Debian dsa-5680 : affs-modules-6.1.0-21-4kc-malta-di - security update

high Nessus Plugin ID 195024

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5680 advisory.

- In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Fix deadlock when enabling ASPM

  A last minute revert in 6.7-final introduced a potential deadlock when enabling ASPM during probe of Qualcomm PCIe controllers as reported by lockdep:

    ============================================
    WARNING: possible recursive locking detected
    6.7.0 #40 Not tainted
    --------------------------------------------
    kworker/u16:5/90 is trying to acquire lock:
    ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc

    but task is already holding lock:
    ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc

    other info that might help us debug this:
     Possible unsafe locking scenario:

           CPU0
           ----
      lock(pci_bus_sem);
      lock(pci_bus_sem);

     *** DEADLOCK ***

    Call trace:
     print_deadlock_bug+0x25c/0x348
     __lock_acquire+0x10a4/0x2064
     lock_acquire+0x1e8/0x318
     down_read+0x60/0x184
     pcie_aspm_pm_state_change+0x58/0xdc
     pci_set_full_power_state+0xa8/0x114
     pci_set_power_state+0xc4/0x120
     qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]
     pci_walk_bus+0x64/0xbc
     qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]

  The deadlock can easily be reproduced on machines like the Lenovo ThinkPad X13s by adding a delay to increase the race window during asynchronous probe where another thread can take a write lock.

  Add a new pci_set_power_state_locked() and associated helper functions that can be called with the PCI bus semaphore held to avoid taking the read lock twice. (CVE-2024-26605)

- In the Linux kernel, the following vulnerability has been resolved: amdkfd: use calloc instead of kzalloc to avoid integer overflow This uses calloc instead of doing the multiplication which might overflow. (CVE-2024-26817)

- In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place. (CVE-2024-26922)

- In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect()

  Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list.

    sockets are AF_UNIX/SOCK_STREAM
    S is an unconnected socket
    L is a listening in-flight socket bound to addr, not in fdtable
    V's fd will be passed via sendmsg(), gets inflight count bumped

    connect(S, addr)           sendmsg(S, [V]); close(V)     __unix_gc()
    ----------------           -------------------------     -----------

    NS = unix_create1()
    skb1 = sock_wmalloc(NS)
    L = unix_find_other(addr)
    unix_state_lock(L)
    unix_peer(S) = NS
                               // V count=1 inflight=0

                               NS = unix_peer(S)
                               skb2 = sock_alloc()
                               skb_queue_tail(NS, skb2[V])

                               // V became in-flight
                               // V count=2 inflight=1

                               close(V)

                               // V count=1 inflight=1
                               // GC candidate condition met

                                                             for u in gc_inflight_list:
                                                               if (total_refs == inflight_refs)
                                                                 add u to gc_candidates

                                                             // gc_candidates={L, V}

                                                             for u in gc_candidates:
                                                               scan_children(u, dec_inflight)

                                                             // embryo (skb1) was not
                                                             // reachable from L yet, so V's
                                                             // inflight remains unchanged
    __skb_queue_tail(L, skb1)
    unix_state_unlock(L)
                                                             for u in gc_candidates:
                                                               if (u.inflight)
                                                                 scan_children(u, inc_inflight_move_tail)

                                                             // V count=1 inflight=2 (!)

  If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected. (CVE-2024-26923)

- In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element

  Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo:

    add_elem(00000000) timeout 100 ms
    ...
    add_elem(0000000X) timeout 100 ms
    del_elem(0000000X) <---------------- delete one that was just added
    ...
    add_elem(00005000) timeout 100 ms

    1) nft_pipapo_remove() removes element 0000000X
    Then, KASAN shows a splat.

  Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element.

  Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map.

  The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation.

  In such case it's possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable.

  The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer).

  Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching.

  Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element.

  v2: avoid unneeded temporary variable (Stefano) (CVE-2024-26924)

- In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. (CVE-2024-26925)

- In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (binder: avoid potential data leakage when copying txn) introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df (binder: add function to copy binder object from buffer), likely removed due to redundancy at the time. (CVE-2024-26926)

- In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate request buffer size in smb2_allocate_rsp_buf() The response buffer should be allocated in smb2_allocate_rsp_buf before validating request. But the fields in payload as well as smb2 header are used in smb2_allocate_rsp_buf(). This patch adds simple buffer size validation to avoid potential out-of-bounds in request buffer. (CVE-2024-26936)

- In the Linux kernel, the following vulnerability has been resolved: drm/i915/vma: Fix UAF on destroy against retire race

  Object debugging tools were sporadically reporting illegal attempts to free a still active i915 VMA object when parking a GT believed to be idle.

    [161.359441] ODEBUG: free active (active state 0) object: ffff88811643b958 object type: i915_active hint: __i915_vma_active+0x0/0x50 [i915]
    [161.360082] WARNING: CPU: 5 PID: 276 at lib/debugobjects.c:514 debug_print_object+0x80/0xb0
    ...
    [161.360304] CPU: 5 PID: 276 Comm: kworker/5:2 Not tainted 6.5.0-rc1-CI_DRM_13375-g003f860e5577+ #1
    [161.360314] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022
    [161.360322] Workqueue: i915-unordered __intel_wakeref_put_work [i915]
    [161.360592] RIP: 0010:debug_print_object+0x80/0xb0
    ...
    [161.361347] debug_object_free+0xeb/0x110
    [161.361362] i915_active_fini+0x14/0x130 [i915]
    [161.361866] release_references+0xfe/0x1f0 [i915]
    [161.362543] i915_vma_parked+0x1db/0x380 [i915]
    [161.363129] __gt_park+0x121/0x230 [i915]
    [161.363515] ____intel_wakeref_put_last+0x1f/0x70 [i915]

  That has been tracked down to be happening when another thread is deactivating the VMA inside __active_retire() helper, after the VMA's active counter has been already decremented to 0, but before deactivation of the VMA's object is reported to the object debugging tool.

  We could prevent from that race by serializing i915_active_fini() with __active_retire() via ref->tree_lock, but that wouldn't stop the VMA from being used, e.g. from __i915_vma_retire() called at the end of __active_retire(), after that VMA has been already freed by a concurrent i915_vma_destroy() on return from the i915_active_fini(). Then, we should rather fix the issue at the VMA level, not in i915_active.

  Since __i915_vma_parked() is called from __gt_park() on last put of the GT's wakeref, the issue could be addressed by holding the GT wakeref long enough for __active_retire() to complete before that wakeref is released and the GT parked.

  I believe the issue was introduced by commit d93939730347 (drm/i915: Remove the vma refcount) which moved a call to i915_active_fini() from a dropped i915_vma_release(), called on last put of the removed VMA kref, to i915_vma_parked() processing path called on last put of a GT wakeref. However, its visibility to the object debugging tool was suppressed by a bug in i915_active that was fixed two weeks later with commit e92eb246feb9 (drm/i915/active: Fix missing debug object activation).

  A VMA associated with a request doesn't acquire a GT wakeref by itself. Instead, it depends on a wakeref held directly by the request's active intel_context for a GT associated with its VM, and indirectly on that intel_context's engine wakeref if the engine belongs to the same GT as the VMA's VM. Those wakerefs are released asynchronously to VMA deactivation.

  Fix the issue by getting a wakeref for the VMA's GT when activating it, and putting that wakeref only after the VMA is deactivated. However, exclude global GTT from that processing path, otherwise the GPU never goes idle. Since __i915_vma_retire() may be called from atomic contexts, use async variant of wakeref put. Also, to avoid circular locking dependency, take care of acquiring the wakeref before VM mutex when both are needed.

  v7: Add inline comments with justifications for:
      - using untracked variants of intel_gt_pm_get/put() (Nirmoy),
      - using async variant of _put(),
      - not getting the wakeref in case of a global GTT,
      - always getting the first wakeref outside vm->mutex.
  v6: Since __i915_vma_active/retire() callbacks are not serialized, storing a wakeref tracking handle inside struct i915_vma is not safe, and there is no other good place for that. Use untracked variants of intel_gt_pm_get/put_async().
  v5: Replace tile with GT across commit description (Rodrigo), - ---truncated--- (CVE-2024-26939)

- In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size validation could be skipped. If request size is smaller than sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in smb2_allocate_rsp_buf(). This patch allocates response buffer after decrypting transform request. smb3_decrypt_req() will validate transform request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf(). (CVE-2024-26980)

- In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix OOB in nilfs_set_de_type

  The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is defined as S_IFMT >> S_SHIFT, but the nilfs_set_de_type() function, which uses this array, specifies the index to read from the array in the same way as (mode & S_IFMT) >> S_SHIFT.

    static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode)
    {
            umode_t mode = inode->i_mode;

            de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
    }

  However, when the index is determined this way, an out-of-bounds (OOB) error occurs by referring to an index that is 1 larger than the array size when the condition mode & S_IFMT == S_IFMT is satisfied. Therefore, a patch to resize the nilfs_type_by_mode array should be applied to prevent OOB errors. (CVE-2024-26981)
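A user-space model of the indexing described in the nilfs2 entry above, added here as an example and not taken from the kernel patch: it enumerates every 16-bit mode value to show which ones index past an array of S_IFMT >> S_SHIFT entries, and pairs that with a bounds-checked lookup. The names MODE_FMT, MODE_SHIFT, SLOTS_*, FT_* and the table contents are assumptions of this example, as is the "+ 1" sizing used for the resized array.

```c
#include <stddef.h>
#include <stdio.h>

/* File-type mask as in Linux <linux/stat.h> (S_IFMT) and the shift used by
 * nilfs2's dir.c (S_SHIFT). Local names avoid clashes with libc headers. */
#define MODE_FMT   0170000u
#define MODE_SHIFT 12

/* Array length as described in the advisory text, and a length that has one
 * slot per possible index. The "+ 1" is this example's assumption. */
#define SLOTS_DESCRIBED ((size_t)(MODE_FMT >> MODE_SHIFT))     /* 15 */
#define SLOTS_RESIZED   ((size_t)(MODE_FMT >> MODE_SHIFT) + 1) /* 16 */

enum { FT_UNKNOWN, FT_REG, FT_DIR, FT_CHR, FT_BLK, FT_FIFO, FT_SOCK, FT_LNK };

/* Constructed lookup table; slots not listed stay 0 (FT_UNKNOWN). It is
 * allocated with the resized length so the model itself never reads OOB. */
static const unsigned char type_by_mode[SLOTS_RESIZED] = {
    [0100000u >> MODE_SHIFT] = FT_REG,
    [0040000u >> MODE_SHIFT] = FT_DIR,
    [0020000u >> MODE_SHIFT] = FT_CHR,
    [0060000u >> MODE_SHIFT] = FT_BLK,
    [0010000u >> MODE_SHIFT] = FT_FIFO,
    [0140000u >> MODE_SHIFT] = FT_SOCK,
    [0120000u >> MODE_SHIFT] = FT_LNK,
};

/* Index computed the same way as in nilfs_set_de_type(). */
static size_t type_index(unsigned mode)
{
    return (mode & MODE_FMT) >> MODE_SHIFT;
}

/* Number of 16-bit mode values whose index lies outside `slots` entries. */
static unsigned count_out_of_range(size_t slots)
{
    unsigned bad = 0;
    for (unsigned mode = 0; mode <= 0xffffu; mode++)
        if (type_index(mode) >= slots)
            bad++;
    return bad;
}

/* Smallest offending mode value, or -1 when every index fits. */
static long first_out_of_range(size_t slots)
{
    for (unsigned mode = 0; mode <= 0xffffu; mode++)
        if (type_index(mode) >= slots)
            return (long)mode;
    return -1;
}

/* Bounds-checked lookup against an array treated as `slots` entries long.
 * Returns 0 and stores the type, or -1 when the index would be out of range. */
static int lookup_type(unsigned mode, size_t slots, unsigned char *out)
{
    size_t idx = type_index(mode);
    if (idx >= slots || idx >= SLOTS_RESIZED)
        return -1;
    *out = type_by_mode[idx];
    return 0;
}

int main(void)
{
    printf("slots=%zu: %u modes out of range, first=0%lo\n",
           SLOTS_DESCRIBED, count_out_of_range(SLOTS_DESCRIBED),
           (unsigned long)first_out_of_range(SLOTS_DESCRIBED));
    printf("slots=%zu: %u modes out of range\n",
           SLOTS_RESIZED, count_out_of_range(SLOTS_RESIZED));

    unsigned char t = 0;
    /* 0170000 has every file-type bit set: the condition named in the text. */
    printf("lookup(0170000) with %zu slots -> %d\n",
           SLOTS_DESCRIBED, lookup_type(0170000u, SLOTS_DESCRIBED, &t));
    printf("lookup(0170000) with %zu slots -> %d (type %u)\n",
           SLOTS_RESIZED, lookup_type(0170000u, SLOTS_RESIZED, &t), (unsigned)t);
    return 0;
}
```

Only modes with all four file-type bits set reach index 15, so a corrupted or crafted on-disk inode is the realistic source of such a value.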

- In the Linux kernel, the following vulnerability has been resolved: bootconfig: use memblock_free_late to free xbc memory to buddy On the time to free xbc memory in xbc_exit(), memblock may have handed over memory to buddy allocator. So it doesn't make sense to free memory back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.
Following KASAN logs shows this case. This patch fixes the xbc memory free problem by calling memblock_free() in early xbc init error rewind path and calling memblock_free_late() in xbc exit path to free memory to buddy allocator. (CVE-2024-26983)

- In the Linux kernel, the following vulnerability has been resolved: nouveau: fix instmem race condition around ptr stores Running a lot of VK CTS in parallel against nouveau, once every few hours you might see something like this crash. Adding any sort of useful debug usually makes it go away, so I hand wrote the function in a line, and debugged the asm. Every so often pt->memory->ptrs is NULL. This ptrs ptr is set in the nv50_instobj_acquire called from nvkm_kmap. If Thread A and Thread B both get to nv50_instobj_acquire around the same time, and Thread A hits the refcount_set line, and in lockstep thread B succeeds at refcount_inc_not_zero, there is a chance the ptrs value won't have been stored since refcount_set is unordered. Force a memory barrier here, I picked smp_mb, since we want it on all CPUs and it's write followed by a read. v2: use paired smp_rmb/smp_wmb. (CVE-2024-26984)

- In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled

  When I did hard offline test with hugetlb pages, below deadlock occurs:

    ======================================================
    WARNING: possible circular locking dependency detected
    6.8.0-11409-gf6cef5f8c37f #1 Not tainted
    ------------------------------------------------------
    bash/46904 is trying to acquire lock:
    ffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60

    but task is already holding lock:
    ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40

    which lock already depends on the new lock.

    the existing dependency chain (in reverse order) is:

    -> #1 (pcp_batch_high_lock){+.+.}-{3:3}:
           __mutex_lock+0x6c/0x770
           page_alloc_cpu_online+0x3c/0x70
           cpuhp_invoke_callback+0x397/0x5f0
           __cpuhp_invoke_callback_range+0x71/0xe0
           _cpu_up+0xeb/0x210
           cpu_up+0x91/0xe0
           cpuhp_bringup_mask+0x49/0xb0
           bringup_nonboot_cpus+0xb7/0xe0
           smp_init+0x25/0xa0
           kernel_init_freeable+0x15f/0x3e0
           kernel_init+0x15/0x1b0
           ret_from_fork+0x2f/0x50
           ret_from_fork_asm+0x1a/0x30

    -> #0 (cpu_hotplug_lock){++++}-{0:0}:
           __lock_acquire+0x1298/0x1cd0
           lock_acquire+0xc0/0x2b0
           cpus_read_lock+0x2a/0xc0
           static_key_slow_dec+0x16/0x60
           __hugetlb_vmemmap_restore_folio+0x1b9/0x200
           dissolve_free_huge_page+0x211/0x260
           __page_handle_poison+0x45/0xc0
           memory_failure+0x65e/0xc70
           hard_offline_page_store+0x55/0xa0
           kernfs_fop_write_iter+0x12c/0x1d0
           vfs_write+0x387/0x550
           ksys_write+0x64/0xe0
           do_syscall_64+0xca/0x1e0
           entry_SYSCALL_64_after_hwframe+0x6d/0x75

    other info that might help us debug this:

     Possible unsafe locking scenario:

           CPU0                        CPU1
           ----                        ----
      lock(pcp_batch_high_lock);
                                       lock(cpu_hotplug_lock);
                                       lock(pcp_batch_high_lock);
      rlock(cpu_hotplug_lock);

     *** DEADLOCK ***

    5 locks held by bash/46904:
     #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0
     #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0
     #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0
     #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70
     #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40

    stack backtrace:
    CPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x68/0xa0
     check_noncircular+0x129/0x140
     __lock_acquire+0x1298/0x1cd0
     lock_acquire+0xc0/0x2b0
     cpus_read_lock+0x2a/0xc0
     static_key_slow_dec+0x16/0x60
     __hugetlb_vmemmap_restore_folio+0x1b9/0x200
     dissolve_free_huge_page+0x211/0x260
     __page_handle_poison+0x45/0xc0
     memory_failure+0x65e/0xc70
     hard_offline_page_store+0x55/0xa0
     kernfs_fop_write_iter+0x12c/0x1d0
     vfs_write+0x387/0x550
     ksys_write+0x64/0xe0
     do_syscall_64+0xca/0x1e0
     entry_SYSCALL_64_after_hwframe+0x6d/0x75
    RIP: 0033:0x7fc862314887
    Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
    RSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887
    RDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001
    RBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff
    R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c
    R13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00

  In short, below scene breaks the ---truncated--- (CVE-2024-26987)

- In the Linux kernel, the following vulnerability has been resolved: init/main.c: Fix potential static_command_line memory overflow We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for static_command_line, but the strings copied into static_command_line are extra_command_line and command_line, rather than extra_command_line and boot_command_line. When strlen(command_line) > strlen(boot_command_line), static_command_line will overflow. This patch just recovers strlen(command_line) which was miss-consolidated with strlen(boot_command_line) in the commit f5c7310ac73e (init/main: add checks for the return value of memblock_alloc*()) (CVE-2024-26988)

- In the Linux kernel, the following vulnerability has been resolved: arm64: hibernate: Fix level3 translation fault in swsusp_save() On arm64 machines, swsusp_save() faults if it attempts to access MEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI when booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n. The reason is swsusp_save() -> copy_data_pages() -> page_is_saveable() -> kernel_page_present() assuming that a page is always present when can_set_direct_map() is false (all of rodata_full, debug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false), irrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions should not be saved during hibernation. This problem was introduced by changes to the pfn_valid() logic in commit a7d9f306ba70 (arm64: drop pfn_valid_within() and simplify pfn_valid()). Similar to other architectures, drop the !can_set_direct_map() check in kernel_page_present() so that page_is_savable() skips such pages. [[email protected]: rework commit message] (CVE-2024-26989)

- In the Linux kernel, the following vulnerability has been resolved: KVM: x86/pmu: Disable support for adaptive PEBS

  Drop support for virtualizing adaptive PEBS, as KVM's implementation is architecturally broken without an obvious/easy path forward, and because exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak host kernel addresses to the guest.

  Bug #1 is that KVM doesn't account for the upper 32 bits of IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters() stores local variables as u8s and truncates the upper bits too, etc.

  Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero value for PEBS events, perf will _always_ generate an adaptive record, even if the guest requested a basic record. Note, KVM will also enable adaptive PEBS in individual *counter*, even if adaptive PEBS isn't exposed to the guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero, i.e. the guest will only ever see Basic records.

  Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE either. I.e. perf _always_ enables ADAPTIVE counters, regardless of what KVM requests.

  Bug #4 is that adaptive PEBS *might* effectively bypass event filters set by the host, as Updated Memory Access Info Group records information that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.

  Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least zeros) when entering a vCPU with adaptive PEBS, which allows the guest to read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.

  Disable adaptive PEBS support as an immediate fix due to the severity of the LBR leak in particular, and because fixing all of the bugs will be non-trivial, e.g. not suitable for backporting to stable kernels.

  Note! This will break live migration, but trying to make KVM play nice with live migration would be quite complicated, wouldn't be guaranteed to work (i.e. KVM might still kill/confuse the guest), and it's not clear that there are any publicly available VMMs that support adaptive PEBS, let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't support PEBS in any capacity. (CVE-2024-26992)

- In the Linux kernel, the following vulnerability has been resolved: fs: sysfs: Fix reference leak in sysfs_break_active_protection() The sysfs_break_active_protection() routine has an obvious reference leak in its error path. If the call to kernfs_find_and_get() fails then kn will be NULL, so the companion sysfs_unbreak_active_protection() routine won't get called (and would only cause an access violation by trying to dereference kn->parent if it was called). As a result, the reference to kobj acquired at the start of the function will never be released. Fix the leak by adding an explicit kobject_put() call when kn is NULL. (CVE-2024-26993)

- In the Linux kernel, the following vulnerability has been resolved: speakup: Avoid crash on very long word In case a console is set up really large and contains a really long word (> 256 characters), we have to stop before the length of the word buffer. (CVE-2024-26994)

- In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

  When ncm function is working and then stop usb0 interface for link down, eth_stop() is called. At this point, accidentally if usb transport error should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.

  After that, ncm_disable() is called to disable for ncm unbind but gether_disconnect() is never called since 'in_ep' is not enabled.

  As the result, ncm object is released in ncm unbind but 'dev->port_usb' associated to 'ncm->port' is not NULL.

  And when ncm bind again to recover netdev, ncm object is reallocated but usb0 interface is already associated to previous released ncm object.

  Therefore, once usb0 interface is up and eth_start_xmit() is called, released ncm object is dereferenced and it might cause use-after-free memory.

    [function unlink via configfs]
      usb0: eth_stop dev->port_usb=ffffff9b179c3200
      --> error happens in usb_ep_enable().
      NCM: ncm_disable: ncm=ffffff9b179c3200
      --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
      NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
      NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm

    [function link via configfs]
      NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
      NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
      NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
      usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm
      usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
      eth_start_xmit()
      --> dev->wrap()
      Unable to handle kernel paging request at virtual address dead00000000014f

  This patch addresses the issue by checking if 'ncm->netdev' is not NULL at ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'. It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect rather than check 'ncm->port.in_ep->enabled' since it might not be enabled but the gether connection might be established. (CVE-2024-26996)

- In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: host: Fix dereference issue in DDMA completion flow. Fixed variable dereference issue in DDMA completion flow. (CVE-2024-26997)

- In the Linux kernel, the following vulnerability has been resolved: serial/pmac_zilog: Remove flawed mitigation for rx irq flood The mitigation was intended to stop the irq completely. That may be better than a hard lock-up but it turns out that you get a crash anyway if you're using pmac_zilog as a serial console: ttyPZ0: pmz: rx irq flood ! BUG: spinlock recursion on CPU#0, swapper/0 That's because the pr_err() call in pmz_receive_chars() results in pmz_console_write() attempting to lock a spinlock already locked in pmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal BUG splat. The spinlock in question is the one in struct uart_port. Even when it's not fatal, the serial port rx function ceases to work. Also, the iteration limit doesn't play nicely with QEMU, as can be seen in the bug report linked below. A web search for other reports of the error message pmz: rx irq flood didn't produce anything. So I don't think this code is needed any more. Remove it. (CVE-2024-26999)

- In the Linux kernel, the following vulnerability has been resolved: serial: mxs-auart: add spinlock around changing cts state The uart_handle_cts_change() function in serial_core expects the caller to hold uport->lock. For example, I have seen the below kernel splat, when the Bluetooth driver is loaded on an i.MX28 board.

    [ 85.119255] ------------[ cut here ]------------
    [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec
    [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs
    [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1
    [ 85.151396] Hardware name: Freescale MXS (Device Tree)
    [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]
    (...)
    [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4
    [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210
    (...)

  (CVE-2024-27000)

- In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix incomplete endpoint checking While vmk80xx does have endpoint checking implemented, some things can fall through the cracks. Depending on the hardware model, URBs can have either bulk or interrupt type, and current version of vmk80xx_find_usb_endpoints() function does not take that fully into account. While this warning does not seem to be too harmful, at the very least it will crash systems with 'panic_on_warn' set on them. Fix the issue found by Syzkaller [1] by somewhat simplifying the endpoint checking process with usb_find_common_endpoints() and ensuring that only expected endpoint types are present. This patch has not been tested on real hardware.

  [1] Syzkaller report:

    usb 1-1: BOGUS urb xfer, pipe 1 != type 3
    WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
    ...
    Call Trace:
    <TASK>
    usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
    vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]
    vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818
    comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067
    usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
    ...

  Similar issue also found by Syzkaller: (CVE-2024-27001)

- In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: Do a runtime PM get on controllers during probe mt8183-mfgcfg has a mutual dependency with genpd during the probing stage, which leads to a deadlock in the following call stack:

    CPU0: genpd_lock --> clk_prepare_lock
    genpd_power_off_work_fn()
     genpd_lock()
     generic_pm_domain::power_off()
      clk_unprepare()
       clk_prepare_lock()

    CPU1: clk_prepare_lock --> genpd_lock
    clk_register()
     __clk_core_init()
      clk_prepare_lock()
      clk_pm_runtime_get()
       genpd_lock()

  Do a runtime PM get at the probe function to make sure clk_register() won't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg, do this on all mediatek clock controller probings because we don't believe this would cause any regression. Verified on MT8183 and MT8192 Chromebooks. (CVE-2024-27002)

- In the Linux kernel, the following vulnerability has been resolved: clk: Get runtime PM before walking tree for clk_summary Similar to the previous commit, we should make sure that all devices are runtime resumed before printing the clk_summary through debugfs. Failure to do so would result in a deadlock if the thread is resuming a device to print clk state and that device is also runtime resuming in another thread, e.g the screen is turning on and the display driver is starting up. We remove the calls to clk_pm_runtime_{get,put}() in this path because they're superfluous now that we know the devices are runtime resumed. This also squashes a bug where the return value of clk_pm_runtime_get() wasn't checked, leading to an RPM count underflow on error paths. (CVE-2024-27003)

- In the Linux kernel, the following vulnerability has been resolved: clk: Get runtime PM before walking tree during disable_unused Doug reported [1] the following hung task: INFO: task swapper/0:1 blocked for more than 122 seconds. Not tainted 5.15.149-21875-gf795ebc40eb8 #1 echo 0 > /proc/sys/kernel/hung_task_timeout_secs disables this message. task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008 Call trace: __switch_to+0xf4/0x1f4 __schedule+0x418/0xb80 schedule+0x5c/0x10c rpm_resume+0xe0/0x52c rpm_resume+0x178/0x52c __pm_runtime_resume+0x58/0x98 clk_pm_runtime_get+0x30/0xb0 clk_disable_unused_subtree+0x58/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused_subtree+0x38/0x208 clk_disable_unused+0x4c/0xe4 do_one_initcall+0xcc/0x2d8 do_initcall_level+0xa4/0x148 do_initcalls+0x5c/0x9c do_basic_setup+0x24/0x30 kernel_init_freeable+0xec/0x164 kernel_init+0x28/0x120 ret_from_fork+0x10/0x20 INFO: task kworker/u16:0:9 blocked for more than 122 seconds. Not tainted 5.15.149-21875-gf795ebc40eb8 #1 echo 0 > /proc/sys/kernel/hung_task_timeout_secs disables this message. task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008 Workqueue: events_unbound deferred_probe_work_func Call trace:
__switch_to+0xf4/0x1f4 __schedule+0x418/0xb80 schedule+0x5c/0x10c schedule_preempt_disabled+0x2c/0x48
__mutex_lock+0x238/0x488 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x50/0x74 clk_prepare_lock+0x7c/0x9c clk_core_prepare_lock+0x20/0x44 clk_prepare+0x24/0x30 clk_bulk_prepare+0x40/0xb0 mdss_runtime_resume+0x54/0x1c8 pm_generic_runtime_resume+0x30/0x44 __genpd_runtime_resume+0x68/0x7c genpd_runtime_resume+0x108/0x1f4 __rpm_callback+0x84/0x144 rpm_callback+0x30/0x88 rpm_resume+0x1f4/0x52c rpm_resume+0x178/0x52c __pm_runtime_resume+0x58/0x98 __device_attach+0xe0/0x170 device_initial_probe+0x1c/0x28 bus_probe_device+0x3c/0x9c device_add+0x644/0x814 mipi_dsi_device_register_full+0xe4/0x170 devm_mipi_dsi_device_register_full+0x28/0x70 ti_sn_bridge_probe+0x1dc/0x2c0 auxiliary_bus_probe+0x4c/0x94 really_probe+0xcc/0x2c8
__driver_probe_device+0xa8/0x130 driver_probe_device+0x48/0x110 __device_attach_driver+0xa4/0xcc bus_for_each_drv+0x8c/0xd8 __device_attach+0xf8/0x170 device_initial_probe+0x1c/0x28 bus_probe_device+0x3c/0x9c deferred_probe_work_func+0x9c/0xd8 process_one_work+0x148/0x518 worker_thread+0x138/0x350 kthread+0x138/0x1e0 ret_from_fork+0x10/0x20 The first thread is walking the clk tree and calling clk_pm_runtime_get() to power on devices required to read the clk hardware via struct clk_ops::is_enabled(). This thread holds the clk prepare_lock, and is trying to runtime PM resume a device, when it finds that the device is in the process of resuming so the thread schedule()s away waiting for the device to finish resuming before continuing. The second thread is runtime PM resuming the same device, but the runtime resume callback is calling clk_prepare(), trying to grab the prepare_lock waiting on the first thread. This is a classic ABBA deadlock. To properly fix the deadlock, we must never runtime PM resume or suspend a device with the clk prepare_lock held. Actually doing that is near impossible today because the global prepare_lock would have to be dropped in the middle of the tree, the device runtime PM resumed/suspended, and then the prepare_lock grabbed again to ensure consistency of the clk tree topology.
If anything changes with the clk tree in the meantime, we've lost and will need to start the operation all over again. Luckily, most of the time we're simply incrementing or decrementing the runtime PM count on an active device, so we don't have the chance to schedule away with the prepare_lock held. Let's fix this immediate problem that can be ---truncated--- (CVE-2024-27004)

- In the Linux kernel, the following vulnerability has been resolved: drm: nv04: Fix out of bounds access When Output Resource (dcb->or) value is assigned in fabricate_dcb_output(), there may be out of bounds access to dac_users array in case dcb->or is zero because ffs(dcb->or) is used as index there. The 'or' argument of fabricate_dcb_output() must be interpreted as a number of bit to set, not value. Utilize macros from 'enum nouveau_or' in calls instead of hardcoding. Found by Linux Verification Center (linuxtesting.org) with SVACE. (CVE-2024-27008)

- In the Linux kernel, the following vulnerability has been resolved: s390/cio: fix race condition during online processing A race condition exists in ccw_device_set_online() that can cause the online process to fail, leaving the affected device in an inconsistent state. As a result, subsequent attempts to set that device online fail with return code ENODEV. The problem occurs when a path verification request arrives after a wait for final device state completed, but before the result state is evaluated. Fix this by ensuring that the CCW-device lock is held between determining final state and checking result state. Note that since: commit 2297791c92d0 (s390/cio: dont unregister subchannel from child-drivers) path verification requests are much more likely to occur during boot, resulting in an increased chance of this race condition occurring. (CVE-2024-27009)

- In the Linux kernel, the following vulnerability has been resolved: tun: limit printing rate when illegal packet received by tun dev vhost_worker will call tun callbacks to receive packets. If too many illegal packets arrive, tun_do_read will keep dumping packet contents. When console is enabled, it will cost much more cpu time to dump packet and soft lockup will be detected. net_ratelimit mechanism can be used to limit the dumping rate.

    PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: vhost-32980
    #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253
    #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3
    #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e
    #3 [fffffe00003fced0] do_nmi at ffffffff8922660d
    #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663
    [exception RIP: io_serial_in+20]
    RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002
    RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000
    RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0
    RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f
    R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020
    R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
    #5 [ffffa655314979e8] io_serial_in at ffffffff89792594
    #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470
    #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6
    #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605
    #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558
    #10 [ffffa65531497ac8] console_unlock at ffffffff89316124
    #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07
    #12 [ffffa65531497b68] printk at ffffffff89318306
    #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765
    #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]
    #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]
    #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]
    #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]
    #18 [ffffa65531497f10] kthread at ffffffff892d2e72
    #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f

  (CVE-2024-27013)

- In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent deadlock while disabling aRFS When disabling aRFS under the `priv->state_lock`, any scheduled aRFS works are canceled using the `cancel_work_sync` function, which waits for the work to end if it has already started. However, while waiting for the work handler, the handler will try to acquire the `state_lock` which is already acquired. The worker acquires the lock to delete the rules if the state is down, which is not the worker's responsibility since disabling aRFS deletes the rules. Add an aRFS state variable, which indicates whether the aRFS is enabled and prevent adding rules when the aRFS is disabled. Kernel log:
====================================================== WARNING: possible circular locking dependency detected 6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I
------------------------------------------------------ ethtool/386089 is trying to acquire lock:
ffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0 but task is already holding lock: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at:
mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&priv->state_lock){+.+.}-{3:3}: __mutex_lock+0x80/0xc90 arfs_handle_work+0x4b/0x3b0 [mlx5_core] process_one_work+0x1dc/0x4a0 worker_thread+0x1bf/0x3c0 kthread+0xd7/0x100 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 -> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}: __lock_acquire+0x17b4/0x2c80 lock_acquire+0xd0/0x2b0
__flush_work+0x7a/0x4e0 __cancel_work_timer+0x131/0x1c0 arfs_del_rules+0x143/0x1e0 [mlx5_core] mlx5e_arfs_disable+0x1b/0x30 [mlx5_core] mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core] ethnl_set_channels+0x28f/0x3b0 ethnl_default_set_doit+0xec/0x240 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x188/0x2c0 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1a1/0x270 netlink_sendmsg+0x214/0x460 __sock_sendmsg+0x38/0x60 __sys_sendto+0x113/0x170 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x46/0x4e other info that might help us debug this:
Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&priv->state_lock);
lock((work_completion)(&rule->arfs_work)); lock(&priv->state_lock);
lock((work_completion)(&rule->arfs_work)); *** DEADLOCK *** 3 locks held by ethtool/386089: #0:
ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240 #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core] stack backtrace:
CPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace:
<TASK> dump_stack_lvl+0x60/0xa0 check_noncircular+0x144/0x160 __lock_acquire+0x17b4/0x2c80 lock_acquire+0xd0/0x2b0 ? __flush_work+0x74/0x4e0 ? save_trace+0x3e/0x360 ? __flush_work+0x74/0x4e0
__flush_work+0x7a/0x4e0 ? __flush_work+0x74/0x4e0 ? __lock_acquire+0xa78/0x2c80 ? lock_acquire+0xd0/0x2b0 ? mark_held_locks+0x49/0x70 __cancel_work_timer+0x131/0x1c0 ? mark_held_locks+0x49/0x70 arfs_del_rules+0x143/0x1e0 [mlx5_core] mlx5e_arfs_disable+0x1b/0x30 [mlx5_core] mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core] ethnl_set_channels+0x28f/0x3b0 ethnl_default_set_doit+0xec/0x240 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x188/0x2c0 ? ethn
---truncated--- (CVE-2024-27014)

- In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: incorrect pppoe tuple pppoe traffic reaching ingress path does not match the flowtable entry because the pppoe header is expected to be at the network header offset. This bug causes a mismatch in the flow table lookup, so pppoe packets enter the classical forwarding path. (CVE-2024-27015)

- In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: validate pppoe header Ensure there is sufficient room to access the protocol field of the PPPoe header. Validate it once before the flowtable lookup, then use a helper function to access protocol field. (CVE-2024-27016)

- In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: skip conntrack input hook for promisc packets For historical reasons, when bridge device is in promisc mode, packets that are directed to the taps follow bridge input hook path. This patch adds a workaround to reset conntrack for these packets. Jianbo Liu reports warning splats in their test infrastructure where cloned packets reach the br_netfilter input hook to confirm the conntrack object. Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has reached the input hook because it is passed up to the bridge device to reach the taps. [ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core [ 57.575158] CPU: 1 PID:
0 Comm: swapper/1 Not tainted 6.8.0+ #19 [ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 57.576662] RIP:
0010:br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1 [ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202 [ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000 [ 57.579830] RDX:
ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000 [ 57.580454] RBP: ffff88885f845a60 R08:
0000000000000001 R09: 0000000000000003 [ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12:
0000000000000000 [ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800 [ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000 [ 57.583040] CS:
0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4:
0000000000370eb0 [ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 57.585440] Call Trace: [ 57.585721] <IRQ> [ 57.585976] ? __warn+0x7d/0x130 [ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.586811] ? report_bug+0xf1/0x1c0 [ 57.587177] ? handle_bug+0x3f/0x70 [ 57.587539] ? exc_invalid_op+0x13/0x60 [ 57.587929] ? asm_exc_invalid_op+0x16/0x20 [ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.588825] nf_hook_slow+0x3d/0xd0 [ 57.589188] ? br_handle_vlan+0x4b/0x110 [ 57.589579] br_pass_frame_up+0xfc/0x150 [ 57.589970] ? br_port_flags_change+0x40/0x40 [ 57.590396] br_handle_frame_finish+0x346/0x5e0 [ 57.590837] ? ipt_do_table+0x32e/0x430 [ 57.591221] ? br_handle_local_finish+0x20/0x20 [ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter] [ 57.592286] ? br_handle_local_finish+0x20/0x20 [ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter] [ 57.593348] ? br_handle_local_finish+0x20/0x20 [ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat] [ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter] [ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter] [ 57.595280] br_handle_frame+0x1f3/0x3d0 [ 57.595676] ? br_handle_local_finish+0x20/0x20 [ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0 [ 57.596566] __netif_receive_skb_core+0x25b/0xfc0 [ 57.597017] ?
__napi_build_skb+0x37/0x40 [ 57.597418] __netif_receive_skb_list_core+0xfb/0x220 (CVE-2024-27018)

- In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can run concurrently with __nft_obj_type_get(), and there is no protection when iterating over the nf_tables_objects list in __nft_obj_type_get(). Therefore, there is a potential data race on the nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over the nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process. (CVE-2024-27019)

- In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() nft_unregister_expr() can run concurrently with __nft_expr_type_get(), and there is no protection when iterating over the nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is a potential data race on the nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over the nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process. (CVE-2024-27020)

- In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is the race below:

    CPU 1                                                                             CPU 2
    fork                                                                              hugetlbfs_fallocate
     dup_mmap                                                                          hugetlbfs_punch_hole
      i_mmap_lock_write(mapping);
      vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.
      i_mmap_unlock_write(mapping);
      hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!
                                                                                       i_mmap_lock_write(mapping);
                                                                                       hugetlb_vmdelete_list
                                                                                        vma_interval_tree_foreach
                                                                                         hugetlb_vma_trylock_write -- Vma_lock is cleared.
      tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!
                                                                                         hugetlb_vma_unlock_write -- Vma_lock is assigned!!!
                                                                                       i_mmap_unlock_write(mapping);

  hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used at the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used. (CVE-2024-27022)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the affs-modules-6.1.0-21-4kc-malta-di packages.

See Also

https://security-tracker.debian.org/tracker/source-package/linux

https://security-tracker.debian.org/tracker/CVE-2024-26605

https://security-tracker.debian.org/tracker/CVE-2024-26817

https://security-tracker.debian.org/tracker/CVE-2024-26994

https://security-tracker.debian.org/tracker/CVE-2024-26996

https://security-tracker.debian.org/tracker/CVE-2024-26997

https://security-tracker.debian.org/tracker/CVE-2024-26999

https://security-tracker.debian.org/tracker/CVE-2024-27000

https://security-tracker.debian.org/tracker/CVE-2024-27001

https://security-tracker.debian.org/tracker/CVE-2024-27002

https://security-tracker.debian.org/tracker/CVE-2024-27003

https://security-tracker.debian.org/tracker/CVE-2024-27004

https://security-tracker.debian.org/tracker/CVE-2024-27008

https://security-tracker.debian.org/tracker/CVE-2024-27009

https://security-tracker.debian.org/tracker/CVE-2024-27013

https://security-tracker.debian.org/tracker/CVE-2024-27014

https://security-tracker.debian.org/tracker/CVE-2024-27015

https://security-tracker.debian.org/tracker/CVE-2024-27016

https://security-tracker.debian.org/tracker/CVE-2024-27018

https://security-tracker.debian.org/tracker/CVE-2024-27019

https://security-tracker.debian.org/tracker/CVE-2024-27020

https://security-tracker.debian.org/tracker/CVE-2024-27022

https://packages.debian.org/source/bookworm/linux

https://security-tracker.debian.org/tracker/CVE-2024-26922

https://security-tracker.debian.org/tracker/CVE-2024-26923

https://security-tracker.debian.org/tracker/CVE-2024-26924

https://security-tracker.debian.org/tracker/CVE-2024-26925

https://security-tracker.debian.org/tracker/CVE-2024-26926

https://security-tracker.debian.org/tracker/CVE-2024-26936

https://security-tracker.debian.org/tracker/CVE-2024-26939

https://security-tracker.debian.org/tracker/CVE-2024-26980

https://security-tracker.debian.org/tracker/CVE-2024-26981

https://security-tracker.debian.org/tracker/CVE-2024-26983

https://security-tracker.debian.org/tracker/CVE-2024-26984

https://security-tracker.debian.org/tracker/CVE-2024-26987

https://security-tracker.debian.org/tracker/CVE-2024-26988

https://security-tracker.debian.org/tracker/CVE-2024-26989

https://security-tracker.debian.org/tracker/CVE-2024-26992

https://security-tracker.debian.org/tracker/CVE-2024-26993

Plugin Details

Severity: High

ID: 195024

File Name: debian_DSA-5680.nasl

Version: 1.4

Type: local

Agent: unix

Published: 5/6/2024

Updated: 5/24/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-27022

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:scsi-nic-modules-6.1.0-21-4kc-malta-di, p-cpe:/a:debian:debian_linux:leds-modules-6.1.0-21-marvell-di, p-cpe:/a:debian:debian_linux:fb-modules-6.1.0-21-octeon-di, p-cpe:/a:debian:debian_linux:linux-image-6.1.0-21-armmp-lpae-dbg, p-cpe:/a:debian:debian_linux:xfs-modules-6.1.0-21-s390x-di, p-cpe:/a:debian:debian_linux:usb-modules-6.1.0-21-armmp-di, p-cpe:/a:debian:debian_linux:jfs-modules-6.1.0-21-marvell-di, p-cpe:/a:debian:debian_linux:fuse-modules-6.1.0-21-mips32r2el-di, p-cpe:/a:debian:debian_linux:crc-modules-6.1.0-21-4kc-malta-di, p-cpe:/a:debian:debian_linux:input-modules-6.1.0-21-loongson-3-di, p-cpe:/a:debian:debian_linux:firewire-core-modules-6.1.0-21-loongson-3-di, p-cpe:/a:debian:debian_linux:isofs-modules-6.1.0-21-octeon-di, p-cpe:/a:debian:debian_linux:linux-image-6.1.0-21-rpi, p-cpe:/a:debian:debian_linux:isofs-modules-6.1.0-21-5kc-malta-di, p-cpe:/a:debian:debian_linux:ext4-modules-6.1.0-21-5kc-malta-di, p-cpe:/a:debian:debian_linux:ata-modules-6.1.0-21-octeon-di, p-cpe:/a:debian:debian_linux:uinput-modules-6.1.0-21-armmp-di, p-cpe:/a:debian:debian_linux:udf-modules-6.1.0-21-5kc-malta-di, p-cpe:/a:debian:debian_linux:input-modules-6.1.0-21-4kc-malta-di, p-cpe:/a:debian:debian_linux:crc-modules-6.1.0-21-5kc-malta-di, p-cpe:/a:debian:debian_linux:linux-image-armmp-lpae-dbg, p-cpe:/a:debian:debian_linux:f2fs-modules-6.1.0-21-mips32r2el-di, p-cpe:/a:debian:debian_linux:linux-headers-5kc-malta, p-cpe:/a:debian:debian_linux:nfs-modules-6.1.0-21-mips32r2el-di, p-cpe:/a:debian:debian_linux:event-modules-6.1.0-21-5kc-malta-di, p-cpe:/a:debian:debian_linux:multipath-modules-6.1.0-21-s390x-di, p-cpe:/a:debian:debian_linux:crypto-modules-6.1.0-21-s390x-di, p-cpe:/a:debian:debian_linux:f2fs-modules-6.1.0-21-armmp-di, p-cpe:/a:debian:debian_linux:fb-modules-6.1.0-21-powerpc64le-di, p-cpe:/a:debian:debian_linux:linux-image-6.1.0-21-mips32r2el, p-cpe:/a:debian:debian_linux:udf-modules-6.1.0-21-s390x-di, 
p-cpe:/a:debian:debian_linux:scsi-modules-6.1.0-21-mips32r2el-di, p-cpe:/a:debian:debian_linux:mmc-modules-6.1.0-21-4kc-malta-di, p-cpe:/a:debian:debian_linux:nic-wireless-modules-6.1.0-21-loongson-3-di, p-cpe:/a:debian:debian_linux:udf-modules-6.1.0-21-mips64r2el-di, p-cpe:/a:debian:debian_linux:md-modules-6.1.0-21-loongson-3-di, p-cpe:/a:debian:debian_linux:linux-headers-6.1.0-21-octeon, p-cpe:/a:debian:debian_linux:jfs-modules-6.1.0-21-mips64r2el-di, p-cpe:/a:debian:debian_linux:scsi-modules-6.1.0-21-powerpc64le-di, p-cpe:/a:debian:debian_linux:nic-wireless-modules-6.1.0-21-mips32r2el-di, p-cpe:/a:debian:debian_linux:scsi-nic-modules-6.1.0-21-mips32r2el-di, p-cpe:/a:debian:debian_linux:nic-usb-modules-6.1.0-21-powerpc64le-di, p-cpe:/a:debian:debian_linux:linux-headers-6.1.0-21-5kc-malta, p-cpe:/a:debian:debian_linux:multipath-modules-6.1.0-21-4kc-malta-di, p-cpe:/a:debian:debian_linux:multipath-modules-6.1.0-21-5kc-malta-di, p-cpe:/a:debian:debian_linux:fat-modules-6.1.0-21-loongson-3-di, p-cpe:/a:debian:debian_linux:ipv6-modules-6.1.0-21-marvell-di, p-cpe:/a:debian:debian_linux:minix-modules-6.1.0-21-4kc-malta-di, p-cpe:/a:debian:debian_linux:jfs-modules-6.1.0-21-5kc-malta-di, p-cpe:/a:debian:debian_linux:ppp-modules-6.1.0-21-marvell-di, p-cpe:/a:debian:debian_linux:linux-image-cloud-amd64-dbg, p-cpe:/a:debian:debian_linux:linux-image-6.1.0-21-rt-686-pae-dbg, p-cpe:/a:debian:debian_linux:isofs-modules-6.1.0-21-loongson-3-di, p-cpe:/a:debian:debian_linux:linux-headers-6.1.0-21-common-rt, p-cpe:/a:debian:debian_linux:i2c-modules-6.1.0-21-armmp-di, p-cpe:/a:debian:debian_linux:jfs-modules-6.1.0-21-armmp-di, p-cpe:/a:debian:debian_linux:usb-storage-modules-6.1.0-21-octeon-di, p-cpe:/a:debian:debian_linux:linux-image-5kc-malta-dbg, p-cpe:/a:debian:debian_linux:isofs-modules-6.1.0-21-mips32r2el-di, p-cpe:/a:debian:debian_linux:sata-modules-6.1.0-21-armmp-di, p-cpe:/a:debian:debian_linux:pata-modules-6.1.0-21-octeon-di, 

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 5/6/2024

Vulnerability Publication Date: 2/26/2024

Reference Information

CVE: CVE-2024-26605, CVE-2024-26817, CVE-2024-26922, CVE-2024-26923, CVE-2024-26924, CVE-2024-26925, CVE-2024-26926, CVE-2024-26936, CVE-2024-26939, CVE-2024-26980, CVE-2024-26981, CVE-2024-26983, CVE-2024-26984, CVE-2024-26987, CVE-2024-26988, CVE-2024-26989, CVE-2024-26992, CVE-2024-26993, CVE-2024-26994, CVE-2024-26996, CVE-2024-26997, CVE-2024-26999, CVE-2024-27000, CVE-2024-27001, CVE-2024-27002, CVE-2024-27003, CVE-2024-27004, CVE-2024-27008, CVE-2024-27009, CVE-2024-27013, CVE-2024-27014, CVE-2024-27015, CVE-2024-27016, CVE-2024-27018, CVE-2024-27019, CVE-2024-27020, CVE-2024-27022