{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-1070-kvm", "linux-image-5.15.0-1070-kvm", "linux-kvm-headers-5.15.0-1070", "linux-modules-5.15.0-1070-kvm" ], "removed": [ "linux-headers-5.15.0-1069-kvm", "linux-image-5.15.0-1069-kvm", "linux-kvm-headers-5.15.0-1069", "linux-modules-5.15.0-1069-kvm" ], "diff": [ "curl", "dmidecode", "gir1.2-packagekitglib-1.0", "libcurl4", "libexpat1", "libpackagekit-glib2-18", "linux-headers-kvm", "linux-image-kvm", "linux-kvm", "sosreport" ] } }, "diff": { "deb": [ { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.19", "version": "7.81.0-1ubuntu1.19" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.20", "version": "7.81.0-1ubuntu1.20" }, "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: netrc and redirect credential leak", " - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on", " redirect in lib/transfer.c, lib/url.c, lib/urldata.h,", " tests/data/Makefile.inc, tests/data/test998, tests/data/test999.", " - debian/patches/CVE-2024-11053.patch: address several netrc parser", " flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,", " tests/data/test478, tests/data/test479, tests/data/test480,", " tests/unit/unit1304.c, tests/data/DISABLED.", " - CVE-2024-11053", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.20", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Dec 2024 12:26:37 -0500" } ], "notes": null }, { "name": "dmidecode", "from_version": { "source_package_name": "dmidecode", "source_package_version": "3.3-3ubuntu0.1", "version": "3.3-3ubuntu0.1" }, "to_version": { "source_package_name": "dmidecode", "source_package_version": "3.3-3ubuntu0.2", "version": "3.3-3ubuntu0.2" }, "cves": [], "launchpad_bugs_fixed": [ 2081611 ], "changes": [ { "cves": [], "log": [ "", " * Add processor support from SMBIOS 3.6.0 (LP: #2081611)", " - debian/patches/lp-2081611-add-processor-support-from-smbios-3.6.0.patch", "" ], "package": "dmidecode", "version": "3.3-3ubuntu0.2", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2081611 ], "author": "Joao Andre Simioni ", "date": "Mon, 14 Oct 2024 17:28:46 -0300" } ], "notes": null }, { "name": "gir1.2-packagekitglib-1.0", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.2.5-2ubuntu2", "version": "1.2.5-2ubuntu2" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.2.5-2ubuntu3", "version": "1.2.5-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2086773 ], "changes": [ { "cves": [], "log": [ "", " * Backport patch to fix showing the GTK debconf helper on Wayland", " (LP: #2086773)", "" ], "package": "packagekit", "version": "1.2.5-2ubuntu3", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086773 ], "author": "Alessandro Astone ", "date": "Mon, 11 Nov 2024 16:52:43 +0100" } ], "notes": null }, { "name": "libcurl4", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.19", "version": "7.81.0-1ubuntu1.19" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.20", "version": "7.81.0-1ubuntu1.20" }, "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: netrc and redirect credential leak", " - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on", " redirect in lib/transfer.c, lib/url.c, lib/urldata.h,", " tests/data/Makefile.inc, tests/data/test998, tests/data/test999.", " - debian/patches/CVE-2024-11053.patch: address several netrc parser", " flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,", " tests/data/test478, tests/data/test479, tests/data/test480,", " tests/unit/unit1304.c, tests/data/DISABLED.", " - CVE-2024-11053", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.20", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Dec 2024 12:26:37 -0500" } ], "notes": null }, { "name": "libexpat1", "from_version": { "source_package_name": "expat", "source_package_version": "2.4.7-1ubuntu0.4", "version": "2.4.7-1ubuntu0.4" }, "to_version": { "source_package_name": "expat", "source_package_version": "2.4.7-1ubuntu0.5", "version": "2.4.7-1ubuntu0.5" }, "cves": [ { "cve": "CVE-2024-50602", "url": "https://ubuntu.com/security/CVE-2024-50602", "cve_description": "An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.", "cve_priority": "medium", "cve_public_date": "2024-10-27 05:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-50602", "url": "https://ubuntu.com/security/CVE-2024-50602", "cve_description": "An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.", "cve_priority": "medium", "cve_public_date": "2024-10-27 05:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: denial-of-service via XML_ResumeParser ", " - debian/patches/CVE-2024-50602-1.patch: Make function XML_StopParser of ", " expat/lib/xmlparse.c refuse to stop/suspend an unstarted parser ", " - debian/patches/CVE-2024-50602-2.patch: Add XML_PARSING case to parser ", " state in function XML_StopParser of expat/lib/xmlparse.c ", " - debian/patches/CVE-2024-50602-3.patch: Add tests for CVE-2024-50602 to ", " expat/tests/runtests.c ", " - CVE-2024-50602 ", "" ], "package": "expat", "version": "2.4.7-1ubuntu0.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Nicolas Campuzano Jimenez ", "date": "Sun, 01 Dec 2024 15:51:42 -0500" } ], "notes": null }, { "name": "libpackagekit-glib2-18", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.2.5-2ubuntu2", "version": "1.2.5-2ubuntu2" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.2.5-2ubuntu3", "version": "1.2.5-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2086773 ], "changes": [ { "cves": [], "log": [ "", " * Backport patch to fix showing the GTK debconf helper on Wayland", " (LP: #2086773)", "" ], "package": "packagekit", "version": "1.2.5-2ubuntu3", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086773 ], "author": "Alessandro Astone ", "date": "Mon, 11 Nov 2024 16:52:43 +0100" } ], "notes": null }, { "name": "linux-headers-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1069.65", "version": "5.15.0.1069.65" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1070.66", "version": "5.15.0.1070.66" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1070", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1070.66", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Koichiro Den ", "date": "Wed, 13 Nov 2024 13:43:20 +0900" } ], "notes": null }, { "name": "linux-image-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1069.65", "version": "5.15.0.1069.65" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1070.66", "version": "5.15.0.1070.66" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1070", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1070.66", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Koichiro Den ", "date": "Wed, 13 Nov 2024 13:43:20 +0900" } ], "notes": null }, { "name": "linux-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1069.65", "version": "5.15.0.1069.65" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1070.66", "version": "5.15.0.1070.66" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1070", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1070.66", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Koichiro Den ", "date": "Wed, 13 Nov 2024 13:43:20 +0900" } ], "notes": null }, { "name": "sosreport", "from_version": { "source_package_name": "sosreport", "source_package_version": "4.7.2-0ubuntu1~22.04.1", "version": "4.7.2-0ubuntu1~22.04.1" }, "to_version": { "source_package_name": "sosreport", "source_package_version": "4.7.2-0ubuntu1~22.04.2", "version": "4.7.2-0ubuntu1~22.04.2" }, "cves": [], "launchpad_bugs_fixed": [ 2085607, 2089713 ], "changes": [ { "cves": [], "log": [ "", " * Resolve obfuscation issues (LP: #2085607)", " - d/p/0003-sunbeam_hypervisor-Fix-obfuscation-for-ceilometer-an.patch:", " The sunbeam plugin was added recently, but ceilometer wasn't there.", " - d/p/0004-heat-Obfuscate-Add-auth_encryption_key-in-config.patch:", " The configuration option auth_encryption_key was not being", " obfuscated by default.", " - d/p/0005-placement-Obfuscate-passwords-that-have-been-missed.patch", " The NOVA_API_PASS and PLACEMENT_PASS were not being obfuscated", " in one of the config files.", " - d/p/0006-mysql-Add-obfuscation-for-password-in-conf-files.patch:", " The password field in one of the config files was not being obfuscated.", "", " * d/p/0007-processor-check-msr-module.patch: Check for and do not load the", " 'msr' module by default in the processor plugin in jammy. (LP: #2089713)", "" ], "package": "sosreport", "version": "4.7.2-0ubuntu1~22.04.2", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2085607, 2089713 ], "author": "Arif Ali ", "date": "Thu, 24 Oct 2024 06:45:01 +0000" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-1070-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1069.74", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1070.75", "version": "5.15.0-1070.75" }, "cves": [ { "cve": "CVE-2024-36968", "url": "https://ubuntu.com/security/CVE-2024-36968", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a kzalloc failure and invalid MTU value. divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci0 hci_rx_work RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547 Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c 89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42 RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246 RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084 R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000 FS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline] l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline] hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335 worker_thread+0x926/0xe70 kernel/workqueue.c:3416 kthread+0x2e3/0x380 kernel/kthread.c:388 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-06-08 13:15:00 UTC" }, { "cve": "CVE-2024-35904", "url": "https://ubuntu.com/security/CVE-2024-35904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-42156", "url": "https://ubuntu.com/security/CVE-2024-42156", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-44942", "url": "https://ubuntu.com/security/CVE-2024-44942", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-38538", "url": "https://ubuntu.com/security/CVE-2024-38538", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42158", "url": "https://ubuntu.com/security/CVE-2024-42158", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle: WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38667", "url": "https://ubuntu.com/security/CVE-2024-38667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: prevent pt_regs corruption for secondary idle threads Top of the kernel thread stack should be reserved for pt_regs. However this is not the case for the idle threads of the secondary boot harts. Their stacks overlap with their pt_regs, so both may get corrupted. Similar issue has been fixed for the primary hart, see c7cdd96eca28 (\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\"). However that fix was not propagated to the secondary harts. The problem has been noticed in some CPU hotplug tests with V enabled. The function smp_callin stored several registers on stack, corrupting top of pt_regs structure including status field. As a result, kernel attempted to save or restore inexistent V context.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-44940", "url": "https://ubuntu.com/security/CVE-2024-44940", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: remove warn in gue_gro_receive on unsupported protocol Drop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is not known or does not have a GRO handler. Such a packet is easily constructed. Syzbot generates them and sets off this warning. Remove the warning as it is expected and not actionable. The warning was previously reduced from WARN_ON to WARN_ON_ONCE in commit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad proto callbacks\").", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-42079", "url": "https://ubuntu.com/security/CVE-2024-42079", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" }, { "cve": "CVE-2024-35951", "url": "https://ubuntu.com/security/CVE-2024-35951", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2023-52532", "url": "https://ubuntu.com/security/CVE-2023-52532", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52621", "url": "https://ubuntu.com/security/CVE-2023-52621", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0): WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ...... CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:bpf_map_lookup_elem+0x54/0x60 ...... Call Trace: ? __warn+0xa5/0x240 ? bpf_map_lookup_elem+0x54/0x60 ? report_bug+0x1ba/0x1f0 ? handle_bug+0x40/0x80 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1b/0x20 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ? rcu_lockdep_current_cpu_online+0x65/0xb0 ? rcu_is_watching+0x23/0x50 ? bpf_map_lookup_elem+0x54/0x60 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ___bpf_prog_run+0x513/0x3b70 __bpf_prog_run32+0x9d/0xd0 ? __bpf_prog_enter_sleepable_recur+0xad/0x120 ? __bpf_prog_enter_sleepable_recur+0x3e/0x120 bpf_trampoline_6442580665+0x4d/0x1000 __x64_sys_getpgid+0x5/0x30 ? do_syscall_64+0x36/0xb0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 ", "cve_priority": "medium", "cve_public_date": "2024-03-26 18:15:00 UTC" }, { "cve": "CVE-2024-26947", "url": "https://ubuntu.com/security/CVE-2024-26947", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses Since commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account freed memory map alignment\") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is:0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2023-52639", "url": "https://ubuntu.com/security/CVE-2023-52639", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the fact that we add gmap->private == kvm after creation: static int acquire_gmap_shadow(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) { [...] gmap = gmap_shadow(vcpu->arch.gmap, asce, edat); if (IS_ERR(gmap)) return PTR_ERR(gmap); gmap->private = vcpu->kvm; Let children inherit the private field of the parent.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2086343, 1786013, 2086357, 2086242, 2080378, 2064176, 2086027, 2085082 ], "changes": [ { "cves": [ { "cve": "CVE-2024-36968", "url": "https://ubuntu.com/security/CVE-2024-36968", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a kzalloc failure and invalid MTU value. divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci0 hci_rx_work RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547 Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c 89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42 RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246 RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084 R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000 FS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline] l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline] hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335 worker_thread+0x926/0xe70 kernel/workqueue.c:3416 kthread+0x2e3/0x380 kernel/kthread.c:388 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-06-08 13:15:00 UTC" }, { "cve": "CVE-2024-35904", "url": "https://ubuntu.com/security/CVE-2024-35904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-42156", "url": "https://ubuntu.com/security/CVE-2024-42156", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-44942", "url": "https://ubuntu.com/security/CVE-2024-44942", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-38538", "url": "https://ubuntu.com/security/CVE-2024-38538", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42158", "url": "https://ubuntu.com/security/CVE-2024-42158", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle: WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38667", "url": "https://ubuntu.com/security/CVE-2024-38667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: prevent pt_regs corruption for secondary idle threads Top of the kernel thread stack should be reserved for pt_regs. However this is not the case for the idle threads of the secondary boot harts. Their stacks overlap with their pt_regs, so both may get corrupted. Similar issue has been fixed for the primary hart, see c7cdd96eca28 (\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\"). However that fix was not propagated to the secondary harts. The problem has been noticed in some CPU hotplug tests with V enabled. The function smp_callin stored several registers on stack, corrupting top of pt_regs structure including status field. As a result, kernel attempted to save or restore inexistent V context.