(RHSA-2024:1404) Important: kernel security and bug fix update

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

• kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait() in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c (CVE-2021-43975)

• kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c (CVE-2022-28388)

• kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (CVE-2022-41858)

• kernel: Rate limit overflow messages in r8152 in intr_callback (CVE-2022-3594)

• kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744)

• kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

• kernel: denial of service in tipc_conn_close (CVE-2023-1382)

• kernel: lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow (CVE-2023-28772)

• kernel: NULL pointer dereference in can_rcv_filter (CVE-2023-2166)

• kernel: Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)

• kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

• kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)

• kernel: Out-Of-Bounds Read vulnerability in smbCalcSize (CVE-2023-6606)

• kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

• kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

• kernel: refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)

Bug Fix(es):

• The kernel is still getting hung up even after converting kernfs_mutex to kernfs_rwsem with massive concurrent kernfs access (open & lookup) performed by kubelet/node_exporter threads. (JIRA:RHEL-17149)

• kernel: Rate limit overflow messages in r8152 in intr_callback (JIRA:RHEL-18810)

• kernel: tun: avoid double free in tun_free_netdev (JIRA:RHEL-18813)

• kernel: lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow (JIRA:RHEL-18850)

• kernel: NULL pointer dereference in can_rcv_filter (JIRA:RHEL-19461)

• ipoib mcast lockup fix (JIRA:RHEL-19698)

• kernel: denial of service in tipc_conn_close (JIRA:RHEL-18824)

• Rhel-8.6 crash at qed_get_current_link+0x11 during tx_timeout recovery (JIRA:RHEL-20923)

• kernel: use-after-free in sch_qfq network scheduler (JIRA:RHEL-14402)

• RHEL8.6 - s390/qeth: NET2016 - fix use-after-free in HSCI (JIRA:RHEL-15849)

• RHEL8.6 - s390/qeth: recovery and set offline lose routes and IPv6 addr (JIRA:RHEL-17883)

• kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (JIRA:RHEL-18582)

• kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait() in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c (JIRA:RHEL-18799)

• kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c (JIRA:RHEL-18814)

• kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (JIRA:RHEL-18998)

• dm multipath device suspend deadlocks waiting on a flush request (JIRA:RHEL-19110)

• kernel: Slab-out-of-bound read in compare_netdev_and_ip (JIRA:RHEL-19327)

• kernel: A flaw leading to a use-after-free in area_cache_get() (JIRA:RHEL-19451)

• [RHEL8] I/O blocked during fio background with IO schedule switch, cpu offline/online, pci nvme rescan/reset (JIRA:RHEL-20231)

• kernel: refcount leak in ctnetlink_create_conntrack() (JIRA:RHEL-20298)

• kernel: inactive elements in nft_pipapo_walk (JIRA:RHEL-20697)

• kernel: Out-Of-Bounds Read vulnerability in smbCalcSize (JIRA:RHEL-21661)

• kernel NULL pointer at RIP: 0010:kyber_has_work+0x1c/0x60 (JIRA:RHEL-21784)

• kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (JIRA:RHEL-22090)

• backport timerlat user-space support (JIRA:RHEL-20361)