{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-headers-5.4.0-1123-kvm",
                "linux-image-5.4.0-1123-kvm",
                "linux-kvm-headers-5.4.0-1123",
                "linux-modules-5.4.0-1123-kvm",
                "python3-packaging",
                "python3-pyparsing"
            ],
            "removed": [
                "linux-headers-5.4.0-1122-kvm",
                "linux-image-5.4.0-1122-kvm",
                "linux-kvm-headers-5.4.0-1122",
                "linux-modules-5.4.0-1122-kvm"
            ],
            "diff": [
                "distro-info-data",
                "linux-headers-kvm",
                "linux-image-kvm",
                "linux-kvm",
                "python3-urllib3",
                "sosreport"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "distro-info-data",
                "from_version": {
                    "source_package_name": "distro-info-data",
                    "source_package_version": "0.43ubuntu1.16",
                    "version": "0.43ubuntu1.16"
                },
                "to_version": {
                    "source_package_name": "distro-info-data",
                    "source_package_version": "0.43ubuntu1.17",
                    "version": "0.43ubuntu1.17"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2084572
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add Ubuntu 25.04 Plucky Puffin (LP: #2084572)",
                            ""
                        ],
                        "package": "distro-info-data",
                        "version": "0.43ubuntu1.17",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2084572
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 17 Oct 2024 12:48:27 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "linux-headers-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1122.118",
                    "version": "5.4.0.1122.118"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1123.119",
                    "version": "5.4.0.1123.119"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1123",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1123.119",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Koichiro Den <koichiro.den@canonical.com>",
                        "date": "Fri, 11 Oct 2024 22:08:46 +0900"
                    }
                ],
                "notes": null
            },
            {
                "name": "linux-image-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1122.118",
                    "version": "5.4.0.1122.118"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1123.119",
                    "version": "5.4.0.1123.119"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1123",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1123.119",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Koichiro Den <koichiro.den@canonical.com>",
                        "date": "Fri, 11 Oct 2024 22:08:46 +0900"
                    }
                ],
                "notes": null
            },
            {
                "name": "linux-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1122.118",
                    "version": "5.4.0.1122.118"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1123.119",
                    "version": "5.4.0.1123.119"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1123",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1123.119",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Koichiro Den <koichiro.den@canonical.com>",
                        "date": "Fri, 11 Oct 2024 22:08:46 +0900"
                    }
                ],
                "notes": null
            },
            {
                "name": "python3-urllib3",
                "from_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "1.25.8-2ubuntu0.3",
                    "version": "1.25.8-2ubuntu0.3"
                },
                "to_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "1.25.8-2ubuntu0.4",
                    "version": "1.25.8-2ubuntu0.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-37891",
                        "url": "https://ubuntu.com/security/CVE-2024-37891",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.",
                        "cve_priority": "low",
                        "cve_public_date": "2024-06-17 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-37891",
                                "url": "https://ubuntu.com/security/CVE-2024-37891",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.",
                                "cve_priority": "low",
                                "cve_public_date": "2024-06-17 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: The Proxy-Authorization header is not correctly stripped",
                            "    when redirecting to a different host.",
                            "    - debian/patches/CVE-2024-37891.patch: Add \"Proxy-Authorization\" to",
                            "      DEFAULT_REDIRECT_HEADERS_BLACKLIST in src/urllib3/util/retry.py. Add",
                            "      header to tests.",
                            "    - CVE-2024-37891",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "1.25.8-2ubuntu0.4",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 16 Oct 2024 17:58:58 -0230"
                    }
                ],
                "notes": null
            },
            {
                "name": "sosreport",
                "from_version": {
                    "source_package_name": "sosreport",
                    "source_package_version": "4.5.6-0ubuntu1~20.04.2",
                    "version": "4.5.6-0ubuntu1~20.04.2"
                },
                "to_version": {
                    "source_package_name": "sosreport",
                    "source_package_version": "4.7.2-0ubuntu1~20.04.1",
                    "version": "4.7.2-0ubuntu1~20.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2054395
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New 4.7.2 upstream release. (LP: #2054395)",
                            "",
                            "  * For more details, full release note is available here:",
                            "    - https://github.com/sosreport/sos/releases/tag/4.7.2",
                            "",
                            "  * d/control:",
                            "    - Add 'python3-packaging' as part of the runtime depends.",
                            "    - Add 'python3-packaging' as part of the build depends:",
                            "      Use packaging for version comparison instead of pkg_resources from",
                            "      setuptools.",
                            "    - Add 'python3-yaml' as part of the build depends:",
                            "      The new saltstack collect plugin now imports the yaml module, this is",
                            "      now required to build and run the sos package",
                            "",
                            "  * Former patches, now fixed:",
                            "    - d/p/0002-obfuscate-netplan-ssid-password.patch",
                            "",
                            "  * Remaining patches:",
                            "    - d/p/0001-debian-change-tmp-dir-location.patch",
                            "    - d/p/0002-debian-remove-magic-stderr.patch",
                            ""
                        ],
                        "package": "sosreport",
                        "version": "4.7.2-0ubuntu1~20.04.1",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2054395
                        ],
                        "author": "Arif Ali <arif.ali@canonical.com>",
                        "date": "Fri, 21 Jun 2024 10:02:02 +0100"
                    }
                ],
                "notes": null
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-5.4.0-1123-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1123.131",
                    "version": "5.4.0-1123.131"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-26800",
                        "url": "https://ubuntu.com/security/CVE-2024-26800",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-04-04 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26641",
                        "url": "https://ubuntu.com/security/CVE-2024-26641",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write 
fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-47212",
                        "url": "https://ubuntu.com/security/CVE-2021-47212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 
0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-10 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42244",
                        "url": "https://ubuntu.com/security/CVE-2024-42244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: serial: mos7840: fix crash on resume  Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one.  This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure.  Fix this by implementing dedicated suspend and resume functions for mos7840.  Tested with Delock 87414 USB 2.0 to 4x serial adapter.  [ johan: analyse crash and rewrite commit message; set busy flag on          resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-07 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-40929",
                        "url": "https://ubuntu.com/security/CVE-2024-40929",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: mvm: check n_ssids before accessing the ssids  In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-12 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-41073",
                        "url": "https://ubuntu.com/security/CVE-2024-41073",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme: avoid double free special payload  If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-29 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-41071",
                        "url": "https://ubuntu.com/security/CVE-2024-41071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Avoid address calculations via out of bounds array indexing  req->n_channels must be set before req->channels[] can be used.  This patch fixes one of the issues encountered in [1].  [   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [   83.964264] Call Trace: [   83.964267]  <TASK> [   83.964269]  dump_stack_lvl+0x3f/0xc0 [   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110 [   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0 [   83.964281]  __ieee80211_start_scan+0x601/0x990 [   83.964291]  nl80211_trigger_scan+0x874/0x980 [   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160 [   83.964298]  genl_rcv_msg+0x240/0x270 [...]  [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-29 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42229",
                        "url": "https://ubuntu.com/security/CVE-2024-42229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aead,cipher - zeroize key buffer after use  I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38611",
                        "url": "https://ubuntu.com/security/CVE-2024-38611",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38602",
                        "url": "https://ubuntu.com/security/CVE-2024-38602",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-35848",
                        "url": "https://ubuntu.com/security/CVE-2024-35848",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-17 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26669",
                        "url": "https://ubuntu.com/security/CVE-2024-26669",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26668",
                        "url": "https://ubuntu.com/security/CVE-2024-26668",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. It's better to reject this rather than having incorrect ratelimit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26640",
                        "url": "https://ubuntu.com/security/CVE-2024-26640",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26607",
                        "url": "https://ubuntu.com/security/CVE-2024-26607",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] __device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. 
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-02-29 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2023-52614",
                        "url": "https://ubuntu.com/security/CVE-2023-52614",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2023-52531",
                        "url": "https://ubuntu.com/security/CVE-2023-52531",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want to point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-02 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-36402",
                        "url": "https://ubuntu.com/security/CVE-2022-36402",
                        "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
                        "cve_priority": "high",
                        "cve_public_date": "2022-09-16 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27051",
                        "url": "https://ubuntu.com/security/CVE-2024-27051",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-01 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26891",
                        "url": "https://ubuntu.com/security/CVE-2024-26891",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) 
GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] <NMI> [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? 
ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-17 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26885",
                        "url": "https://ubuntu.com/security/CVE-2024-26885",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number of hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-17 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-45016",
                        "url": "https://ubuntu.com/security/CVE-2024-45016",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-11 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38630",
                        "url": "https://ubuntu.com/security/CVE-2024-38630",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-06-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27397",
                        "url": "https://ubuntu.com/security/CVE-2024-27397",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-14 15:12:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26960",
                        "url": "https://ubuntu.com/security/CVE-2024-26960",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2082926,
                    2082937,
                    1786013,
                    2081085,
                    2081278,
                    2080595,
                    2078388,
                    2076097,
                    2080595
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-26800",
                                "url": "https://ubuntu.com/security/CVE-2024-26800",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-04-04 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26641",
                                "url": "https://ubuntu.com/security/CVE-2024-26641",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write 
fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-47212",
                                "url": "https://ubuntu.com/security/CVE-2021-47212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 
0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-10 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42244",
                                "url": "https://ubuntu.com/security/CVE-2024-42244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: serial: mos7840: fix crash on resume  Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one.  This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure.  Fix this by implementing dedicated suspend and resume functions for mos7840.  Tested with Delock 87414 USB 2.0 to 4x serial adapter.  [ johan: analyse crash and rewrite commit message; set busy flag on          resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-07 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-40929",
                                "url": "https://ubuntu.com/security/CVE-2024-40929",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: mvm: check n_ssids before accessing the ssids  In some versions of cfg80211, the ssids pointer might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cause an out-of-bound access. Fix this by checking n_ssids first.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-12 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-41073",
                                "url": "https://ubuntu.com/security/CVE-2024-41073",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme: avoid double free special payload  If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-29 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-41071",
                                "url": "https://ubuntu.com/security/CVE-2024-41071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Avoid address calculations via out of bounds array indexing  req->n_channels must be set before req->channels[] can be used.  This patch fixes one of the issues encountered in [1].  [   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [   83.964264] Call Trace: [   83.964267]  <TASK> [   83.964269]  dump_stack_lvl+0x3f/0xc0 [   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110 [   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0 [   83.964281]  __ieee80211_start_scan+0x601/0x990 [   83.964291]  nl80211_trigger_scan+0x874/0x980 [   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160 [   83.964298]  genl_rcv_msg+0x240/0x270 [...]  [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-29 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42229",
                                "url": "https://ubuntu.com/security/CVE-2024-42229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aead,cipher - zeroize key buffer after use  I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38611",
                                "url": "https://ubuntu.com/security/CVE-2024-38611",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38602",
                                "url": "https://ubuntu.com/security/CVE-2024-38602",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-35848",
                                "url": "https://ubuntu.com/security/CVE-2024-35848",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-17 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26669",
                                "url": "https://ubuntu.com/security/CVE-2024-26669",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26668",
                                "url": "https://ubuntu.com/security/CVE-2024-26668",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26640",
                                "url": "https://ubuntu.com/security/CVE-2024-26640",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26607",
                                "url": "https://ubuntu.com/security/CVE-2024-26607",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] __device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. 
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-02-29 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2023-52614",
                                "url": "https://ubuntu.com/security/CVE-2023-52614",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2023-52531",
                                "url": "https://ubuntu.com/security/CVE-2023-52531",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-02 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-36402",
                                "url": "https://ubuntu.com/security/CVE-2022-36402",
                                "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
                                "cve_priority": "high",
                                "cve_public_date": "2022-09-16 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27051",
                                "url": "https://ubuntu.com/security/CVE-2024-27051",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-01 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26891",
                                "url": "https://ubuntu.com/security/CVE-2024-26891",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) 
GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] <NMI> [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? 
ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-17 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26885",
                                "url": "https://ubuntu.com/security/CVE-2024-26885",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-17 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-45016",
                                "url": "https://ubuntu.com/security/CVE-2024-45016",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-11 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38630",
                                "url": "https://ubuntu.com/security/CVE-2024-38630",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-06-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27397",
                                "url": "https://ubuntu.com/security/CVE-2024-27397",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-14 15:12:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26960",
                                "url": "https://ubuntu.com/security/CVE-2024-26960",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1123.131 -proposed tracker (LP: #2082926)",
                            "",
                            "  [ Ubuntu: 5.4.0-200.220 ]",
                            "",
                            "  * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2024.09.30)",
                            "  * CVE-2024-26800",
                            "    - tls: rx: coalesce exit paths in tls_decrypt_sg()",
                            "    - tls: separate no-async decryption request handling from async",
                            "    - tls: fix use-after-free on failed backlog decryption",
                            "  * CVE-2024-26641",
                            "    - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()",
                            "  * CVE-2021-47212",
                            "    - net/mlx5: Update error handler for UCTX and UMEM",
                            "  * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks",
                            "    (LP: #2081085)",
                            "    - bdi: use bdi_dev_name() to get device name",
                            "  * Focal update: v5.4.284 upstream stable release (LP: #2081278)",
                            "    - drm: panel-orientation-quirks: Add quirk for OrangePi Neo",
                            "    - i2c: Fix conditional for substituting empty ACPI functions",
                            "    - net: usb: qmi_wwan: add MeiG Smart SRM825L",
                            "    - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr",
                            "    - drm/amdgpu: fix overflowed array index read warning",
                            "    - drm/amd/display: Check gpio_id before used as array index",
                            "    - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6",
                            "    - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]",
                            "    - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within",
                            "      dal_gpio_service_create",
                            "    - drm/amdgpu: fix ucode out-of-bounds read warning",
                            "    - drm/amdgpu: fix mc_data out-of-bounds read warning",
                            "    - drm/amdkfd: Reconcile the definition and use of oem_id in struct",
                            "      kfd_topology_device",
                            "    - apparmor: fix possible NULL pointer dereference",
                            "    - ionic: fix potential irq name truncation",
                            "    - usbip: Don't submit special requests twice",
                            "    - usb: typec: ucsi: Fix null pointer dereference in trace",
                            "    - smack: tcp: ipv4, fix incorrect labeling",
                            "    - wifi: cfg80211: make hash table duplicates more survivable",
                            "    - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null",
                            "    - media: uvcvideo: Enforce alignment of frame and interval",
                            "    - block: initialize integrity buffer to zero before writing it to media",
                            "    - net: set SOCK_RCU_FREE before inserting socket into hashtable",
                            "    - virtio_net: Fix napi_skb_cache_put warning",
                            "    - udf: Limit file size to 4TB",
                            "    - i2c: Use IS_REACHABLE() for substituting empty ACPI functions",
                            "    - sch/netem: fix use after free in netem_dequeue",
                            "    - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object",
                            "    - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius",
                            "      devices",
                            "    - ata: libata: Fix memory leak for error path in ata_host_alloc()",
                            "    - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()",
                            "    - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K",
                            "    - mmc: sdhci-of-aspeed: fix module autoloading",
                            "    - fuse: update stats for pages in dropped aux writeback list",
                            "    - fuse: use unsigned type for getxattr/listxattr size truncation",
                            "    - reset: hi6220: Add support for AO reset controller",
                            "    - clk: hi6220: use CLK_OF_DECLARE_DRIVER",
                            "    - clk: qcom: clk-alpha-pll: Fix the pll post div mask",
                            "    - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API",
                            "    - ila: call nf_unregister_net_hooks() sooner",
                            "    - sched: sch_cake: fix bulk flow accounting logic for host fairness",
                            "    - nilfs2: fix missing cleanup on rollforward recovery error",
                            "    - nilfs2: fix state management in error path of log writing function",
                            "    - ALSA: hda: Add input value sanity checks to HDMI channel map controls",
                            "    - smack: unix sockets: fix accept()ed socket label",
                            "    - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1",
                            "    - af_unix: Remove put_pid()/put_cred() in copy_peercred().",
                            "    - netfilter: nf_conncount: fix wrong variable type",
                            "    - udf: Avoid excessive partition lengths",
                            "    - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3",
                            "    - usb: uas: set host status byte on data completion error",
                            "    - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)",
                            "    - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse",
                            "    - pcmcia: Use resource_size function on resource object",
                            "    - can: bcm: Remove proc entry when dev is unregistered.",
                            "    - igb: Fix not clearing TimeSync interrupts for 82580",
                            "    - platform/x86: dell-smbios: Fix error path in dell_smbios_init()",
                            "    - tcp_bpf: fix return value of tcp_bpf_sendmsg()",
                            "    - cx82310_eth: re-enable ethernet mode after router reboot",
                            "    - drivers/net/usb: Remove all strcpy() uses",
                            "    - net: usb: don't write directly to netdev->dev_addr",
                            "    - usbnet: modern method to get random MAC",
                            "    - net: bridge: fdb: convert is_local to bitops",
