Oracle Linux Security Advisory ELSA-2025-20521 http://linux.oracle.com/errata/ELSA-2025-20521.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: kernel-uek-5.4.17-2136.346.6.el8uek.x86_64.rpm kernel-uek-container-5.4.17-2136.346.6.el8uek.x86_64.rpm kernel-uek-container-debug-5.4.17-2136.346.6.el8uek.x86_64.rpm kernel-uek-debug-5.4.17-2136.346.6.el8uek.x86_64.rpm kernel-uek-debug-devel-5.4.17-2136.346.6.el8uek.x86_64.rpm kernel-uek-devel-5.4.17-2136.346.6.el8uek.x86_64.rpm kernel-uek-doc-5.4.17-2136.346.6.el8uek.noarch.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/kernel-uek-5.4.17-2136.346.6.el8uek.src.rpm Related CVEs: CVE-2023-6931 CVE-2024-36350 CVE-2024-36357 CVE-2024-38541 CVE-2024-56655 CVE-2025-37819 CVE-2025-37890 CVE-2025-37909 CVE-2025-37913 CVE-2025-37915 CVE-2025-37923 CVE-2025-37927 CVE-2025-37932 CVE-2025-37949 CVE-2025-37953 CVE-2025-37969 CVE-2025-37970 CVE-2025-37990 CVE-2025-37991 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-37998 CVE-2025-38000 CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38023 CVE-2025-38024 CVE-2025-38034 CVE-2025-38035 CVE-2025-38037 CVE-2025-38044 CVE-2025-38051 CVE-2025-38058 CVE-2025-38061 CVE-2025-38065 CVE-2025-38066 CVE-2025-38072 CVE-2025-38075 CVE-2025-38078 CVE-2025-38079 Description of changes: [5.4.17-2136.346.6.el8uek] - net/mlx5: Add poll-eq API to be used by ULP's (Praveen Kumar Kannoju) [Orabug: 38109070] - net/rds: poll eq during user-reset (Praveen Kumar Kannoju) [Orabug: 38189315] [5.4.17-2136.346.5.el8uek] - perf: Fix perf_event_validate_size() lockdep splat (Mark Rutland) [Orabug: 36261486] {CVE-2023-6931} - perf: Fix perf_event_validate_size() (Peter Zijlstra) [Orabug: 36261486] {CVE-2023-6931} - net/mlx5: set graceful_period to 0 to allow multiple transmission queue recovery (Praveen Kumar Kannoju) [Orabug: 38182891] [5.4.17-2136.346.4.el8uek] - pwm: mediatek: Ensure to disable clocks in error path (Uwe Kleine-König) - Revert "mmc: sdhci: Disable SD card clock before changing parameters" (Ulf Hansson) - net/sched: Always pass notifications when child class becomes empty (Lion Ackermann) [5.4.17-2136.346.3.el8uek] - x86/bpf: Classic BPF program can fail when BHB barrier is used (Alexandre Chartre) [Orabug: 38151403] - Add Zen34 clients (Borislav Petkov) [Orabug: 38172250] {CVE-2024-36350,CVE-2024-36357} - x86/process: Move the buffer clearing before MONITOR (Kim Phillips) [Orabug: 38172250] {CVE-2024-36350,CVE-2024-36357} - KVM: SVM: Advertize TSA CPUID bits to guests (Borislav Petkov) [Orabug: 38172250] {CVE-2024-36350,CVE-2024-36357} - x86/bugs: Add a Transient Scheduler Attacks mitigation (Borislav Petkov) [Orabug: 38172250] {CVE-2024-36350,CVE-2024-36357} - KVM: x86: add support for CPUID leaf 0x80000021 (Paolo Bonzini) [Orabug: 38172250] {CVE-2024-36350,CVE-2024-36357} - x86/bugs: Rename MDS machinery to something more generic (Borislav Petkov) [Orabug: 38172250] {CVE-2024-36350,CVE-2024-36357} - x86/CPU/AMD: Add ZenX generations flags (Borislav Petkov) [Orabug: 38172250] {CVE-2024-36350,CVE-2024-36357} - x86/bugs: Free X86_BUG_AMD_APIC_C1E and X86_BUG_AMD_E400 bits (Boris Ostrovsky) [Orabug: 38172250] {CVE-2024-36350,CVE-2024-36357} [5.4.17-2136.346.2.el8uek] - Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older (Breno Leitao) - tracing: Fix compilation warning on arm32 (Pan Taixi) - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (Rafael J. Wysocki) - LTS tag: v5.4.294 (Alok Tiwari) - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (Mark Pearson) - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (Valtteri Koskivuori) - spi: spi-sun4i: fix early activation (Alessandro Grassi) - um: let 'make clean' properly clean underlying SUBARCH as well (Masahiro Yamada) - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (John Chau) - nfs: don't share pNFS DS connections between net namespaces (Jeff Layton) - HID: quirks: Add