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-44940", "url": "https://ubuntu.com/security/CVE-2024-44940", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: remove warn in gue_gro_receive on unsupported protocol Drop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is not known or does not have a GRO handler. Such a packet is easily constructed. Syzbot generates them and sets off this warning. Remove the warning as it is expected and not actionable. The warning was previously reduced from WARN_ON to WARN_ON_ONCE in commit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad proto callbacks\").", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-42079", "url": "https://ubuntu.com/security/CVE-2024-42079", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" }, { "cve": "CVE-2024-35951", "url": "https://ubuntu.com/security/CVE-2024-35951", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2023-52532", "url": "https://ubuntu.com/security/CVE-2023-52532", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52621", "url": "https://ubuntu.com/security/CVE-2023-52621", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0): WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ...... CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:bpf_map_lookup_elem+0x54/0x60 ...... Call Trace: ? __warn+0xa5/0x240 ? bpf_map_lookup_elem+0x54/0x60 ? report_bug+0x1ba/0x1f0 ? handle_bug+0x40/0x80 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1b/0x20 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ? rcu_lockdep_current_cpu_online+0x65/0xb0 ? rcu_is_watching+0x23/0x50 ? bpf_map_lookup_elem+0x54/0x60 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ___bpf_prog_run+0x513/0x3b70 __bpf_prog_run32+0x9d/0xd0 ? __bpf_prog_enter_sleepable_recur+0xad/0x120 ? __bpf_prog_enter_sleepable_recur+0x3e/0x120 bpf_trampoline_6442580665+0x4d/0x1000 __x64_sys_getpgid+0x5/0x30 ? do_syscall_64+0x36/0xb0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 ", "cve_priority": "medium", "cve_public_date": "2024-03-26 18:15:00 UTC" }, { "cve": "CVE-2024-26947", "url": "https://ubuntu.com/security/CVE-2024-26947", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses Since commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account freed memory map alignment\") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is:0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2023-52639", "url": "https://ubuntu.com/security/CVE-2023-52639", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the fact that we add gmap->private == kvm after creation: static int acquire_gmap_shadow(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) { [...] gmap = gmap_shadow(vcpu->arch.gmap, asce, edat); if (IS_ERR(gmap)) return PTR_ERR(gmap); gmap->private = vcpu->kvm; Let children inherit the private field of the parent.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1070.75 -proposed tracker (LP: #2086343)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "", " [ Ubuntu: 5.15.0-127.137 ]", "", " * jammy/linux: 5.15.0-127.137 -proposed tracker (LP: #2086357)", " * Jammy update: v5.15.168 upstream stable release (LP: #2086242)", " - parisc: Fix 64-bit userspace syscall path", " - parisc: Fix stack start for ADDR_NO_RANDOMIZE personality", " - of/irq: Support #msi-cells=<0> in of_msi_get_domain", " - drm: omapdrm: Add missing check for alloc_ordered_workqueue", " - jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error", " - jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit", " - mm: krealloc: consider spare memory for __GFP_ZERO", " - ocfs2: fix the la space leak when unmounting an ocfs2 volume", " - ocfs2: fix uninit-value in ocfs2_get_block()", " - ocfs2: reserve space for inline xattr before attaching reflink tree", " - ocfs2: cancel dqi_sync_work before freeing oinfo", " - ocfs2: remove unreasonable unlock in ocfs2_read_blocks", " - ocfs2: fix null-ptr-deref when journal load failed.", " - ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate", " - usbnet: ipheth: fix carrier detection in modes 1 and 4", " - net: ethernet: use ip_hdrlen() instead of bit shift", " - net: phy: vitesse: repair vsc73xx autonegotiation", " - powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL", " - btrfs: update target inode's ctime on unlink", " - Input: ads7846 - ratelimit the spi_sync error message", " - Input: synaptics - enable SMBus for HP Elitebook 840 G2", " - HID: multitouch: Add support for GT7868Q", " - scripts: kconfig: merge_config: config files: add a trailing newline", " - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3", " - drm/msm/adreno: Fix error return if missing firmware-name", " - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table", " - NFSv4: Fix clearing of layout segments in layoutreturn", " - NFS: Avoid unnecessary rescanning of the per-server delegation list", " - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses", " - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array", " - mptcp: pm: Fix uaf in __timer_delete_sync", " - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399", " Puma", " - minmax: reduce min/max macro expansion in atomisp driver", " - net: tighten bad gso csum offset check in virtio_net_hdr", " - mm: avoid leaving partial pfn mappings around in error case", " - fs/ntfs3: Use kvfree to free memory allocated by kvmalloc", " - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E", " - eeprom: digsy_mtc: Fix 93xx46 driver probe failure", " - selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected()", " - hwmon: (pmbus) Introduce and use write_byte_data callback", " - hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >=", " 1.2", " - ice: fix accounting for filters shared by multiple VSIs", " - igb: Always call igb_xdp_ring_update_tail() under Tx lock", " - net/mlx5e: Add missing link modes to ptys2ethtool_map", " - net/mlx5: Explicitly set scheduling element and TSAR type", " - net/mlx5: Add support to create match definer", " - net/mlx5: Add IFC bits and enums for flow meter", " - net/mlx5: Add missing masks and QoS bit masks for scheduling elements", " - fou: fix initialization of grc", " - octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush", " - octeontx2-af: Modify SMQ flush sequence to drop packets", " - net: ftgmac100: Enable TX interrupt to avoid TX timeout", " - netfilter: nft_socket: fix sk refcount leaks", " - net: dpaa: Pad packets to ETH_ZLEN", " - spi: nxp-fspi: fix the KASAN report out-of-bounds bug", " - dma-buf: heaps: Fix off-by-one in CMA heap fault handler", " - ASoC: meson: axg-card: fix 'use-after-free'", " - ASoC: allow module autoloading for table db1200_pids", " - ALSA: hda/realtek - Fixed ALC256 headphone no sound", " - ALSA: hda/realtek - FIxed ALC285 headphone no sound", " - scsi: lpfc: Fix overflow build issue", " - pinctrl: at91: make it work with current gpiolib", " - microblaze: don't treat zero reserved memory regions as error", " - net: ftgmac100: Ensure tx descriptor updates are visible", " - wifi: iwlwifi: lower message level for FW buffer destination", " - wifi: iwlwifi: mvm: fix iwl_mvm_scan_fits() calculation", " - wifi: iwlwifi: mvm: pause TCM when the firmware is stopped", " - wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead", " - wifi: iwlwifi: clear trans->state earlier upon error", " - ASoC: intel: fix module autoloading", " - ASoC: tda7419: fix module autoloading", " - spi: spidev: Add an entry for elgin,jg10309-01", " - drm: komeda: Fix an issue related to normalized zpos", " - spi: bcm63xx: Enable module autoloading", " - x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency", " - spi: spidev: Add missing spi_device_id for jg10309-01", " - ocfs2: add bounds checking to ocfs2_xattr_find_entry()", " - ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()", " - cgroup: Make operations on the cgroup root_list RCU safe", " - Revert \"wifi: cfg80211: check wiphy mutex is held for wdev mutex\"", " - gpio: prevent potential speculation leaks in gpio_device_get_desc()", " - gpiolib: cdev: Ignore reconfiguration without direction", " - cgroup: Move rcu_head up near the top of cgroup_root", " - USB: serial: pl2303: add device id for Macrosilicon MS3020", " - USB: usbtmc: prevent kernel-usb-infoleak", " - EDAC/synopsys: Add support for version 3 of the Synopsys EDAC DDR", " - EDAC/synopsys: Use the correct register to disable the error interrupt on v3", " hw", " - EDAC/synopsys: Re-enable the error interrupts on v3 hw", " - EDAC/synopsys: Fix ECC status and IRQ control race condition", " - EDAC/synopsys: Fix error injection on Zynq UltraScale+", " - wifi: rtw88: always wait for both firmware loading attempts", " - crypto: xor - fix template benchmarking", " - ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()", " - wifi: ath9k: fix parameter check in ath9k_init_debug()", " - wifi: ath9k: Remove error checks when creating debugfs entries", " - net: stmmac: dwmac-loongson: Init ref and PTP clocks rate", " - wifi: rtw88: remove CPT execution branch never used", " - fs: explicitly unregister per-superblock BDIs", " - mount: warn only once about timestamp range expiration", " - fs/namespace: fnic: Switch to use %ptTd", " - mount: handle OOM on mnt_warn_timestamp_expiry", " - wifi: iwlwifi: mvm: increase the time between ranging measurements", " - padata: Honor the caller's alignment in case of chunk_size 0", " - can: j1939: use correct function name in comment", " - ACPI: CPPC: Fix MASK_VAL() usage", " - netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire", " - netfilter: nf_tables: reject element expiration with no timeout", " - netfilter: nf_tables: reject expiration higher than timeout", " - netfilter: nf_tables: remove annotation to access set timeout while holding", " lock", " - cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately", " - x86/sgx: Fix deadlock in SGX NUMA node search", " - wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()", " - wifi: mt76: mt7915: fix rx filter setting for bfee functionality", " - wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors", " - wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()", " - wifi: wilc1000: fix potential RCU dereference issue in", " wilc_parse_join_bss_param", " - sock_map: Add a cond_resched() in sock_hash_free()", " - can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().", " - can: m_can: m_can_close(): stop clocks after device has been shut down", " - Bluetooth: btusb: Fix not handling ZPL/short-transfer", " - bareudp: Pull inner IP header in bareudp_udp_encap_recv().", " - net: geneve: support IPv4/IPv6 as inner protocol", " - geneve: Fix incorrect inner network header offset when innerprotoinherit is", " set", " - bareudp: Pull inner IP header on xmit.", " - net: enetc: Use IRQF_NO_AUTOEN flag in request_irq()", " - r8169: disable ALDPS per default for RTL8125", " - net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input", " - net: tipc: avoid possible garbage value", " - block, bfq: fix possible UAF for bfqq->bic with merge chain", " - block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()", " - block, bfq: don't break merge chain in bfq_split_bfqq()", " - block: print symbolic error name instead of error code", " - block: fix potential invalid pointer dereference in blk_add_partition", " - spi: ppc4xx: handle irq_of_parse_and_map() errors", " - spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ", " - arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes", " - ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks", " - ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property", " - ARM: versatile: fix OF node leak in CPUs prepare", " - reset: berlin: fix OF node leak in probe() error path", " - reset: k210: fix OF node leak in probe() error path", " - clocksource/drivers/qcom: Add missing iounmap() on errors in", " msm_dt_timer_init()", " - m68k: Fix kernel_clone_args.flags in m68k_clone()", " - hwmon: (max16065) Fix overflows seen when writing limits", " - i2c: Add i2c_get_match_data()", " - hwmon: (max16065) Remove use of i2c_match_id()", " - hwmon: (max16065) Fix alarm attributes", " - mtd: slram: insert break after errors in parsing the map", " - hwmon: (ntc_thermistor) fix module autoloading", " - power: supply: axp20x_battery: Remove design from min and max voltage", " - power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense", " - fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()", " - mtd: powernv: Add check devm_kasprintf() returned value", " - pmdomain: core: Harden inter-column space in debug summary", " - drm/stm: Fix an error handling path in stm_drm_platform_probe()", " - drm/amd/display: Add null check for set_output_gamma in", " dcn30_set_output_transfer_func", " - drm/amdgpu: Replace one-element array with flexible-array member", " - drm/amdgpu: properly handle vbios fake edid sizing", " - drm/radeon: Replace one-element array with flexible-array member", " - drm/radeon: properly handle vbios fake edid sizing", " - scsi: NCR5380: Add SCp members to struct NCR5380_cmd", " - scsi: NCR5380: Check for phase match during PDMA fixup", " - drm/rockchip: vop: Allow 4096px width scaling", " - drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode", " - drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets", " - drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid()", " - scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()", " - jfs: fix out-of-bounds in dbNextAG() and diAlloc()", " - drm/mediatek: Use spin_lock_irqsave() for CRTC event lock", " - powerpc/32: Remove the 'nobats' kernel parameter", " - powerpc/32: Remove 'noltlbs' kernel parameter", " - powerpc/8xx: Fix initial memory mapping", " - powerpc/8xx: Fix kernel vs user address comparison", " - drm/msm: Fix incorrect file name output in adreno_request_fw()", " - drm/msm/a5xx: disable preemption in submits by default", " - drm/msm/a5xx: properly clear preemption records on resume", " - drm/msm/a5xx: fix races in preemption evaluation stage", " - drm/msm: Drop priv->lastctx", " - drm/msm/a5xx: workaround early ring-buffer emptiness check", " - ipmi: docs: don't advertise deprecated sysfs entries", " - drm/msm: fix %s null argument error", " - drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind()", " - xen: use correct end address of kernel for conflict checking", " - xen/swiotlb: add alignment check for dma buffers", " - tpm: Clean up TPM space after command failure", " - selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c", " - selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl libc", " - selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c", " - selftests/bpf: Fix compiling kfree_skb.c with musl-libc", " - selftests/bpf: Fix compiling flow_dissector.c with musl-libc", " - selftests/bpf: Fix compiling tcp_rtt.c with musl-libc", " - selftests/bpf: Fix compiling core_reloc.c with musl-libc", " - selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc", " - selftests/bpf: Fix error compiling test_lru_map.c", " - selftests/bpf: Fix C++ compile error from missing _Bool type", " - xz: cleanup CRC32 edits from 2018", " - kthread: fix task state in kthread worker if being frozen", " - ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard", " - smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso", " - ext4: avoid buffer_head leak in ext4_mark_inode_used()", " - ext4: avoid potential buffer_head leak in __ext4_new_inode()", " - ext4: avoid negative min_clusters in find_group_orlov()", " - ext4: return error on ext4_find_inline_entry", " - ext4: avoid OOB when system.data xattr changes underneath the filesystem", " - nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()", " - nilfs2: determine empty node blocks as corrupted", " - nilfs2: fix potential oob read in nilfs_btree_check_delete()", " - bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit", " - perf mem: Free the allocated sort string, fixing a leak", " - perf sched timehist: Fix missing free of session in perf_sched__timehist()", " - perf sched timehist: Fixed timestamp error when unable to confirm event", " sched_in time", " - perf time-utils: Fix 32-bit nsec parsing", " - clk: imx: imx8mp: fix clock tree update of TF-A managed clocks", " - clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk", " - clk: imx: imx8qxp: Parent should be initialized earlier than the clock", " - remoteproc: imx_rproc: Correct ddr alias for i.MX8M", " - remoteproc: imx_rproc: Initialize workqueue earlier", " - clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228", " - Input: ilitek_ts_i2c - avoid wrong input subsystem sync", " - Input: ilitek_ts_i2c - add report id message validation", " - drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error", " - drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error", " - PCI: keystone: Fix if-statement expression in ks_pcie_quirk()", " - PCI: xilinx-nwl: Fix register misspelling", " - PCI: xilinx-nwl: Clean up clock on probe failure/removal", " - RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency", " - pinctrl: single: fix missing error code in pcs_probe()", " - RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer", " - RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds", " - clk: ti: dra7-atl: Fix leak of of_nodes", " - nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire", " - nfsd: fix refcount leak when file is unhashed after being found", " - pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource()", " - pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function", " - IB/core: Fix ib_cache_setup_one error flow cleanup", " - watchdog: imx_sc_wdt: Don't disable WDT in suspend", " - RDMA/hns: Don't modify rq next block addr in HIP09 QPC", " - RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range()", " - RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled", " - RDMA/hns: Remove unused abnormal interrupt of type RAS", " - RDMA/hns: Fix the wrong type of return value of the interrupt handler", " - RDMA/hns: Refactor the abnormal interrupt handler function", " - RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler", " - RDMA/hns: Optimize hem allocation performance", " - riscv: Fix fp alignment bug in perf_callchain_user()", " - RDMA/cxgb4: Added NULL check for lookup_atid", " - RDMA/irdma: fix error message in irdma_modify_qp_roce()", " - ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()", " - ntb_perf: Fix printk format", " - nfsd: call cache_put if xdr_reserve_space returns NULL", " - nfsd: return -EINVAL when namelen is 0", " - f2fs: fix typo", " - f2fs: fix to update i_ctime in __f2fs_setxattr()", " - f2fs: remove unneeded check condition in __f2fs_setxattr()", " - f2fs: reduce expensive checkpoint trigger frequency", " - f2fs: optimize error handling in redirty_blocks", " - f2fs: fix to wait page writeback before setting gcing flag", " - f2fs: introduce F2FS_IPU_HONOR_OPU_WRITE ipu policy", " - f2fs: clean up w/ dotdot_name", " - f2fs: get rid of online repaire on corrupted directory", " - spi: lpspi: Silence error message upon deferred probe", " - spi: lpspi: release requested DMA channels", " - spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time", " - iio: adc: ad7606: fix oversampling gpio array", " - iio: adc: ad7606: fix standby gpio state to match the documentation", " - coresight: tmc: sg: Do not leak sg_table", " - interconnect: qcom: sm8250: Enable sync_state", " - vdpa: Add eventfd for the vdpa callback", " - vhost_vdpa: assign irq bypass producer token correctly", " - Revert \"dm: requeue IO if mapping table not yet available\"", " - net: axienet: Clean up device used for DMA calls", " - net: axienet: Clean up DMA start/stop and error handling", " - net: axienet: don't set IRQ timer when IRQ delay not used", " - net: axienet: implement NAPI and GRO receive", " - net: axienet: reduce default RX interrupt threshold to 1", " - net: axienet: add coalesce timer ethtool configuration", " - net: axienet: Be more careful about updating tx_bd_tail", " - net: axienet: Use NAPI for TX completion path", " - net: axienet: Switch to 64-bit RX/TX statistics", " - net: xilinx: axienet: Fix packet counting", " - netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()", " - net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race", " Condition", " - net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL", " - tcp: check skb is non-NULL in tcp_rto_delta_us()", " - net: qrtr: Update packets cloning when broadcasting", " - bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()", " - netfilter: nf_tables: Keep deleted flowtable hooks until after RCU", " - netfilter: ctnetlink: compile ctnetlink_label_size with", " CONFIG_NF_CONNTRACK_EVENTS", " - drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination", " - Input: goodix - use the new soc_intel_is_byt() helper", " - powercap: RAPL: fix invalid initialization for pl4_supported field", " - x86/mm: Switch to new Intel CPU model defines", " - vfio/pci: fix potential memory leak in vfio_intx_enable()", " - selinux,smack: don't bypass permissions check in inode_setsecctx hook", " - Remove *.orig pattern from .gitignore", " - PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler", " - ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error", " - soc: versatile: integrator: fix OF node leak in probe() error path", " - Revert \"media: tuners: fix error return code of", " hybrid_tuner_request_state()\"", " - Input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table", " - Input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table", " - Input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line", " - drm/amd/display: Round calculated vtotal", " - drm/amd/display: Validate backlight caps are sane", " - scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages", " - scsi: mac_scsi: Refactor polling loop", " - scsi: mac_scsi: Disallow bus errors during PDMA send", " - usbnet: fix cyclical race on disconnect with work queue", " - USB: appledisplay: close race between probe and completion handler", " - USB: misc: cypress_cy7c63: check for short transfer", " - USB: class: CDC-ACM: fix race between get_serial and set_serial", " - usb: cdnsp: Fix incorrect usb_request status", " - usb: dwc2: drd: fix clock gating on USB role switch", " - bus: integrator-lm: fix OF node leak in probe()", " - firmware_loader: Block path traversal", " - tty: rp2: Fix reset with non forgiving PCIe host bridges", " - xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them.", " - crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure", " - drbd: Fix atomicity violation in drbd_uuid_set_bm()", " - drbd: Add NULL check for net_conf to prevent dereference in state validation", " - ACPI: sysfs: validate return type of _STR method", " - ACPI: resource: Add another DMI match for the TongFang GMxXGxx", " - efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption", " - perf/x86/intel/pt: Fix sampling synchronization", " - wifi: rtw88: 8822c: Fix reported RX band width", " - wifi: mt76: mt7615: check devm_kasprintf() returned value", " - debugobjects: Fix conditions in fill_pool()", " - f2fs: prevent possible int overflow in dir_block_index()", " - f2fs: avoid potential int overflow in sanity_check_area_boundary()", " - hwrng: mtk - Use devm_pm_runtime_enable", " - hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init", " - hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume", " - arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency", " - arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity", " - vfs: fix race between evice_inodes() and find_inode()&iput()", " - fs: Fix file_set_fowner LSM hook inconsistencies", " - nfs: fix memory leak in error path of nfs4_do_reclaim", " - EDAC/igen6: Fix conversion of system address to physical memory address", " - padata: use integer wrap around to prevent deadlock on seq_nr overflow", " - soc: versatile: realview: fix memory leak during device remove", " - soc: versatile: realview: fix soc_dev leak during device remove", " - usb: yurex: Replace snprintf() with the safer scnprintf() variant", " - USB: misc: yurex: fix race between read and write", " - xhci: fix event ring segment table related masks and variables in header", " - xhci: remove xhci_test_trb_in_td_math early development check", " - xhci: Refactor interrupter code for initial multi interrupter support.", " - xhci: Preserve RsvdP bits in ERSTBA register correctly", " - xhci: Add a quirk for writing ERST in high-low order", " - usb: xhci: fix loss of data on Cadence xHC", " - pps: remove usage of the deprecated ida_simple_xx() API", " - pps: add an error check in parport_attach", " - x86/idtentry: Incorporate definitions/declarations of the FRED entries", " - x86/entry: Remove unwanted instrumentation in common_interrupt()", " - bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0", " - lockdep: fix deadlock issue between lockdep and rcu", " - mm: only enforce minimum stack gap size if it's sensible", " - i2c: aspeed: Update the stop sw state when the bus recovery occurs", " - i2c: isch: Add missed 'else'", " - usb: yurex: Fix inconsistent locking bug in yurex_read()", " - spi: lpspi: Simplify some error message", " - static_call: Handle module init failure correctly in", " static_call_del_module()", " - static_call: Replace pointless WARN_ON() in static_call_module_notify()", " - mailbox: rockchip: fix a typo in module autoloading", " - mailbox: bcm2835: Fix timeout during suspend mode", " - ceph: remove the incorrect Fw reference check when dirtying pages", " - ieee802154: Fix build error", " - net/mlx5: Fix error path in multi-packet WQE transmit", " - net/mlx5: Added cond_resched() to crdump collection", " - net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()", " - netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED", " - net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()", " - netfilter: nf_tables: prevent nf_skb_duplicated corruption", " - Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()", " - net: ethernet: lantiq_etop: fix memory disclosure", " - net: avoid potential underflow in qdisc_pkt_len_init() with UFO", " - net: add more sanity checks to qdisc_pkt_len_init()", " - stmmac_pci: Fix underflow size in stmmac_rx", " - net: stmmac: Disable automatic FCS/Pad stripping", " - net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check", " - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit", " - ppp: do not assume bh is held in ppp_channel_bridge_input()", " - sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start", " - i2c: xiic: Fix broken locking on tx_msg", " - i2c: xiic: Switch from waitqueue to completion", " - i2c: xiic: Fix RX IRQ busy check", " - i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path", " - i2c: xiic: improve error message when transfer fails to start", " - i2c: xiic: Try re-initialization on bus busy timeout", " - media: usbtv: Remove useless locks in usbtv_video_free()", " - ALSA: mixer_oss: Remove some incorrect kfree_const() usages", " - ALSA: hda/realtek: Fix the push button function for the ALC257", " - ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs", " - ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m", " - ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin", " - f2fs: Require FMODE_WRITE for atomic write ioctls", " - wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()", " - wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit", " - ice: Adjust over allocation of memory in ice_sched_add_root_node() and", " ice_sched_add_node()", " - net/xen-netback: prevent UAF in xenvif_flush_hash()", " - net: hisilicon: hip04: fix OF node leak in probe()", " - net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info()", " - net: hisilicon: hns_mdio: fix OF node leak in probe()", " - ACPI: PAD: fix crash in exit_round_robin()", " - ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails", " - ACPICA: Fix memory leak if acpi_ps_get_next_field() fails", " - net: sched: consistently use rcu_replace_pointer() in taprio_change()", " - blk_iocost: fix more out of bound shifts", " - nvme-pci: qdepth 1 quirk", " - wifi: ath11k: fix array out-of-bound access in SoC stats", " - wifi: rtw88: select WANT_DEV_COREDUMP", " - ACPI: EC: Do not release locks during operation region accesses", " - ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in", " acpi_db_convert_to_package()", " - tipc: guard against string buffer overrun", " - net: mvpp2: Increase size of queue_name buffer", " - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR).", " - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family", " - net: atlantic: Avoid warning about potential string truncation", " - tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process", " - ACPICA: iasl: handle empty connection_node", " - proc: add config & param to block forcing mem writes", " - [Config] updateconfigs to select PROC_MEM_ALWAYS_FORCE", " - wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker", " - wifi: mwifiex: Fix memcpy() field-spanning write warning in", " mwifiex_cmd_802_11_scan_ext()", " - nfp: Use IRQF_NO_AUTOEN flag in request_irq()", " - signal: Replace BUG_ON()s", " - ALSA: usb-audio: Add input value sanity checks for standard types", " - x86/ioapic: Handle allocation failures gracefully", " - ALSA: usb-audio: Define macros for quirk table entries", " - ALSA: usb-audio: Add logitech Audio profile quirk", " - tools/x86/kcpuid: Protect against faulty \"max subleaf\" values", " - ALSA: asihpi: Fix potential OOB array access", " - ALSA: hdsp: Break infinite MIDI input flush loop", " - x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments()", " - fbdev: pxafb: Fix possible use after free in pxafb_task()", " - rcuscale: Provide clear error when async specified without primitives", " - iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux", " - power: reset: brcmstb: Do not go into infinite loop if reset fails", " - iommu/vt-d: Always reserve a domain ID for identity setup", " - iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count", " - drm/amd/display: Add null check for top_pipe_to_program in", " commit_planes_for_stream", " - ata: sata_sil: Rename sil_blacklist to sil_quirks", " - drm/amd/display: Check null pointers before using dc->clk_mgr", " - jfs: UBSAN: shift-out-of-bounds in dbFindBits", " - jfs: Fix uaf in dbFreeBits", " - jfs: check if leafidx greater than num leaves per dmap tree", " - scsi: smartpqi: correct stream detection", " - jfs: Fix uninit-value access of new_ea in ea_buffer", " - drm/amdgpu: add raven1 gfxoff quirk", " - drm/amdgpu: enable gfxoff quirk on HP 705G4", " - HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio", " - platform/x86: touchscreen_dmi: add nanote-next quirk", " - drm/amd/display: Check stream before comparing them", " - drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format", " translation", " - drm/amd/display: Fix index out of bounds in degamma hardware format", " translation", " - drm/amd/display: Fix index out of bounds in DCN30 color transformation", " - drm/amd/display: Initialize get_bytes_per_element's default to 1", " - drm/printer: Allow NULL data in devcoredump printer", " - scsi: aacraid: Rearrange order of struct aac_srb_unit", " - drm/radeon/r100: Handle unknown family in r100_cp_init_microcode()", " - drm/amd/pm: ensure the fw_info is not null before using it", " - of/irq: Refer to actual buffer size in of_irq_parse_one()", " - ext4: ext4_search_dir should return a proper error", " - ext4: avoid use-after-free in ext4_ext_show_leaf()", " - ext4: fix i_data_sem unlock order in ext4_ind_migrate()", " - blk-integrity: use sysfs_emit", " - blk-integrity: convert to struct device_attribute", " - blk-integrity: register sysfs attributes on struct device", " - usb: typec: tcpm: Check for port partner validity before consuming it", " - spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled", " - spi: s3c64xx: fix timeout counters in flush_fifo", " - selftests: breakpoints: use remaining time to check if suspend succeed", " - selftests: vDSO: fix vDSO name for powerpc", " - selftests: vDSO: fix vdso_config for powerpc", " - selftests: vDSO: fix vDSO symbols lookup for powerpc64", " - selftests/mm: fix charge_reserved_hugetlb.sh test", " - selftests: vDSO: fix ELF hash table entry size for s390x", " - selftests: vDSO: fix vdso_config for s390", " - platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug", " - i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume", " - i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq()", " - i2c: xiic: Wait for TX empty to avoid missed TX NAKs", " - firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp()", " - spi: bcm63xx: Fix module autoloading", " - power: supply: hwmon: Fix missing temp1_max_alarm attribute", " - perf/core: Fix small negative period being ignored", " - parisc: Fix itlb miss handler for 64-bit programs", " - drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS", " - ALSA: core: add isascii() check to card ID