                            "    - net: bridge: fdb: convert is_static to bitops",
                            "    - net: bridge: fdb: convert is_sticky to bitops",
                            "    - net: bridge: fdb: convert added_by_user to bitops",
                            "    - net: bridge: fdb: convert added_by_external_learn to use bitops",
                            "    - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN",
                            "    - net: dsa: vsc73xx: fix possible subblocks range of CAPT block",
                            "    - ASoC: topology: Properly initialize soc_enum values",
                            "    - dm init: Handle minors larger than 255",
                            "    - iommu/vt-d: Handle volatile descriptor status read",
                            "    - cgroup: Protect css->cgroup write under css_set_lock",
                            "    - um: line: always fill *error_out in setup_one_line()",
                            "    - devres: Initialize an uninitialized struct member",
                            "    - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv",
                            "    - hwmon: (adc128d818) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (lm95234) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes",
                            "    - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}",
                            "    - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()",
                            "    - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()",
                            "    - btrfs: replace BUG_ON with ASSERT in walk_down_proc()",
                            "    - btrfs: clean up our handling of refs == 0 in snapshot delete",
                            "    - PCI: Add missing bridge lock to pci_bus_lock()",
                            "    - btrfs: initialize location to fix -Wmaybe-uninitialized in",
                            "      btrfs_lookup_dentry()",
                            "    - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup",
                            "    - Input: uinput - reject requests with unreasonable number of slots",
                            "    - usbnet: ipheth: race between ipheth_close and error handling",
                            "    - Squashfs: sanity check symbolic link size",
                            "    - of/irq: Prevent device address out-of-bounds read in interrupt map walk",
                            "    - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()",
                            "    - ata: pata_macio: Use WARN instead of BUG",
                            "    - NFSv4: Add missing rescheduling points in",
                            "      nfs_client_return_marked_delegations",
                            "    - staging: iio: frequency: ad9834: Validate frequency parameter value",
                            "    - iio: buffer-dmaengine: fix releasing dma channel on error",
                            "    - iio: fix scale application in iio_convert_raw_to_processed_unlocked",
                            "    - binder: fix UAF caused by offsets overwrite",
                            "    - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc",
                            "    - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind",
                            "    - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic",
                            "    - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()",
                            "    - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX",
                            "    - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime",
                            "    - clocksource/drivers/timer-of: Remove percpu irq related code",
                            "    - uprobes: Use kzalloc to allocate xol area",
                            "    - ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()",
                            "    - tracing: Avoid possible softlockup in tracing_iter_reset()",
                            "    - nilfs2: replace snprintf in show functions with sysfs_emit",
                            "    - nilfs2: protect references to superblock parameters exposed in sysfs",
                            "    - ACPI: processor: Return an error if acpi_processor_get_info() fails in",
                            "      processor_add()",
                            "    - ACPI: processor: Fix memory leaks in error paths of processor_add()",
                            "    - arm64: acpi: Move get_cpu_for_acpi_id() to a header",
                            "    - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry",
                            "    - nvmet-tcp: fix kernel crash if commands allocation fails",
                            "    - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused",
                            "    - drm/i915/fence: Mark debug_fence_free() with __maybe_unused",
                            "    - rtmutex: Drop rt_mutex::wait_lock before scheduling",
                            "    - net, sunrpc: Remap EPERM in case of connection failure in",
                            "      xs_tcp_setup_socket",
                            "    - cx82310_eth: fix error return code in cx82310_bind()",
                            "    - Linux 5.4.284",
                            "  * CVE-2024-42244",
                            "    - USB: serial: mos7840: fix crash on resume",
                            "  * CVE-2024-40929",
                            "    - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids",
                            "  * CVE-2024-41073",
                            "    - nvme: avoid double free special payload",
                            "  * CVE-2024-41071",
                            "    - wifi: mac80211: Avoid address calculations via out of bounds array indexing",
                            "  * CVE-2024-42229",
                            "    - crypto: aead, cipher - zeroize key buffer after use",
                            "  * CVE-2024-38611",
                            "    - media: i2c: et8ek8: Don't strip remove function when driver is builtin",
                            "  * CVE-2024-38602",
                            "    - ax25: Fix reference count leak issues of ax25_dev",
                            "  * CVE-2024-35848",
                            "    - misc: eeprom: at24: fix regulator underflow",
                            "    - misc: eeprom: at24: register nvmem only after eeprom is ready to use",
                            "    - eeprom: at24: fix memory corruption race condition",
                            "  * CVE-2024-26669",
                            "    - net/sched: flower: Fix chain template offload",
                            "  * CVE-2024-26668",
                            "    - netfilter: nft_limit: rename stateful structure",
                            "    - netfilter: nft_limit: reject configurations that cause integer overflow",
                            "  * CVE-2024-26640",
                            "    - net-zerocopy: Refactor frag-is-remappable test.",
                            "    - tcp: add sanity checks to rx zerocopy",
                            "  * CVE-2024-26607",
                            "    - drm/bridge: sii902x: Fix probing race issue",
                            "  * CVE-2023-52614",
                            "    - PM / devfreq: Fix buffer overflow in trans_stat_show",
                            "  * CVE-2023-52531",
                            "    - wifi: iwlwifi: mvm: Fix a memory corruption issue",
                            "  * CVE-2022-36402",
                            "    - drm/vmwgfx: Use enum to represent graphics context capabilities",
                            "    - drm/vmwgfx: Fix shader stage validation",
                            "  * Focal update: v5.4.283 upstream stable release (LP: #2080595)",
                            "    - fuse: Initialize beyond-EOF page contents before setting uptodate",
                            "    - ALSA: usb-audio: Support Yamaha P-125 quirk entry",
                            "    - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration",
                            "    - s390/dasd: fix error recovery leading to data corruption on ESE devices",
                            "    - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to",
                            "      NUMA_NO_NODE",
                            "    - dm resume: don't return EINVAL when signalled",
                            "    - dm persistent data: fix memory allocation failure",
                            "    - vfs: Don't evict inode under the inode lru traversing context",
                            "    - bitmap: introduce generic optimized bitmap_size()",
                            "    - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE",
                            "    - selinux: fix potential counting error in avc_add_xperms_decision()",
                            "    - drm/amdgpu: Actually check flags for all context ops.",
                            "    - memcg_write_event_control(): fix a user-triggerable oops",
                            "    - overflow.h: Add flex_array_size() helper",
                            "    - overflow: Implement size_t saturating arithmetic helpers",
                            "    - s390/cio: rename bitmap_size() -> idset_bitmap_size()",
                            "    - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()",
                            "    - s390/uv: Panic for set and remove shared access UVC errors",
                            "    - net/mlx5e: Correctly report errors for ethtool rx flows",
                            "    - atm: idt77252: prevent use after free in dequeue_rx()",
                            "    - net: axienet: Fix DMA descriptor cleanup path",
                            "    - net: axienet: Improve DMA error handling",
                            "    - net: axienet: Factor out TX descriptor chain cleanup",
                            "    - net: axienet: Check for DMA mapping errors",
                            "    - net: axienet: Drop MDIO interrupt registers from ethtools dump",
                            "    - net: axienet: Wrap DMA pointer writes to prepare for 64 bit",
                            "    - net: axienet: Upgrade descriptors to hold 64-bit addresses",
                            "    - net: axienet: Autodetect 64-bit DMA capability",
                            "    - net: axienet: Fix register defines comment description",
                            "    - net: dsa: vsc73xx: pass value in phy_write operation",
                            "    - net: hns3: fix a deadlock problem when config TC during resetting",
                            "    - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7",
                            "    - ssb: Fix division by zero issue in ssb_calc_clock_rate",
                            "    - wifi: cw1200: Avoid processing an invalid TIM IE",
                            "    - i2c: riic: avoid potential division by zero",
                            "    - media: radio-isa: use dev_name to fill in bus_info",
                            "    - staging: ks7010: disable bh on tx_dev_lock",
                            "    - binfmt_misc: cleanup on filesystem umount",
                            "    - scsi: spi: Fix sshdr use",
                            "    - gfs2: setattr_chown: Add missing initialization",
                            "    - wifi: iwlwifi: abort scan when rfkill on but device enabled",
                            "    - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock",
                            "    - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu",
                            "    - nvmet-trace: avoid dereferencing pointer too early",
                            "    - ext4: do not trim the group with corrupted block bitmap",
                            "    - quota: Remove BUG_ON from dqget()",
                            "    - media: pci: cx23885: check cx23885_vdev_init() return",
                            "    - fs: binfmt_elf_efpic: don't use missing interpreter's properties",
                            "    - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()",
                            "    - net/sun3_82586: Avoid reading past buffer in debug output",
                            "    - drm/lima: set gp bus_stop bit before hard reset",
                            "    - virtiofs: forbid newlines in tags",
                            "    - md: clean up invalid BUG_ON in md_ioctl",
                            "    - x86: Increase brk randomness entropy for 64-bit systems",
                            "    - powerpc/boot: Handle allocation failure in simple_realloc()",
                            "    - powerpc/boot: Only free if realloc() succeeds",
                            "    - btrfs: change BUG_ON to assertion when checking for delayed_node root",
                            "    - btrfs: handle invalid root reference found in may_destroy_subvol()",
                            "    - btrfs: send: handle unexpected data in header buffer in begin_cmd()",
                            "    - btrfs: delete pointless BUG_ON check on quota root in",
                            "      btrfs_qgroup_account_extent()",
                            "    - f2fs: fix to do sanity check in update_sit_entry",
                            "    - usb: gadget: fsl: Increase size of name buffer for endpoints",
                            "    - nvme: clear caller pointer on identify failure",
                            "    - Bluetooth: bnep: Fix out-of-bound access",
                            "    - nvmet-tcp: do not continue for invalid icreq",
                            "    - NFS: avoid infinite loop in pnfs_update_layout.",
                            "    - openrisc: Call setup_memory() earlier in the init sequence",
                            "    - s390/iucv: fix receive buffer virtual vs physical address confusion",
                            "    - usb: dwc3: core: Skip setting event buffers for host only controllers",
                            "    - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc",
                            "    - ext4: set the type of max_zeroout to unsigned int to avoid overflow",
                            "    - nvmet-rdma: fix possible bad dereference when freeing rsps",
                            "    - hrtimer: Prevent queuing of hrtimer without a function callback",
                            "    - gtp: pull network headers in gtp_dev_xmit()",
                            "    - block: use \"unsigned long\" for blk_validate_block_size().",
                            "    - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)",
                            "    - dm mpath: pass IO start time to path selector",
                            "    - dm: do not use waitqueue for request-based DM",
                            "    - dm suspend: return -ERESTARTSYS instead of -EINTR",
                            "    - Bluetooth: Make use of __check_timeout on hci_sched_le",
                            "    - Bluetooth: hci_core: Fix not handling link timeouts propertly",
                            "    - Bluetooth: hci_core: Fix LE quote calculation",
                            "    - tc-testing: don't access non-existent variable on exception",
                            "    - kcm: Serialise kcm_sendmsg() for the same socket.",
                            "    - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.",
                            "    - net: dsa: mv88e6xxx: global2: Expose ATU stats register",
                            "    - net: dsa: mv88e6xxx: global1_atu: Add helper for get next",
                            "    - net: dsa: mv88e6xxx: read FID when handling ATU violations",
                            "    - net: dsa: mv88e6xxx: replace ATU violation prints with trace points",
                            "    - net: dsa: mv88e6xxx: Fix out-of-bound access",
                            "    - ipv6: prevent UAF in ip6_send_skb()",
                            "    - net: xilinx: axienet: Always disable promiscuous mode",
                            "    - net: xilinx: axienet: Fix dangling multicast addresses",
                            "    - drm/msm: use drm_debug_enabled() to check for debug categories",
                            "    - drm/msm/dpu: don't play tricks with debug macros",
                            "    - mmc: mmc_test: Fix NULL dereference on allocation failure",
                            "    - Bluetooth: MGMT: Add error handling to pair_device()",
                            "    - HID: wacom: Defer calculation of resolution until resolution_code is known",
                            "    - HID: microsoft: Add rumble support to latest xbox controllers",
                            "    - cxgb4: add forgotten u64 ivlan cast before shift",
                            "    - mmc: dw_mmc: allow biu and ciu clocks to defer",
                            "    - ALSA: timer: Relax start tick time check for slave timer elements",
                            "    - Input: MT - limit max slots",
                            "    - tools: move alignment-related macros to new <linux/align.h>",
                            "    - pinctrl: single: fix potential NULL dereference in pcs_get_function()",
                            "    - wifi: mwifiex: duplicate static structs used in driver instances",
                            "    - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages",
                            "    - filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64",
                            "    - media: uvcvideo: Fix integer overflow calculating timestamp",
                            "    - ata: libata-core: Fix null pointer dereference on error",
                            "    - cgroup/cpuset: Prevent UAF in proc_cpuset_show()",
                            "    - net:rds: Fix possible deadlock in rds_message_put",
                            "    - soundwire: stream: fix programming slave ports for non-continous port maps",
                            "    - r8152: Factor out OOB link list waits",
                            "    - ethtool: check device is present when getting link settings",
                            "    - gtp: fix a potential NULL pointer dereference",
                            "    - net: busy-poll: use ktime_get_ns() instead of local_clock()",
                            "    - nfc: pn533: Add dev_up/dev_down hooks to phy_ops",
                            "    - nfc: pn533: Add autopoll capability",
                            "    - nfc: pn533: Add poll mod list filling check",
                            "    - soc: qcom: cmd-db: Map shared memory as WC, not WB",
                            "    - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller",
                            "    - USB: serial: option: add MeiG Smart SRM825L",
                            "    - usb: dwc3: omap: add missing depopulate in probe error path",
                            "    - usb: dwc3: core: Prevent USB core invalid event buffer address access",
                            "    - usb: dwc3: st: fix probed platform device ref count on probe error path",
                            "    - usb: dwc3: st: add missing depopulate in probe error path",
                            "    - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in",
                            "      remove_power_attributes()",
                            "    - net: dsa: mv8e6xxx: Fix stub function parameters",
                            "    - scsi: aacraid: Fix double-free on probe failure",
                            "    - Linux 5.4.283",
                            "  * CVE-2024-27051",
                            "    - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value",
                            "    - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations",
                            "  * CVE-2024-26891",
                            "    - PCI: Make pci_dev_is_disconnected() helper public for other drivers",
                            "    - iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected",
                            "  * Focal update: v5.4.282 upstream stable release (LP: #2078388)",
                            "    - EDAC, skx_common: Refactor so that we initialize \"dev\" in result of adxl",
                            "      decode.",
                            "    - EDAC, skx: Retrieve and print retry_rd_err_log registers",
                            "    - EDAC/skx_common: Add new ADXL components for 2-level memory",
                            "    - EDAC, i10nm: make skx_common.o a separate module",
                            "    - platform/chrome: cros_ec_debugfs: fix wrong EC message version",
                            "    - hfsplus: fix to avoid false alarm of circular locking",
                            "    - x86/of: Return consistent error type from x86_of_pci_irq_enable()",
                            "    - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling",
                            "    - x86/pci/xen: Fix PCIBIOS_* return code handling",
                            "    - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos",
                            "    - hwmon: (adt7475) Fix default duty on fan is disabled",
                            "    - pwm: stm32: Always do lazy disabling",
                            "    - hwmon: (max6697) Fix underflow when writing limit attributes",
                            "    - hwmon: (max6697) Fix swapped temp{1,8} critical alarms",
                            "    - arm64: dts: qcom: sdm845: add power-domain to UFS PHY",
                            "    - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies",
                            "    - arm64: dts: rockchip: Increase VOP clk rate on RK3328",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix board reset",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity",
                            "    - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux",
                            "    - arm64: dts: amlogic: gx: correct hdmi clocks",
                            "    - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages",
                            "    - x86/xen: Convert comma to semicolon",
                            "    - m68k: cmpxchg: Fix return value for default case in __arch_xchg()",
                            "    - firmware: turris-mox-rwtm: Fix checking return value of",
                            "      wait_for_completion_timeout()",
                            "    - firmware: turris-mox-rwtm: Initialize completion before mailbox",
                            "    - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device",
                            "    - net/smc: Allow SMC-D 1MB DMB allocations",
                            "    - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when",
                            "      CONFIG_ARCH_NO_SG_CHAIN is defined",
                            "    - selftests/bpf: Check length of recv in test_sockmap",
                            "    - lib: objagg: Fix general protection fault",
                            "    - mlxsw: spectrum_acl_erp: Fix object nesting warning",
                            "    - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()",
                            "    - wifi: cfg80211: handle 2x996 RU allocation in",
                            "      cfg80211_calculate_bitrate_he()",
                            "    - net: fec: Refactor: #define magic constants",
                            "    - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down",
                            "    - ipvs: Avoid unnecessary calls to skb_is_gso_sctp",
                            "    - netfilter: nf_tables: rise cap on SELinux secmark context",
                            "    - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation",
                            "    - perf: Fix perf_aux_size() for greater-than 32-bit size",
                            "    - perf: Prevent passing zero nr_pages to rb_alloc_aux()",
                            "    - qed: Improve the stack space of filter_config()",
                            "    - wifi: virt_wifi: avoid reporting connection success with wrong SSID",
                            "    - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey",
                            "    - wifi: virt_wifi: don't use strlen() in const context",
                            "    - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures",
                            "    - selftests: forwarding: devlink_lib: Wait for udev events after reloading",
                            "    - media: dvb-usb: Fix unexpected infinite loop in",
                            "      dvb_usb_read_remote_control()",
                            "    - media: imon: Fix race getting ictx->lock",
                            "    - saa7134: Unchecked i2c_transfer function result fixed",
                            "    - media: uvcvideo: Allow entity-defined get_info and get_cur",
                            "    - media: uvcvideo: Override default flags",
                            "    - media: renesas: vsp1: Fix _irqsave and _irq mix",
                            "    - media: renesas: vsp1: Store RPF partition configuration per RPF instance",
                            "    - leds: trigger: Unregister sysfs attributes before calling deactivate()",
                            "    - perf report: Fix condition in sort__sym_cmp()",
                            "    - drm/etnaviv: fix DMA direction handling for cached RW buffers",
                            "    - drm/qxl: Add check for drm_cvt_mode",
                            "    - mfd: omap-usb-tll: Use struct_size to allocate tll",
                            "    - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.",
                            "    - ext4: avoid writing unitialized memory to disk in EA inodes",
                            "    - sparc64: Fix incorrect function signature and add prototype for",
                            "      prom_cif_init",
                            "    - SUNRPC: Fixup gss_status tracepoint error output",
                            "    - PCI: Fix resource double counting on remove & rescan",
                            "    - Input: qt1050 - handle CHIP_ID reading error",
                            "    - RDMA/mlx4: Fix truncated output warning in mad.c",
                            "    - RDMA/mlx4: Fix truncated output warning in alias_GUID.c",
                            "    - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs",
                            "    - ASoC: max98088: Check for clk_prepare_enable() error",
                            "    - mtd: make mtd_test.c a separate module",
                            "    - RDMA/device: Return error earlier if port in not valid",
                            "    - Input: elan_i2c - do not leave interrupt disabled on suspend failure",
                            "    - MIPS: Octeron: remove source file executable bit",
                            "    - powerpc/xmon: Fix disassembly CPU feature checks",
                            "    - macintosh/therm_windtunnel: fix module unload.",
                            "    - bnxt_re: Fix imm_data endianness",
                            "    - netfilter: ctnetlink: use helper function to calculate expect ID",
                            "    - pinctrl: core: fix possible memory leak when pinctrl_enable() fails",
                            "    - pinctrl: single: fix possible memory leak when pinctrl_enable() fails",
                            "    - pinctrl: ti: ti-iodelay: Drop if block with always false condition",
                            "    - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()",
                            "      fails",
                            "    - pinctrl: freescale: mxs: Fix refcount of child",
