From f98a3e0f691d8798a919224d371878b2ba467de7 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <dvlasenk@redhat.com>
Date: Thu, 6 Jun 2024 19:05:48 +0200
Subject: [PATCH] kernel-4.18.0-553.7.1.el8_10

* Thu Jun 06 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.7.1.el8_10]
- net: qcom/emac: fix UAF in emac_remove (Ken Cox) [RHEL-37834] {CVE-2021-47311}
- perf/core: Bail out early if the request AUX area is out of bound (Michael Petlan) [RHEL-38268] {CVE-2023-52835}
- crypto: pcrypt - Fix hungtask for PADATA_RESET (Herbert Xu) [RHEL-38171] {CVE-2023-52813}
- drm/amdgpu: fix use-after-free bug (Jocelyn Falempe) [RHEL-31240] {CVE-2024-26656}
- mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash (Ivan Vecera) [RHEL-37008] {CVE-2024-35854}
- mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update (Ivan Vecera) [RHEL-37004] {CVE-2024-35855}
- mlxsw: spectrum_acl_tcam: Fix memory leak during rehash (Ivan Vecera) [RHEL-37012] {CVE-2024-35853}
- mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work (Ivan Vecera) [RHEL-37016] {CVE-2024-35852}
- mlxsw: spectrum_acl_tcam: Fix warning during rehash (Ivan Vecera) [RHEL-37480] {CVE-2024-36007}
- can: peak_pci: peak_pci_remove(): fix UAF (Jose Ignacio Tornos Martinez) [RHEL-38419] {CVE-2021-47456}
- usbnet: fix error return code in usbnet_probe() (Jose Ignacio Tornos Martinez) [RHEL-38440] {CVE-2021-47495}
- usbnet: sanity check for maxpacket (Jose Ignacio Tornos Martinez) [RHEL-38440] {CVE-2021-47495}
- net/mlx5e: fix a double-free in arfs_create_groups (Kamal Heib) [RHEL-36920] {CVE-2024-35835}
- can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds (Jose Ignacio Tornos Martinez) [RHEL-38220] {CVE-2023-52878}
- net: cdc_eem: fix tx fixup skb leak (Jose Ignacio Tornos Martinez) [RHEL-38080] {CVE-2021-47236}
- net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path (Jose Ignacio Tornos Martinez) [RHEL-38113] {CVE-2023-52703}
- usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm() (Desnes Nunes) [RHEL-38248] {CVE-2023-52877}
- usb: config: fix iteration issue in 'usb_get_bos_descriptor()' (Desnes Nunes) [RHEL-38240] {CVE-2023-52781}
- gro: fix ownership transfer (Xin Long) [RHEL-37226] {CVE-2024-35890}
- tipc: fix kernel warning when sending SYN message (Xin Long) [RHEL-38109] {CVE-2023-52700}
- erspan: make sure erspan_base_hdr is present in skb->head (Xin Long) [RHEL-37230] {CVE-2024-35888}
- scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add() (Bryan Gurney) [RHEL-17366]
- scsi: mpi3mr: Sanitise num_phys (Bryan Gurney) [RHEL-17366]
- netfilter: nf_tables: use timestamp to check for set element timeout (Phil Sutter) [RHEL-38023] {CVE-2024-27397}
- net/ipv6: SKB symmetric hash should incorporate transport ports (Sabrina Dubroca) [RHEL-32061]
- crypto: s390/aes - Fix buffer overread in CTR mode (Herbert Xu) [RHEL-37089] {CVE-2023-52669}
- net: Save and restore msg_namelen in sock_sendmsg (Jamie Bainbridge) [RHEL-35893]
- net: prevent address rewrite in kernel_bind() (Jamie Bainbridge) [RHEL-35893]
- net: prevent rewrite of msg_name in sock_sendmsg() (Jamie Bainbridge) [RHEL-35893]
- net: replace calls to sock->ops->connect() with kernel_connect() (Jamie Bainbridge) [RHEL-35893]
- net: Avoid address overwrite in kernel_connect (Jamie Bainbridge) [RHEL-35893]
- wifi: iwlwifi: dbg-tlv: ensure NUL termination (Jose Ignacio Tornos Martinez) [RHEL-37026] {CVE-2024-35845}
- wifi: mac80211: fix potential sta-link leak (Jose Ignacio Tornos Martinez) [RHEL-36916] {CVE-2024-35838}
- wifi: nl80211: reject iftype change with mesh ID change (Jose Ignacio Tornos Martinez) [RHEL-36884] {CVE-2024-27410}
- wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes (Jose Ignacio Tornos Martinez) [RHEL-36807] {CVE-2024-35789}
- Bluetooth: Avoid potential use-after-free in hci_error_reset (David Marlin) [RHEL-31826] {CVE-2024-26801}
- tls: disable async encrypt/decrypt (Sabrina Dubroca) [RHEL-26362 RHEL-26409 RHEL-26420] {CVE-2024-26584 CVE-2024-26583 CVE-2024-26585}
