{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.4.0-1120-kvm", "linux-image-5.4.0-1120-kvm", "linux-kvm-headers-5.4.0-1120", "linux-modules-5.4.0-1120-kvm" ], "removed": [ "linux-headers-5.4.0-1119-kvm", "linux-image-5.4.0-1119-kvm", "linux-kvm-headers-5.4.0-1119", "linux-modules-5.4.0-1119-kvm" ], "diff": [ "linux-headers-kvm", "linux-image-kvm", "linux-kvm" ] } }, "diff": { "deb": [ { "name": "linux-headers-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1119.115", "version": "5.4.0.1119.115" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1120.116", "version": "5.4.0.1120.116" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-1120", "" ], "package": "linux-meta-kvm", "version": "5.4.0.1120.116", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Fri, 16 Aug 2024 11:58:29 +0200" } ], "notes": null }, { "name": "linux-image-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1119.115", "version": "5.4.0.1119.115" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1120.116", "version": "5.4.0.1120.116" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-1120", "" ], "package": "linux-meta-kvm", "version": "5.4.0.1120.116", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Fri, 16 Aug 2024 11:58:29 +0200" } ], "notes": null }, { "name": "linux-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1119.115", "version": "5.4.0.1119.115" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.4.0.1120.116", "version": "5.4.0.1120.116" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-1120", "" ], "package": "linux-meta-kvm", "version": "5.4.0.1120.116", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Fri, 16 Aug 2024 11:58:29 +0200" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.4.0-1120-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1119.127", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1120.128", "version": "5.4.0-1120.128" }, "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": "https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2075944, 2075954, 2075175, 2074215, 2075175, 2073621 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": "https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "log": [ "", " * focal/linux-kvm: 5.4.0-1120.128 -proposed tracker (LP: #2075944)", "", " [ Ubuntu: 5.4.0-195.215 ]", "", " * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)", " * Focal update: v5.4.280 upstream stable release (LP: #2075175)", " - Compiler Attributes: Add __uninitialized macro", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tcp: tcp_mark_head_lost is only valid for sack-tcp", " - tcp: add ece_ack flag to reno sack functions", " - net: tcp better handling of reordering then loss cases", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - wifi: wilc1000: fix ies_len type in connect path", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - media: dw2102: fix a potential buffer overflow", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: add TCP_INFO status for failed client TFO", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - ppp: reject claimed-as-LCP but actually malformed packets", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: fix detection of IP layer", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries", " - tcp: refactor tcp_retransmit_timer()", " - net: tcp: fix unexcepted socket die when snd_wnd is 0", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", " - Linux 5.4.280", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:", " v5.4.280 upstream stable release (LP: #2075175)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", " * Focal update: v5.4.279 upstream stable release (LP: #2073621)", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/mlx5: Stop waiting for PCI if pci channel is offline", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret", " - ASoC: ti: davinci-mcasp: remove always zero of davinci_mcasp_get_dt_params", " - ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional", " - ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing", " - ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling", " - ASoC: ti: davinci-mcasp: Handle missing required DT properties", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - Input: try trimming too long modalias strings", " - SUNRPC: return proper error from gss_wrap_req_priv", " - gpio: tqmx86: fix typo in Kconfig label", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - hv_utils: drain the timesync packets on onchannelcallback", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " - batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - virtio_net: checksum offloading handling fix", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is", " fine.\"", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - i2c: ocores: set IACK bit after core is enabled", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock", " - iio: dac: ad5592r: un-indent code-block for scale read", " - iio: dac: ad5592r: fix temperature channel scaling value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - netfilter: nf_tables: validate family when identifying table via handle", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - net: phy: mchp: Add support for LAN8814 QUAD PHY", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - sparc: fix old compat_sys_select()", " - parisc: use correct compat recv/recvfrom syscalls", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - nvme: fixup comment for nvme RDMA Provider Type", " - gpio: davinci: Validate the obtained number of IRQs", " - x86: stop playing stack games in profile_pc()", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: adc: ad7266: Fix variable checking bug", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - mtd: spinand: macronix: Add support for serial NAND flash", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if readpage failed", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - Linux 5.4.279", " * CVE-2024-26921", " - skbuff: introduce skb_expand_head()", " - skb_expand_head() adjust skb->truesize incorrectly", " - inet: inet_defrag: prevent sk release while still in use", " * CVE-2024-26929", " - scsi: qla2xxx: Fix double free of fcport", " * CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", " * CVE-2024-26830", " - i40e: Refactoring VF MAC filters counting to make more reliable", " - i40e: Fix MAC address setting for a VF via Host/VM", " - i40e: Do not allow untrusted VF to remove administratively set MAC", " * CVE-2024-24860", " - Bluetooth: Fix atomicity violation in {min, max}_key_size_set", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", " * CVE-2024-2201", " - [Config] Set SPECTRE_BHI_ON=y", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", " * CVE-2021-46926", " - ALSA: hda: intel-sdw-acpi: harden detection of controller", "" ], "package": "linux-kvm", "version": "5.4.0-1120.128", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075944, 