                            "    - fs/nilfs2: remove some unused macros to tame gcc",
                            "    - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro",
                            "    - rtc: interface: Add RTC offset to alarm after fix-up",
                            "    - tick/broadcast: Make takeover of broadcast hrtimer reliable",
                            "    - net: netconsole: Disable target before netpoll cleanup",
                            "    - af_packet: Handle outgoing VLAN packets without hardware offloading",
                            "    - ipv6: take care of scope when choosing the src addr",
                            "    - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()",
                            "    - media: venus: fix use after free in vdec_close",
                            "    - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()",
                            "    - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes",
                            "    - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes",
                            "    - drm/amd/display: Check for NULL pointer",
                            "    - udf: Avoid using corrupted block bitmap buffer",
                            "    - m68k: amiga: Turn off Warp1260 interrupts during boot",
                            "    - ext4: check dot and dotdot of dx_root before making dir indexed",
                            "    - ext4: make sure the first directory block is not a hole",
                            "    - wifi: mwifiex: Fix interface type change",
                            "    - leds: ss4200: Convert PCIBIOS_* return codes to errnos",
                            "    - tools/memory-model: Fix bug in lock.cat",
                            "    - hwrng: amd - Convert PCIBIOS_* return codes to errnos",
                            "    - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN",
                            "    - binder: fix hang of unregistered readers",
                            "    - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds",
                            "    - f2fs: fix to don't dirty inode for readonly filesystem",
                            "    - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use",
                            "    - ubi: eba: properly rollback inside self_check_eba",
                            "    - decompress_bunzip2: fix rare decompression failure",
                            "    - kobject_uevent: Fix OOB access within zap_modalias_env()",
                            "    - rtc: cmos: Fix return value of nvmem callbacks",
                            "    - scsi: qla2xxx: During vport delete send async logout explicitly",
                            "    - scsi: qla2xxx: Fix for possible memory corruption",
                            "    - scsi: qla2xxx: Complete command early within lock",
                            "    - scsi: qla2xxx: validate nvme_local_port correctly",
                            "    - perf/x86/intel/pt: Fix topa_entry base length",
                            "    - perf/x86/intel/pt: Fix a topa_entry base address calculation",
                            "    - rtc: isl1208: Fix return value of nvmem callbacks",
                            "    - watchdog/perf: properly initialize the turbo mode timestamp and rearm",
                            "      counter",
                            "    - platform: mips: cpu_hwmon: Disable driver on unsupported hardware",
                            "    - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs",
                            "    - selftests/sigaltstack: Fix ppc64 GCC build",
                            "    - rbd: don't assume rbd_is_lock_owner() for exclusive mappings",
                            "    - drm/panfrost: Mark simple_ondemand governor as softdep",
                            "    - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait",
                            "    - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings",
                            "    - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables",
                            "    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591",
                            "    - nilfs2: handle inconsistent state in nilfs_btnode_create_block()",
                            "    - kdb: address -Wformat-security warnings",
                            "    - kdb: Use the passed prompt in kdb_position_cursor()",
                            "    - jfs: Fix array-index-out-of-bounds in diFree",
                            "    - um: time-travel: fix time-travel-start option",
                            "    - libbpf: Fix no-args func prototype BTF dumping syntax",
                            "    - dma: fix call order in dmam_free_coherent",
                            "    - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later",
                            "    - ipv4: Fix incorrect source address in Record Route option",
                            "    - net: bonding: correctly annotate RCU in bond_should_notify_peers()",
                            "    - tipc: Return non-zero value from tipc_udp_addr2str() on error",
                            "    - net: nexthop: Initialize all fields in dumped nexthops",
                            "    - bpf: Fix a segment issue when downgrading gso_size",
                            "    - mISDN: Fix a use after free in hfcmulti_tx()",
                            "    - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()",
                            "    - ASoC: Intel: Convert to new X86 CPU match macros",
                            "    - ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header",
                            "    - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable",
                            "    - nvme-pci: add missing condition check for existence of mapped data",
                            "    - mm: avoid overflows in dirty throttling logic",
                            "    - PCI: rockchip: Make 'ep-gpios' DT property optional",
                            "    - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio",
                            "    - parport: Convert printk(KERN_<LEVEL> to pr_<level>(",
                            "    - parport: Standardize use of printmode",
                            "    - dev/parport: fix the array out-of-bounds risk",
                            "    - driver core: Cast to (void *) with __force for __percpu pointer",
                            "    - devres: Fix memory leakage caused by driver API devm_free_percpu()",
                            "    - genirq: Allow the PM device to originate from irq domain",
                            "    - irqchip/imx-irqsteer: Constify irq_chip struct",
                            "    - irqchip/imx-irqsteer: Add runtime PM support",
                            "    - irqchip/imx-irqsteer: Handle runtime power management correctly",
                            "    - remoteproc: imx_rproc: ignore mapping vdev regions",
                            "    - remoteproc: imx_rproc: Fix ignoring mapping vdev regions",
                            "    - remoteproc: imx_rproc: Skip over memory region when node value is NULL",
                            "    - drm/nouveau: prime: fix refcount underflow",
                            "    - drm/vmwgfx: Fix overlay when using Screen Targets",
                            "    - net/iucv: fix use after free in iucv_sock_close()",
                            "    - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys",
                            "    - ipv6: fix ndisc_is_useropt() handling for PIO",
                            "    - HID: wacom: Modify pen IDs",
                            "    - protect the fetch of ->fd[fd] in do_dup2() from mispredictions",
                            "    - ALSA: usb-audio: Correct surround channels in UAC1 channel map",
                            "    - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read",
                            "    - netfilter: ipset: Add list flush to cancel_gc",
                            "    - genirq: Allow irq_chip registration functions to take a const irq_chip",
                            "    - irqchip/mbigen: Fix mbigen node address layout",
                            "    - x86/mm: Fix pti_clone_pgtable() alignment assumption",
                            "    - sctp: move hlist_node and hashent out of sctp_ep_common",
                            "    - sctp: Fix null-ptr-deref in reuseport_add_sock().",
                            "    - net: usb: qmi_wwan: fix memory leak for not ip packets",
                            "    - net: linkwatch: use system_unbound_wq",
                            "    - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()",
                            "    - net: fec: Stop PPS on driver remove",
                            "    - md/raid5: avoid BUG_ON() while continue reshape after reassembling",
                            "    - clocksource/drivers/sh_cmt: Address race condition for clock events",
                            "    - ACPI: battery: create alarm sysfs attribute atomically",
                            "    - ACPI: SBS: manage alarm sysfs attribute through psy core",
                            "    - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT",
                            "    - PCI: Add Edimax Vendor ID to pci_ids.h",
                            "    - udf: prevent integer overflow in udf_bitmap_free_blocks()",
                            "    - wifi: nl80211: don't give key data to userspace",
                            "    - btrfs: fix bitmap leak when loading free space cache on duplicate entry",
                            "    - drm/amdgpu: Fix the null pointer dereference to ras_manager",
                            "    - media: uvcvideo: Ignore empty TS packets",
                            "    - media: uvcvideo: Fix the bandwdith quirk on USB 3.x",
                            "    - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer",
                            "    - s390/sclp: Prevent release of buffer in I/O",
                            "    - SUNRPC: Fix a race to wake a sync task",
                            "    - ext4: fix wrong unit use in ext4_mb_find_by_goal",
                            "    - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-",
                            "      space",
                            "    - arm64: Add Neoverse-V2 part",
                            "    - arm64: cputype: Add Cortex-X4 definitions",
                            "    - arm64: cputype: Add Neoverse-V3 definitions",
                            "    - arm64: errata: Add workaround for Arm errata 3194386 and 3312417",
                            "    - [Config] Set ARM64_ERRATUM_3194386=y",
                            "    - arm64: cputype: Add Cortex-X3 definitions",
                            "    - arm64: cputype: Add Cortex-A720 definitions",
                            "    - arm64: cputype: Add Cortex-X925 definitions",
                            "    - arm64: errata: Unify speculative SSBS errata logic",
                            "    - arm64: errata: Expand speculative SSBS workaround",
                            "    - arm64: cputype: Add Cortex-X1C definitions",
                            "    - arm64: cputype: Add Cortex-A725 definitions",
                            "    - arm64: errata: Expand speculative SSBS workaround (again)",
                            "    - i2c: smbus: Don't filter out duplicate alerts",
                            "    - i2c: smbus: Improve handling of stuck alerts",
                            "    - i2c: smbus: Send alert notifications to all devices if source not found",
                            "    - bpf: kprobe: remove unused declaring of bpf_kprobe_override",
                            "    - spi: fsl-lpspi: remove unneeded array",
                            "    - spi: spi-fsl-lpspi: Fix scldiv calculation",
                            "    - drm/client: fix null pointer dereference in drm_client_modeset_probe",
                            "    - ALSA: line6: Fix racy access to midibuf",
                            "    - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list",
                            "    - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4",
                            "    - usb: vhci-hcd: Do not drop references before new references are gained",
                            "    - USB: serial: debug: do not echo input by default",
                            "    - usb: gadget: core: Check for unset descriptor",
                            "    - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic",
                            "    - tick/broadcast: Move per CPU pointer access into the atomic section",
                            "    - ntp: Clamp maxerror and esterror to operating range",
                            "    - driver core: Fix uevent_show() vs driver detach race",
                            "    - ntp: Safeguard against time_constant overflow",
                            "    - scsi: mpt3sas: Remove scsi_dma_map() error messages",
                            "    - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES",
                            "    - serial: core: check uartclk for zero to avoid divide by zero",
                            "    - genirq/irqdesc: Honor caller provided affinity in alloc_desc()",
                            "    - power: supply: axp288_charger: Fix constant_charge_voltage writes",
                            "    - power: supply: axp288_charger: Round constant_charge_voltage writes down",
                            "    - tracing: Fix overflow in get_free_elt()",
                            "    - x86/mtrr: Check if fixed MTRRs exist before saving them",
                            "    - drm/bridge: analogix_dp: properly handle zero sized AUX transactions",
                            "    - drm/mgag200: Set DDC timeout in milliseconds",
                            "    - Fix gcc 4.9 build issue in 5.4.y",
                            "    - kbuild: Fix '-S -c' in x86 stack protector scripts",
                            "    - netfilter: nf_tables: set element extended ACK reporting support",
                            "    - netfilter: nf_tables: prefer nft_chain_validate",
                            "    - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation",
                            "    - arm64: cpufeature: Fix the visibility of compat hwcaps",
                            "    - media: uvcvideo: Use entity get_cur in uvc_ctrl_set",
                            "    - exec: Fix ToCToU between perm check and set-uid/gid usage",
                            "    - nvme/pci: Add APST quirk for Lenovo N60z laptop",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode",
                            "    - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in",
                            "      dvb_usb_read_remote_control()\"",
                            "    - Linux 5.4.282",
                            "  * CVE-2024-26885",
                            "    - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches",
                            "  * Focal update: v5.4.281 upstream stable release (LP: #2076097)",
                            "    - gcc-plugins: Rename last_stmt() for GCC 14+",
                            "    - filelock: Remove locks reliably when fcntl/close race is detected",
                            "    - scsi: qedf: Set qed_slowpath_params to zero before use",
                            "    - ACPI: EC: Abort address space access upon error",
                            "    - ACPI: EC: Avoid returning AE_OK on errors in address space handler",
                            "    - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata",
                            "    - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()",
                            "    - Input: silead - Always support 10 fingers",
                            "    - ila: block BH in ila_output()",
                            "    - kconfig: gconf: give a proper initial state to the Save button",
                            "    - kconfig: remove wrong expr_trans_bool()",
                            "    - fs/file: fix the check in find_next_fd()",
                            "    - mei: demote client disconnect warning on suspend to debug",
                            "    - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check",
                            "    - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()",
                            "    - ALSA: hda/realtek: Add more codec ID to no shutup pins list",
                            "    - mips: fix compat_sys_lseek syscall",
                            "    - Input: elantech - fix touchpad state on resume for Lenovo N24",
                            "    - bytcr_rt5640 : inverse jack detect for Archos 101 cesium",
                            "    - ASoC: ti: davinci-mcasp: Set min period size using FIFO config",
                            "    - ASoC: ti: omap-hdmi: Fix too long driver name",
                            "    - can: kvaser_usb: fix return value for hif_usb_send_regout",
                            "    - s390/sclp: Fix sclp_init() cleanup on failure",
                            "    - ALSA: dmaengine_pcm: terminate dmaengine before synchronize",
                            "    - net: usb: qmi_wwan: add Telit FN912 compositions",
                            "    - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and",
                            "      DEV_STATS_ADD()",
                            "    - powerpc/pseries: Whitelist dtl slub object for copying to userspace",
                            "    - powerpc/eeh: avoid possible crash when edev->pdev changes",
                            "    - scsi: libsas: Fix exp-attached device scan after probe failure scanned in",
                            "      again after probe failed",
                            "    - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()",
                            "    - fs: better handle deep ancestor chains in is_subdir()",
                            "    - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices",
                            "    - selftests/vDSO: fix clang build errors and warnings",
                            "    - hfsplus: fix uninit-value in copy_name",
                            "    - ARM: 9324/1: fix get_user() broken with veneer",
                            "    - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency",
                            "    - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()",
                            "    - net: relax socket state check at accept time.",
                            "    - ocfs2: add bounds checking to ocfs2_check_dir_entry()",
                            "    - jfs: don't walk off the end of ealist",
                            "    - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400",
                            "    - filelock: Fix fcntl/close race recovery compat path",
                            "    - tun: add missing verification for short frame",
                            "    - tap: add missing verification for short frame",
                            "    - Linux 5.4.281",
                            "  * Focal update: v5.4.283 upstream stable release (LP: #2080595) //",
                            "    CVE-2024-45016",
                            "    - netem: fix return value if duplicate enqueue fails",
                            "  * CVE-2024-38630",
                            "    - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger",
                            "  * CVE-2024-27397",
                            "    - netfilter: nf_tables: use timestamp to check for set element timeout",
                            "  * CVE-2024-26960",
                            "    - mm: swap: fix race between free_swap_and_cache() and swapoff()",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1123.131",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2082926,
                            2082937,
                            1786013,
                            2081085,
                            2081278,
                            2080595,
                            2078388,
                            2076097,
                            2080595
                        ],
                        "author": "Koichiro Den <koichiro.den@canonical.com>",
                        "date": "Fri, 11 Oct 2024 21:41:51 +0900"
                    }
                ],
                "notes": "linux-headers-5.4.0-1123-kvm version '5.4.0-1123.131' (source package linux-kvm version '5.4.0-1123.131') was added. linux-headers-5.4.0-1123-kvm version '5.4.0-1123.131' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1122-kvm. As such we can use the source package version of the removed package, '5.4.0-1122.130', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-image-5.4.0-1123-kvm",
                "from_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1123.131",
                    "version": "5.4.0-1123.131"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 5.4.0-1123.131",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed-kvm",
                        "version": "5.4.0-1123.131",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Koichiro Den <koichiro.den@canonical.com>",
                        "date": "Fri, 11 Oct 2024 22:09:22 +0900"
                    }
                ],
                "notes": "linux-image-5.4.0-1123-kvm version '5.4.0-1123.131' (source package linux-signed-kvm version '5.4.0-1123.131') was added. linux-image-5.4.0-1123-kvm version '5.4.0-1123.131' has the same source package name, linux-signed-kvm, as removed package linux-image-5.4.0-1122-kvm. As such we can use the source package version of the removed package, '5.4.0-1122.130', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-kvm-headers-5.4.0-1123",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1123.131",
                    "version": "5.4.0-1123.131"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-26800",
                        "url": "https://ubuntu.com/security/CVE-2024-26800",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-04-04 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26641",
                        "url": "https://ubuntu.com/security/CVE-2024-26641",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write 
fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-47212",
                        "url": "https://ubuntu.com/security/CVE-2021-47212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 
0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-10 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42244",
                        "url": "https://ubuntu.com/security/CVE-2024-42244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: serial: mos7840: fix crash on resume  Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one.  This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure.  Fix this by implementing dedicated suspend and resume functions for mos7840.  Tested with Delock 87414 USB 2.0 to 4x serial adapter.  [ johan: analyse crash and rewrite commit message; set busy flag on          resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-07 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-40929",
                        "url": "https://ubuntu.com/security/CVE-2024-40929",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: mvm: check n_ssids before accessing the ssids  In some versions of cfg80211, the ssids pointer might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cause an out-of-bounds access. Fix this by checking n_ssids first.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-12 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-41073",
                        "url": "https://ubuntu.com/security/CVE-2024-41073",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme: avoid double free special payload  If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-29 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-41071",
                        "url": "https://ubuntu.com/security/CVE-2024-41071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Avoid address calculations via out of bounds array indexing  req->n_channels must be set before req->channels[] can be used.  This patch fixes one of the issues encountered in [1].  [   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [   83.964264] Call Trace: [   83.964267]  <TASK> [   83.964269]  dump_stack_lvl+0x3f/0xc0 [   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110 [   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0 [   83.964281]  __ieee80211_start_scan+0x601/0x990 [   83.964291]  nl80211_trigger_scan+0x874/0x980 [   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160 [   83.964298]  genl_rcv_msg+0x240/0x270 [...]  [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-29 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42229",
                        "url": "https://ubuntu.com/security/CVE-2024-42229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aead,cipher - zeroize key buffer after use  I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38611",
                        "url": "https://ubuntu.com/security/CVE-2024-38611",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38602",
                        "url": "https://ubuntu.com/security/CVE-2024-38602",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() functions have a reference count leak issue with the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increased when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down, ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause a memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-35848",
                        "url": "https://ubuntu.com/security/CVE-2024-35848",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-17 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26669",
                        "url": "https://ubuntu.com/security/CVE-2024-26669",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26668",
                        "url": "https://ubuntu.com/security/CVE-2024-26668",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. It's better to reject this rather than have an incorrect ratelimit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26640",
                        "url": "https://ubuntu.com/security/CVE-2024-26640",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26607",
                        "url": "https://ubuntu.com/security/CVE-2024-26607",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] __device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. 
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-02-29 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2023-52614",
                        "url": "https://ubuntu.com/security/CVE-2023-52614",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2023-52531",
                        "url": "https://ubuntu.com/security/CVE-2023-52531",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want to point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-02 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-36402",
                        "url": "https://ubuntu.com/security/CVE-2022-36402",
                        "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
                        "cve_priority": "high",
                        "cve_public_date": "2022-09-16 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27051",
                        "url": "https://ubuntu.com/security/CVE-2024-27051",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-01 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26891",
                        "url": "https://ubuntu.com/security/CVE-2024-26891",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) 
GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] <NMI> [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? 
ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-17 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26885",
                        "url": "https://ubuntu.com/security/CVE-2024-26885",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number of hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-17 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-45016",
                        "url": "https://ubuntu.com/security/CVE-2024-45016",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-11 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38630",
                        "url": "https://ubuntu.com/security/CVE-2024-38630",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is being removed, the original code uses del_timer() to deactivate the timer. If the timer handler is running, del_timer() cannot stop it and returns directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() so that the timer handler has finished before the port region is released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-06-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27397",
                        "url": "https://ubuntu.com/security/CVE-2024-27397",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-14 15:12:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26960",
                        "url": "https://ubuntu.com/security/CVE-2024-26960",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2082926,
                    2082937,
                    1786013,
                    2081085,
                    2081278,
                    2080595,
                    2078388,
                    2076097,
                    2080595
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-26800",
                                "url": "https://ubuntu.com/security/CVE-2024-26800",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-04-04 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26641",
                                "url": "https://ubuntu.com/security/CVE-2024-26641",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write 
fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-47212",
                                "url": "https://ubuntu.com/security/CVE-2021-47212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 
0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-10 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42244",
                                "url": "https://ubuntu.com/security/CVE-2024-42244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: serial: mos7840: fix crash on resume  Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one.  This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure.  Fix this by implementing dedicated suspend and resume functions for mos7840.  Tested with Delock 87414 USB 2.0 to 4x serial adapter.  [ johan: analyse crash and rewrite commit message; set busy flag on          resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-07 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-40929",
                                "url": "https://ubuntu.com/security/CVE-2024-40929",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: mvm: check n_ssids before accessing the ssids  In some versions of cfg80211, the ssids pointer might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cause an out-of-bound access. Fix this by checking n_ssids first.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-12 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-41073",
                                "url": "https://ubuntu.com/security/CVE-2024-41073",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme: avoid double free special payload  If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_PAYLOAD when the request is cleaned.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-29 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-41071",
                                "url": "https://ubuntu.com/security/CVE-2024-41071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Avoid address calculations via out of bounds array indexing  req->n_channels must be set before req->channels[] can be used.  This patch fixes one of the issues encountered in [1].  [   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [   83.964264] Call Trace: [   83.964267]  <TASK> [   83.964269]  dump_stack_lvl+0x3f/0xc0 [   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110 [   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0 [   83.964281]  __ieee80211_start_scan+0x601/0x990 [   83.964291]  nl80211_trigger_scan+0x874/0x980 [   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160 [   83.964298]  genl_rcv_msg+0x240/0x270 [...]  [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-29 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42229",
                                "url": "https://ubuntu.com/security/CVE-2024-42229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aead,cipher - zeroize key buffer after use  I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38611",
                                "url": "https://ubuntu.com/security/CVE-2024-38611",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38602",
                                "url": "https://ubuntu.com/security/CVE-2024-38602",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-35848",
                                "url": "https://ubuntu.com/security/CVE-2024-35848",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-17 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26669",
                                "url": "https://ubuntu.com/security/CVE-2024-26669",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26668",
                                "url": "https://ubuntu.com/security/CVE-2024-26668",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. It's better to reject this rather than having an incorrect ratelimit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26640",
                                "url": "https://ubuntu.com/security/CVE-2024-26640",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26607",
                                "url": "https://ubuntu.com/security/CVE-2024-26607",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] __device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. 
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-02-29 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2023-52614",
                                "url": "https://ubuntu.com/security/CVE-2023-52614",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2023-52531",
                                "url": "https://ubuntu.com/security/CVE-2023-52531",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-02 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-36402",
                                "url": "https://ubuntu.com/security/CVE-2022-36402",
                                "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
                                "cve_priority": "high",
                                "cve_public_date": "2022-09-16 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27051",
                                "url": "https://ubuntu.com/security/CVE-2024-27051",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-01 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26891",
                                "url": "https://ubuntu.com/security/CVE-2024-26891",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] <NMI> [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-17 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26885",
                                "url": "https://ubuntu.com/security/CVE-2024-26885",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-17 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-45016",
                                "url": "https://ubuntu.com/security/CVE-2024-45016",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-11 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38630",
                                "url": "https://ubuntu.com/security/CVE-2024-38630",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-06-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27397",
                                "url": "https://ubuntu.com/security/CVE-2024-27397",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-14 15:12:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26960",
                                "url": "https://ubuntu.com/security/CVE-2024-26960",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1123.131 -proposed tracker (LP: #2082926)",
                            "",
                            "  [ Ubuntu: 5.4.0-200.220 ]",
                            "",
                            "  * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2024.09.30)",
                            "  * CVE-2024-26800",
                            "    - tls: rx: coalesce exit paths in tls_decrypt_sg()",
                            "    - tls: separate no-async decryption request handling from async",
                            "    - tls: fix use-after-free on failed backlog decryption",
                            "  * CVE-2024-26641",
                            "    - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()",
                            "  * CVE-2021-47212",
                            "    - net/mlx5: Update error handler for UCTX and UMEM",
                            "  * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks",
                            "    (LP: #2081085)",
                            "    - bdi: use bdi_dev_name() to get device name",
                            "  * Focal update: v5.4.284 upstream stable release (LP: #2081278)",
                            "    - drm: panel-orientation-quirks: Add quirk for OrangePi Neo",
                            "    - i2c: Fix conditional for substituting empty ACPI functions",
                            "    - net: usb: qmi_wwan: add MeiG Smart SRM825L",
                            "    - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr",
                            "    - drm/amdgpu: fix overflowed array index read warning",
                            "    - drm/amd/display: Check gpio_id before used as array index",
                            "    - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6",
                            "    - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]",
                            "    - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within",
                            "      dal_gpio_service_create",
                            "    - drm/amdgpu: fix ucode out-of-bounds read warning",
                            "    - drm/amdgpu: fix mc_data out-of-bounds read warning",
                            "    - drm/amdkfd: Reconcile the definition and use of oem_id in struct",
                            "      kfd_topology_device",
                            "    - apparmor: fix possible NULL pointer dereference",
                            "    - ionic: fix potential irq name truncation",
                            "    - usbip: Don't submit special requests twice",
                            "    - usb: typec: ucsi: Fix null pointer dereference in trace",
                            "    - smack: tcp: ipv4, fix incorrect labeling",
                            "    - wifi: cfg80211: make hash table duplicates more survivable",
                            "    - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null",
                            "    - media: uvcvideo: Enforce alignment of frame and interval",
                            "    - block: initialize integrity buffer to zero before writing it to media",
                            "    - net: set SOCK_RCU_FREE before inserting socket into hashtable",
                            "    - virtio_net: Fix napi_skb_cache_put warning",
                            "    - udf: Limit file size to 4TB",
                            "    - i2c: Use IS_REACHABLE() for substituting empty ACPI functions",
                            "    - sch/netem: fix use after free in netem_dequeue",
                            "    - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object",
                            "    - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius",
                            "      devices",
                            "    - ata: libata: Fix memory leak for error path in ata_host_alloc()",
                            "    - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()",
                            "    - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K",
                            "    - mmc: sdhci-of-aspeed: fix module autoloading",
                            "    - fuse: update stats for pages in dropped aux writeback list",
                            "    - fuse: use unsigned type for getxattr/listxattr size truncation",
                            "    - reset: hi6220: Add support for AO reset controller",
                            "    - clk: hi6220: use CLK_OF_DECLARE_DRIVER",
                            "    - clk: qcom: clk-alpha-pll: Fix the pll post div mask",
                            "    - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API",
                            "    - ila: call nf_unregister_net_hooks() sooner",
                            "    - sched: sch_cake: fix bulk flow accounting logic for host fairness",
                            "    - nilfs2: fix missing cleanup on rollforward recovery error",
                            "    - nilfs2: fix state management in error path of log writing function",
                            "    - ALSA: hda: Add input value sanity checks to HDMI channel map controls",
                            "    - smack: unix sockets: fix accept()ed socket label",
                            "    - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1",
                            "    - af_unix: Remove put_pid()/put_cred() in copy_peercred().",
                            "    - netfilter: nf_conncount: fix wrong variable type",
                            "    - udf: Avoid excessive partition lengths",
                            "    - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3",
                            "    - usb: uas: set host status byte on data completion error",
                            "    - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)",
                            "    - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse",
                            "    - pcmcia: Use resource_size function on resource object",
                            "    - can: bcm: Remove proc entry when dev is unregistered.",
                            "    - igb: Fix not clearing TimeSync interrupts for 82580",
                            "    - platform/x86: dell-smbios: Fix error path in dell_smbios_init()",
                            "    - tcp_bpf: fix return value of tcp_bpf_sendmsg()",
                            "    - cx82310_eth: re-enable ethernet mode after router reboot",
                            "    - drivers/net/usb: Remove all strcpy() uses",
                            "    - net: usb: don't write directly to netdev->dev_addr",
                            "    - usbnet: modern method to get random MAC",
                            "    - net: bridge: fdb: convert is_local to bitops",
                            "    - net: bridge: fdb: convert is_static to bitops",
                            "    - net: bridge: fdb: convert is_sticky to bitops",
                            "    - net: bridge: fdb: convert added_by_user to bitops",
                            "    - net: bridge: fdb: convert added_by_external_learn to use bitops",
                            "    - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN",
                            "    - net: dsa: vsc73xx: fix possible subblocks range of CAPT block",
                            "    - ASoC: topology: Properly initialize soc_enum values",
                            "    - dm init: Handle minors larger than 255",
                            "    - iommu/vt-d: Handle volatile descriptor status read",
                            "    - cgroup: Protect css->cgroup write under css_set_lock",
                            "    - um: line: always fill *error_out in setup_one_line()",
                            "    - devres: Initialize an uninitialized struct member",
                            "    - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv",
                            "    - hwmon: (adc128d818) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (lm95234) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes",
                            "    - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}",
                            "    - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()",
                            "    - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()",
                            "    - btrfs: replace BUG_ON with ASSERT in walk_down_proc()",
                            "    - btrfs: clean up our handling of refs == 0 in snapshot delete",
                            "    - PCI: Add missing bridge lock to pci_bus_lock()",
                            "    - btrfs: initialize location to fix -Wmaybe-uninitialized in",
                            "      btrfs_lookup_dentry()",
                            "    - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup",
                            "    - Input: uinput - reject requests with unreasonable number of slots",
                            "    - usbnet: ipheth: race between ipheth_close and error handling",
                            "    - Squashfs: sanity check symbolic link size",
                            "    - of/irq: Prevent device address out-of-bounds read in interrupt map walk",
                            "    - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()",
                            "    - ata: pata_macio: Use WARN instead of BUG",
                            "    - NFSv4: Add missing rescheduling points in",
                            "      nfs_client_return_marked_delegations",
                            "    - staging: iio: frequency: ad9834: Validate frequency parameter value",
                            "    - iio: buffer-dmaengine: fix releasing dma channel on error",
                            "    - iio: fix scale application in iio_convert_raw_to_processed_unlocked",
                            "    - binder: fix UAF caused by offsets overwrite",
                            "    - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc",
                            "    - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind",
                            "    - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic",
                            "    - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()",
                            "    - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX",
                            "    - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime",
                            "    - clocksource/drivers/timer-of: Remove percpu irq related code",
                            "    - uprobes: Use kzalloc to allocate xol area",
                            "    - ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()",
                            "    - tracing: Avoid possible softlockup in tracing_iter_reset()",
                            "    - nilfs2: replace snprintf in show functions with sysfs_emit",
                            "    - nilfs2: protect references to superblock parameters exposed in sysfs",
                            "    - ACPI: processor: Return an error if acpi_processor_get_info() fails in",
                            "      processor_add()",
                            "    - ACPI: processor: Fix memory leaks in error paths of processor_add()",
                            "    - arm64: acpi: Move get_cpu_for_acpi_id() to a header",
                            "    - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry",
                            "    - nvmet-tcp: fix kernel crash if commands allocation fails",
                            "    - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused",
                            "    - drm/i915/fence: Mark debug_fence_free() with __maybe_unused",
                            "    - rtmutex: Drop rt_mutex::wait_lock before scheduling",
                            "    - net, sunrpc: Remap EPERM in case of connection failure in",
                            "      xs_tcp_setup_socket",
                            "    - cx82310_eth: fix error return code in cx82310_bind()",
                            "    - Linux 5.4.284",
                            "  * CVE-2024-42244",
                            "    - USB: serial: mos7840: fix crash on resume",
                            "  * CVE-2024-40929",
                            "    - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids",
                            "  * CVE-2024-41073",
                            "    - nvme: avoid double free special payload",
                            "  * CVE-2024-41071",
                            "    - wifi: mac80211: Avoid address calculations via out of bounds array indexing",
                            "  * CVE-2024-42229",
                            "    - crypto: aead, cipher - zeroize key buffer after use",
                            "  * CVE-2024-38611",
                            "    - media: i2c: et8ek8: Don't strip remove function when driver is builtin",
                            "  * CVE-2024-38602",
                            "    - ax25: Fix reference count leak issues of ax25_dev",
                            "  * CVE-2024-35848",
                            "    - misc: eeprom: at24: fix regulator underflow",
                            "    - misc: eeprom: at24: register nvmem only after eeprom is ready to use",
                            "    - eeprom: at24: fix memory corruption race condition",
                            "  * CVE-2024-26669",
                            "    - net/sched: flower: Fix chain template offload",
                            "  * CVE-2024-26668",
                            "    - netfilter: nft_limit: rename stateful structure",
                            "    - netfilter: nft_limit: reject configurations that cause integer overflow",
                            "  * CVE-2024-26640",
                            "    - net-zerocopy: Refactor frag-is-remappable test.",
                            "    - tcp: add sanity checks to rx zerocopy",
                            "  * CVE-2024-26607",
                            "    - drm/bridge: sii902x: Fix probing race issue",
                            "  * CVE-2023-52614",
                            "    - PM / devfreq: Fix buffer overflow in trans_stat_show",
                            "  * CVE-2023-52531",
                            "    - wifi: iwlwifi: mvm: Fix a memory corruption issue",
                            "  * CVE-2022-36402",
                            "    - drm/vmwgfx: Use enum to represent graphics context capabilities",
                            "    - drm/vmwgfx: Fix shader stage validation",
                            "  * Focal update: v5.4.283 upstream stable release (LP: #2080595)",
                            "    - fuse: Initialize beyond-EOF page contents before setting uptodate",
                            "    - ALSA: usb-audio: Support Yamaha P-125 quirk entry",
                            "    - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration",
                            "    - s390/dasd: fix error recovery leading to data corruption on ESE devices",
                            "    - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to",
                            "      NUMA_NO_NODE",
                            "    - dm resume: don't return EINVAL when signalled",
                            "    - dm persistent data: fix memory allocation failure",
                            "    - vfs: Don't evict inode under the inode lru traversing context",
                            "    - bitmap: introduce generic optimized bitmap_size()",
                            "    - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE",
                            "    - selinux: fix potential counting error in avc_add_xperms_decision()",
                            "    - drm/amdgpu: Actually check flags for all context ops.",
                            "    - memcg_write_event_control(): fix a user-triggerable oops",
                            "    - overflow.h: Add flex_array_size() helper",
                            "    - overflow: Implement size_t saturating arithmetic helpers",
                            "    - s390/cio: rename bitmap_size() -> idset_bitmap_size()",
                            "    - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()",
                            "    - s390/uv: Panic for set and remove shared access UVC errors",
                            "    - net/mlx5e: Correctly report errors for ethtool rx flows",
                            "    - atm: idt77252: prevent use after free in dequeue_rx()",
                            "    - net: axienet: Fix DMA descriptor cleanup path",
                            "    - net: axienet: Improve DMA error handling",
                            "    - net: axienet: Factor out TX descriptor chain cleanup",
                            "    - net: axienet: Check for DMA mapping errors",
                            "    - net: axienet: Drop MDIO interrupt registers from ethtools dump",
                            "    - net: axienet: Wrap DMA pointer writes to prepare for 64 bit",
                            "    - net: axienet: Upgrade descriptors to hold 64-bit addresses",
                            "    - net: axienet: Autodetect 64-bit DMA capability",
                            "    - net: axienet: Fix register defines comment description",
                            "    - net: dsa: vsc73xx: pass value in phy_write operation",
                            "    - net: hns3: fix a deadlock problem when config TC during resetting",
                            "    - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7",
                            "    - ssb: Fix division by zero issue in ssb_calc_clock_rate",
                            "    - wifi: cw1200: Avoid processing an invalid TIM IE",
                            "    - i2c: riic: avoid potential division by zero",
                            "    - media: radio-isa: use dev_name to fill in bus_info",
                            "    - staging: ks7010: disable bh on tx_dev_lock",
                            "    - binfmt_misc: cleanup on filesystem umount",
                            "    - scsi: spi: Fix sshdr use",
                            "    - gfs2: setattr_chown: Add missing initialization",
                            "    - wifi: iwlwifi: abort scan when rfkill on but device enabled",
                            "    - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock",
                            "    - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu",
                            "    - nvmet-trace: avoid dereferencing pointer too early",
                            "    - ext4: do not trim the group with corrupted block bitmap",
                            "    - quota: Remove BUG_ON from dqget()",
                            "    - media: pci: cx23885: check cx23885_vdev_init() return",
                            "    - fs: binfmt_elf_efpic: don't use missing interpreter's properties",
                            "    - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()",
                            "    - net/sun3_82586: Avoid reading past buffer in debug output",
                            "    - drm/lima: set gp bus_stop bit before hard reset",
                            "    - virtiofs: forbid newlines in tags",
                            "    - md: clean up invalid BUG_ON in md_ioctl",