generator", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET", " - ALSA: usb-audio: Add native DSD support for Luxman D-08u", " - ALSA: line6: add hw monitor volume control to POD HD500X", " - ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9", " - ext4: no need to continue when the number of entries is 1", " - ext4: correct encrypted dentry name hash when not casefolded", " - ext4: fix slab-use-after-free in ext4_split_extent_at()", " - ext4: propagate errors from ext4_find_extent() in ext4_insert_range()", " - ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space()", " - ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free", " - ext4: aovid use-after-free in ext4_ext_insert_extent()", " - ext4: fix double brelse() the buffer of the extents path", " - ext4: update orig_path in ext4_find_extent()", " - ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit()", " - ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list()", " - ext4: fix fast commit inode enqueueing during a full journal commit", " - ext4: use handle to mark fc as ineligible in __track_dentry_update()", " - ext4: mark fc as ineligible using an handle in ext4_xattr_set()", " - riscv: define ILLEGAL_POINTER_VALUE for 64bit", " - exfat: fix memory leak in exfat_load_bitmap()", " - perf hist: Update hist symbol when updating maps", " - nfsd: fix delegation_blocked() to block correctly for at least 30 seconds", " - nfsd: map the EBADMSG to nfserr_io to avoid warning", " - NFSD: Fix NFSv4's PUTPUBFH operation", " - aoe: fix the potential use-after-free problem in more places", " - clk: rockchip: fix error for unknown clocks", " - clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks", " - media: sun4i_csi: Implement link validate for sun4i_csi subdev", " - media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags", " - clk: qcom: clk-rpmh: Fix overflow in BCM vote", " - clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src", " - media: venus: fix use after free bug in venus_remove due to race condition", " - clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable()", " - clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table", " - iio: magnetometer: ak8975: Fix reading for ak099xx sensors", " - tomoyo: fallback to realpath if symlink's pathname does not exist", " - net: stmmac: Fix zero-division error when disabling tc cbs", " - rtc: at91sam9: fix OF node leak in probe() error path", " - Input: adp5589-keys - fix NULL pointer dereference", " - Input: adp5589-keys - fix adp5589_gpio_get_value()", " - ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[]", " - ACPI: resource: Add Asus ExpertBook B2502CVA to", " irq1_level_low_skip_override[]", " - btrfs: fix a NULL pointer dereference when failed to start a new trasacntion", " - btrfs: wait for fixup workers before stopping cleaner kthread during umount", " - gpio: davinci: fix lazy disable", " - tracing/hwlat: Fix a race during cpuhp processing", " - tracing/timerlat: Fix a race during cpuhp processing", " - close_range(): fix the logics in descriptor table trimming", " - drm/sched: Add locking to drm_sched_entity_modify_sched", " - drm/amd/display: Fix system hang while resume with TBT monitor", " - kconfig: qconf: fix buffer overflow in debug links", " - device property: Add fwnode_iomap()", " - device property: Add fwnode_irq_get_byname", " - i2c: smbus: Use device_*() functions instead of of_*()", " - i2c: create debugfs entry per adapter", " - i2c: core: Lock address during client device instantiation", " - i2c: xiic: Use devm_clk_get_enabled()", " - i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled", " - spi: bcm63xx: Fix missing pm_runtime_disable()", " - ext4: properly sync file size update after O_SYNC direct IO", " - ext4: dax: fix overflowing extents beyond inode size when partially writing", " - arm64: Add Cortex-715 CPU part definition", " - arm64: cputype: Add Neoverse-N3 definitions", " - arm64: errata: Expand speculative SSBS workaround once more", " - uprobes: fix kernel info leak via \"[uprobes]\" vma", " - drm/amd/display: Allow backlight to go below", " `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT`", " - build-id: require program headers to be right after ELF header", " - lib/buildid: harden build ID parsing logic", " - drm/rockchip: define gamma registers for RK3399", " - drm/rockchip: support gamma control on RK3399", " - drm/rockchip: vop: clear DMA stop bit on RK3066", " - media: i2c: imx335: Enable regulator supplies", " - media: imx335: Fix reset-gpio handling", " - dt-bindings: clock: qcom: Add missing UFS QREF clocks", " - dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x", " - r8169: Fix spelling mistake: \"tx_underun\" -> \"tx_underrun\"", " - r8169: add tally counter fields added with RTL8125", " - clk: qcom: gcc-sc8180x: Add GPLL9 support", " - ACPI: battery: Simplify battery hook locking", " - ACPI: battery: Fix possible crash when unregistering a battery hook", " - Revert \"arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of", " bindings\"", " - ext4: fix inode tree inconsistency caused by ENOMEM", " - 9p: add missing locking around taking dentry fid list", " - vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()", " - perf report: Fix segfault when 'sym' sort key is not used", " - ALSA: usb-audio: Fix possible NULL pointer dereference in", " snd_usb_pcm_has_fixed_rate()", " - unicode: Don't special case ignorable code points", " - net: ethernet: cortina: Drop TSO support", " - tracing: Remove precision vsnprintf() check from print event", " - drm/crtc: fix uninitialized variable use even harder", " - tracing: Have saved_cmdlines arrays all in one allocation", " - selftests/net: give more time to udpgro bg processes to complete startup", " - selftests/net: synchronize udpgro tests' tx and rx connection", " - selftests: net: Remove executable bits from library scripts", " - fs/ntfs3: Refactor enum_rstbl to suppress static checker", " - virtio_console: fix misc probe bugs", " - Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal", " - bpf: Check percpu map value size first", " - s390/facility: Disable compile time optimization for decompressor code", " - s390/mm: Add cond_resched() to cmm_alloc/free_pages()", " - bpf, x64: Fix a jit convergence issue", " - ext4: don't set SB_RDONLY after filesystem errors", " - ext4: nested locking for xattr inode", " - s390/cpum_sf: Remove WARN_ON_ONCE statements", " - ktest.pl: Avoid false positives with grub2 skip regex", " - RDMA/mad: Improve handling of timed out WRs of mad agent", " - PCI: Add function 0 DMA alias quirk for Glenfly Arise chip", " - RDMA/rtrs-srv: Avoid null pointer deref during path establishment", " - clk: bcm: bcm53573: fix OF node leak in init", " - PCI: Add ACS quirk for Qualcomm SA8775P", " - i2c: i801: Use a different adapter-name for IDF adapters", " - PCI: Mark Creative Labs EMU20k2 INTx masking as broken", " - ntb: ntb_hw_switchtec: Fix use after free vulnerability in", " switchtec_ntb_remove due to race condition", " - media: videobuf2-core: clear memory related fields in", " __vb2_plane_dmabuf_put()", " - remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table", " - clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D", " - usb: chipidea: udc: enable suspend interrupt after usb reset", " - usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the", " Crashkernel Scenario", " - comedi: ni_routing: tools: Check when the file could not be opened", " - virtio_pmem: Check device status before requesting flush", " - tools/iio: Add memory allocation failure check for trigger_name", " - driver core: bus: Return -EIO instead of 0 when show/store invalid bus", " attribute", " - drm/amd/display: Check null pointer before dereferencing se", " - fbdev: sisfb: Fix strbuf array overflow", " - RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt", " - NFSD: Mark filecache \"down\" if init fails", " - ice: fix VLAN replay after reset", " - SUNRPC: Fix integer overflow in decode_rc_list()", " - NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()", " - net: phy: dp83869: fix memory corruption when enabling fiber", " - tcp: fix to allow timestamp undo if no retransmits were sent", " - tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe", " - netfilter: br_netfilter: fix panic with metadata_dst skb", " - Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change", " - net: phy: bcm84881: Fix some error handling paths", " - thermal: int340x: processor_thermal: Set feature mask before", " proc_thermal_add", " - thermal: intel: int340x: processor: Fix warning during module unload", " - net: dsa: b53: fix jumbo frame mtu check", " - net: dsa: b53: fix max MTU for 1g switches", " - net: dsa: b53: fix max MTU for BCM5325/BCM5365", " - net: dsa: b53: allow lower MTUs on BCM5325/5365", " - net: dsa: b53: fix jumbo frames on 10/100 ports", " - gpio: aspeed: Add the flush write to ensure the write complete.", " - gpio: aspeed: Use devm_clk api to manage clock source", " - ice: Fix netif_is_ice() in Safe Mode", " - i40e: Fix macvlan leak by synchronizing access to mac_filter_hash", " - igb: Do not bring the device up after non-fatal error", " - net/sched: accept TCA_STAB only for root qdisc", " - net: ibm: emac: mal: fix wrong goto", " - sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start", " - netfilter: xtables: avoid NFPROTO_UNSPEC where needed", " - net: Add l3mdev index to flow struct and avoid oif reset for port devices", " - netfilter: rpfilter/fib: Populate flowic_l3mdev field", " - netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.", " - netfilter: fib: check correct rtable in vrf setups", " - net: rtnetlink: add msg kind names", " - rtnetlink: Add bulk registration helpers for rtnetlink message handlers.", " - mctp: Handle error of rtnl_register_module().", " - ppp: fix ppp_async_encode() illegal access", " - slip: make slhc_remember() more robust against malicious packets", " - RDMA/hns: Fix UAF for cq async event", " - x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported", " - hwmon: (tmp513) Add missing dependency on REGMAP_I2C", " - hwmon: (adm9240) Add missing dependency on REGMAP_I2C", " - hwmon: (adt7470) Add missing dependency on REGMAP_I2C", " - HID: amd_sfh: Switch to device-managed dmam_alloc_coherent()", " - resource: fix region_intersects() vs add_memory_driver_managed()", " - HID: plantronics: Workaround for an unexcepted opposite volume key", " - Revert \"usb: yurex: Replace snprintf() with the safer scnprintf() variant\"", " - usb: dwc3: core: Stop processing of pending events if controller is halted", " - usb: xhci: Fix problem with xhci resume from suspend", " - usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip", " - hid: intel-ish-hid: Fix uninitialized variable 'rv' in", " ish_fw_xfer_direct_dma", " - drm/v3d: Stop the active perfmon before being destroyed", " - net: explicitly clear the sk pointer, when pf->create fails", " - net: Fix an unsafe loop on the list", " - net: dsa: lan9303: ensure chip reset and wait for READY status", " - mptcp: pm: do not remove closing subflows", " - nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error", " - kthread: unpark only parked kthread", " - block, bfq: fix uaf for accessing waker_bfqq after splitting", " - i2c: smbus: Check for parent device before dereference", " - net: geneve: add missing netlink policy and size for", " IFLA_GENEVE_INNER_PROTO_INHERIT", " - xfrm: Pass flowi_oif or l3mdev as oif to xfrm_dst_lookup", " - net: Handle l3mdev in ip_tunnel_init_flow", " - net: seg6: fix seg6_lookup_any_nexthop() to handle VRFs using flowi_l3mdev", " - net: vrf: determine the dst using the original ifindex for multicast", " - netfilter: ip6t_rpfilter: Fix regression with VRF interfaces", " - ext4: fix warning in ext4_dio_write_end_io()", " - net: axienet: start napi before enabling Rx/Tx", " - selftests: net: more strict check in net_helper", " - net: xilinx: axienet: Schedule NAPI in two steps", " - Linux 5.15.168", " * CVE-2024-36968", " - Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()", " * CVE-2024-35904", " - selinux: avoid dereference of garbage after mount failure", " * IOMMU warnings on AMD systems after booting into kdump kernel", " (LP: #2080378)", " - iommu/amd: Simplify and Consolidate Virtual APIC (AVIC) Enablement", " - iommu/amd: Fix compile warning in init code", " * CVE-2024-42156", " - s390/pkey: Wipe copies of clear-key structures on failure", " * CVE-2024-44942", " - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC", " * CVE-2024-38538", " - net: bridge: xmit: make sure we have at least eth header len bytes", " * CVE-2024-42158", " - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings", " * CVE-2024-38667", " - riscv: prevent pt_regs corruption for secondary idle threads", " * CVE-2024-44940", " - fou: remove warn in gue_gro_receive on unsupported protocol", " * CVE-2024-42079", " - gfs2: Fix NULL pointer dereference in gfs2_log_flush", " * CVE-2024-35951", " - drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()", " * LXD fan bridge causes blocked tasks (LP: #2064176)", " - SAUCE: fan: release rcu_read_lock on skb discard path", " * CVE-2023-52532", " - net: mana: Fix TX CQE error handling", " * CVE-2023-52621", " - bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers", " * CVE-2024-26947", " - ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses", " * CVE-2023-52639", " - KVM: s390: vsie: fix race during shadow creation", "", " [ Ubuntu: 5.15.0-126.136 ]", "", " * jammy/linux: 5.15.0-126.136 -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", " * Cannot detect audio sinks and sources in proposed kernel (LP: #2085082)", " - soundwire: stream: Revert \"soundwire: stream: fix programming slave ports", " for non-continous port maps\"", "" ], "package": "linux-kvm", "version": "5.15.0-1070.75", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086343, 1786013, 2086357, 2086242, 2080378, 2064176, 2086027, 2085082 ], "author": "Koichiro Den ", "date": "Wed, 13 Nov 2024 13:30:09 +0900" } ], "notes": "linux-headers-5.15.0-1070-kvm version '5.15.0-1070.75' (source package linux-kvm version '5.15.0-1070.75') was added. linux-headers-5.15.0-1070-kvm version '5.15.0-1070.75' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1069-kvm. As such we can use the source package version of the removed package, '5.15.0-1069.74', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.15.0-1070-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1069.74", "version": null }, "to_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1070.75", "version": "5.15.0-1070.75" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-1070.75", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed-kvm", "version": "5.15.0-1070.75", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Koichiro Den ", "date": "Wed, 13 Nov 2024 13:45:21 +0900" } ], "notes": "linux-image-5.15.0-1070-kvm version '5.15.0-1070.75' (source package linux-signed-kvm version '5.15.0-1070.75') was added. linux-image-5.15.0-1070-kvm version '5.15.0-1070.75' has the same source package name, linux-signed-kvm, as removed package linux-image-5.15.0-1069-kvm. As such we can use the source package version of the removed package, '5.15.0-1069.74', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-kvm-headers-5.15.0-1070", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1069.74", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1070.75", "version": "5.15.0-1070.75" }, "cves": [ { "cve": "CVE-2024-36968", "url": "https://ubuntu.com/security/CVE-2024-36968", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a kzalloc failure and invalid MTU value. divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci0 hci_rx_work RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547 Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c 89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42 RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246 RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084 R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000 FS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline] l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline] hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335 worker_thread+0x926/0xe70 kernel/workqueue.c:3416 kthread+0x2e3/0x380 kernel/kthread.c:388 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-06-08 13:15:00 UTC" }, { "cve": "CVE-2024-35904", "url": "https://ubuntu.com/security/CVE-2024-35904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-42156", "url": "https://ubuntu.com/security/CVE-2024-42156", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-44942", "url": "https://ubuntu.com/security/CVE-2024-44942", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-38538", "url": "https://ubuntu.com/security/CVE-2024-38538", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42158", "url": "https://ubuntu.com/security/CVE-2024-42158", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle: WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38667", "url": "https://ubuntu.com/security/CVE-2024-38667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: prevent pt_regs corruption for secondary idle threads Top of the kernel thread stack should be reserved for pt_regs. However this is not the case for the idle threads of the secondary boot harts. Their stacks overlap with their pt_regs, so both may get corrupted. Similar issue has been fixed for the primary hart, see c7cdd96eca28 (\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\"). However that fix was not propagated to the secondary harts. The problem has been noticed in some CPU hotplug tests with V enabled. The function smp_callin stored several registers on stack, corrupting top of pt_regs structure including status field. As a result, kernel attempted to save or restore inexistent V context.