2075954, 2075175, 2074215, 2075175, 2073621 ], "author": "Thibault Ferrante ", "date": "Fri, 16 Aug 2024 11:21:24 +0200" } ], "notes": "linux-headers-5.4.0-1120-kvm version '5.4.0-1120.128' (source package linux-kvm version '5.4.0-1120.128') was added. linux-headers-5.4.0-1120-kvm version '5.4.0-1120.128' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1119-kvm. As such we can use the source package version of the removed package, '5.4.0-1119.127', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.4.0-1120-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.4.0-1119.127", "version": null }, "to_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.4.0-1120.128", "version": "5.4.0-1120.128" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.4.0-1120.128", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed-kvm", "version": "5.4.0-1120.128", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 1786013 ], "author": "Thibault Ferrante ", "date": "Fri, 16 Aug 2024 11:58:43 +0200" } ], "notes": "linux-image-5.4.0-1120-kvm version '5.4.0-1120.128' (source package linux-signed-kvm version '5.4.0-1120.128') was added. linux-image-5.4.0-1120-kvm version '5.4.0-1120.128' has the same source package name, linux-signed-kvm, as removed package linux-image-5.4.0-1119-kvm. As such we can use the source package version of the removed package, '5.4.0-1119.127', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-kvm-headers-5.4.0-1120", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1119.127", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1120.128", "version": "5.4.0-1120.128" }, "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": "https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2075944, 2075954, 2075175, 2074215, 2075175, 2073621 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": "https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "log": [ "", " * focal/linux-kvm: 5.4.0-1120.128 -proposed tracker (LP: #2075944)", "", " [ Ubuntu: 5.4.0-195.215 ]", "", " * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)", " * Focal update: v5.4.280 upstream stable release (LP: #2075175)", " - Compiler Attributes: Add __uninitialized macro", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tcp: tcp_mark_head_lost is only valid for sack-tcp", " - tcp: add ece_ack flag to reno sack functions", " - net: tcp better handling of reordering then loss cases", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - wifi: wilc1000: fix ies_len type in connect path", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - media: dw2102: fix a potential buffer overflow", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: add TCP_INFO status for failed client TFO", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - ppp: reject claimed-as-LCP but actually malformed packets", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: fix detection of IP layer", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries", " - tcp: refactor tcp_retransmit_timer()", " - net: tcp: fix unexcepted socket die when snd_wnd is 0", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", " - Linux 5.4.280", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:", " v5.4.280 upstream stable release (LP: #2075175)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", " * Focal update: v5.4.279 upstream stable release (LP: #2073621)", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/mlx5: Stop waiting for PCI if pci channel is offline", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret", " - ASoC: ti: davinci-mcasp: remove always zero of davinci_mcasp_get_dt_params", " - ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional", " - ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing", " - ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling", " - ASoC: ti: davinci-mcasp: Handle missing required DT properties", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - Input: try trimming too long modalias strings", " - SUNRPC: return proper error from gss_wrap_req_priv", " - gpio: tqmx86: fix typo in Kconfig label", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - hv_utils: drain the timesync packets on onchannelcallback", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " - batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - virtio_net: checksum offloading handling fix", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is", " fine.\"", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - i2c: ocores: set IACK bit after core is enabled", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock", " - iio: dac: ad5592r: un-indent code-block for scale read", " - iio: dac: ad5592r: fix temperature channel scaling value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - netfilter: nf_tables: validate family when identifying table via handle", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - net: phy: mchp: Add support for LAN8814 QUAD PHY", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - sparc: fix old compat_sys_select()", " - parisc: use correct compat recv/recvfrom syscalls", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - nvme: fixup comment for nvme RDMA Provider Type", " - gpio: davinci: Validate the obtained number of IRQs", " - x86: stop playing stack games in profile_pc()", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: adc: ad7266: Fix variable checking bug", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - mtd: spinand: macronix: Add support for serial NAND flash", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if readpage failed", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - Linux 5.4.279", " * CVE-2024-26921", " - skbuff: introduce skb_expand_head()", " - skb_expand_head() adjust skb->truesize incorrectly", " - inet: inet_defrag: prevent sk release while still in use", " * CVE-2024-26929", " - scsi: qla2xxx: Fix double free of fcport", " * CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", " * CVE-2024-26830", " - i40e: Refactoring VF MAC filters counting to make more reliable", " - i40e: Fix MAC address setting for a VF via Host/VM", " - i40e: Do not allow untrusted VF to remove administratively set MAC", " * CVE-2024-24860", " - Bluetooth: Fix atomicity violation in {min, max}_key_size_set", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", " * CVE-2024-2201", " - [Config] Set SPECTRE_BHI_ON=y", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", " * CVE-2021-46926", " - ALSA: hda: intel-sdw-acpi: harden detection of controller", "" ], "package": "linux-kvm", "version": "5.4.0-1120.128", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075944, 2075954, 2075175, 2074215, 2075175, 2073621 ], "author": "Thibault Ferrante ", "date": "Fri, 16 Aug 2024 11:21:24 +0200" } ], "notes": "linux-kvm-headers-5.4.0-1120 version '5.4.0-1120.128' (source