                            "    - x86: Increase brk randomness entropy for 64-bit systems",
                            "    - powerpc/boot: Handle allocation failure in simple_realloc()",
                            "    - powerpc/boot: Only free if realloc() succeeds",
                            "    - btrfs: change BUG_ON to assertion when checking for delayed_node root",
                            "    - btrfs: handle invalid root reference found in may_destroy_subvol()",
                            "    - btrfs: send: handle unexpected data in header buffer in begin_cmd()",
                            "    - btrfs: delete pointless BUG_ON check on quota root in",
                            "      btrfs_qgroup_account_extent()",
                            "    - f2fs: fix to do sanity check in update_sit_entry",
                            "    - usb: gadget: fsl: Increase size of name buffer for endpoints",
                            "    - nvme: clear caller pointer on identify failure",
                            "    - Bluetooth: bnep: Fix out-of-bound access",
                            "    - nvmet-tcp: do not continue for invalid icreq",
                            "    - NFS: avoid infinite loop in pnfs_update_layout.",
                            "    - openrisc: Call setup_memory() earlier in the init sequence",
                            "    - s390/iucv: fix receive buffer virtual vs physical address confusion",
                            "    - usb: dwc3: core: Skip setting event buffers for host only controllers",
                            "    - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc",
                            "    - ext4: set the type of max_zeroout to unsigned int to avoid overflow",
                            "    - nvmet-rdma: fix possible bad dereference when freeing rsps",
                            "    - hrtimer: Prevent queuing of hrtimer without a function callback",
                            "    - gtp: pull network headers in gtp_dev_xmit()",
                            "    - block: use \"unsigned long\" for blk_validate_block_size().",
                            "    - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)",
                            "    - dm mpath: pass IO start time to path selector",
                            "    - dm: do not use waitqueue for request-based DM",
                            "    - dm suspend: return -ERESTARTSYS instead of -EINTR",
                            "    - Bluetooth: Make use of __check_timeout on hci_sched_le",
                            "    - Bluetooth: hci_core: Fix not handling link timeouts propertly",
                            "    - Bluetooth: hci_core: Fix LE quote calculation",
                            "    - tc-testing: don't access non-existent variable on exception",
                            "    - kcm: Serialise kcm_sendmsg() for the same socket.",
                            "    - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.",
                            "    - net: dsa: mv88e6xxx: global2: Expose ATU stats register",
                            "    - net: dsa: mv88e6xxx: global1_atu: Add helper for get next",
                            "    - net: dsa: mv88e6xxx: read FID when handling ATU violations",
                            "    - net: dsa: mv88e6xxx: replace ATU violation prints with trace points",
                            "    - net: dsa: mv88e6xxx: Fix out-of-bound access",
                            "    - ipv6: prevent UAF in ip6_send_skb()",
                            "    - net: xilinx: axienet: Always disable promiscuous mode",
                            "    - net: xilinx: axienet: Fix dangling multicast addresses",
                            "    - drm/msm: use drm_debug_enabled() to check for debug categories",
                            "    - drm/msm/dpu: don't play tricks with debug macros",
                            "    - mmc: mmc_test: Fix NULL dereference on allocation failure",
                            "    - Bluetooth: MGMT: Add error handling to pair_device()",
                            "    - HID: wacom: Defer calculation of resolution until resolution_code is known",
                            "    - HID: microsoft: Add rumble support to latest xbox controllers",
                            "    - cxgb4: add forgotten u64 ivlan cast before shift",
                            "    - mmc: dw_mmc: allow biu and ciu clocks to defer",
                            "    - ALSA: timer: Relax start tick time check for slave timer elements",
                            "    - Input: MT - limit max slots",
                            "    - tools: move alignment-related macros to new <linux/align.h>",
                            "    - pinctrl: single: fix potential NULL dereference in pcs_get_function()",
                            "    - wifi: mwifiex: duplicate static structs used in driver instances",
                            "    - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages",
                            "    - filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64",
                            "    - media: uvcvideo: Fix integer overflow calculating timestamp",
                            "    - ata: libata-core: Fix null pointer dereference on error",
                            "    - cgroup/cpuset: Prevent UAF in proc_cpuset_show()",
                            "    - net:rds: Fix possible deadlock in rds_message_put",
                            "    - soundwire: stream: fix programming slave ports for non-continous port maps",
                            "    - r8152: Factor out OOB link list waits",
                            "    - ethtool: check device is present when getting link settings",
                            "    - gtp: fix a potential NULL pointer dereference",
                            "    - net: busy-poll: use ktime_get_ns() instead of local_clock()",
                            "    - nfc: pn533: Add dev_up/dev_down hooks to phy_ops",
                            "    - nfc: pn533: Add autopoll capability",
                            "    - nfc: pn533: Add poll mod list filling check",
                            "    - soc: qcom: cmd-db: Map shared memory as WC, not WB",
                            "    - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller",
                            "    - USB: serial: option: add MeiG Smart SRM825L",
                            "    - usb: dwc3: omap: add missing depopulate in probe error path",
                            "    - usb: dwc3: core: Prevent USB core invalid event buffer address access",
                            "    - usb: dwc3: st: fix probed platform device ref count on probe error path",
                            "    - usb: dwc3: st: add missing depopulate in probe error path",
                            "    - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in",
                            "      remove_power_attributes()",
                            "    - net: dsa: mv8e6xxx: Fix stub function parameters",
                            "    - scsi: aacraid: Fix double-free on probe failure",
                            "    - Linux 5.4.283",
                            "  * CVE-2024-27051",
                            "    - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value",
                            "    - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations",
                            "  * CVE-2024-26891",
                            "    - PCI: Make pci_dev_is_disconnected() helper public for other drivers",
                            "    - iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected",
                            "  * Focal update: v5.4.282 upstream stable release (LP: #2078388)",
                            "    - EDAC, skx_common: Refactor so that we initialize \"dev\" in result of adxl",
                            "      decode.",
                            "    - EDAC, skx: Retrieve and print retry_rd_err_log registers",
                            "    - EDAC/skx_common: Add new ADXL components for 2-level memory",
                            "    - EDAC, i10nm: make skx_common.o a separate module",
                            "    - platform/chrome: cros_ec_debugfs: fix wrong EC message version",
                            "    - hfsplus: fix to avoid false alarm of circular locking",
                            "    - x86/of: Return consistent error type from x86_of_pci_irq_enable()",
                            "    - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling",
                            "    - x86/pci/xen: Fix PCIBIOS_* return code handling",
                            "    - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos",
                            "    - hwmon: (adt7475) Fix default duty on fan is disabled",
                            "    - pwm: stm32: Always do lazy disabling",
                            "    - hwmon: (max6697) Fix underflow when writing limit attributes",
                            "    - hwmon: (max6697) Fix swapped temp{1,8} critical alarms",
                            "    - arm64: dts: qcom: sdm845: add power-domain to UFS PHY",
                            "    - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies",
                            "    - arm64: dts: rockchip: Increase VOP clk rate on RK3328",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix board reset",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity",
                            "    - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux",
                            "    - arm64: dts: amlogic: gx: correct hdmi clocks",
                            "    - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages",
                            "    - x86/xen: Convert comma to semicolon",
                            "    - m68k: cmpxchg: Fix return value for default case in __arch_xchg()",
                            "    - firmware: turris-mox-rwtm: Fix checking return value of",
                            "      wait_for_completion_timeout()",
                            "    - firmware: turris-mox-rwtm: Initialize completion before mailbox",
                            "    - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device",
                            "    - net/smc: Allow SMC-D 1MB DMB allocations",
                            "    - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when",
                            "      CONFIG_ARCH_NO_SG_CHAIN is defined",
                            "    - selftests/bpf: Check length of recv in test_sockmap",
                            "    - lib: objagg: Fix general protection fault",
                            "    - mlxsw: spectrum_acl_erp: Fix object nesting warning",
                            "    - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()",
                            "    - wifi: cfg80211: handle 2x996 RU allocation in",
                            "      cfg80211_calculate_bitrate_he()",
                            "    - net: fec: Refactor: #define magic constants",
                            "    - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down",
                            "    - ipvs: Avoid unnecessary calls to skb_is_gso_sctp",
                            "    - netfilter: nf_tables: rise cap on SELinux secmark context",
                            "    - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation",
                            "    - perf: Fix perf_aux_size() for greater-than 32-bit size",
                            "    - perf: Prevent passing zero nr_pages to rb_alloc_aux()",
                            "    - qed: Improve the stack space of filter_config()",
                            "    - wifi: virt_wifi: avoid reporting connection success with wrong SSID",
                            "    - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey",
                            "    - wifi: virt_wifi: don't use strlen() in const context",
                            "    - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures",
                            "    - selftests: forwarding: devlink_lib: Wait for udev events after reloading",
                            "    - media: dvb-usb: Fix unexpected infinite loop in",
                            "      dvb_usb_read_remote_control()",
                            "    - media: imon: Fix race getting ictx->lock",
                            "    - saa7134: Unchecked i2c_transfer function result fixed",
                            "    - media: uvcvideo: Allow entity-defined get_info and get_cur",
                            "    - media: uvcvideo: Override default flags",
                            "    - media: renesas: vsp1: Fix _irqsave and _irq mix",
                            "    - media: renesas: vsp1: Store RPF partition configuration per RPF instance",
                            "    - leds: trigger: Unregister sysfs attributes before calling deactivate()",
                            "    - perf report: Fix condition in sort__sym_cmp()",
                            "    - drm/etnaviv: fix DMA direction handling for cached RW buffers",
                            "    - drm/qxl: Add check for drm_cvt_mode",
                            "    - mfd: omap-usb-tll: Use struct_size to allocate tll",
                            "    - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.",
                            "    - ext4: avoid writing unitialized memory to disk in EA inodes",
                            "    - sparc64: Fix incorrect function signature and add prototype for",
                            "      prom_cif_init",
                            "    - SUNRPC: Fixup gss_status tracepoint error output",
                            "    - PCI: Fix resource double counting on remove & rescan",
                            "    - Input: qt1050 - handle CHIP_ID reading error",
                            "    - RDMA/mlx4: Fix truncated output warning in mad.c",
                            "    - RDMA/mlx4: Fix truncated output warning in alias_GUID.c",
                            "    - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs",
                            "    - ASoC: max98088: Check for clk_prepare_enable() error",
                            "    - mtd: make mtd_test.c a separate module",
                            "    - RDMA/device: Return error earlier if port in not valid",
                            "    - Input: elan_i2c - do not leave interrupt disabled on suspend failure",
                            "    - MIPS: Octeron: remove source file executable bit",
                            "    - powerpc/xmon: Fix disassembly CPU feature checks",
                            "    - macintosh/therm_windtunnel: fix module unload.",
                            "    - bnxt_re: Fix imm_data endianness",
                            "    - netfilter: ctnetlink: use helper function to calculate expect ID",
                            "    - pinctrl: core: fix possible memory leak when pinctrl_enable() fails",
                            "    - pinctrl: single: fix possible memory leak when pinctrl_enable() fails",
                            "    - pinctrl: ti: ti-iodelay: Drop if block with always false condition",
                            "    - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()",
                            "      fails",
                            "    - pinctrl: freescale: mxs: Fix refcount of child",
                            "    - fs/nilfs2: remove some unused macros to tame gcc",
                            "    - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro",
                            "    - rtc: interface: Add RTC offset to alarm after fix-up",
                            "    - tick/broadcast: Make takeover of broadcast hrtimer reliable",
                            "    - net: netconsole: Disable target before netpoll cleanup",
                            "    - af_packet: Handle outgoing VLAN packets without hardware offloading",
                            "    - ipv6: take care of scope when choosing the src addr",
                            "    - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()",
                            "    - media: venus: fix use after free in vdec_close",
                            "    - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()",
                            "    - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes",
                            "    - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes",
                            "    - drm/amd/display: Check for NULL pointer",
                            "    - udf: Avoid using corrupted block bitmap buffer",
                            "    - m68k: amiga: Turn off Warp1260 interrupts during boot",
                            "    - ext4: check dot and dotdot of dx_root before making dir indexed",
                            "    - ext4: make sure the first directory block is not a hole",
                            "    - wifi: mwifiex: Fix interface type change",
                            "    - leds: ss4200: Convert PCIBIOS_* return codes to errnos",
                            "    - tools/memory-model: Fix bug in lock.cat",
                            "    - hwrng: amd - Convert PCIBIOS_* return codes to errnos",
                            "    - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN",
                            "    - binder: fix hang of unregistered readers",
                            "    - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds",
                            "    - f2fs: fix to don't dirty inode for readonly filesystem",
                            "    - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use",
                            "    - ubi: eba: properly rollback inside self_check_eba",
                            "    - decompress_bunzip2: fix rare decompression failure",
                            "    - kobject_uevent: Fix OOB access within zap_modalias_env()",
                            "    - rtc: cmos: Fix return value of nvmem callbacks",
                            "    - scsi: qla2xxx: During vport delete send async logout explicitly",
                            "    - scsi: qla2xxx: Fix for possible memory corruption",
                            "    - scsi: qla2xxx: Complete command early within lock",
                            "    - scsi: qla2xxx: validate nvme_local_port correctly",
                            "    - perf/x86/intel/pt: Fix topa_entry base length",
                            "    - perf/x86/intel/pt: Fix a topa_entry base address calculation",
                            "    - rtc: isl1208: Fix return value of nvmem callbacks",
                            "    - watchdog/perf: properly initialize the turbo mode timestamp and rearm",
                            "      counter",
                            "    - platform: mips: cpu_hwmon: Disable driver on unsupported hardware",
                            "    - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs",
                            "    - selftests/sigaltstack: Fix ppc64 GCC build",
                            "    - rbd: don't assume rbd_is_lock_owner() for exclusive mappings",
                            "    - drm/panfrost: Mark simple_ondemand governor as softdep",
                            "    - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait",
                            "    - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings",
                            "    - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables",
                            "    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591",
                            "    - nilfs2: handle inconsistent state in nilfs_btnode_create_block()",
                            "    - kdb: address -Wformat-security warnings",
                            "    - kdb: Use the passed prompt in kdb_position_cursor()",
                            "    - jfs: Fix array-index-out-of-bounds in diFree",
                            "    - um: time-travel: fix time-travel-start option",
                            "    - libbpf: Fix no-args func prototype BTF dumping syntax",
                            "    - dma: fix call order in dmam_free_coherent",
                            "    - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later",
                            "    - ipv4: Fix incorrect source address in Record Route option",
                            "    - net: bonding: correctly annotate RCU in bond_should_notify_peers()",
                            "    - tipc: Return non-zero value from tipc_udp_addr2str() on error",
                            "    - net: nexthop: Initialize all fields in dumped nexthops",
                            "    - bpf: Fix a segment issue when downgrading gso_size",
                            "    - mISDN: Fix a use after free in hfcmulti_tx()",
                            "    - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()",
                            "    - ASoC: Intel: Convert to new X86 CPU match macros",
                            "    - ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header",
                            "    - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable",
                            "    - nvme-pci: add missing condition check for existence of mapped data",
                            "    - mm: avoid overflows in dirty throttling logic",
                            "    - PCI: rockchip: Make 'ep-gpios' DT property optional",
                            "    - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio",
                            "    - parport: Convert printk(KERN_<LEVEL> to pr_<level>(",
                            "    - parport: Standardize use of printmode",
                            "    - dev/parport: fix the array out-of-bounds risk",
                            "    - driver core: Cast to (void *) with __force for __percpu pointer",
                            "    - devres: Fix memory leakage caused by driver API devm_free_percpu()",
                            "    - genirq: Allow the PM device to originate from irq domain",
                            "    - irqchip/imx-irqsteer: Constify irq_chip struct",
                            "    - irqchip/imx-irqsteer: Add runtime PM support",
                            "    - irqchip/imx-irqsteer: Handle runtime power management correctly",
                            "    - remoteproc: imx_rproc: ignore mapping vdev regions",
                            "    - remoteproc: imx_rproc: Fix ignoring mapping vdev regions",
                            "    - remoteproc: imx_rproc: Skip over memory region when node value is NULL",
                            "    - drm/nouveau: prime: fix refcount underflow",
                            "    - drm/vmwgfx: Fix overlay when using Screen Targets",
                            "    - net/iucv: fix use after free in iucv_sock_close()",
                            "    - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys",
                            "    - ipv6: fix ndisc_is_useropt() handling for PIO",
                            "    - HID: wacom: Modify pen IDs",
                            "    - protect the fetch of ->fd[fd] in do_dup2() from mispredictions",
                            "    - ALSA: usb-audio: Correct surround channels in UAC1 channel map",
                            "    - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read",
                            "    - netfilter: ipset: Add list flush to cancel_gc",
                            "    - genirq: Allow irq_chip registration functions to take a const irq_chip",
                            "    - irqchip/mbigen: Fix mbigen node address layout",
                            "    - x86/mm: Fix pti_clone_pgtable() alignment assumption",
                            "    - sctp: move hlist_node and hashent out of sctp_ep_common",
                            "    - sctp: Fix null-ptr-deref in reuseport_add_sock().",
                            "    - net: usb: qmi_wwan: fix memory leak for not ip packets",
                            "    - net: linkwatch: use system_unbound_wq",
                            "    - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()",
                            "    - net: fec: Stop PPS on driver remove",
                            "    - md/raid5: avoid BUG_ON() while continue reshape after reassembling",
                            "    - clocksource/drivers/sh_cmt: Address race condition for clock events",
                            "    - ACPI: battery: create alarm sysfs attribute atomically",
                            "    - ACPI: SBS: manage alarm sysfs attribute through psy core",
                            "    - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT",
                            "    - PCI: Add Edimax Vendor ID to pci_ids.h",
                            "    - udf: prevent integer overflow in udf_bitmap_free_blocks()",
                            "    - wifi: nl80211: don't give key data to userspace",
                            "    - btrfs: fix bitmap leak when loading free space cache on duplicate entry",
                            "    - drm/amdgpu: Fix the null pointer dereference to ras_manager",
                            "    - media: uvcvideo: Ignore empty TS packets",
                            "    - media: uvcvideo: Fix the bandwdith quirk on USB 3.x",
                            "    - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer",
                            "    - s390/sclp: Prevent release of buffer in I/O",
                            "    - SUNRPC: Fix a race to wake a sync task",
                            "    - ext4: fix wrong unit use in ext4_mb_find_by_goal",
                            "    - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-",
                            "      space",
                            "    - arm64: Add Neoverse-V2 part",
                            "    - arm64: cputype: Add Cortex-X4 definitions",
                            "    - arm64: cputype: Add Neoverse-V3 definitions",
                            "    - arm64: errata: Add workaround for Arm errata 3194386 and 3312417",
                            "    - [Config] Set ARM64_ERRATUM_3194386=y",
                            "    - arm64: cputype: Add Cortex-X3 definitions",
                            "    - arm64: cputype: Add Cortex-A720 definitions",
                            "    - arm64: cputype: Add Cortex-X925 definitions",
                            "    - arm64: errata: Unify speculative SSBS errata logic",
                            "    - arm64: errata: Expand speculative SSBS workaround",
                            "    - arm64: cputype: Add Cortex-X1C definitions",
                            "    - arm64: cputype: Add Cortex-A725 definitions",
                            "    - arm64: errata: Expand speculative SSBS workaround (again)",
                            "    - i2c: smbus: Don't filter out duplicate alerts",
                            "    - i2c: smbus: Improve handling of stuck alerts",
                            "    - i2c: smbus: Send alert notifications to all devices if source not found",
                            "    - bpf: kprobe: remove unused declaring of bpf_kprobe_override",
                            "    - spi: fsl-lpspi: remove unneeded array",
                            "    - spi: spi-fsl-lpspi: Fix scldiv calculation",
                            "    - drm/client: fix null pointer dereference in drm_client_modeset_probe",
                            "    - ALSA: line6: Fix racy access to midibuf",
                            "    - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list",
                            "    - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4",
                            "    - usb: vhci-hcd: Do not drop references before new references are gained",