- Squashfs: check the inode number is not the invalid value of zero (Phillip Lougher) [RHEL-35096] {CVE-2024-26982}
- ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
- ipc/msg.c: update and document memory barriers (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
- ipc/sem.c: document and update memory barriers (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
- ipc/mqueue.c: update/document memory barriers (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
- ipc/mqueue.c: remove duplicated code (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
- net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context (Kamal Heib) [RHEL-30582] {CVE-2023-52626}
- Revert "ACPI: bus: Rework system-level device notification handling" (Prarit Bhargava) [RHEL-21486]
- hwrng: core - Fix page fault dead lock on mmap-ed hwrng (Prarit Bhargava) [RHEL-29485] {CVE-2023-52615}
Resolves: RHEL-17366, RHEL-21486, RHEL-26362, RHEL-26409, RHEL-26420, RHEL-27782, RHEL-29485, RHEL-30582, RHEL-31240, RHEL-31826, RHEL-32061, RHEL-35096, RHEL-35893, RHEL-36807, RHEL-36884, RHEL-36916, RHEL-36920, RHEL-37004, RHEL-37008, RHEL-37012, RHEL-37016, RHEL-37026, RHEL-37089, RHEL-37226, RHEL-37230, RHEL-37480, RHEL-37834, RHEL-38023, RHEL-38080, RHEL-38109, RHEL-38113, RHEL-38171, RHEL-38220, RHEL-38240, RHEL-38248, RHEL-38268, RHEL-38419, RHEL-38440

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
---
 kernel.spec | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 sources     |  4 ++--
 2 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/kernel.spec b/kernel.spec
index c79954d8a..413bc74a5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -38,10 +38,10 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 553.6.1.el8_10
+%define pkgrelease 553.7.1.el8_10
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.6.1%{?dist}
+%define specrelease 553.7.1%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -2696,6 +2696,54 @@ fi
 #
 #
 %changelog
+* Thu Jun 06 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.7.1.el8_10]
+- net: qcom/emac: fix UAF in emac_remove (Ken Cox) [RHEL-37834] {CVE-2021-47311}
+- perf/core: Bail out early if the request AUX area is out of bound (Michael Petlan) [RHEL-38268] {CVE-2023-52835}
+- crypto: pcrypt - Fix hungtask for PADATA_RESET (Herbert Xu) [RHEL-38171] {CVE-2023-52813}
+- drm/amdgpu: fix use-after-free bug (Jocelyn Falempe) [RHEL-31240] {CVE-2024-26656}
+- mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash (Ivan Vecera) [RHEL-37008] {CVE-2024-35854}
+- mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update (Ivan Vecera) [RHEL-37004] {CVE-2024-35855}
+- mlxsw: spectrum_acl_tcam: Fix memory leak during rehash (Ivan Vecera) [RHEL-37012] {CVE-2024-35853}
+- mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work (Ivan Vecera) [RHEL-37016] {CVE-2024-35852}
+- mlxsw: spectrum_acl_tcam: Fix warning during rehash (Ivan Vecera) [RHEL-37480] {CVE-2024-36007}
+- can: peak_pci: peak_pci_remove(): fix UAF (Jose Ignacio Tornos Martinez) [RHEL-38419] {CVE-2021-47456}
+- usbnet: fix error return code in usbnet_probe() (Jose Ignacio Tornos Martinez) [RHEL-38440] {CVE-2021-47495}
+- usbnet: sanity check for maxpacket (Jose Ignacio Tornos Martinez) [RHEL-38440] {CVE-2021-47495}
+- net/mlx5e: fix a double-free in arfs_create_groups (Kamal Heib) [RHEL-36920] {CVE-2024-35835}
+- can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds (Jose Ignacio Tornos Martinez) [RHEL-38220] {CVE-2023-52878}
+- net: cdc_eem: fix tx fixup skb leak (Jose Ignacio Tornos Martinez) [RHEL-38080] {CVE-2021-47236}
+- net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path (Jose Ignacio Tornos Martinez) [RHEL-38113] {CVE-2023-52703}
+- usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm() (Desnes Nunes) [RHEL-38248] {CVE-2023-52877}
+- usb: config: fix iteration issue in 'usb_get_bos_descriptor()' (Desnes Nunes) [RHEL-38240] {CVE-2023-52781}
+- gro: fix ownership transfer (Xin Long) [RHEL-37226] {CVE-2024-35890}