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-44940", "url": "https://ubuntu.com/security/CVE-2024-44940", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: remove warn in gue_gro_receive on unsupported protocol Drop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is not known or does not have a GRO handler. Such a packet is easily constructed. Syzbot generates them and sets off this warning. Remove the warning as it is expected and not actionable. The warning was previously reduced from WARN_ON to WARN_ON_ONCE in commit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad proto callbacks\").", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-42079", "url": "https://ubuntu.com/security/CVE-2024-42079", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" }, { "cve": "CVE-2024-35951", "url": "https://ubuntu.com/security/CVE-2024-35951", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2023-52532", "url": "https://ubuntu.com/security/CVE-2023-52532", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52621", "url": "https://ubuntu.com/security/CVE-2023-52621", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0): WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ...... CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:bpf_map_lookup_elem+0x54/0x60 ...... Call Trace: ? __warn+0xa5/0x240 ? bpf_map_lookup_elem+0x54/0x60 ? report_bug+0x1ba/0x1f0 ? handle_bug+0x40/0x80 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1b/0x20 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ? rcu_lockdep_current_cpu_online+0x65/0xb0 ? rcu_is_watching+0x23/0x50 ? bpf_map_lookup_elem+0x54/0x60 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ___bpf_prog_run+0x513/0x3b70 __bpf_prog_run32+0x9d/0xd0 ? __bpf_prog_enter_sleepable_recur+0xad/0x120 ? __bpf_prog_enter_sleepable_recur+0x3e/0x120 bpf_trampoline_6442580665+0x4d/0x1000 __x64_sys_getpgid+0x5/0x30 ? do_syscall_64+0x36/0xb0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 ", "cve_priority": "medium", "cve_public_date": "2024-03-26 18:15:00 UTC" }, { "cve": "CVE-2024-26947", "url": "https://ubuntu.com/security/CVE-2024-26947", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses Since commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account freed memory map alignment\") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is:0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2023-52639", "url": "https://ubuntu.com/security/CVE-2023-52639", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the fact that we add gmap->private == kvm after creation: static int acquire_gmap_shadow(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) { [...] gmap = gmap_shadow(vcpu->arch.gmap, asce, edat); if (IS_ERR(gmap)) return PTR_ERR(gmap); gmap->private = vcpu->kvm; Let children inherit the private field of the parent.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2086343, 1786013, 2086357, 2086242, 2080378, 2064176, 2086027, 2085082 ], "changes": [ { "cves": [ { "cve": "CVE-2024-36968", "url": "https://ubuntu.com/security/CVE-2024-36968", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a kzalloc failure and invalid MTU value. divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci0 hci_rx_work RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547 Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c 89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42 RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246 RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084 R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000 FS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline] l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline] hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335 worker_thread+0x926/0xe70 kernel/workqueue.c:3416 kthread+0x2e3/0x380 kernel/kthread.c:388 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-06-08 13:15:00 UTC" }, { "cve": "CVE-2024-35904", "url": "https://ubuntu.com/security/CVE-2024-35904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-42156", "url": "https://ubuntu.com/security/CVE-2024-42156", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-44942", "url": "https://ubuntu.com/security/CVE-2024-44942", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-38538", "url": "https://ubuntu.com/security/CVE-2024-38538", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42158", "url": "https://ubuntu.com/security/CVE-2024-42158", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle: WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38667", "url": "https://ubuntu.com/security/CVE-2024-38667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: prevent pt_regs corruption for secondary idle threads Top of the kernel thread stack should be reserved for pt_regs. However this is not the case for the idle threads of the secondary boot harts. Their stacks overlap with their pt_regs, so both may get corrupted. Similar issue has been fixed for the primary hart, see c7cdd96eca28 (\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\"). However that fix was not propagated to the secondary harts. The problem has been noticed in some CPU hotplug tests with V enabled. The function smp_callin stored several registers on stack, corrupting top of pt_regs structure including status field. As a result, kernel attempted to save or restore inexistent V context.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-44940", "url": "https://ubuntu.com/security/CVE-2024-44940", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: remove warn in gue_gro_receive on unsupported protocol Drop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is not known or does not have a GRO handler. Such a packet is easily constructed. Syzbot generates them and sets off this warning. Remove the warning as it is expected and not actionable. The warning was previously reduced from WARN_ON to WARN_ON_ONCE in commit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad proto callbacks\").", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-42079", "url": "https://ubuntu.com/security/CVE-2024-42079", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" }, { "cve": "CVE-2024-35951", "url": "https://ubuntu.com/security/CVE-2024-35951", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2023-52532", "url": "https://ubuntu.com/security/CVE-2023-52532", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52621", "url": "https://ubuntu.com/security/CVE-2023-52621", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0): WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ...... CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:bpf_map_lookup_elem+0x54/0x60 ...... Call Trace: ? __warn+0xa5/0x240 ? bpf_map_lookup_elem+0x54/0x60 ? report_bug+0x1ba/0x1f0 ? handle_bug+0x40/0x80 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1b/0x20 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ? rcu_lockdep_current_cpu_online+0x65/0xb0 ? rcu_is_watching+0x23/0x50 ? bpf_map_lookup_elem+0x54/0x60 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ___bpf_prog_run+0x513/0x3b70 __bpf_prog_run32+0x9d/0xd0 ? __bpf_prog_enter_sleepable_recur+0xad/0x120 ? __bpf_prog_enter_sleepable_recur+0x3e/0x120 bpf_trampoline_6442580665+0x4d/0x1000 __x64_sys_getpgid+0x5/0x30 ? do_syscall_64+0x36/0xb0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 ", "cve_priority": "medium", "cve_public_date": "2024-03-26 18:15:00 UTC" }, { "cve": "CVE-2024-26947", "url": "https://ubuntu.com/security/CVE-2024-26947", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses Since commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account freed memory map alignment\") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is:0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2023-52639", "url": "https://ubuntu.com/security/CVE-2023-52639", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the fact that we add gmap->private == kvm after creation: static int acquire_gmap_shadow(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) { [...] gmap = gmap_shadow(vcpu->arch.gmap, asce, edat); if (IS_ERR(gmap)) return PTR_ERR(gmap); gmap->private = vcpu->kvm; Let children inherit the private field of the parent.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1070.75 -proposed tracker (LP: #2086343)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "", " [ Ubuntu: 5.15.0-127.137 ]", "", " * jammy/linux: 5.15.0-127.137 -proposed tracker (LP: #2086357)", " * Jammy update: v5.15.168 upstream stable release (LP: #2086242)", " - parisc: Fix 64-bit userspace syscall path", " - parisc: Fix stack start for ADDR_NO_RANDOMIZE personality", " - of/irq: Support #msi-cells=<0> in of_msi_get_domain", " - drm: omapdrm: Add missing check for alloc_ordered_workqueue", " - jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error", " - jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit", " - mm: krealloc: consider spare memory for __GFP_ZERO", " - ocfs2: fix the la space leak when unmounting an ocfs2 volume", " - ocfs2: fix uninit-value in ocfs2_get_block()", " - ocfs2: reserve space for inline xattr before attaching reflink tree", " - ocfs2: cancel dqi_sync_work before freeing oinfo", " - ocfs2: remove unreasonable unlock in ocfs2_read_blocks", " - ocfs2: fix null-ptr-deref when journal load failed.", " - ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate", " - usbnet: ipheth: fix carrier detection in modes 1 and 4", " - net: ethernet: use ip_hdrlen() instead of bit shift", " - net: phy: vitesse: repair vsc73xx autonegotiation", " - powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL", " - btrfs: update target inode's ctime on unlink", " - Input: ads7846 - ratelimit the spi_sync error message", " - Input: synaptics - enable SMBus for HP Elitebook 840 G2", " - HID: multitouch: Add support for GT7868Q", " - scripts: kconfig: merge_config: config files: add a trailing newline", " - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3", " - drm/msm/adreno: Fix error return if missing firmware-name", " - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table", " - NFSv4: Fix clearing of layout segments in layoutreturn", " - NFS: Avoid unnecessary rescanning of the per-server delegation list", " - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses", " - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array", " - mptcp: pm: Fix uaf in __timer_delete_sync", " - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399", " Puma", " - minmax: reduce min/max macro expansion in atomisp driver", " - net: tighten bad gso csum offset check in virtio_net_hdr", " - mm: avoid leaving partial pfn mappings around in error case", " - fs/ntfs3: Use kvfree to free memory allocated by kvmalloc", " - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E", " - eeprom: digsy_mtc: Fix 93xx46 driver probe failure", " - selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected()", " - hwmon: (pmbus) Introduce and use write_byte_data callback", " - hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >=", " 1.2", " - ice: fix accounting for filters shared by multiple VSIs", " - igb: Always call igb_xdp_ring_update_tail() under Tx lock", " - net/mlx5e: Add missing link modes to ptys2ethtool_map", " - net/mlx5: Explicitly set scheduling element and TSAR type", " - net/mlx5: Add support to create match definer", " - net/mlx5: Add IFC bits and enums for flow meter", " - net/mlx5: Add missing masks and QoS bit masks for scheduling elements", " - fou: fix initialization of grc", " - octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush", " - octeontx2-af: Modify SMQ flush sequence to drop packets", " - net: ftgmac100: Enable TX interrupt to avoid TX timeout", " - netfilter: nft_socket: fix sk refcount leaks", " - net: dpaa: Pad packets to ETH_ZLEN", " - spi: nxp-fspi: fix the KASAN report out-of-bounds bug", " - dma-buf: heaps: Fix off-by-one in CMA heap fault handler", " - ASoC: meson: axg-card: fix 'use-after-free'", " - ASoC: allow module autoloading for table db1200_pids", " - ALSA: hda/realtek - Fixed ALC256 headphone no sound", " - ALSA: hda/realtek - FIxed ALC285 headphone no sound", " - scsi: lpfc: Fix overflow build issue", " - pinctrl: at91: make it work with current gpiolib", " - microblaze: don't treat zero reserved memory regions as error", " - net: ftgmac100: Ensure tx descriptor updates are visible", " - wifi: iwlwifi: lower message level for FW buffer destination", " - wifi: iwlwifi: mvm: fix iwl_mvm_scan_fits() calculation", " - wifi: iwlwifi: mvm: pause TCM when the firmware is stopped", " - wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead", " - wifi: iwlwifi: clear trans->state earlier upon error", " - ASoC: intel: fix module autoloading", " - ASoC: tda7419: fix module autoloading", " - spi: spidev: Add an entry for elgin,jg10309-01", " - drm: komeda: Fix an issue related to normalized zpos", " - spi: bcm63xx: Enable module autoloading", " - x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency", " - spi: spidev: Add missing spi_device_id for jg10309-01", " - ocfs2: add bounds checking to ocfs2_xattr_find_entry()", " - ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()", " - cgroup: Make operations on the cgroup root_list RCU safe", " - Revert \"wifi: cfg80211: check wiphy mutex is held for wdev mutex\"", " - gpio: prevent potential speculation leaks in gpio_device_get_desc()", " - gpiolib: cdev: Ignore reconfiguration without direction", " - cgroup: Move rcu_head up near the top of cgroup_root", " - USB: serial: pl2303: add device id for Macrosilicon MS3020", " - USB: usbtmc: prevent kernel-usb-infoleak", " - EDAC/synopsys: Add support for version 3 of the Synopsys EDAC DDR", " - EDAC/synopsys: Use the correct register to disable the error interrupt on v3", " hw", " - EDAC/synopsys: Re-enable the error interrupts on v3 hw", " - EDAC/synopsys: Fix ECC status and IRQ control race condition", " - EDAC/synopsys: Fix error injection on Zynq UltraScale+", " - wifi: rtw88: always wait for both firmware loading attempts", " - crypto: xor - fix template benchmarking", " - ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()", " - wifi: ath9k: fix parameter check in ath9k_init_debug()", " - wifi: ath9k: Remove error checks when creating debugfs entries", " - net: stmmac: dwmac-loongson: Init ref and PTP clocks rate", " - wifi: rtw88: remove CPT execution branch never used", " - fs: explicitly unregister per-superblock BDIs", " - mount: warn only once about timestamp range expiration", " - fs/namespace: fnic: Switch to use %ptTd", " - mount: handle OOM on mnt_warn_timestamp_expiry", " - wifi: iwlwifi: mvm: increase the time between ranging measurements", " - padata: Honor the caller's alignment in case of chunk_size 0", " - can: j1939: use correct function name in comment", " - ACPI: CPPC: Fix MASK_VAL() usage", " - netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire", " - netfilter: nf_tables: reject element expiration with no timeout", " - netfilter: nf_tables: reject expiration higher than timeout", " - netfilter: nf_tables: remove annotation to access set timeout while holding", " lock", " - cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately", " - x86/sgx: Fix