package linux-kvm version '5.4.0-1120.128') was added. linux-kvm-headers-5.4.0-1120 version '5.4.0-1120.128' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1119-kvm. As such we can use the source package version of the removed package, '5.4.0-1119.127', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.4.0-1120-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1119.127", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1120.128", "version": "5.4.0-1120.128" }, "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": "https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2075944, 2075954, 2075175, 2074215, 2075175, 2073621 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": "https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "log": [ "", " * focal/linux-kvm: 5.4.0-1120.128 -proposed tracker (LP: #2075944)", "", " [ Ubuntu: 5.4.0-195.215 ]", "", " * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)", " * Focal update: v5.4.280 upstream stable release (LP: #2075175)", " - Compiler Attributes: Add __uninitialized macro", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tcp: tcp_mark_head_lost is only valid for sack-tcp", " - tcp: add ece_ack flag to reno sack functions", " - net: tcp better handling of reordering then loss cases", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - wifi: wilc1000: fix ies_len type in connect path", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - media: dw2102: fix a potential buffer overflow", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: add TCP_INFO status for failed client TFO", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - ppp: reject claimed-as-LCP but actually malformed packets", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: fix detection of IP layer", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries", " - tcp: refactor tcp_retransmit_timer()", " - net: tcp: fix unexcepted socket die when snd_wnd is 0", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", " - Linux 5.4.280", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:", " v5.4.280 upstream stable release (LP: #2075175)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", " * Focal update: v5.4.279 upstream stable release (LP: #2073621)", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/mlx5: Stop waiting for PCI if pci channel is offline", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret", " - ASoC: ti: davinci-mcasp: remove always zero of davinci_mcasp_get_dt_params", " - ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional", " - ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing", " - ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling", " - ASoC: ti: davinci-mcasp: Handle missing required DT properties", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - Input: try trimming too long modalias strings", " - SUNRPC: return proper error from gss_wrap_req_priv", " - gpio: tqmx86: fix typo in Kconfig label", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - hv_utils: drain the timesync packets on onchannelcallback", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " - batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - virtio_net: checksum offloading handling fix", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is", " fine.\"", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - i2c: ocores: set IACK bit after core is enabled", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock", " - iio: dac: ad5592r: un-indent code-block for scale read", " - iio: dac: ad5592r: fix temperature channel scaling value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - netfilter: nf_tables: validate family when identifying table via handle", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - net: phy: mchp: Add support for LAN8814 QUAD PHY", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - sparc: fix old compat_sys_select()", " - parisc: use correct compat recv/recvfrom syscalls", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - nvme: fixup comment for nvme RDMA Provider Type", " - gpio: davinci: Validate the obtained number of IRQs", " - x86: stop playing stack games in profile_pc()", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: adc: ad7266: Fix variable checking bug", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - mtd: spinand: macronix: Add support for serial NAND flash", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if readpage failed", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - Linux 5.4.279", " * CVE-2024-26921", " - skbuff: introduce skb_expand_head()", " - skb_expand_head() adjust skb->truesize incorrectly", " - inet: inet_defrag: prevent sk release while still in use", " * CVE-2024-26929", " - scsi: qla2xxx: Fix double free of fcport", " * CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", " * CVE-2024-26830", " - i40e: Refactoring VF MAC filters counting to make more reliable", " - i40e: Fix MAC address setting for a VF via Host/VM", " - i40e: Do not allow untrusted VF to remove administratively set MAC", " * CVE-2024-24860", " - Bluetooth: Fix atomicity violation in {min, max}_key_size_set", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", " * CVE-2024-2201", " - [Config] Set SPECTRE_BHI_ON=y", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", " * CVE-2021-46926", " - ALSA: hda: intel-sdw-acpi: harden detection of controller", "" ], "package": "linux-kvm", "version": "5.4.0-1120.128", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075944, 2075954, 2075175, 2074215, 2075175, 2073621 ], "author": "Thibault Ferrante ", "date": "Fri, 16 Aug 2024 11:21:24 +0200" } ], "notes": "linux-modules-5.4.0-1120-kvm version '5.4.0-1120.128' (source package linux-kvm version '5.4.0-1120.128') was added. linux-modules-5.4.0-1120-kvm version '5.4.0-1120.128' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1119-kvm. As such we can use the source package version of the removed package, '5.4.0-1119.127', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.4.0-1119-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1119.127", "version": "5.4.0-1119.127" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.4.0-1119-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.4.0-1119.127", "version": "5.4.0-1119.127" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-kvm-headers-5.4.0-1119", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1119.127", "version": "5.4.0-1119.127" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.4.0-1119-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.4.0-1119.127", "version": "5.4.0-1119.127" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 20.04 focal image from daily image serial 20240905 to 20240911", "from_series": "focal", "to_series": "focal", "from_serial": "20240905", "to_serial": "20240911", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }