilpo Järvinen) - leds: ss4200: Convert PCIBIOS_* return codes to errnos (Ilpo Järvinen) - wifi: mwifiex: Fix interface type change (Rafael Beims) - ext4: make sure the first directory block is not a hole (Baokun Li) [Orabug: 36964233] {CVE-2024-42304} - ext4: check dot and dotdot of dx_root before making dir indexed (Baokun Li) [Orabug: 36964238] {CVE-2024-42305} - m68k: amiga: Turn off Warp1260 interrupts during boot (Paolo Pisati) - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes (Ma Ke) [Orabug: 36964254] {CVE-2024-42309} - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes (Ma Ke) [Orabug: 36964261] {CVE-2024-42310} - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() (Chao Yu) [Orabug: 36964266] {CVE-2024-42311} - media: venus: fix use after free in vdec_close (Dikshita Agarwal) [Orabug: 36964276] {CVE-2024-42313} - ipv6: take care of scope when choosing the src addr (Nicolas Dichtel) - af_packet: Handle outgoing VLAN packets without hardware offloading (Chengen Du) - net: netconsole: Disable target before netpoll cleanup (Breno Leitao) - tick/broadcast: Make takeover of broadcast hrtimer reliable (Yu Liao) - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro (Ryusuke Konishi) - fs/nilfs2: remove some unused macros to tame gcc (Alex Shi) - pinctrl: freescale: mxs: Fix refcount of child (Peng Fan) - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails (Yang Yingliang) - pinctrl: ti: ti-iodelay: Drop if block with always false condition (Uwe Kleine-König) - pinctrl: single: fix possible memory leak when pinctrl_enable() fails (Yang Yingliang) - pinctrl: core: fix possible memory leak when pinctrl_enable() fails (Yang Yingliang) - netfilter: ctnetlink: use helper function to calculate expect ID (Pablo Neira Ayuso) [Orabug: 37013756] {CVE-2024-44944} - bnxt_re: Fix imm_data endianness (Jack Wang) - macintosh/therm_windtunnel: fix module unload. (Nick Bowler) - powerpc/xmon: Fix disassembly CPU feature checks (Michael Ellerman) - Input: elan_i2c - do not leave interrupt disabled on suspend failure (Dmitry Torokhov) - mtd: make mtd_test.c a separate module (Arnd Bergmann) - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs (Honggang LI) - RDMA/mlx4: Fix truncated output warning in alias_GUID.c (Leon Romanovsky) - RDMA/mlx4: Fix truncated output warning in mad.c (Leon Romanovsky) - PCI: Fix resource double counting on remove & rescan (Ilpo Järvinen) - PCI: Equalize hotplug memory and io for occupied and empty slots (Jon Derrick) - sparc64: Fix incorrect function signature and add prototype for prom_cif_init (Andreas Larsson) - ext4: avoid writing unitialized memory to disk in EA inodes (Jan Kara) - drm/etnaviv: fix DMA direction handling for cached RW buffers (Lucas Stach) - perf report: Fix condition in sort__sym_cmp() (Namhyung Kim) - media: renesas: vsp1: Store RPF partition configuration per RPF instance (Laurent Pinchart) - media: renesas: vsp1: Fix _irqsave and _irq mix (Laurent Pinchart) - media: v4l: vsp1: Store pipeline pointer in vsp1_entity (Laurent Pinchart) - saa7134: Unchecked i2c_transfer function result fixed (Aleksandr Burakov) - media: imon: Fix race getting ictx->lock (Ricardo Ribalda) - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures (Alexey Kodanev) [Orabug: 36964481] {CVE-2024-43839} - perf: Prevent passing zero nr_pages to rb_alloc_aux() (Adrian Hunter) - perf: Fix perf_aux_size() for greater-than 32-bit size (Adrian Hunter) - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down (Csókás, Bence) - net: fec: Refactor: #define magic constants (Csókás Bence) - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device (Samasth Norway Ananda) - m68k: cmpxchg: Fix return value for default case in __arch_xchg() (Thorsten Blum) - x86/xen: Convert comma to semicolon (Chen Ni) - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages (Eero Tamminen) - arm64: dts: rockchip: Increase VOP clk rate on RK3328 (Jonas Karlman) - hwmon: (max6697) Fix swapped temp{1,8} critical alarms (Guenter Roeck) - hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO} (Guenter Roeck) - hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants (Guenter Roeck) - hwmon: (max6697) Fix underflow when writing limit attributes (Guenter Roeck) - pwm: stm32: Always do lazy disabling (Uwe Kleine-König) - hwmon: (adt7475) Fix default duty on fan is disabled (Wayne Tung) - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos (Ilpo Järvinen) - x86/pci/xen: Fix PCIBIOS_* return code handling (Ilpo Järvinen) - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling (Ilpo Järvinen) - x86/of: Return consistent error type from x86_of_pci_irq_enable() (Ilpo Järvinen) - platform/chrome: cros_ec_debugfs: fix wrong EC message version (Tzung-Bi Shih) [4.14.35-2047.543.1.el7uek] - A/A Bonding: check port count during RDMA device addition (Arumugam Kolappan) [Orabug: 37202761] - net/mlx5: E-Switch, Increase supported number of forward destinations to 32 (Maor Dickman) [Orabug: 36817112] - net/mlx5e: Parse mirroring action for offloaded TC eswitch flows (Chris Mi) [Orabug: 36817112] _______________________________________________ El-errata mailing list El-errata@oss.oracle.com https://oss.oracle.com/mailman/listinfo/el-errata