deadlock in SGX NUMA node search", " - wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()", " - wifi: mt76: mt7915: fix rx filter setting for bfee functionality", " - wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors", " - wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()", " - wifi: wilc1000: fix potential RCU dereference issue in", " wilc_parse_join_bss_param", " - sock_map: Add a cond_resched() in sock_hash_free()", " - can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().", " - can: m_can: m_can_close(): stop clocks after device has been shut down", " - Bluetooth: btusb: Fix not handling ZPL/short-transfer", " - bareudp: Pull inner IP header in bareudp_udp_encap_recv().", " - net: geneve: support IPv4/IPv6 as inner protocol", " - geneve: Fix incorrect inner network header offset when innerprotoinherit is", " set", " - bareudp: Pull inner IP header on xmit.", " - net: enetc: Use IRQF_NO_AUTOEN flag in request_irq()", " - r8169: disable ALDPS per default for RTL8125", " - net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input", " - net: tipc: avoid possible garbage value", " - block, bfq: fix possible UAF for bfqq->bic with merge chain", " - block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()", " - block, bfq: don't break merge chain in bfq_split_bfqq()", " - block: print symbolic error name instead of error code", " - block: fix potential invalid pointer dereference in blk_add_partition", " - spi: ppc4xx: handle irq_of_parse_and_map() errors", " - spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ", " - arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes", " - ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks", " - ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property", " - ARM: versatile: fix OF node leak in CPUs prepare", " - reset: berlin: fix OF node leak in probe() error path", " - reset: k210: fix OF node leak in probe() error path", " - clocksource/drivers/qcom: Add missing iounmap() on errors in", " msm_dt_timer_init()", " - m68k: Fix kernel_clone_args.flags in m68k_clone()", " - hwmon: (max16065) Fix overflows seen when writing limits", " - i2c: Add i2c_get_match_data()", " - hwmon: (max16065) Remove use of i2c_match_id()", " - hwmon: (max16065) Fix alarm attributes", " - mtd: slram: insert break after errors in parsing the map", " - hwmon: (ntc_thermistor) fix module autoloading", " - power: supply: axp20x_battery: Remove design from min and max voltage", " - power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense", " - fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()", " - mtd: powernv: Add check devm_kasprintf() returned value", " - pmdomain: core: Harden inter-column space in debug summary", " - drm/stm: Fix an error handling path in stm_drm_platform_probe()", " - drm/amd/display: Add null check for set_output_gamma in", " dcn30_set_output_transfer_func", " - drm/amdgpu: Replace one-element array with flexible-array member", " - drm/amdgpu: properly handle vbios fake edid sizing", " - drm/radeon: Replace one-element array with flexible-array member", " - drm/radeon: properly handle vbios fake edid sizing", " - scsi: NCR5380: Add SCp members to struct NCR5380_cmd", " - scsi: NCR5380: Check for phase match during PDMA fixup", " - drm/rockchip: vop: Allow 4096px width scaling", " - drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode", " - drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets", " - drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid()", " - scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()", " - jfs: fix out-of-bounds in dbNextAG() and diAlloc()", " - drm/mediatek: Use spin_lock_irqsave() for CRTC event lock", " - powerpc/32: Remove the 'nobats' kernel parameter", " - powerpc/32: Remove 'noltlbs' kernel parameter", " - powerpc/8xx: Fix initial memory mapping", " - powerpc/8xx: Fix kernel vs user address comparison", " - drm/msm: Fix incorrect file name output in adreno_request_fw()", " - drm/msm/a5xx: disable preemption in submits by default", " - drm/msm/a5xx: properly clear preemption records on resume", " - drm/msm/a5xx: fix races in preemption evaluation stage", " - drm/msm: Drop priv->lastctx", " - drm/msm/a5xx: workaround early ring-buffer emptiness check", " - ipmi: docs: don't advertise deprecated sysfs entries", " - drm/msm: fix %s null argument error", " - drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind()", " - xen: use correct end address of kernel for conflict checking", " - xen/swiotlb: add alignment check for dma buffers", " - tpm: Clean up TPM space after command failure", " - selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c", " - selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl libc", " - selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c", " - selftests/bpf: Fix compiling kfree_skb.c with musl-libc", " - selftests/bpf: Fix compiling flow_dissector.c with musl-libc", " - selftests/bpf: Fix compiling tcp_rtt.c with musl-libc", " - selftests/bpf: Fix compiling core_reloc.c with musl-libc", " - selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc", " - selftests/bpf: Fix error compiling test_lru_map.c", " - selftests/bpf: Fix C++ compile error from missing _Bool type", " - xz: cleanup CRC32 edits from 2018", " - kthread: fix task state in kthread worker if being frozen", " - ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard", " - smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso", " - ext4: avoid buffer_head leak in ext4_mark_inode_used()", " - ext4: avoid potential buffer_head leak in __ext4_new_inode()", " - ext4: avoid negative min_clusters in find_group_orlov()", " - ext4: return error on ext4_find_inline_entry", " - ext4: avoid OOB when system.data xattr changes underneath the filesystem", " - nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()", " - nilfs2: determine empty node blocks as corrupted", " - nilfs2: fix potential oob read in nilfs_btree_check_delete()", " - bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit", " - perf mem: Free the allocated sort string, fixing a leak", " - perf sched timehist: Fix missing free of session in perf_sched__timehist()", " - perf sched timehist: Fixed timestamp error when unable to confirm event", " sched_in time", " - perf time-utils: Fix 32-bit nsec parsing", " - clk: imx: imx8mp: fix clock tree update of TF-A managed clocks", " - clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk", " - clk: imx: imx8qxp: Parent should be initialized earlier than the clock", " - remoteproc: imx_rproc: Correct ddr alias for i.MX8M", " - remoteproc: imx_rproc: Initialize workqueue earlier", " - clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228", " - Input: ilitek_ts_i2c - avoid wrong input subsystem sync", " - Input: ilitek_ts_i2c - add report id message validation", " - drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error", " - drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error", " - PCI: keystone: Fix if-statement expression in ks_pcie_quirk()", " - PCI: xilinx-nwl: Fix register misspelling", " - PCI: xilinx-nwl: Clean up clock on probe failure/removal", " - RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency", " - pinctrl: single: fix missing error code in pcs_probe()", " - RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer", " - RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds", " - clk: ti: dra7-atl: Fix leak of of_nodes", " - nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire", " - nfsd: fix refcount leak when file is unhashed after being found", " - pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource()", " - pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function", " - IB/core: Fix ib_cache_setup_one error flow cleanup", " - watchdog: imx_sc_wdt: Don't disable WDT in suspend", " - RDMA/hns: Don't modify rq next block addr in HIP09 QPC", " - RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range()", " - RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled", " - RDMA/hns: Remove unused abnormal interrupt of type RAS", " - RDMA/hns: Fix the wrong type of return value of the interrupt handler", " - RDMA/hns: Refactor the abnormal interrupt handler function", " - RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler", " - RDMA/hns: Optimize hem allocation performance", " - riscv: Fix fp alignment bug in perf_callchain_user()", " - RDMA/cxgb4: Added NULL check for lookup_atid", " - RDMA/irdma: fix error message in irdma_modify_qp_roce()", " - ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()", " - ntb_perf: Fix printk format", " - nfsd: call cache_put if xdr_reserve_space returns NULL", " - nfsd: return -EINVAL when namelen is 0", " - f2fs: fix typo", " - f2fs: fix to update i_ctime in __f2fs_setxattr()", " - f2fs: remove unneeded check condition in __f2fs_setxattr()", " - f2fs: reduce expensive checkpoint trigger frequency", " - f2fs: optimize error handling in redirty_blocks", " - f2fs: fix to wait page writeback before setting gcing flag", " - f2fs: introduce F2FS_IPU_HONOR_OPU_WRITE ipu policy", " - f2fs: clean up w/ dotdot_name", " - f2fs: get rid of online repaire on corrupted directory", " - spi: lpspi: Silence error message upon deferred probe", " - spi: lpspi: release requested DMA channels", " - spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time", " - iio: adc: ad7606: fix oversampling gpio array", " - iio: adc: ad7606: fix standby gpio state to match the documentation", " - coresight: tmc: sg: Do not leak sg_table", " - interconnect: qcom: sm8250: Enable sync_state", " - vdpa: Add eventfd for the vdpa callback", " - vhost_vdpa: assign irq bypass producer token correctly", " - Revert \"dm: requeue IO if mapping table not yet available\"", " - net: axienet: Clean up device used for DMA calls", " - net: axienet: Clean up DMA start/stop and error handling", " - net: axienet: don't set IRQ timer when IRQ delay not used", " - net: axienet: implement NAPI and GRO receive", " - net: axienet: reduce default RX interrupt threshold to 1", " - net: axienet: add coalesce timer ethtool configuration", " - net: axienet: Be more careful about updating tx_bd_tail", " - net: axienet: Use NAPI for TX completion path", " - net: axienet: Switch to 64-bit RX/TX statistics", " - net: xilinx: axienet: Fix packet counting", " - netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()", " - net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race", " Condition", " - net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL", " - tcp: check skb is non-NULL in tcp_rto_delta_us()", " - net: qrtr: Update packets cloning when broadcasting", " - bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()", " - netfilter: nf_tables: Keep deleted flowtable hooks until after RCU", " - netfilter: ctnetlink: compile ctnetlink_label_size with", " CONFIG_NF_CONNTRACK_EVENTS", " - drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination", " - Input: goodix - use the new soc_intel_is_byt() helper", " - powercap: RAPL: fix invalid initialization for pl4_supported field", " - x86/mm: Switch to new Intel CPU model defines", " - vfio/pci: fix potential memory leak in vfio_intx_enable()", " - selinux,smack: don't bypass permissions check in inode_setsecctx hook", " - Remove *.orig pattern from .gitignore", " - PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler", " - ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error", " - soc: versatile: integrator: fix OF node leak in probe() error path", " - Revert \"media: tuners: fix error return code of", " hybrid_tuner_request_state()\"", " - Input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table", " - Input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table", " - Input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line", " - drm/amd/display: Round calculated vtotal", " - drm/amd/display: Validate backlight caps are sane", " - scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages", " - scsi: mac_scsi: Refactor polling loop", " - scsi: mac_scsi: Disallow bus errors during PDMA send", " - usbnet: fix cyclical race on disconnect with work queue", " - USB: appledisplay: close race between probe and completion handler", " - USB: misc: cypress_cy7c63: check for short transfer", " - USB: class: CDC-ACM: fix race between get_serial and set_serial", " - usb: cdnsp: Fix incorrect usb_request status", " - usb: dwc2: drd: fix clock gating on USB role switch", " - bus: integrator-lm: fix OF node leak in probe()", " - firmware_loader: Block path traversal", " - tty: rp2: Fix reset with non forgiving PCIe host bridges", " - xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them.", " - crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure", " - drbd: Fix atomicity violation in drbd_uuid_set_bm()", " - drbd: Add NULL check for net_conf to prevent dereference in state validation", " - ACPI: sysfs: validate return type of _STR method", " - ACPI: resource: Add another DMI match for the TongFang GMxXGxx", " - efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption", " - perf/x86/intel/pt: Fix sampling synchronization", " - wifi: rtw88: 8822c: Fix reported RX band width", " - wifi: mt76: mt7615: check devm_kasprintf() returned value", " - debugobjects: Fix conditions in fill_pool()", " - f2fs: prevent possible int overflow in dir_block_index()", " - f2fs: avoid potential int overflow in sanity_check_area_boundary()", " - hwrng: mtk - Use devm_pm_runtime_enable", " - hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init", " - hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume", " - arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency", " - arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity", " - vfs: fix race between evice_inodes() and find_inode()&iput()", " - fs: Fix file_set_fowner LSM hook inconsistencies", " - nfs: fix memory leak in error path of nfs4_do_reclaim", " - EDAC/igen6: Fix conversion of system address to physical memory address", " - padata: use integer wrap around to prevent deadlock on seq_nr overflow", " - soc: versatile: realview: fix memory leak during device remove", " - soc: versatile: realview: fix soc_dev leak during device remove", " - usb: yurex: Replace snprintf() with the safer scnprintf() variant", " - USB: misc: yurex: fix race between read and write", " - xhci: fix event ring segment table related masks and variables in header", " - xhci: remove xhci_test_trb_in_td_math early development check", " - xhci: Refactor interrupter code for initial multi interrupter support.", " - xhci: Preserve RsvdP bits in ERSTBA register correctly", " - xhci: Add a quirk for writing ERST in high-low order", " - usb: xhci: fix loss of data on Cadence xHC", " - pps: remove usage of the deprecated ida_simple_xx() API", " - pps: add an error check in parport_attach", " - x86/idtentry: Incorporate definitions/declarations of the FRED entries", " - x86/entry: Remove unwanted instrumentation in common_interrupt()", " - bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0", " - lockdep: fix deadlock issue between lockdep and rcu", " - mm: only enforce minimum stack gap size if it's sensible", " - i2c: aspeed: Update the stop sw state when the bus recovery occurs", " - i2c: isch: Add missed 'else'", " - usb: yurex: Fix inconsistent locking bug in yurex_read()", " - spi: lpspi: Simplify some error message", " - static_call: Handle module init failure correctly in", " static_call_del_module()", " - static_call: Replace pointless WARN_ON() in static_call_module_notify()", " - mailbox: rockchip: fix a typo in module autoloading", " - mailbox: bcm2835: Fix timeout during suspend mode", " - ceph: remove the incorrect Fw reference check when dirtying pages", " - ieee802154: Fix build error", " - net/mlx5: Fix error path in multi-packet WQE transmit", " - net/mlx5: Added cond_resched() to crdump collection", " - net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()", " - netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED", " - net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()", " - netfilter: nf_tables: prevent nf_skb_duplicated corruption", " - Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()", " - net: ethernet: lantiq_etop: fix memory disclosure", " - net: avoid potential underflow in qdisc_pkt_len_init() with UFO", " - net: add more sanity checks to qdisc_pkt_len_init()", " - stmmac_pci: Fix underflow size in stmmac_rx", " - net: stmmac: Disable automatic FCS/Pad stripping", " - net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check", " - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit", " - ppp: do not assume bh is held in ppp_channel_bridge_input()", " - sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start", " - i2c: xiic: Fix broken locking on tx_msg", " - i2c: xiic: Switch from waitqueue to completion", " - i2c: xiic: Fix RX IRQ busy check", " - i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path", " - i2c: xiic: improve error message when transfer fails to start", " - i2c: xiic: Try re-initialization on bus busy timeout", " - media: usbtv: Remove useless locks in usbtv_video_free()", " - ALSA: mixer_oss: Remove some incorrect kfree_const() usages", " - ALSA: hda/realtek: Fix the push button function for the ALC257", " - ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs", " - ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m", " - ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin", " - f2fs: Require FMODE_WRITE for atomic write ioctls", " - wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()", " - wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit", " - ice: Adjust over allocation of memory in ice_sched_add_root_node() and", " ice_sched_add_node()", " - net/xen-netback: prevent UAF in xenvif_flush_hash()", " - net: hisilicon: hip04: fix OF node leak in probe()", " - net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info()", " - net: hisilicon: hns_mdio: fix OF node leak in probe()", " - ACPI: PAD: fix crash in exit_round_robin()", " - ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails", " - ACPICA: Fix memory leak if acpi_ps_get_next_field() fails", " - net: sched: consistently use rcu_replace_pointer() in taprio_change()", " - blk_iocost: fix more out of bound shifts", " - nvme-pci: qdepth 1 quirk", " - wifi: ath11k: fix array out-of-bound access in SoC stats", " - wifi: rtw88: select WANT_DEV_COREDUMP", " - ACPI: EC: Do not release locks during operation region accesses", " - ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in", " acpi_db_convert_to_package()", " - tipc: guard against string buffer overrun", " - net: mvpp2: Increase size of queue_name buffer", " - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR).", " - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family", " - net: atlantic: Avoid warning about potential string truncation", " - tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process", " - ACPICA: iasl: handle empty connection_node", " - proc: add config & param to block forcing mem writes", " - [Config] updateconfigs to select PROC_MEM_ALWAYS_FORCE", " - wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker", " - wifi: mwifiex: Fix memcpy() field-spanning write warning in", " mwifiex_cmd_802_11_scan_ext()", " - nfp: Use IRQF_NO_AUTOEN flag in request_irq()", " - signal: Replace BUG_ON()s", " - ALSA: usb-audio: Add input value sanity checks for standard types", " - x86/ioapic: Handle allocation failures gracefully", " - ALSA: usb-audio: Define macros for quirk table entries", " - ALSA: usb-audio: Add logitech Audio profile quirk", " - tools/x86/kcpuid: Protect against faulty \"max subleaf\" values", " - ALSA: asihpi: Fix potential OOB array access", " - ALSA: hdsp: Break infinite MIDI input flush loop", " - x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments()", " - fbdev: pxafb: Fix possible use after free in pxafb_task()", " - rcuscale: Provide clear error when async specified without primitives", " - iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux", " - power: reset: brcmstb: Do not go into infinite loop if reset fails", " - iommu/vt-d: Always reserve a domain ID for identity setup", " - iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count", " - drm/amd/display: Add null check for top_pipe_to_program in", " commit_planes_for_stream", " - ata: sata_sil: Rename sil_blacklist to sil_quirks", " - drm/amd/display: Check null pointers before using dc->clk_mgr", " - jfs: UBSAN: shift-out-of-bounds in dbFindBits", " - jfs: Fix uaf in dbFreeBits", " - jfs: check if leafidx greater than num leaves per dmap tree", " - scsi: smartpqi: correct stream detection", " - jfs: Fix uninit-value access of new_ea in ea_buffer", " - drm/amdgpu: add raven1 gfxoff quirk", " - drm/amdgpu: enable gfxoff quirk on HP 705G4", " - HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio", " - platform/x86: touchscreen_dmi: add nanote-next quirk", " - drm/amd/display: Check stream before comparing them", " - drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format", " translation", " - drm/amd/display: Fix index out of bounds in degamma hardware format", " translation", " - drm/amd/display: Fix index out of bounds in DCN30 color transformation", " - drm/amd/display: Initialize get_bytes_per_element's default to 1", " - drm/printer: Allow NULL data in devcoredump printer", " - scsi: aacraid: Rearrange order of struct aac_srb_unit", " - drm/radeon/r100: Handle unknown family in r100_cp_init_microcode()", " - drm/amd/pm: ensure the fw_info is not null before using it", " - of/irq: Refer to actual buffer size in of_irq_parse_one()", " - ext4: ext4_search_dir should return a proper error", " - ext4: avoid use-after-free in ext4_ext_show_leaf()", " - ext4: fix i_data_sem unlock order in ext4_ind_migrate()", " - blk-integrity: use sysfs_emit", " - blk-integrity: convert to struct device_attribute", " - blk-integrity: register sysfs attributes on struct device", " - usb: typec: tcpm: Check for port partner validity before consuming it", " - spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled", " - spi: s3c64xx: fix timeout counters in flush_fifo", " - selftests: breakpoints: use remaining time to check if suspend succeed", " - selftests: vDSO: fix vDSO name for powerpc", " - selftests: vDSO: fix vdso_config for powerpc", " - selftests: vDSO: fix vDSO symbols lookup for powerpc64", " - selftests/mm: fix charge_reserved_hugetlb.sh test", " - selftests: vDSO: fix ELF hash table entry size for s390x", " - selftests: vDSO: fix vdso_config for s390", " - platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug", " - i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume", " - i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq()", " - i2c: xiic: Wait for TX empty to avoid missed TX NAKs", " - firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp()", " - spi: bcm63xx: Fix module autoloading", " - power: supply: hwmon: Fix missing temp1_max_alarm attribute", " - perf/core: Fix small negative period being ignored", " - parisc: Fix itlb miss handler for 64-bit programs", " - drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS", " - ALSA: core: add isascii() check to card ID generator", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET", " - ALSA: usb-audio: Add native DSD support for Luxman D-08u", " - ALSA: line6: add hw monitor volume control to POD HD500X", " - ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9", " - ext4: no need to continue when the number of entries is 1", " - ext4: correct encrypted dentry name hash when not casefolded", " - ext4: fix slab-use-after-free in ext4_split_extent_at()", " - ext4: propagate errors from ext4_find_extent() in ext4_insert_range()", " - ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space()", " - ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free", " - ext4: aovid use-after-free in ext4_ext_insert_extent()", " - ext4: fix double brelse() the buffer of the extents path", " - ext4: update orig_path in ext4_find_extent()", " - ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit()", " - ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list()", " - ext4: fix fast commit inode enqueueing during a full journal commit", " - ext4: use handle to mark fc as ineligible in __track_dentry_update()", " - ext4: mark fc as ineligible using an handle in ext4_xattr_set()", " - riscv: define ILLEGAL_POINTER_VALUE for 64bit", " - exfat: fix memory leak in exfat_load_bitmap()", " - perf hist: Update hist symbol when updating maps", " - nfsd: fix delegation_blocked() to block correctly for at least 30 seconds", " - nfsd: map the EBADMSG to nfserr_io to avoid warning", " - NFSD: Fix NFSv4's PUTPUBFH operation", " - aoe: fix the potential use-after-free problem in more places", " - clk: rockchip: fix error for unknown clocks", " - clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks", " - media: sun4i_csi: Implement link validate for sun4i_csi subdev", " - media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags", " - clk: qcom: clk-rpmh: Fix overflow in BCM vote", " - clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src", " - media: venus: fix use after free bug in venus_remove due to race condition", " - clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable()", " - clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table", " - iio: magnetometer: ak8975: Fix reading for ak099xx sensors", " - tomoyo: fallback to realpath if symlink's pathname does not exist", " - net: stmmac: Fix zero-division error when disabling tc cbs", " - rtc: at91sam9: fix OF node leak in probe() error path", " - Input: adp5589-keys - fix NULL pointer dereference", " - Input: adp5589-keys - fix adp5589_gpio_get_value()", " - ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[]", " - ACPI: resource: Add Asus ExpertBook B2502CVA to", " irq1_level_low_skip_override[]", " - btrfs: fix a NULL pointer dereference when failed to start a new trasacntion", " - btrfs: wait for fixup workers before stopping cleaner kthread during umount", " - gpio: davinci: fix lazy disable", " - tracing/hwlat: Fix a race during cpuhp processing", " - tracing/timerlat: Fix a race during cpuhp processing", " - close_range(): fix the logics in descriptor table trimming", " - drm/sched: Add locking to drm_sched_entity_modify_sched", " - drm/amd/display: Fix system hang while resume with TBT monitor", " - kconfig: qconf: fix buffer overflow in debug links", " - device property: Add fwnode_iomap()", " - device property: Add fwnode_irq_get_byname", " - i2c: smbus: Use device_*() functions instead of of_*()", " - i2c: create debugfs entry per adapter", " - i2c: core: Lock address during client device instantiation", " - i2c: xiic: Use devm_clk_get_enabled()", " - i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled", " - spi: bcm63xx: Fix missing pm_runtime_disable()", " - ext4: properly sync file size update after O_SYNC direct IO", " - ext4: dax: fix overflowing extents beyond inode size when partially writing", " - arm64: Add Cortex-715 CPU part definition", " - arm64: cputype: Add Neoverse-N3 definitions", " - arm64: errata: Expand speculative SSBS workaround once more", " - uprobes: fix kernel info leak via \"[uprobes]\" vma", " - drm/amd/display: Allow backlight to go below", " `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT`", " - build-id: require program headers to be right after ELF header", " - lib/buildid: harden build ID parsing logic", " - drm/rockchip: define gamma registers for RK3399", " - drm/rockchip: support gamma control on RK3399", " - drm/rockchip: vop: clear DMA stop bit on RK3066", " - media: i2c: imx335: Enable regulator supplies", " - media: imx335: Fix reset-gpio handling", " - dt-bindings: clock: qcom: Add missing UFS QREF clocks", " - dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x", " - r8169: Fix spelling mistake: \"tx_underun\" -> \"tx_underrun\"", " - r8169: add tally counter fields added with RTL8125", " - clk: qcom: gcc-sc8180x: Add GPLL9 support", " - ACPI: battery: Simplify battery hook locking", " - ACPI: battery: Fix possible crash when unregistering a battery hook", " - Revert \"arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of", " bindings\"", " - ext4: fix inode tree inconsistency caused by ENOMEM", " - 9p: add missing locking around taking dentry fid list", " - vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()", " - perf report: Fix segfault when 'sym' sort key is not used", " - ALSA: usb-audio: Fix possible NULL pointer dereference in", " snd_usb_pcm_has_fixed_rate()", " - unicode: Don't special case ignorable code points", " - net: ethernet: cortina: Drop TSO support", " - tracing: Remove precision vsnprintf() check from print event", " - drm/crtc: fix uninitialized variable use even harder", " - tracing: Have saved_cmdlines arrays all in one allocation", " - selftests/net: give more time to udpgro bg processes to complete startup", " - selftests/net: synchronize udpgro tests' tx and rx connection", " - selftests: net: Remove executable bits from library scripts", " - fs/ntfs3: Refactor enum_rstbl to suppress static checker", " - virtio_console: fix misc probe bugs", " - Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal", " - bpf: Check percpu map value size first", " - s390/facility: Disable compile time optimization for decompressor code", " - s390/mm: Add cond_resched() to cmm_alloc/free_pages()", " - bpf, x64: Fix a jit convergence issue", " - ext4: don't set SB_RDONLY after filesystem errors", " - ext4: nested locking for xattr inode", " - s390/cpum_sf: Remove WARN_ON_ONCE statements", " - ktest.pl: Avoid false positives with grub2 skip regex", " - RDMA/mad: Improve handling of timed out WRs of mad agent", " - PCI: Add function 0 DMA alias quirk for Glenfly Arise chip", " - RDMA/rtrs-srv: Avoid null pointer deref during path establishment", " - clk: bcm: bcm53573: fix OF node leak in init", " - PCI: Add ACS quirk for Qualcomm SA8775P", " - i2c: i801: Use a different adapter-name for IDF adapters", " - PCI: Mark Creative Labs EMU20k2 INTx masking as broken", " - ntb: ntb_hw_switchtec: Fix use after free vulnerability in", " switchtec_ntb_remove due to race condition", " - media: videobuf2-core: clear memory related fields in", " __vb2_plane_dmabuf_put()", " - remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table", " - clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D", " - usb: chipidea: udc: enable suspend interrupt after usb reset", " - usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the", " Crashkernel Scenario", " - comedi: ni_routing: tools: Check when the file could not be opened", " - virtio_pmem: Check device status before requesting flush", " - tools/iio: Add memory allocation failure check for trigger_name", " - driver core: bus: Return -EIO instead of 0 when show/store invalid bus", " attribute", " - drm/amd/display: Check null pointer before dereferencing se", " - fbdev: sisfb: Fix strbuf array overflow", " - RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt", " - NFSD: Mark filecache \"down\" if init fails", " - ice: fix VLAN replay after reset", " - SUNRPC: Fix integer overflow in decode_rc_list()", " - NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()", " - net: phy: dp83869: fix memory corruption when enabling fiber", " - tcp: fix to allow timestamp undo if no retransmits were sent", " - tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe", " - netfilter: br_netfilter: fix panic with metadata_dst skb", " - Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change", " - net: phy: bcm84881: Fix some error handling paths", " - thermal: int340x: processor_thermal: Set feature mask before", " proc_thermal_add", " - thermal: intel: int340x: processor: Fix warning during module unload", " - net: dsa: b53: fix jumbo frame mtu check", " - net: dsa: b53: fix max MTU for 1g switches", " - net: dsa: b53: fix max MTU for BCM5325/BCM5365", " - net: dsa: b53: allow lower MTUs on BCM5325/5365", " - net: dsa: b53: fix jumbo frames on 10/100 ports", " - gpio: aspeed: Add the flush write to ensure the write complete.", " - gpio: aspeed: Use devm_clk api to manage clock source", " - ice: Fix netif_is_ice() in Safe Mode", " - i40e: Fix macvlan leak by synchronizing access to mac_filter_hash", " - igb: Do not bring the device up after non-fatal error", " - net/sched: accept TCA_STAB only for root qdisc", " - net: ibm: emac: mal: fix wrong goto", " - sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start", " - netfilter: xtables: avoid NFPROTO_UNSPEC where needed", " - net: Add l3mdev index to flow struct and avoid oif reset for port devices", " - netfilter: rpfilter/fib: Populate flowic_l3mdev field", " - netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.", " - netfilter: fib: check correct rtable in vrf setups", " - net: rtnetlink: add msg kind names", " - rtnetlink: Add bulk registration helpers for rtnetlink message handlers.", " - mctp: Handle error of rtnl_register_module().", " - ppp: fix ppp_async_encode() illegal access", " - slip: make