                            "    - USB: serial: debug: do not echo input by default",
                            "    - usb: gadget: core: Check for unset descriptor",
                            "    - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic",
                            "    - tick/broadcast: Move per CPU pointer access into the atomic section",
                            "    - ntp: Clamp maxerror and esterror to operating range",
                            "    - driver core: Fix uevent_show() vs driver detach race",
                            "    - ntp: Safeguard against time_constant overflow",
                            "    - scsi: mpt3sas: Remove scsi_dma_map() error messages",
                            "    - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES",
                            "    - serial: core: check uartclk for zero to avoid divide by zero",
                            "    - genirq/irqdesc: Honor caller provided affinity in alloc_desc()",
                            "    - power: supply: axp288_charger: Fix constant_charge_voltage writes",
                            "    - power: supply: axp288_charger: Round constant_charge_voltage writes down",
                            "    - tracing: Fix overflow in get_free_elt()",
                            "    - x86/mtrr: Check if fixed MTRRs exist before saving them",
                            "    - drm/bridge: analogix_dp: properly handle zero sized AUX transactions",
                            "    - drm/mgag200: Set DDC timeout in milliseconds",
                            "    - Fix gcc 4.9 build issue in 5.4.y",
                            "    - kbuild: Fix '-S -c' in x86 stack protector scripts",
                            "    - netfilter: nf_tables: set element extended ACK reporting support",
                            "    - netfilter: nf_tables: prefer nft_chain_validate",
                            "    - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation",
                            "    - arm64: cpufeature: Fix the visibility of compat hwcaps",
                            "    - media: uvcvideo: Use entity get_cur in uvc_ctrl_set",
                            "    - exec: Fix ToCToU between perm check and set-uid/gid usage",
                            "    - nvme/pci: Add APST quirk for Lenovo N60z laptop",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode",
                            "    - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in",
                            "      dvb_usb_read_remote_control()\"",
                            "    - Linux 5.4.282",
                            "  * CVE-2024-26885",
                            "    - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches",
                            "  * Focal update: v5.4.281 upstream stable release (LP: #2076097)",
                            "    - gcc-plugins: Rename last_stmt() for GCC 14+",
                            "    - filelock: Remove locks reliably when fcntl/close race is detected",
                            "    - scsi: qedf: Set qed_slowpath_params to zero before use",
                            "    - ACPI: EC: Abort address space access upon error",
                            "    - ACPI: EC: Avoid returning AE_OK on errors in address space handler",
                            "    - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata",
                            "    - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()",
                            "    - Input: silead - Always support 10 fingers",
                            "    - ila: block BH in ila_output()",
                            "    - kconfig: gconf: give a proper initial state to the Save button",
                            "    - kconfig: remove wrong expr_trans_bool()",
                            "    - fs/file: fix the check in find_next_fd()",
                            "    - mei: demote client disconnect warning on suspend to debug",
                            "    - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check",
                            "    - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()",
                            "    - ALSA: hda/realtek: Add more codec ID to no shutup pins list",
                            "    - mips: fix compat_sys_lseek syscall",
                            "    - Input: elantech - fix touchpad state on resume for Lenovo N24",
                            "    - bytcr_rt5640 : inverse jack detect for Archos 101 cesium",
                            "    - ASoC: ti: davinci-mcasp: Set min period size using FIFO config",
                            "    - ASoC: ti: omap-hdmi: Fix too long driver name",
                            "    - can: kvaser_usb: fix return value for hif_usb_send_regout",
                            "    - s390/sclp: Fix sclp_init() cleanup on failure",
                            "    - ALSA: dmaengine_pcm: terminate dmaengine before synchronize",
                            "    - net: usb: qmi_wwan: add Telit FN912 compositions",
                            "    - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and",
                            "      DEV_STATS_ADD()",
                            "    - powerpc/pseries: Whitelist dtl slub object for copying to userspace",
                            "    - powerpc/eeh: avoid possible crash when edev->pdev changes",
                            "    - scsi: libsas: Fix exp-attached device scan after probe failure scanned in",
                            "      again after probe failed",
                            "    - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()",
                            "    - fs: better handle deep ancestor chains in is_subdir()",
                            "    - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices",
                            "    - selftests/vDSO: fix clang build errors and warnings",
                            "    - hfsplus: fix uninit-value in copy_name",
                            "    - ARM: 9324/1: fix get_user() broken with veneer",
                            "    - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency",
                            "    - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()",
                            "    - net: relax socket state check at accept time.",
                            "    - ocfs2: add bounds checking to ocfs2_check_dir_entry()",
                            "    - jfs: don't walk off the end of ealist",
                            "    - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400",
                            "    - filelock: Fix fcntl/close race recovery compat path",
                            "    - tun: add missing verification for short frame",
                            "    - tap: add missing verification for short frame",
                            "    - Linux 5.4.281",
                            "  * Focal update: v5.4.283 upstream stable release (LP: #2080595) //",
                            "    CVE-2024-45016",
                            "    - netem: fix return value if duplicate enqueue fails",
                            "  * CVE-2024-38630",
                            "    - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger",
                            "  * CVE-2024-27397",
                            "    - netfilter: nf_tables: use timestamp to check for set element timeout",
                            "  * CVE-2024-26960",
                            "    - mm: swap: fix race between free_swap_and_cache() and swapoff()",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1123.131",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2082926,
                            2082937,
                            1786013,
                            2081085,
                            2081278,
                            2080595,
                            2078388,
                            2076097,
                            2080595
                        ],
                        "author": "Koichiro Den <koichiro.den@canonical.com>",
                        "date": "Fri, 11 Oct 2024 21:41:51 +0900"
                    }
                ],
                "notes": "linux-kvm-headers-5.4.0-1123 version '5.4.0-1123.131' (source package linux-kvm version '5.4.0-1123.131') was added. linux-kvm-headers-5.4.0-1123 version '5.4.0-1123.131' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1122-kvm. As such we can use the source package version of the removed package, '5.4.0-1122.130', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-modules-5.4.0-1123-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1123.131",
                    "version": "5.4.0-1123.131"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-26800",
                        "url": "https://ubuntu.com/security/CVE-2024-26800",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-04-04 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26641",
                        "url": "https://ubuntu.com/security/CVE-2024-26641",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write 
fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-47212",
                        "url": "https://ubuntu.com/security/CVE-2021-47212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 
0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-10 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42244",
                        "url": "https://ubuntu.com/security/CVE-2024-42244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: serial: mos7840: fix crash on resume  Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one.  This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure.  Fix this by implementing dedicated suspend and resume functions for mos7840.  Tested with Delock 87414 USB 2.0 to 4x serial adapter.  [ johan: analyse crash and rewrite commit message; set busy flag on          resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-07 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-40929",
                        "url": "https://ubuntu.com/security/CVE-2024-40929",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: mvm: check n_ssids before accessing the ssids  In some versions of cfg80211, the ssids pointer might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cause an out-of-bound access. Fix this by checking n_ssids first.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-12 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-41073",
                        "url": "https://ubuntu.com/security/CVE-2024-41073",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme: avoid double free special payload  If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-29 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-41071",
                        "url": "https://ubuntu.com/security/CVE-2024-41071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Avoid address calculations via out of bounds array indexing  req->n_channels must be set before req->channels[] can be used.  This patch fixes one of the issues encountered in [1].  [   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [   83.964264] Call Trace: [   83.964267]  <TASK> [   83.964269]  dump_stack_lvl+0x3f/0xc0 [   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110 [   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0 [   83.964281]  __ieee80211_start_scan+0x601/0x990 [   83.964291]  nl80211_trigger_scan+0x874/0x980 [   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160 [   83.964298]  genl_rcv_msg+0x240/0x270 [...]  [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-29 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42229",
                        "url": "https://ubuntu.com/security/CVE-2024-42229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aead,cipher - zeroize key buffer after use  I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38611",
                        "url": "https://ubuntu.com/security/CVE-2024-38611",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38602",
                        "url": "https://ubuntu.com/security/CVE-2024-38602",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-35848",
                        "url": "https://ubuntu.com/security/CVE-2024-35848",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-17 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26669",
                        "url": "https://ubuntu.com/security/CVE-2024-26669",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26668",
                        "url": "https://ubuntu.com/security/CVE-2024-26668",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. It's better to reject this rather than having incorrect ratelimit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26640",
                        "url": "https://ubuntu.com/security/CVE-2024-26640",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26607",
                        "url": "https://ubuntu.com/security/CVE-2024-26607",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] __device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. 
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-02-29 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2023-52614",
                        "url": "https://ubuntu.com/security/CVE-2023-52614",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-18 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2023-52531",
                        "url": "https://ubuntu.com/security/CVE-2023-52531",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-03-02 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-36402",
                        "url": "https://ubuntu.com/security/CVE-2022-36402",
                        "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
                        "cve_priority": "high",
                        "cve_public_date": "2022-09-16 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27051",
                        "url": "https://ubuntu.com/security/CVE-2024-27051",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-01 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26891",
                        "url": "https://ubuntu.com/security/CVE-2024-26891",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) 
GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] <NMI> [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? 
ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-17 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26885",
                        "url": "https://ubuntu.com/security/CVE-2024-26885",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-17 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-45016",
                        "url": "https://ubuntu.com/security/CVE-2024-45016",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-11 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38630",
                        "url": "https://ubuntu.com/security/CVE-2024-38630",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-06-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27397",
                        "url": "https://ubuntu.com/security/CVE-2024-27397",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-14 15:12:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26960",
                        "url": "https://ubuntu.com/security/CVE-2024-26960",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2082926,
                    2082937,
                    1786013,
                    2081085,
                    2081278,
                    2080595,
                    2078388,
                    2076097,
                    2080595
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-26800",
                                "url": "https://ubuntu.com/security/CVE-2024-26800",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-04-04 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26641",
                                "url": "https://ubuntu.com/security/CVE-2024-26641",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write 
fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-47212",
                                "url": "https://ubuntu.com/security/CVE-2021-47212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 
0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-10 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42244",
                                "url": "https://ubuntu.com/security/CVE-2024-42244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: serial: mos7840: fix crash on resume  Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one.  This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure.  Fix this by implementing dedicated suspend and resume functions for mos7840.  Tested with Delock 87414 USB 2.0 to 4x serial adapter.  [ johan: analyse crash and rewrite commit message; set busy flag on          resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-07 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-40929",
                                "url": "https://ubuntu.com/security/CVE-2024-40929",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: mvm: check n_ssids before accessing the ssids  In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-12 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-41073",
                                "url": "https://ubuntu.com/security/CVE-2024-41073",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme: avoid double free special payload  If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-29 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-41071",
                                "url": "https://ubuntu.com/security/CVE-2024-41071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Avoid address calculations via out of bounds array indexing  req->n_channels must be set before req->channels[] can be used.  This patch fixes one of the issues encountered in [1].  [   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [   83.964264] Call Trace: [   83.964267]  <TASK> [   83.964269]  dump_stack_lvl+0x3f/0xc0 [   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110 [   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0 [   83.964281]  __ieee80211_start_scan+0x601/0x990 [   83.964291]  nl80211_trigger_scan+0x874/0x980 [   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160 [   83.964298]  genl_rcv_msg+0x240/0x270 [...]  [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-29 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42229",
                                "url": "https://ubuntu.com/security/CVE-2024-42229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aead,cipher - zeroize key buffer after use  I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38611",
                                "url": "https://ubuntu.com/security/CVE-2024-38611",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38602",
                                "url": "https://ubuntu.com/security/CVE-2024-38602",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-35848",
                                "url": "https://ubuntu.com/security/CVE-2024-35848",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-17 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26669",
                                "url": "https://ubuntu.com/security/CVE-2024-26669",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26668",
                                "url": "https://ubuntu.com/security/CVE-2024-26668",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26640",
                                "url": "https://ubuntu.com/security/CVE-2024-26640",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26607",
                                "url": "https://ubuntu.com/security/CVE-2024-26607",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] __device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. 
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-02-29 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2023-52614",
                                "url": "https://ubuntu.com/security/CVE-2023-52614",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-18 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2023-52531",
                                "url": "https://ubuntu.com/security/CVE-2023-52531",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-03-02 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-36402",
                                "url": "https://ubuntu.com/security/CVE-2022-36402",
                                "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
                                "cve_priority": "high",
                                "cve_public_date": "2022-09-16 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27051",
                                "url": "https://ubuntu.com/security/CVE-2024-27051",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-01 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26891",
                                "url": "https://ubuntu.com/security/CVE-2024-26891",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) 
GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] <NMI> [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? 
ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-17 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26885",
                                "url": "https://ubuntu.com/security/CVE-2024-26885",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-17 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-45016",
                                "url": "https://ubuntu.com/security/CVE-2024-45016",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-11 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38630",
                                "url": "https://ubuntu.com/security/CVE-2024-38630",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-06-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27397",
                                "url": "https://ubuntu.com/security/CVE-2024-27397",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-14 15:12:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26960",
                                "url": "https://ubuntu.com/security/CVE-2024-26960",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1123.131 -proposed tracker (LP: #2082926)",
                            "",
                            "  [ Ubuntu: 5.4.0-200.220 ]",
                            "",
                            "  * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2024.09.30)",
                            "  * CVE-2024-26800",
                            "    - tls: rx: coalesce exit paths in tls_decrypt_sg()",
                            "    - tls: separate no-async decryption request handling from async",
                            "    - tls: fix use-after-free on failed backlog decryption",
                            "  * CVE-2024-26641",
                            "    - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()",
                            "  * CVE-2021-47212",
                            "    - net/mlx5: Update error handler for UCTX and UMEM",
                            "  * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks",
                            "    (LP: #2081085)",
                            "    - bdi: use bdi_dev_name() to get device name",
                            "  * Focal update: v5.4.284 upstream stable release (LP: #2081278)",
                            "    - drm: panel-orientation-quirks: Add quirk for OrangePi Neo",
                            "    - i2c: Fix conditional for substituting empty ACPI functions",
                            "    - net: usb: qmi_wwan: add MeiG Smart SRM825L",
                            "    - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr",
                            "    - drm/amdgpu: fix overflowed array index read warning",
                            "    - drm/amd/display: Check gpio_id before used as array index",
                            "    - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6",
                            "    - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]",
                            "    - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within",
                            "      dal_gpio_service_create",
                            "    - drm/amdgpu: fix ucode out-of-bounds read warning",
                            "    - drm/amdgpu: fix mc_data out-of-bounds read warning",
                            "    - drm/amdkfd: Reconcile the definition and use of oem_id in struct",
                            "      kfd_topology_device",
                            "    - apparmor: fix possible NULL pointer dereference",
                            "    - ionic: fix potential irq name truncation",
                            "    - usbip: Don't submit special requests twice",
                            "    - usb: typec: ucsi: Fix null pointer dereference in trace",
                            "    - smack: tcp: ipv4, fix incorrect labeling",
                            "    - wifi: cfg80211: make hash table duplicates more survivable",
                            "    - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null",
                            "    - media: uvcvideo: Enforce alignment of frame and interval",
                            "    - block: initialize integrity buffer to zero before writing it to media",
                            "    - net: set SOCK_RCU_FREE before inserting socket into hashtable",
                            "    - virtio_net: Fix napi_skb_cache_put warning",
                            "    - udf: Limit file size to 4TB",
                            "    - i2c: Use IS_REACHABLE() for substituting empty ACPI functions",
                            "    - sch/netem: fix use after free in netem_dequeue",
                            "    - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object",
                            "    - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius",
                            "      devices",
                            "    - ata: libata: Fix memory leak for error path in ata_host_alloc()",
                            "    - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()",
                            "    - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K",
                            "    - mmc: sdhci-of-aspeed: fix module autoloading",
                            "    - fuse: update stats for pages in dropped aux writeback list",
                            "    - fuse: use unsigned type for getxattr/listxattr size truncation",
                            "    - reset: hi6220: Add support for AO reset controller",
                            "    - clk: hi6220: use CLK_OF_DECLARE_DRIVER",
                            "    - clk: qcom: clk-alpha-pll: Fix the pll post div mask",
                            "    - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API",
                            "    - ila: call nf_unregister_net_hooks() sooner",
                            "    - sched: sch_cake: fix bulk flow accounting logic for host fairness",
                            "    - nilfs2: fix missing cleanup on rollforward recovery error",
                            "    - nilfs2: fix state management in error path of log writing function",
                            "    - ALSA: hda: Add input value sanity checks to HDMI channel map controls",
                            "    - smack: unix sockets: fix accept()ed socket label",
                            "    - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1",
                            "    - af_unix: Remove put_pid()/put_cred() in copy_peercred().",
                            "    - netfilter: nf_conncount: fix wrong variable type",
                            "    - udf: Avoid excessive partition lengths",
                            "    - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3",
                            "    - usb: uas: set host status byte on data completion error",
                            "    - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)",