ADATA XPG alpha wireless mouse support (Milton Barrera) - coredump: hand a pidfd to the usermode coredump helper (Christian Brauner) - fork: use pidfd_prepare() (Christian Brauner) - pid: add pidfd_prepare() (Christian Brauner) - pidfd: check pid has attached task in fdinfo (Christian Brauner) - coredump: fix error handling for replace_fd() (Christian Brauner) - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (Pedro Tammela) [Orabug: 38049365] {CVE-2025-38001} - smb: client: Reset all search buffer pointers when releasing buffer (Zhaolong Wang) - smb: client: Fix use-after-free in cifs_fill_dirent (Zhaolong Wang) [Orabug: 38094972] {CVE-2025-38051} - drm/i915/gvt: fix unterminated-string-initialization warning (Jani Nikula) - netfilter: nf_tables: do not defer rule destruction via call_rcu (Florian Westphal) [Orabug: 38186911] {CVE-2024-56655} - netfilter: nf_tables: wait for rcu grace period on net_device removal (Pablo Neira Ayuso) - netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx (Florian Westphal) - kbuild: Disable -Wdefault-const-init-unsafe (Nathan Chancellor) - spi: spi-fsl-dspi: restrict register range for regmap access (Larisa Grigore) - mm/page_alloc.c: avoid infinite retries caused by cpuset race (Tianyang Zhang) - drm/edid: fixed the bug that hdr metadata was not reset (Feijuan Li) - llc: fix data loss when reading from a socket in llc_ui_recvmsg() (Gavrilov Ilia) - ALSA: pcm: Fix race of buffer access at PCM OSS layer (Takashi Iwai) [Orabug: 38095147] {CVE-2025-38078} - can: bcm: add missing rcu read protection for procfs content (Oliver Hartkopp) [Orabug: 38049371] {CVE-2025-38003} - can: bcm: add locking for bcm_op runtime updates (Oliver Hartkopp) [Orabug: 38049376] {CVE-2025-38004} - crypto: algif_hash - fix double free in hash_accept (Ivan Pravdin) [Orabug: 38095156] {CVE-2025-38079} - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (Cong Wang) [Orabug: 38049359] {CVE-2025-38000} - net: dwmac-sun8i: Use parsed internal PHY address instead of 1 (Paul Kocialkowski) - bridge: netfilter: Fix forwarding of fragmented packets (Ido Schimmel) - xfrm: Sanitize marks before insert (Paul Chaignon) - __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (Al Viro) [Orabug: 38095002] {CVE-2025-38058} - xenbus: Allow PVH dom0 a non-local xenstore (Jason Andryuk) - btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (Goldwyn Rodrigues) [Orabug: 38094858] {CVE-2025-38034} - nvmet-tcp: don't restore null sk_state_change (Alistair Francis) [Orabug: 38094865] {CVE-2025-38035} - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (Takashi Iwai) - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (Martin Blumenstingl) - drm: Add valid clones check (Jessica Zhang) - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (Simona Vetter) - regulator: ad5398: Add device tree support (Isaac Scott) - wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate (Bitterblue Smith) - bpftool: Fix readlink usage in get_fd_type (Viktor Malik) - HID: usbkbd: Fix the bit shift number for LED_KANA (Junan) - scsi: st: Restore some drive settings after reset (Kai Mäkisara) - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Justin Tee) - rcu: fix header guard for rcu_all_qs() (Ankur Arora) - rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y (Ankur Arora) - vxlan: Annotate FDB data races (Ido Schimmel) [Orabug: 38094881] {CVE-2025-38037} - hwmon: (xgene-hwmon) use appropriate type for the latency value (Andrey Vatoropin) - ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). (Kuniyuki Iwashima) - net/mlx5e: reduce rep rxq depth to 256 for ECPF (William Tu) - net/mlx5e: set the tx_queue_len for pfifo_fast (William Tu) - net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB (Alexei Lazar) - phy: core: don't require set_mode() callback for phy_get_mode() to work (Dmitry Baryshkov) - net/mlx4_core: Avoid impossible mlx4_db_alloc() order value (Kees Cook) - smack: recognize ipv4 CIPSO w/o categories (Konstantin Andreev) - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (Valentin Caron) - ASoC: ops: Enforce platform maximum on initial value (Martin Povišer) - net/mlx5: Apply rate-limiting to high temperature warning (Shahar Shitrit) - net/mlx5: Modify LSB bitmask in temperature event to include only the first bit (Shahar Shitrit) - ACPI: HED: Always initialize before evged (Xiaofei Tan) - PCI: Fix old_size lower bound in calculate_iosize() too (Ilpo Järvinen) - EDAC/ie31200: work around false positive build warning (Arnd Bergmann) - net: pktgen: fix access outside of user given buffer in pktgen_thread_write() (Peter Seiderer) [Orabug: 38095027] {CVE-2025-38061} - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (Bitterblue Smith) - scsi: mpt3sas: Send a diag reset if target reset fails (Shivasharan S) - MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core (Paul Burton) - MIPS: Use arch specific syscall name match function (Bibo Mao) - cpuidle: menu: Avoid discarding useful information (Rafael J. Wysocki) - x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() (Waiman Long) - bonding: report duplicate MAC address in all situations (Hangbin Liu) - net: xgene-v2: remove incorrect ACPI_PTR annotation (Arnd Bergmann) - drm/amdkfd: KFD release_work possible circular locking (Philip Yang) - net/mlx5: Avoid report two health errors on same syndrome (Moshe Shemesh) - fpga: altera-cvp: Increase credit timeout (Kuhanh Murugasen Krishnan) - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (AngeloGioacchino Del Regno) - hwmon: (gpio-fan) Add missing mutex locks (Alexander Stein) - x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 (Breno Leitao) - net: pktgen: fix mpls maximum labels list parsing (Peter Seiderer) - pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned" (Artur Weber) - media: cx231xx: set device_caps for 417 (Hans Verkuil) [Orabug: 38094937] {CVE-2025-38044} - orangefs: Do not truncate file size (Matthew Wilcox) [Orabug: 38095058] {CVE-2025-38065} - dm cache: prevent BUG_ON by blocking retries on failed device resumes (Ming-Hung Tsai) [Orabug: 38095065] {CVE-2025-38066} - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (Markus Elfring) - ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114 (Svyatoslav Ryhel) - ieee802154: ca8210: Use proper setters and getters for bitwise types (Andy Shevchenko) - rtc: ds1307: stop disabling alarms on probe (Alexandre Belloni) - powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7 (Andreas Schwab) - mmc: sdhci: Disable SD card clock before changing parameters (Erick Shepherd) - netfilter: conntrack: Bound nf_conntrack sysctl writes (Nicolas Bouchinet) - posix-timers: Add cond_resched() to posix_timer_add() search loop (Eric Dumazet) - xen: Add support for XenServer 6.1 platform device (Frediano Ziglio) - dm: restrict dm device size to 2^63-512 bytes (Mikulas Patocka) - kbuild: fix argument parsing in scripts/config (Seyediman Seyedarab) - scsi: st: ERASE does not change tape location (Kai Mäkisara) - scsi: st: Tighten the page format heuristics with MODE SELECT (Kai Mäkisara) - ext4: reorder capability check last (Christian Göttsche) - um: Update min_low_pfn to match changes in uml_reserved (Tiwei Bie) - um: Store full CSGSFS and SS register from mcontext (Benjamin Berg) - btrfs: send: return -ENAMETOOLONG when attempting a path that is too long (Filipe Manana) - btrfs: avoid linker error in btrfs_find_create_tree_block() (Mark Harmstone) - i2c: pxa: fix call balance of i2c->clk handling routines (Vitalii Mordan) - mmc: host: Wait for Vdd to settle on card power off (Erick Shepherd) - libnvdimm/labels: Fix divide error in nd_label_data_init() (Robert Richter) [Orabug: 38095111] {CVE-2025-38072} - pNFS/flexfiles: Report ENETDOWN as a connection error (Trond Myklebust) - tools/build: Don't pass test log files to linker (Ian Rogers) - dql: Fix dql->limit value when reset. (Jing Su) - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (Trond Myklebust) - NFSv4: Treat ENETUNREACH errors as fatal for state recovery (Trond Myklebust) - fbdev: core: tileblit: Implement missing margin clearing for tileblit (Zsolt Kajtar) - fbdev: fsl-diu-fb: add missing device_remove_file() (Shixiong Ou) - mailbox: use error ret code of of_parse_phandle_with_args() (Tudor Ambarus) - kconfig: merge_config: use an empty file as initfile (Daniel Gomez) - cgroup: Fix compilation issue due to cgroup_mutex not being exported (Gao Xu) - dma-mapping: avoid potential unused data compilation warning (Marek Szyprowski) - scsi: target: iscsi: Fix timeout on deleted connection (Dmitry Bogdanov) [Orabug: 38095136] {CVE-2025-38075} - openvswitch: Fix unsafe attribute parsing in output_userspace() (Eelco Chaudron) [Orabug: 38015150] {CVE-2025-37998} - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (Aditya Garg) - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (Dmitry Torokhov) - clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() (Sebastian Andrzej Siewior) - phy: renesas: rcar-gen3-usb2: Set timing registers only once (Claudiu Beznea) - phy: Fix error handling in tegra_xusb_port_init (Ma Ke) - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (Xu Wang) - NFSv4/pnfs: Reset the layout state after a layoutreturn (Trond Myklebust) - NFSv4/pnfs: pnfs_set_layout_stateid() should update the layout cred (Trond Myklebust) - qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() (Abdun Nihaal) - ALSA: sh: SND_AICA should depend on SH_DMA_API (Geert Uytterhoeven) - net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING (Vladimir Oltean) - spi: loopback-test: Do not split 1024-byte hexdumps (Geert Uytterhoeven) - nfs: handle failure of nfs_get_lock_context in unlock path (Li Lingfeng) [Orabug: 38094820] {CVE-2025-38023} - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (Zhu Yanjun) [Orabug: 38094829] {CVE-2025-38024} - iio: chemical: sps30: use aligned_s64 for timestamp (David Lechner) - iio: adc: ad7768-1: Fix insufficient alignment of timestamp. (Jonathan Cameron) - staging: axis-fifo: Correct handling of tx_fifo_depth for size validation (Gabriel) - staging: axis-fifo: avoid parsing ignored device tree properties (Quentin Deslandes) - staging: axis-fifo: Remove hardware resets for user errors (Gabriel) - staging: axis-fifo: replace spinlock with mutex (Quentin Deslandes) - platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection (Hans de Goede) - do_umount(): add missing barrier before refcount checks in sync case (Al Viro) - MIPS: Fix MAX_REG_OFFSET (Thorsten Blum) - iio: adc: dln2: Use aligned_s64 for timestamp (Jonathan Cameron) - types: Complement the aligned types with signed 64-bit one (Andy Shevchenko) - usb: usbtmc: Fix erroneous generic_read ioctl return (Dave Penkler) - usb: usbtmc: Fix erroneous wait_srq ioctl return (Dave Penkler) - usb: usbtmc: Fix erroneous get_stb ioctl error returns (Dave Penkler) - USB: usbtmc: use interruptible sleep in usbtmc_read (Oliver Neukum) - usb: typec: ucsi: displayport: Fix NULL pointer access (Andrei Kuchynski) [Orabug: 38015128] {CVE-2025-37994} - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition (Rd Babiera) - ocfs2: stop quota recovery before disabling quotas (Jan Kara) - ocfs2: implement handshaking with ocfs2 recovery thread (Jan Kara) - ocfs2: switch osb->disable_recovery to enum (Jan Kara) - module: ensure that kobject_put() is safe for module type kobjects (Dmitry Antipov) [Orabug: 38015133] {CVE-2025-37995} - xenbus: Use kref to track req lifetime (Jason Andryuk) [Orabug: 37976936] {CVE-2025-37949} - usb: uhci-platform: Make the clock really optional (Alexey Charkov) - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (Silvano Seva) [Orabug: 37977033] {CVE-2025-37969} - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (Silvano Seva) [Orabug: 37977039] {CVE-2025-37970} - iio: adis16201: Correct inclinometer channel resolution (Gabriel) - iio: adc: ad7606: fix serial register access (Angelo Dureghello) - staging: iio: adc: ad7816: Correct conditional logic for store mode (Gabriel) - Input: synaptics - enable InterTouch on Dell Precision M3800 (Aditya Garg) - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (Aditya Garg) - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (Manuel Fombuena) - net: dsa: b53: fix learning on VLAN unaware bridges (Jonas Gorski) - netfilter: ipset: fix region locking in hash types (Jozsef Kadlecsik) [Orabug: 38015143] {CVE-2025-37997} - sch_htb: make htb_deactivate() idempotent (Cong Wang) [Orabug: 38186817] {CVE-2025-37953} - dm: fix copying after src array boundaries (Tudor Ambarus) - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (Pavel Paklov) [Orabug: 37976839] {CVE-2025-37927} - arm64: dts: rockchip: fix iface clock-name on px30 iommus (Heiko Stuebner) - usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling (Fedor Pchelkin) - usb: chipidea: ci_hdrc_imx: use dev_err_probe() (Alexander Stein) - usb: chipidea: imx: refine the error handling for hsic (Peter Chen) - usb: chipidea: imx: change hsic power regulator as optional (Peter Chen) - irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (Suzuki K Poulose) [Orabug: 37930014] {CVE-2025-37819} - irqchip/gic-v2m: Mark a few functions __init (Thomas Gleixner) - irqchip/gic-v2m: Add const to of_device_id (Xiang Wangx) - sch_htb: make htb_qlen_notify() idempotent (Cong Wang) [Orabug: 37976860] {CVE-2025-37932} - of: module: add buffer overflow check in of_modalias() (Sergey Shtylyov) [Orabug: 36753382] {CVE-2024-38541} - PCI: imx6: Skip controller_id generation logic for i.MX7D (Richard Zhu) - net: fec: ERR007885 Workaround for conventional TX (Mattias Barthel) - net: lan743x: Fix memleak issue when GSO enabled (Thangaraj Samynathan) [Orabug: 37976767] {CVE-2025-37909} - lan743x: fix endianness when accessing descriptors (Alexey Denisov) - lan743x: remove redundant initialization of variable current_head_index (Colin Ian King) - nvme-tcp: fix premature queue removal and I/O failover (Michael Liang) - net: dlink: Correct endianness handling of led_mode (Simon Horman) - net_sched: qfq: Fix double list add in class with netem as child qdisc (Victor Nogueira) [Orabug: 37976785] {CVE-2025-37913} - net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (Victor Nogueira) [Orabug: 37967412] {CVE-2025-37890} - net_sched: drr: Fix double list add in class with netem as child qdisc (Victor Nogueira) [Orabug: 37976794] {CVE-2025-37915} - net/mlx5: E-Switch, Initialize MAC Address for Default GID (Maor Gottlieb) - tracing: Fix oob write in trace_seq_to_buffer() (Jeongjun Park) [Orabug: 37976823] {CVE-2025-37923} - dm: always update the array size in realloc_argv on success (Benjamin Marzinski) - dm-integrity: fix a warning on invalid table line (Mikulas Patocka) - wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (Xu Wang) [Orabug: 37977121] {CVE-2025-37990} - amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload (Vishal Badole) - parisc: Fix double SIGFPE crash (Helge Deller) [Orabug: 37977129] {CVE-2025-37991} - i2c: imx-lpi2c: Fix clock count when probe defers (Clark Wang) - EDAC/altera: Set DDR and SDMMC interrupt mask before registration (Niravkumar L Rabara) - EDAC/altera: Test the correct error reg offset (Niravkumar L Rabara) [5.4.17-2136.346.1.el8uek] - scsi: qedf: Wait for stag work during unload (Saurav Kashyap) [Orabug: 37296386] - scsi: qedf: Don't process stag work during unload and recovery (Saurav Kashyap) [Orabug: 37296386] _______________________________________________ El-errata mailing list El-errata@oss.oracle.com https://oss.oracle.com/mailman/listinfo/el-errata
