Amazon Linux AMI 2: CVE-2024-56643: Security patch for kernel (Multiple Advisories)

In the Linux kernel, the following vulnerability has been resolved:

dccp: Fix memory leak in dccp_feat_change_recv

If dccp_feat_push_confirm() fails after new value for SP feature was accepted
without reconciliation ('entry == NULL' branch), memory allocated for that value
with dccp_feat_clone_sp_val() is never freed.

Here is the kmemleak stack for this:

unreferenced object 0xffff88801d4ab488 (size 8):
comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)
hex dump (first 8 bytes):
01 b4 4a 1d 80 88 ff ff ..J.....
backtrace:
[] kmemdup+0x23/0x50 mm/util.c:128
[] kmemdup include/linux/string.h:465 [inline]
[] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]
[] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]
[] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]
[] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416
[] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125
[] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650
[] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688
[] sk_backlog_rcv include/net/sock.h:1041 [inline]
[] __release_sock+0x139/0x3b0 net/core/sock.c:2570
[] release_sock+0x54/0x1b0 net/core/sock.c:3111
[] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]
[] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696
[] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735
[ [] __sys_connect+0x165/0x1a0 net/socket.c:1882
[] __do_sys_connect net/socket.c:1892 [inline]
[] __se_sys_connect net/socket.c:1889 [inline]
[] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889
[] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
[] entry_SYSCALL_64_after_hwframe+0x67/0xd1

Clean up the allocated memory in case of dccp_feat_push_confirm() failure
and bail out with an error reset code.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.