                            "    - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse",
                            "    - pcmcia: Use resource_size function on resource object",
                            "    - can: bcm: Remove proc entry when dev is unregistered.",
                            "    - igb: Fix not clearing TimeSync interrupts for 82580",
                            "    - platform/x86: dell-smbios: Fix error path in dell_smbios_init()",
                            "    - tcp_bpf: fix return value of tcp_bpf_sendmsg()",
                            "    - cx82310_eth: re-enable ethernet mode after router reboot",
                            "    - drivers/net/usb: Remove all strcpy() uses",
                            "    - net: usb: don't write directly to netdev->dev_addr",
                            "    - usbnet: modern method to get random MAC",
                            "    - net: bridge: fdb: convert is_local to bitops",
                            "    - net: bridge: fdb: convert is_static to bitops",
                            "    - net: bridge: fdb: convert is_sticky to bitops",
                            "    - net: bridge: fdb: convert added_by_user to bitops",
                            "    - net: bridge: fdb: convert added_by_external_learn to use bitops",
                            "    - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN",
                            "    - net: dsa: vsc73xx: fix possible subblocks range of CAPT block",
                            "    - ASoC: topology: Properly initialize soc_enum values",
                            "    - dm init: Handle minors larger than 255",
                            "    - iommu/vt-d: Handle volatile descriptor status read",
                            "    - cgroup: Protect css->cgroup write under css_set_lock",
                            "    - um: line: always fill *error_out in setup_one_line()",
                            "    - devres: Initialize an uninitialized struct member",
                            "    - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv",
                            "    - hwmon: (adc128d818) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (lm95234) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes",
                            "    - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes",
                            "    - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}",
                            "    - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()",
                            "    - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()",
                            "    - btrfs: replace BUG_ON with ASSERT in walk_down_proc()",
                            "    - btrfs: clean up our handling of refs == 0 in snapshot delete",
                            "    - PCI: Add missing bridge lock to pci_bus_lock()",
                            "    - btrfs: initialize location to fix -Wmaybe-uninitialized in",
                            "      btrfs_lookup_dentry()",
                            "    - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup",
                            "    - Input: uinput - reject requests with unreasonable number of slots",
                            "    - usbnet: ipheth: race between ipheth_close and error handling",
                            "    - Squashfs: sanity check symbolic link size",
                            "    - of/irq: Prevent device address out-of-bounds read in interrupt map walk",
                            "    - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()",
                            "    - ata: pata_macio: Use WARN instead of BUG",
                            "    - NFSv4: Add missing rescheduling points in",
                            "      nfs_client_return_marked_delegations",
                            "    - staging: iio: frequency: ad9834: Validate frequency parameter value",
                            "    - iio: buffer-dmaengine: fix releasing dma channel on error",
                            "    - iio: fix scale application in iio_convert_raw_to_processed_unlocked",
                            "    - binder: fix UAF caused by offsets overwrite",
                            "    - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc",
                            "    - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind",
                            "    - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic",
                            "    - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()",
                            "    - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX",
                            "    - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime",
                            "    - clocksource/drivers/timer-of: Remove percpu irq related code",
                            "    - uprobes: Use kzalloc to allocate xol area",
                            "    - ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()",
                            "    - tracing: Avoid possible softlockup in tracing_iter_reset()",
                            "    - nilfs2: replace snprintf in show functions with sysfs_emit",
                            "    - nilfs2: protect references to superblock parameters exposed in sysfs",
                            "    - ACPI: processor: Return an error if acpi_processor_get_info() fails in",
                            "      processor_add()",
                            "    - ACPI: processor: Fix memory leaks in error paths of processor_add()",
                            "    - arm64: acpi: Move get_cpu_for_acpi_id() to a header",
                            "    - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry",
                            "    - nvmet-tcp: fix kernel crash if commands allocation fails",
                            "    - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused",
                            "    - drm/i915/fence: Mark debug_fence_free() with __maybe_unused",
                            "    - rtmutex: Drop rt_mutex::wait_lock before scheduling",
                            "    - net, sunrpc: Remap EPERM in case of connection failure in",
                            "      xs_tcp_setup_socket",
                            "    - cx82310_eth: fix error return code in cx82310_bind()",
                            "    - Linux 5.4.284",
                            "  * CVE-2024-42244",
                            "    - USB: serial: mos7840: fix crash on resume",
                            "  * CVE-2024-40929",
                            "    - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids",
                            "  * CVE-2024-41073",
                            "    - nvme: avoid double free special payload",
                            "  * CVE-2024-41071",
                            "    - wifi: mac80211: Avoid address calculations via out of bounds array indexing",
                            "  * CVE-2024-42229",
                            "    - crypto: aead, cipher - zeroize key buffer after use",
                            "  * CVE-2024-38611",
                            "    - media: i2c: et8ek8: Don't strip remove function when driver is builtin",
                            "  * CVE-2024-38602",
                            "    - ax25: Fix reference count leak issues of ax25_dev",
                            "  * CVE-2024-35848",
                            "    - misc: eeprom: at24: fix regulator underflow",
                            "    - misc: eeprom: at24: register nvmem only after eeprom is ready to use",
                            "    - eeprom: at24: fix memory corruption race condition",
                            "  * CVE-2024-26669",
                            "    - net/sched: flower: Fix chain template offload",
                            "  * CVE-2024-26668",
                            "    - netfilter: nft_limit: rename stateful structure",
                            "    - netfilter: nft_limit: reject configurations that cause integer overflow",
                            "  * CVE-2024-26640",
                            "    - net-zerocopy: Refactor frag-is-remappable test.",
                            "    - tcp: add sanity checks to rx zerocopy",
                            "  * CVE-2024-26607",
                            "    - drm/bridge: sii902x: Fix probing race issue",
                            "  * CVE-2023-52614",
                            "    - PM / devfreq: Fix buffer overflow in trans_stat_show",
                            "  * CVE-2023-52531",
                            "    - wifi: iwlwifi: mvm: Fix a memory corruption issue",
                            "  * CVE-2022-36402",
                            "    - drm/vmwgfx: Use enum to represent graphics context capabilities",
                            "    - drm/vmwgfx: Fix shader stage validation",
                            "  * Focal update: v5.4.283 upstream stable release (LP: #2080595)",
                            "    - fuse: Initialize beyond-EOF page contents before setting uptodate",
                            "    - ALSA: usb-audio: Support Yamaha P-125 quirk entry",
                            "    - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration",
                            "    - s390/dasd: fix error recovery leading to data corruption on ESE devices",
                            "    - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to",
                            "      NUMA_NO_NODE",
                            "    - dm resume: don't return EINVAL when signalled",
                            "    - dm persistent data: fix memory allocation failure",
                            "    - vfs: Don't evict inode under the inode lru traversing context",
                            "    - bitmap: introduce generic optimized bitmap_size()",
                            "    - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE",
                            "    - selinux: fix potential counting error in avc_add_xperms_decision()",
                            "    - drm/amdgpu: Actually check flags for all context ops.",
                            "    - memcg_write_event_control(): fix a user-triggerable oops",
                            "    - overflow.h: Add flex_array_size() helper",
                            "    - overflow: Implement size_t saturating arithmetic helpers",
                            "    - s390/cio: rename bitmap_size() -> idset_bitmap_size()",
                            "    - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()",
                            "    - s390/uv: Panic for set and remove shared access UVC errors",
                            "    - net/mlx5e: Correctly report errors for ethtool rx flows",
                            "    - atm: idt77252: prevent use after free in dequeue_rx()",
                            "    - net: axienet: Fix DMA descriptor cleanup path",
                            "    - net: axienet: Improve DMA error handling",
                            "    - net: axienet: Factor out TX descriptor chain cleanup",
                            "    - net: axienet: Check for DMA mapping errors",
                            "    - net: axienet: Drop MDIO interrupt registers from ethtools dump",
                            "    - net: axienet: Wrap DMA pointer writes to prepare for 64 bit",
                            "    - net: axienet: Upgrade descriptors to hold 64-bit addresses",
                            "    - net: axienet: Autodetect 64-bit DMA capability",
                            "    - net: axienet: Fix register defines comment description",
                            "    - net: dsa: vsc73xx: pass value in phy_write operation",
                            "    - net: hns3: fix a deadlock problem when config TC during resetting",
                            "    - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7",
                            "    - ssb: Fix division by zero issue in ssb_calc_clock_rate",
                            "    - wifi: cw1200: Avoid processing an invalid TIM IE",
                            "    - i2c: riic: avoid potential division by zero",
                            "    - media: radio-isa: use dev_name to fill in bus_info",
                            "    - staging: ks7010: disable bh on tx_dev_lock",
                            "    - binfmt_misc: cleanup on filesystem umount",
                            "    - scsi: spi: Fix sshdr use",
                            "    - gfs2: setattr_chown: Add missing initialization",
                            "    - wifi: iwlwifi: abort scan when rfkill on but device enabled",
                            "    - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock",
                            "    - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu",
                            "    - nvmet-trace: avoid dereferencing pointer too early",
                            "    - ext4: do not trim the group with corrupted block bitmap",
                            "    - quota: Remove BUG_ON from dqget()",
                            "    - media: pci: cx23885: check cx23885_vdev_init() return",
                            "    - fs: binfmt_elf_efpic: don't use missing interpreter's properties",
                            "    - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()",
                            "    - net/sun3_82586: Avoid reading past buffer in debug output",
                            "    - drm/lima: set gp bus_stop bit before hard reset",
                            "    - virtiofs: forbid newlines in tags",
                            "    - md: clean up invalid BUG_ON in md_ioctl",
                            "    - x86: Increase brk randomness entropy for 64-bit systems",
                            "    - powerpc/boot: Handle allocation failure in simple_realloc()",
                            "    - powerpc/boot: Only free if realloc() succeeds",
                            "    - btrfs: change BUG_ON to assertion when checking for delayed_node root",
                            "    - btrfs: handle invalid root reference found in may_destroy_subvol()",
                            "    - btrfs: send: handle unexpected data in header buffer in begin_cmd()",
                            "    - btrfs: delete pointless BUG_ON check on quota root in",
                            "      btrfs_qgroup_account_extent()",
                            "    - f2fs: fix to do sanity check in update_sit_entry",
                            "    - usb: gadget: fsl: Increase size of name buffer for endpoints",
                            "    - nvme: clear caller pointer on identify failure",
                            "    - Bluetooth: bnep: Fix out-of-bound access",
                            "    - nvmet-tcp: do not continue for invalid icreq",
                            "    - NFS: avoid infinite loop in pnfs_update_layout.",
                            "    - openrisc: Call setup_memory() earlier in the init sequence",
                            "    - s390/iucv: fix receive buffer virtual vs physical address confusion",
                            "    - usb: dwc3: core: Skip setting event buffers for host only controllers",
                            "    - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc",
                            "    - ext4: set the type of max_zeroout to unsigned int to avoid overflow",
                            "    - nvmet-rdma: fix possible bad dereference when freeing rsps",
                            "    - hrtimer: Prevent queuing of hrtimer without a function callback",
                            "    - gtp: pull network headers in gtp_dev_xmit()",
                            "    - block: use \"unsigned long\" for blk_validate_block_size().",
                            "    - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)",
                            "    - dm mpath: pass IO start time to path selector",
                            "    - dm: do not use waitqueue for request-based DM",
                            "    - dm suspend: return -ERESTARTSYS instead of -EINTR",
                            "    - Bluetooth: Make use of __check_timeout on hci_sched_le",
                            "    - Bluetooth: hci_core: Fix not handling link timeouts propertly",
                            "    - Bluetooth: hci_core: Fix LE quote calculation",
                            "    - tc-testing: don't access non-existent variable on exception",
                            "    - kcm: Serialise kcm_sendmsg() for the same socket.",
                            "    - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.",
                            "    - net: dsa: mv88e6xxx: global2: Expose ATU stats register",
                            "    - net: dsa: mv88e6xxx: global1_atu: Add helper for get next",
                            "    - net: dsa: mv88e6xxx: read FID when handling ATU violations",
                            "    - net: dsa: mv88e6xxx: replace ATU violation prints with trace points",
                            "    - net: dsa: mv88e6xxx: Fix out-of-bound access",
                            "    - ipv6: prevent UAF in ip6_send_skb()",
                            "    - net: xilinx: axienet: Always disable promiscuous mode",
                            "    - net: xilinx: axienet: Fix dangling multicast addresses",
                            "    - drm/msm: use drm_debug_enabled() to check for debug categories",
                            "    - drm/msm/dpu: don't play tricks with debug macros",
                            "    - mmc: mmc_test: Fix NULL dereference on allocation failure",
                            "    - Bluetooth: MGMT: Add error handling to pair_device()",
                            "    - HID: wacom: Defer calculation of resolution until resolution_code is known",
                            "    - HID: microsoft: Add rumble support to latest xbox controllers",
                            "    - cxgb4: add forgotten u64 ivlan cast before shift",
                            "    - mmc: dw_mmc: allow biu and ciu clocks to defer",
                            "    - ALSA: timer: Relax start tick time check for slave timer elements",
                            "    - Input: MT - limit max slots",
                            "    - tools: move alignment-related macros to new <linux/align.h>",
                            "    - pinctrl: single: fix potential NULL dereference in pcs_get_function()",
                            "    - wifi: mwifiex: duplicate static structs used in driver instances",
                            "    - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages",
                            "    - filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64",
                            "    - media: uvcvideo: Fix integer overflow calculating timestamp",
                            "    - ata: libata-core: Fix null pointer dereference on error",
                            "    - cgroup/cpuset: Prevent UAF in proc_cpuset_show()",
                            "    - net:rds: Fix possible deadlock in rds_message_put",
                            "    - soundwire: stream: fix programming slave ports for non-continous port maps",
                            "    - r8152: Factor out OOB link list waits",
                            "    - ethtool: check device is present when getting link settings",
                            "    - gtp: fix a potential NULL pointer dereference",
                            "    - net: busy-poll: use ktime_get_ns() instead of local_clock()",
                            "    - nfc: pn533: Add dev_up/dev_down hooks to phy_ops",
                            "    - nfc: pn533: Add autopoll capability",
                            "    - nfc: pn533: Add poll mod list filling check",
                            "    - soc: qcom: cmd-db: Map shared memory as WC, not WB",
                            "    - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller",
                            "    - USB: serial: option: add MeiG Smart SRM825L",
                            "    - usb: dwc3: omap: add missing depopulate in probe error path",
                            "    - usb: dwc3: core: Prevent USB core invalid event buffer address access",
                            "    - usb: dwc3: st: fix probed platform device ref count on probe error path",
                            "    - usb: dwc3: st: add missing depopulate in probe error path",
                            "    - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in",
                            "      remove_power_attributes()",
                            "    - net: dsa: mv8e6xxx: Fix stub function parameters",
                            "    - scsi: aacraid: Fix double-free on probe failure",
                            "    - Linux 5.4.283",
                            "  * CVE-2024-27051",
                            "    - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value",
                            "    - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations",
                            "  * CVE-2024-26891",
                            "    - PCI: Make pci_dev_is_disconnected() helper public for other drivers",
                            "    - iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected",
                            "  * Focal update: v5.4.282 upstream stable release (LP: #2078388)",
                            "    - EDAC, skx_common: Refactor so that we initialize \"dev\" in result of adxl",
                            "      decode.",
                            "    - EDAC, skx: Retrieve and print retry_rd_err_log registers",
                            "    - EDAC/skx_common: Add new ADXL components for 2-level memory",
                            "    - EDAC, i10nm: make skx_common.o a separate module",
                            "    - platform/chrome: cros_ec_debugfs: fix wrong EC message version",
                            "    - hfsplus: fix to avoid false alarm of circular locking",
                            "    - x86/of: Return consistent error type from x86_of_pci_irq_enable()",
                            "    - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling",
                            "    - x86/pci/xen: Fix PCIBIOS_* return code handling",
                            "    - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos",
                            "    - hwmon: (adt7475) Fix default duty on fan is disabled",
                            "    - pwm: stm32: Always do lazy disabling",
                            "    - hwmon: (max6697) Fix underflow when writing limit attributes",
                            "    - hwmon: (max6697) Fix swapped temp{1,8} critical alarms",
                            "    - arm64: dts: qcom: sdm845: add power-domain to UFS PHY",
                            "    - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies",
                            "    - arm64: dts: rockchip: Increase VOP clk rate on RK3328",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix board reset",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity",
                            "    - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux",
                            "    - arm64: dts: amlogic: gx: correct hdmi clocks",
                            "    - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages",
                            "    - x86/xen: Convert comma to semicolon",
                            "    - m68k: cmpxchg: Fix return value for default case in __arch_xchg()",
                            "    - firmware: turris-mox-rwtm: Fix checking return value of",
                            "      wait_for_completion_timeout()",
                            "    - firmware: turris-mox-rwtm: Initialize completion before mailbox",
                            "    - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device",
                            "    - net/smc: Allow SMC-D 1MB DMB allocations",
                            "    - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when",
                            "      CONFIG_ARCH_NO_SG_CHAIN is defined",
                            "    - selftests/bpf: Check length of recv in test_sockmap",
                            "    - lib: objagg: Fix general protection fault",
                            "    - mlxsw: spectrum_acl_erp: Fix object nesting warning",
                            "    - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()",
                            "    - wifi: cfg80211: handle 2x996 RU allocation in",
                            "      cfg80211_calculate_bitrate_he()",
                            "    - net: fec: Refactor: #define magic constants",
                            "    - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down",
                            "    - ipvs: Avoid unnecessary calls to skb_is_gso_sctp",
                            "    - netfilter: nf_tables: rise cap on SELinux secmark context",
                            "    - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation",
                            "    - perf: Fix perf_aux_size() for greater-than 32-bit size",
                            "    - perf: Prevent passing zero nr_pages to rb_alloc_aux()",
                            "    - qed: Improve the stack space of filter_config()",
                            "    - wifi: virt_wifi: avoid reporting connection success with wrong SSID",
                            "    - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey",
                            "    - wifi: virt_wifi: don't use strlen() in const context",
                            "    - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures",
                            "    - selftests: forwarding: devlink_lib: Wait for udev events after reloading",
                            "    - media: dvb-usb: Fix unexpected infinite loop in",
                            "      dvb_usb_read_remote_control()",
                            "    - media: imon: Fix race getting ictx->lock",
                            "    - saa7134: Unchecked i2c_transfer function result fixed",
                            "    - media: uvcvideo: Allow entity-defined get_info and get_cur",
                            "    - media: uvcvideo: Override default flags",
                            "    - media: renesas: vsp1: Fix _irqsave and _irq mix",
                            "    - media: renesas: vsp1: Store RPF partition configuration per RPF instance",
                            "    - leds: trigger: Unregister sysfs attributes before calling deactivate()",
                            "    - perf report: Fix condition in sort__sym_cmp()",
                            "    - drm/etnaviv: fix DMA direction handling for cached RW buffers",
                            "    - drm/qxl: Add check for drm_cvt_mode",
                            "    - mfd: omap-usb-tll: Use struct_size to allocate tll",
                            "    - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.",
                            "    - ext4: avoid writing unitialized memory to disk in EA inodes",
                            "    - sparc64: Fix incorrect function signature and add prototype for",
                            "      prom_cif_init",
                            "    - SUNRPC: Fixup gss_status tracepoint error output",
                            "    - PCI: Fix resource double counting on remove & rescan",
                            "    - Input: qt1050 - handle CHIP_ID reading error",
                            "    - RDMA/mlx4: Fix truncated output warning in mad.c",
                            "    - RDMA/mlx4: Fix truncated output warning in alias_GUID.c",
                            "    - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs",
                            "    - ASoC: max98088: Check for clk_prepare_enable() error",