+- tipc: fix kernel warning when sending SYN message (Xin Long) [RHEL-38109] {CVE-2023-52700}
+- erspan: make sure erspan_base_hdr is present in skb->head (Xin Long) [RHEL-37230] {CVE-2024-35888}
+- scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add() (Bryan Gurney) [RHEL-17366]
+- scsi: mpi3mr: Sanitise num_phys (Bryan Gurney) [RHEL-17366]
+- netfilter: nf_tables: use timestamp to check for set element timeout (Phil Sutter) [RHEL-38023] {CVE-2024-27397}
+- net/ipv6: SKB symmetric hash should incorporate transport ports (Sabrina Dubroca) [RHEL-32061]
+- crypto: s390/aes - Fix buffer overread in CTR mode (Herbert Xu) [RHEL-37089] {CVE-2023-52669}
+- net: Save and restore msg_namelen in sock_sendmsg (Jamie Bainbridge) [RHEL-35893]
+- net: prevent address rewrite in kernel_bind() (Jamie Bainbridge) [RHEL-35893]
+- net: prevent rewrite of msg_name in sock_sendmsg() (Jamie Bainbridge) [RHEL-35893]
+- net: replace calls to sock->ops->connect() with kernel_connect() (Jamie Bainbridge) [RHEL-35893]
+- net: Avoid address overwrite in kernel_connect (Jamie Bainbridge) [RHEL-35893]
+- wifi: iwlwifi: dbg-tlv: ensure NUL termination (Jose Ignacio Tornos Martinez) [RHEL-37026] {CVE-2024-35845}
+- wifi: mac80211: fix potential sta-link leak (Jose Ignacio Tornos Martinez) [RHEL-36916] {CVE-2024-35838}
+- wifi: nl80211: reject iftype change with mesh ID change (Jose Ignacio Tornos Martinez) [RHEL-36884] {CVE-2024-27410}
+- wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes (Jose Ignacio Tornos Martinez) [RHEL-36807] {CVE-2024-35789}
+- Bluetooth: Avoid potential use-after-free in hci_error_reset (David Marlin) [RHEL-31826] {CVE-2024-26801}
+- tls: disable async encrypt/decrypt (Sabrina Dubroca) [RHEL-26362 RHEL-26409 RHEL-26420] {CVE-2024-26584 CVE-2024-26583 CVE-2024-26585}
+- Squashfs: check the inode number is not the invalid value of zero (Phillip Lougher) [RHEL-35096] {CVE-2024-26982}
+- ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
+- ipc/msg.c: update and document memory barriers (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
+- ipc/sem.c: document and update memory barriers (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
+- ipc/mqueue.c: update/document memory barriers (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
+- ipc/mqueue.c: remove duplicated code (Rafael Aquini) [RHEL-27782] {CVE-2021-47069}
+- net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context (Kamal Heib) [RHEL-30582] {CVE-2023-52626}
+- Revert "ACPI: bus: Rework system-level device notification handling" (Prarit Bhargava) [RHEL-21486]
+- hwrng: core - Fix page fault dead lock on mmap-ed hwrng (Prarit Bhargava) [RHEL-29485] {CVE-2023-52615}
+
 * Wed May 29 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.6.1.el8_10]
 - powerpc/powernv: Add a null pointer check in opal_event_init() (Mamatha Inamdar) [RHEL-37058] {CVE-2023-52686}
 - crypto: rsa - add a check for allocation failure (Vladis Dronov) [RHEL-35361]
diff --git a/sources b/sources
index 1ec9c4a41..65e2fc12d 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-4.18.0-553.6.1.el8_10.tar.xz) = e1d8fe9f7b91d7db41708bcc54a13232509e143798d1c036d26d69ae18f54ef5f49b7fb25fc0bece6fcaa09abb38b881e33a47c3834b4d34ef05b30b47dd3536
-SHA512 (kernel-abi-stablelists-4.18.0-553.tar.bz2) = 5a764018932c1dacc5d5922de457ca5a1c50b5132caf5a863cd2562ab14086e57238191877377f2646f4044f65d6d3731f4d6b51436d386b4f8ebabd128f1dc9
+SHA512 (linux-4.18.0-553.7.1.el8_10.tar.xz) = b0b9670158ce258b1633b063adcd1ac3541c466be7884f8a222f8dee4ca2ae28b4e087599d1774e8244706662533d56305272af3e0f6def47d45023c5bed599d
+SHA512 (kernel-abi-stablelists-4.18.0-553.tar.bz2) = 08a50ceff021aa0b66e06ea4e3fad07df00d327026a0243775c331aa130450cbf719494714d7d65827c69557c31ed26cbf23716e0ce16a09d6b8a41f2928fb7a
 SHA512 (kernel-kabi-dw-4.18.0-553.tar.bz2) = 8a671ed3c9b7f4b25fd4e594b62bc4a26474cb705d3ed22ca376618b3c7962fc72ace1ffd02c9c3a192d9d2c449d38228809542d7f16ebad16f8127020eb2faf