                            "    - mtd: make mtd_test.c a separate module",
                            "    - RDMA/device: Return error earlier if port in not valid",
                            "    - Input: elan_i2c - do not leave interrupt disabled on suspend failure",
                            "    - MIPS: Octeron: remove source file executable bit",
                            "    - powerpc/xmon: Fix disassembly CPU feature checks",
                            "    - macintosh/therm_windtunnel: fix module unload.",
                            "    - bnxt_re: Fix imm_data endianness",
                            "    - netfilter: ctnetlink: use helper function to calculate expect ID",
                            "    - pinctrl: core: fix possible memory leak when pinctrl_enable() fails",
                            "    - pinctrl: single: fix possible memory leak when pinctrl_enable() fails",
                            "    - pinctrl: ti: ti-iodelay: Drop if block with always false condition",
                            "    - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()",
                            "      fails",
                            "    - pinctrl: freescale: mxs: Fix refcount of child",
                            "    - fs/nilfs2: remove some unused macros to tame gcc",
                            "    - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro",
                            "    - rtc: interface: Add RTC offset to alarm after fix-up",
                            "    - tick/broadcast: Make takeover of broadcast hrtimer reliable",
                            "    - net: netconsole: Disable target before netpoll cleanup",
                            "    - af_packet: Handle outgoing VLAN packets without hardware offloading",
                            "    - ipv6: take care of scope when choosing the src addr",
                            "    - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()",
                            "    - media: venus: fix use after free in vdec_close",
                            "    - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()",
                            "    - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes",
                            "    - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes",
                            "    - drm/amd/display: Check for NULL pointer",
                            "    - udf: Avoid using corrupted block bitmap buffer",
                            "    - m68k: amiga: Turn off Warp1260 interrupts during boot",
                            "    - ext4: check dot and dotdot of dx_root before making dir indexed",
                            "    - ext4: make sure the first directory block is not a hole",
                            "    - wifi: mwifiex: Fix interface type change",
                            "    - leds: ss4200: Convert PCIBIOS_* return codes to errnos",
                            "    - tools/memory-model: Fix bug in lock.cat",
                            "    - hwrng: amd - Convert PCIBIOS_* return codes to errnos",
                            "    - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN",
                            "    - binder: fix hang of unregistered readers",
                            "    - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds",
                            "    - f2fs: fix to don't dirty inode for readonly filesystem",
                            "    - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use",
                            "    - ubi: eba: properly rollback inside self_check_eba",
                            "    - decompress_bunzip2: fix rare decompression failure",
                            "    - kobject_uevent: Fix OOB access within zap_modalias_env()",
                            "    - rtc: cmos: Fix return value of nvmem callbacks",
                            "    - scsi: qla2xxx: During vport delete send async logout explicitly",
                            "    - scsi: qla2xxx: Fix for possible memory corruption",
                            "    - scsi: qla2xxx: Complete command early within lock",
                            "    - scsi: qla2xxx: validate nvme_local_port correctly",
                            "    - perf/x86/intel/pt: Fix topa_entry base length",
                            "    - perf/x86/intel/pt: Fix a topa_entry base address calculation",
                            "    - rtc: isl1208: Fix return value of nvmem callbacks",
                            "    - watchdog/perf: properly initialize the turbo mode timestamp and rearm",
                            "      counter",
                            "    - platform: mips: cpu_hwmon: Disable driver on unsupported hardware",
                            "    - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs",
                            "    - selftests/sigaltstack: Fix ppc64 GCC build",
                            "    - rbd: don't assume rbd_is_lock_owner() for exclusive mappings",
                            "    - drm/panfrost: Mark simple_ondemand governor as softdep",
                            "    - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait",
                            "    - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings",
                            "    - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables",
                            "    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591",
                            "    - nilfs2: handle inconsistent state in nilfs_btnode_create_block()",
                            "    - kdb: address -Wformat-security warnings",
                            "    - kdb: Use the passed prompt in kdb_position_cursor()",
                            "    - jfs: Fix array-index-out-of-bounds in diFree",
                            "    - um: time-travel: fix time-travel-start option",
                            "    - libbpf: Fix no-args func prototype BTF dumping syntax",
                            "    - dma: fix call order in dmam_free_coherent",
                            "    - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later",
                            "    - ipv4: Fix incorrect source address in Record Route option",
                            "    - net: bonding: correctly annotate RCU in bond_should_notify_peers()",
                            "    - tipc: Return non-zero value from tipc_udp_addr2str() on error",
                            "    - net: nexthop: Initialize all fields in dumped nexthops",
                            "    - bpf: Fix a segment issue when downgrading gso_size",
                            "    - mISDN: Fix a use after free in hfcmulti_tx()",
                            "    - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()",
                            "    - ASoC: Intel: Convert to new X86 CPU match macros",
                            "    - ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header",
                            "    - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable",
                            "    - nvme-pci: add missing condition check for existence of mapped data",
                            "    - mm: avoid overflows in dirty throttling logic",
                            "    - PCI: rockchip: Make 'ep-gpios' DT property optional",
                            "    - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio",
                            "    - parport: Convert printk(KERN_<LEVEL> to pr_<level>(",
                            "    - parport: Standardize use of printmode",
                            "    - dev/parport: fix the array out-of-bounds risk",
                            "    - driver core: Cast to (void *) with __force for __percpu pointer",
                            "    - devres: Fix memory leakage caused by driver API devm_free_percpu()",
                            "    - genirq: Allow the PM device to originate from irq domain",
                            "    - irqchip/imx-irqsteer: Constify irq_chip struct",
                            "    - irqchip/imx-irqsteer: Add runtime PM support",
                            "    - irqchip/imx-irqsteer: Handle runtime power management correctly",
                            "    - remoteproc: imx_rproc: ignore mapping vdev regions",
                            "    - remoteproc: imx_rproc: Fix ignoring mapping vdev regions",
                            "    - remoteproc: imx_rproc: Skip over memory region when node value is NULL",
                            "    - drm/nouveau: prime: fix refcount underflow",
                            "    - drm/vmwgfx: Fix overlay when using Screen Targets",
                            "    - net/iucv: fix use after free in iucv_sock_close()",
                            "    - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys",
                            "    - ipv6: fix ndisc_is_useropt() handling for PIO",
                            "    - HID: wacom: Modify pen IDs",
                            "    - protect the fetch of ->fd[fd] in do_dup2() from mispredictions",
                            "    - ALSA: usb-audio: Correct surround channels in UAC1 channel map",
                            "    - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read",
                            "    - netfilter: ipset: Add list flush to cancel_gc",
                            "    - genirq: Allow irq_chip registration functions to take a const irq_chip",
                            "    - irqchip/mbigen: Fix mbigen node address layout",
                            "    - x86/mm: Fix pti_clone_pgtable() alignment assumption",
                            "    - sctp: move hlist_node and hashent out of sctp_ep_common",
                            "    - sctp: Fix null-ptr-deref in reuseport_add_sock().",
                            "    - net: usb: qmi_wwan: fix memory leak for not ip packets",
                            "    - net: linkwatch: use system_unbound_wq",
                            "    - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()",
                            "    - net: fec: Stop PPS on driver remove",
                            "    - md/raid5: avoid BUG_ON() while continue reshape after reassembling",
                            "    - clocksource/drivers/sh_cmt: Address race condition for clock events",
                            "    - ACPI: battery: create alarm sysfs attribute atomically",
                            "    - ACPI: SBS: manage alarm sysfs attribute through psy core",
                            "    - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT",
                            "    - PCI: Add Edimax Vendor ID to pci_ids.h",
                            "    - udf: prevent integer overflow in udf_bitmap_free_blocks()",
                            "    - wifi: nl80211: don't give key data to userspace",
                            "    - btrfs: fix bitmap leak when loading free space cache on duplicate entry",
                            "    - drm/amdgpu: Fix the null pointer dereference to ras_manager",
                            "    - media: uvcvideo: Ignore empty TS packets",
                            "    - media: uvcvideo: Fix the bandwdith quirk on USB 3.x",
                            "    - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer",
                            "    - s390/sclp: Prevent release of buffer in I/O",
                            "    - SUNRPC: Fix a race to wake a sync task",
                            "    - ext4: fix wrong unit use in ext4_mb_find_by_goal",
                            "    - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-",
                            "      space",
                            "    - arm64: Add Neoverse-V2 part",
                            "    - arm64: cputype: Add Cortex-X4 definitions",
                            "    - arm64: cputype: Add Neoverse-V3 definitions",
                            "    - arm64: errata: Add workaround for Arm errata 3194386 and 3312417",
                            "    - [Config] Set ARM64_ERRATUM_3194386=y",
                            "    - arm64: cputype: Add Cortex-X3 definitions",
                            "    - arm64: cputype: Add Cortex-A720 definitions",
                            "    - arm64: cputype: Add Cortex-X925 definitions",
                            "    - arm64: errata: Unify speculative SSBS errata logic",
                            "    - arm64: errata: Expand speculative SSBS workaround",
                            "    - arm64: cputype: Add Cortex-X1C definitions",
                            "    - arm64: cputype: Add Cortex-A725 definitions",
                            "    - arm64: errata: Expand speculative SSBS workaround (again)",
                            "    - i2c: smbus: Don't filter out duplicate alerts",
                            "    - i2c: smbus: Improve handling of stuck alerts",
                            "    - i2c: smbus: Send alert notifications to all devices if source not found",
                            "    - bpf: kprobe: remove unused declaring of bpf_kprobe_override",
                            "    - spi: fsl-lpspi: remove unneeded array",
                            "    - spi: spi-fsl-lpspi: Fix scldiv calculation",
                            "    - drm/client: fix null pointer dereference in drm_client_modeset_probe",
                            "    - ALSA: line6: Fix racy access to midibuf",
                            "    - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list",
                            "    - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4",
                            "    - usb: vhci-hcd: Do not drop references before new references are gained",
                            "    - USB: serial: debug: do not echo input by default",
                            "    - usb: gadget: core: Check for unset descriptor",
                            "    - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic",
                            "    - tick/broadcast: Move per CPU pointer access into the atomic section",
                            "    - ntp: Clamp maxerror and esterror to operating range",
                            "    - driver core: Fix uevent_show() vs driver detach race",
                            "    - ntp: Safeguard against time_constant overflow",
                            "    - scsi: mpt3sas: Remove scsi_dma_map() error messages",
                            "    - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES",
                            "    - serial: core: check uartclk for zero to avoid divide by zero",
                            "    - genirq/irqdesc: Honor caller provided affinity in alloc_desc()",
                            "    - power: supply: axp288_charger: Fix constant_charge_voltage writes",
                            "    - power: supply: axp288_charger: Round constant_charge_voltage writes down",
                            "    - tracing: Fix overflow in get_free_elt()",
                            "    - x86/mtrr: Check if fixed MTRRs exist before saving them",
                            "    - drm/bridge: analogix_dp: properly handle zero sized AUX transactions",
                            "    - drm/mgag200: Set DDC timeout in milliseconds",
                            "    - Fix gcc 4.9 build issue in 5.4.y",
                            "    - kbuild: Fix '-S -c' in x86 stack protector scripts",
                            "    - netfilter: nf_tables: set element extended ACK reporting support",
                            "    - netfilter: nf_tables: prefer nft_chain_validate",
                            "    - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation",
                            "    - arm64: cpufeature: Fix the visibility of compat hwcaps",
                            "    - media: uvcvideo: Use entity get_cur in uvc_ctrl_set",
                            "    - exec: Fix ToCToU between perm check and set-uid/gid usage",
                            "    - nvme/pci: Add APST quirk for Lenovo N60z laptop",
                            "    - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode",
                            "    - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in",
                            "      dvb_usb_read_remote_control()\"",
                            "    - Linux 5.4.282",
                            "  * CVE-2024-26885",
                            "    - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches",
                            "  * Focal update: v5.4.281 upstream stable release (LP: #2076097)",
                            "    - gcc-plugins: Rename last_stmt() for GCC 14+",
                            "    - filelock: Remove locks reliably when fcntl/close race is detected",
                            "    - scsi: qedf: Set qed_slowpath_params to zero before use",
                            "    - ACPI: EC: Abort address space access upon error",
                            "    - ACPI: EC: Avoid returning AE_OK on errors in address space handler",
                            "    - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata",
                            "    - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()",
                            "    - Input: silead - Always support 10 fingers",
                            "    - ila: block BH in ila_output()",
                            "    - kconfig: gconf: give a proper initial state to the Save button",
                            "    - kconfig: remove wrong expr_trans_bool()",
                            "    - fs/file: fix the check in find_next_fd()",
                            "    - mei: demote client disconnect warning on suspend to debug",
                            "    - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check",
                            "    - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()",
                            "    - ALSA: hda/realtek: Add more codec ID to no shutup pins list",
                            "    - mips: fix compat_sys_lseek syscall",
                            "    - Input: elantech - fix touchpad state on resume for Lenovo N24",
                            "    - bytcr_rt5640 : inverse jack detect for Archos 101 cesium",
                            "    - ASoC: ti: davinci-mcasp: Set min period size using FIFO config",
                            "    - ASoC: ti: omap-hdmi: Fix too long driver name",
                            "    - can: kvaser_usb: fix return value for hif_usb_send_regout",
                            "    - s390/sclp: Fix sclp_init() cleanup on failure",
                            "    - ALSA: dmaengine_pcm: terminate dmaengine before synchronize",
                            "    - net: usb: qmi_wwan: add Telit FN912 compositions",
                            "    - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and",
                            "      DEV_STATS_ADD()",
                            "    - powerpc/pseries: Whitelist dtl slub object for copying to userspace",
                            "    - powerpc/eeh: avoid possible crash when edev->pdev changes",
                            "    - scsi: libsas: Fix exp-attached device scan after probe failure scanned in",
                            "      again after probe failed",
                            "    - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()",
                            "    - fs: better handle deep ancestor chains in is_subdir()",
                            "    - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices",
                            "    - selftests/vDSO: fix clang build errors and warnings",
                            "    - hfsplus: fix uninit-value in copy_name",
                            "    - ARM: 9324/1: fix get_user() broken with veneer",
                            "    - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency",
                            "    - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()",
                            "    - net: relax socket state check at accept time.",
                            "    - ocfs2: add bounds checking to ocfs2_check_dir_entry()",
                            "    - jfs: don't walk off the end of ealist",
                            "    - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400",
                            "    - filelock: Fix fcntl/close race recovery compat path",
                            "    - tun: add missing verification for short frame",
                            "    - tap: add missing verification for short frame",
                            "    - Linux 5.4.281",
                            "  * Focal update: v5.4.283 upstream stable release (LP: #2080595) //",
                            "    CVE-2024-45016",
                            "    - netem: fix return value if duplicate enqueue fails",
                            "  * CVE-2024-38630",
                            "    - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger",
                            "  * CVE-2024-27397",
                            "    - netfilter: nf_tables: use timestamp to check for set element timeout",
                            "  * CVE-2024-26960",
                            "    - mm: swap: fix race between free_swap_and_cache() and swapoff()",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1123.131",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2082926,
                            2082937,
                            1786013,
                            2081085,
                            2081278,
                            2080595,
                            2078388,
                            2076097,
                            2080595
                        ],
                        "author": "Koichiro Den <koichiro.den@canonical.com>",
                        "date": "Fri, 11 Oct 2024 21:41:51 +0900"
                    }
                ],
                "notes": "linux-modules-5.4.0-1123-kvm version '5.4.0-1123.131' (source package linux-kvm version '5.4.0-1123.131') was added. It has the same source package name, linux-kvm, as the removed package linux-headers-5.4.0-1122-kvm, so the removed package's source package version, '5.4.0-1122.130', is used as the starting point of this changelog diff. Kernel packages are an example of the binary package name changing while the source package stays the same. Starting from the removed package's source package version still gives a meaningful changelog diff for what appears to be a new package."
            },
            {
                "name": "python3-packaging",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "python-packaging",
                    "source_package_version": "20.3-1",
                    "version": "20.3-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            ""
                        ],
                        "package": "python-packaging",
                        "version": "20.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Mon, 23 Mar 2020 09:44:10 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "python-packaging",
                        "version": "20.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 18 Feb 2020 17:29:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            ""
                        ],
                        "package": "python-packaging",
                        "version": "20.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 07 Jan 2020 15:20:18 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown."
            },
            {
                "name": "python3-pyparsing",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "pyparsing",
                    "source_package_version": "2.4.6-1",
                    "version": "2.4.6-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload.",
                            "",
                            "  [ Drew Parsons ]",
                            "  * add unitTests to debian/tests",
                            "",
                            "  [ Debian Janitor ]",
                            "  * Set upstream metadata fields: Repository, Repository-Browse.",
                            "",
                            "  [ Håvard Flaget Aasen ]",
                            "  * New upstream version 2.4.6",
                            "  * Set upstream metadata fields: Bug-Database, Bug-Submit",
                            "    and append .git to Repository",
                            "  * Update Standards-Version to 4.5.0",
                            "  * Add sphinxdoc:Depends to doc package",
                            "  * Remove obsolete files d/README.source, d/new-upstream and",
                            "    cleaned d/watch since source no longer gets repacked",
                            "  * Add Rules-Requires-Root: no",
                            ""
                        ],
                        "package": "pyparsing",
                        "version": "2.4.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Håvard Flaget Aasen <haavard_aasen@yahoo.no>",
                        "date": "Fri, 24 Jan 2020 23:07:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload.",
                            "",
                            "  [ Ondřej Nový ]",
                            "  * Convert git repository from git-dpm to gbp layout",
                            "  * Use debhelper-compat instead of debian/compat.",
                            "",
                            "  [ Drew Parsons ]",
                            "  * New upstream release.",
                            "  * Standards-Version: 4.4.0",
                            "  * Build-Depends: debhelper-compat (= 12)",
                            "    - doc-base: places docs under python-pyparsing doc dir",
                            "  * update Homepage to https://github.com/pyparsing/pyparsing/",
                            "  * mark python-pyparsing-doc as Multi-Arch: foreign",
                            "  * exclude bytecode (pyc,__pycache__) from examples",
                            "  * add debian/tests (autopkgtest)",
                            "  * remove Kevin Coyner <kcoyner@debian.org> from Uploaders. Thanks",
                            "    for your great work in the past! Closes: #929551.",
                            ""
                        ],
                        "package": "pyparsing",
                        "version": "2.4.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Drew Parsons <dparsons@debian.org>",
                        "date": "Tue, 03 Sep 2019 05:08:36 +0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Uploading to unstable.",
                            ""
                        ],
                        "package": "pyparsing",
                        "version": "2.2.0+dfsg1-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Thomas Goirand <zigo@debian.org>",
                        "date": "Sun, 25 Feb 2018 20:32:31 +0000"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown."
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-5.4.0-1122-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": "5.4.0-1122.130"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-image-5.4.0-1122-kvm",
                "from_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": "5.4.0-1122.130"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-kvm-headers-5.4.0-1122",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": "5.4.0-1122.130"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-modules-5.4.0-1122-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": "5.4.0-1122.130"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 20.04 focal image from release image serial 20241016 to 20241106",
    "from_series": "focal",
    "to_series": "focal",
    "from_serial": "20241016",
    "to_serial": "20241106",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}