slhc_remember() more robust against malicious packets", " - RDMA/hns: Fix UAF for cq async event", " - x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported", " - hwmon: (tmp513) Add missing dependency on REGMAP_I2C", " - hwmon: (adm9240) Add missing dependency on REGMAP_I2C", " - hwmon: (adt7470) Add missing dependency on REGMAP_I2C", " - HID: amd_sfh: Switch to device-managed dmam_alloc_coherent()", " - resource: fix region_intersects() vs add_memory_driver_managed()", " - HID: plantronics: Workaround for an unexcepted opposite volume key", " - Revert \"usb: yurex: Replace snprintf() with the safer scnprintf() variant\"", " - usb: dwc3: core: Stop processing of pending events if controller is halted", " - usb: xhci: Fix problem with xhci resume from suspend", " - usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip", " - hid: intel-ish-hid: Fix uninitialized variable 'rv' in", " ish_fw_xfer_direct_dma", " - drm/v3d: Stop the active perfmon before being destroyed", " - net: explicitly clear the sk pointer, when pf->create fails", " - net: Fix an unsafe loop on the list", " - net: dsa: lan9303: ensure chip reset and wait for READY status", " - mptcp: pm: do not remove closing subflows", " - nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error", " - kthread: unpark only parked kthread", " - block, bfq: fix uaf for accessing waker_bfqq after splitting", " - i2c: smbus: Check for parent device before dereference", " - net: geneve: add missing netlink policy and size for", " IFLA_GENEVE_INNER_PROTO_INHERIT", " - xfrm: Pass flowi_oif or l3mdev as oif to xfrm_dst_lookup", " - net: Handle l3mdev in ip_tunnel_init_flow", " - net: seg6: fix seg6_lookup_any_nexthop() to handle VRFs using flowi_l3mdev", " - net: vrf: determine the dst using the original ifindex for multicast", " - netfilter: ip6t_rpfilter: Fix regression with VRF interfaces", " - ext4: fix warning in ext4_dio_write_end_io()", " - net: axienet: start napi before enabling Rx/Tx", " - selftests: net: more strict check in net_helper", " - net: xilinx: axienet: Schedule NAPI in two steps", " - Linux 5.15.168", " * CVE-2024-36968", " - Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()", " * CVE-2024-35904", " - selinux: avoid dereference of garbage after mount failure", " * IOMMU warnings on AMD systems after booting into kdump kernel", " (LP: #2080378)", " - iommu/amd: Simplify and Consolidate Virtual APIC (AVIC) Enablement", " - iommu/amd: Fix compile warning in init code", " * CVE-2024-42156", " - s390/pkey: Wipe copies of clear-key structures on failure", " * CVE-2024-44942", " - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC", " * CVE-2024-38538", " - net: bridge: xmit: make sure we have at least eth header len bytes", " * CVE-2024-42158", " - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings", " * CVE-2024-38667", " - riscv: prevent pt_regs corruption for secondary idle threads", " * CVE-2024-44940", " - fou: remove warn in gue_gro_receive on unsupported protocol", " * CVE-2024-42079", " - gfs2: Fix NULL pointer dereference in gfs2_log_flush", " * CVE-2024-35951", " - drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()", " * LXD fan bridge causes blocked tasks (LP: #2064176)", " - SAUCE: fan: release rcu_read_lock on skb discard path", " * CVE-2023-52532", " - net: mana: Fix TX CQE error handling", " * CVE-2023-52621", " - bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers", " * CVE-2024-26947", " - ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses", " * CVE-2023-52639", " - KVM: s390: vsie: fix race during shadow creation", "", " [ Ubuntu: 5.15.0-126.136 ]", "", " * jammy/linux: 5.15.0-126.136 -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", " * Cannot detect audio sinks and sources in proposed kernel (LP: #2085082)", " - soundwire: stream: Revert \"soundwire: stream: fix programming slave ports", " for non-continous port maps\"", "" ], "package": "linux-kvm", "version": "5.15.0-1070.75", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086343, 1786013, 2086357, 2086242, 2080378, 2064176, 2086027, 2085082 ], "author": "Koichiro Den ", "date": "Wed, 13 Nov 2024 13:30:09 +0900" } ], "notes": "linux-kvm-headers-5.15.0-1070 version '5.15.0-1070.75' (source package linux-kvm version '5.15.0-1070.75') was added. linux-kvm-headers-5.15.0-1070 version '5.15.0-1070.75' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1069-kvm. As such we can use the source package version of the removed package, '5.15.0-1069.74', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.15.0-1070-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1069.74", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1070.75", "version": "5.15.0-1070.75" }, "cves": [ { "cve": "CVE-2024-36968", "url": "https://ubuntu.com/security/CVE-2024-36968", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a kzalloc failure and invalid MTU value. divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci0 hci_rx_work RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547 Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c 89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42 RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246 RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084 R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000 FS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline] l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline] hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335 worker_thread+0x926/0xe70 kernel/workqueue.c:3416 kthread+0x2e3/0x380 kernel/kthread.c:388 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-06-08 13:15:00 UTC" }, { "cve": "CVE-2024-35904", "url": "https://ubuntu.com/security/CVE-2024-35904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-42156", "url": "https://ubuntu.com/security/CVE-2024-42156", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-44942", "url": "https://ubuntu.com/security/CVE-2024-44942", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-38538", "url": "https://ubuntu.com/security/CVE-2024-38538", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42158", "url": "https://ubuntu.com/security/CVE-2024-42158", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle: WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38667", "url": "https://ubuntu.com/security/CVE-2024-38667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: prevent pt_regs corruption for secondary idle threads Top of the kernel thread stack should be reserved for pt_regs. However this is not the case for the idle threads of the secondary boot harts. Their stacks overlap with their pt_regs, so both may get corrupted. Similar issue has been fixed for the primary hart, see c7cdd96eca28 (\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\"). However that fix was not propagated to the secondary harts. The problem has been noticed in some CPU hotplug tests with V enabled. The function smp_callin stored several registers on stack, corrupting top of pt_regs structure including status field. As a result, kernel attempted to save or restore inexistent V context.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-44940", "url": "https://ubuntu.com/security/CVE-2024-44940", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: remove warn in gue_gro_receive on unsupported protocol Drop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is not known or does not have a GRO handler. Such a packet is easily constructed. Syzbot generates them and sets off this warning. Remove the warning as it is expected and not actionable. The warning was previously reduced from WARN_ON to WARN_ON_ONCE in commit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad proto callbacks\").", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-42079", "url": "https://ubuntu.com/security/CVE-2024-42079", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" }, { "cve": "CVE-2024-35951", "url": "https://ubuntu.com/security/CVE-2024-35951", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2023-52532", "url": "https://ubuntu.com/security/CVE-2023-52532", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52621", "url": "https://ubuntu.com/security/CVE-2023-52621", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0): WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ...... CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:bpf_map_lookup_elem+0x54/0x60 ...... Call Trace: ? __warn+0xa5/0x240 ? bpf_map_lookup_elem+0x54/0x60 ? report_bug+0x1ba/0x1f0 ? handle_bug+0x40/0x80 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1b/0x20 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ? rcu_lockdep_current_cpu_online+0x65/0xb0 ? rcu_is_watching+0x23/0x50 ? bpf_map_lookup_elem+0x54/0x60 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ___bpf_prog_run+0x513/0x3b70 __bpf_prog_run32+0x9d/0xd0 ? __bpf_prog_enter_sleepable_recur+0xad/0x120 ? __bpf_prog_enter_sleepable_recur+0x3e/0x120 bpf_trampoline_6442580665+0x4d/0x1000 __x64_sys_getpgid+0x5/0x30 ? do_syscall_64+0x36/0xb0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 ", "cve_priority": "medium", "cve_public_date": "2024-03-26 18:15:00 UTC" }, { "cve": "CVE-2024-26947", "url": "https://ubuntu.com/security/CVE-2024-26947", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses Since commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account freed memory map alignment\") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is:0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2023-52639", "url": "https://ubuntu.com/security/CVE-2023-52639", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the fact that we add gmap->private == kvm after creation: static int acquire_gmap_shadow(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) { [...] gmap = gmap_shadow(vcpu->arch.gmap, asce, edat); if (IS_ERR(gmap)) return PTR_ERR(gmap); gmap->private = vcpu->kvm; Let children inherit the private field of the parent.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2086343, 1786013, 2086357, 2086242, 2080378, 2064176, 2086027, 2085082 ], "changes": [ { "cves": [ { "cve": "CVE-2024-36968", "url": "https://ubuntu.com/security/CVE-2024-36968", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a kzalloc failure and invalid MTU value. divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci0 hci_rx_work RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547 Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c 89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42 RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246 RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084 R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000 FS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline] l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline] hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335 worker_thread+0x926/0xe70 kernel/workqueue.c:3416 kthread+0x2e3/0x380 kernel/kthread.c:388 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-06-08 13:15:00 UTC" }, { "cve": "CVE-2024-35904", "url": "https://ubuntu.com/security/CVE-2024-35904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-42156", "url": "https://ubuntu.com/security/CVE-2024-42156", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-44942", "url": "https://ubuntu.com/security/CVE-2024-44942", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-38538", "url": "https://ubuntu.com/security/CVE-2024-38538", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42158", "url": "https://ubuntu.com/security/CVE-2024-42158", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle: WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38667", "url": "https://ubuntu.com/security/CVE-2024-38667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: prevent pt_regs corruption for secondary idle threads Top of the kernel thread stack should be reserved for pt_regs. However this is not the case for the idle threads of the secondary boot harts. Their stacks overlap with their pt_regs, so both may get corrupted. Similar issue has been fixed for the primary hart, see c7cdd96eca28 (\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\"). However that fix was not propagated to the secondary harts. The problem has been noticed in some CPU hotplug tests with V enabled. The function smp_callin stored several registers on stack, corrupting top of pt_regs structure including status field. As a result, kernel attempted to save or restore inexistent V context.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-44940", "url": "https://ubuntu.com/security/CVE-2024-44940", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: remove warn in gue_gro_receive on unsupported protocol Drop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is not known or does not have a GRO handler. Such a packet is easily constructed. Syzbot generates them and sets off this warning. Remove the warning as it is expected and not actionable. The warning was previously reduced from WARN_ON to WARN_ON_ONCE in commit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad proto callbacks\").", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-42079", "url": "https://ubuntu.com/security/CVE-2024-42079", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" }, { "cve": "CVE-2024-35951", "url": "https://ubuntu.com/security/CVE-2024-35951", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2023-52532", "url": "https://ubuntu.com/security/CVE-2023-52532", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52621", "url": "https://ubuntu.com/security/CVE-2023-52621", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0): WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ...... CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:bpf_map_lookup_elem+0x54/0x60 ...... Call Trace: ? __warn+0xa5/0x240 ? bpf_map_lookup_elem+0x54/0x60 ? report_bug+0x1ba/0x1f0 ? handle_bug+0x40/0x80 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1b/0x20 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ? rcu_lockdep_current_cpu_online+0x65/0xb0 ? rcu_is_watching+0x23/0x50 ? bpf_map_lookup_elem+0x54/0x60 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ___bpf_prog_run+0x513/0x3b70 __bpf_prog_run32+0x9d/0xd0 ? __bpf_prog_enter_sleepable_recur+0xad/0x120 ? __bpf_prog_enter_sleepable_recur+0x3e/0x120 bpf_trampoline_6442580665+0x4d/0x1000 __x64_sys_getpgid+0x5/0x30 ? do_syscall_64+0x36/0xb0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 ", "cve_priority": "medium", "cve_public_date": "2024-03-26 18:15:00 UTC" }, { "cve": "CVE-2024-26947", "url": "https://ubuntu.com/security/CVE-2024-26947", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses Since commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account freed memory map alignment\") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is:0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2023-52639", "url": "https://ubuntu.com/security/CVE-2023-52639", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the fact that we add gmap->private == kvm after creation: static int acquire_gmap_shadow(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) { [...] gmap = gmap_shadow(vcpu->arch.gmap, asce, edat); if (IS_ERR(gmap)) return PTR_ERR(gmap); gmap->private = vcpu->kvm; Let children inherit the private field of the parent.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1070.75 -proposed tracker (LP: #2086343)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "", " [ Ubuntu: 5.15.0-127.137 ]", "", " * jammy/linux: 5.15.0-127.137 -proposed tracker (LP: #2086357)", " * Jammy update: v5.15.168 upstream stable release (LP: #2086242)", " - parisc: Fix 64-bit userspace syscall path", " - parisc: Fix stack start for ADDR_NO_RANDOMIZE personality", " - of/irq: Support #msi-cells=<0> in of_msi_get_domain", " - drm: omapdrm: Add missing check for alloc_ordered_workqueue", " - jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error", " - jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit", " - mm: krealloc: consider spare memory for __GFP_ZERO", " - ocfs2: fix the la space leak when unmounting an ocfs2 volume", " - ocfs2: fix uninit-value in ocfs2_get_block()", " - ocfs2: reserve space for inline xattr before attaching reflink tree", " - ocfs2: cancel dqi_sync_work before freeing oinfo", " - ocfs2: remove unreasonable unlock in ocfs2_read_blocks", " - ocfs2: fix null-ptr-deref when journal load failed.", " - ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate", " - usbnet: ipheth: fix carrier detection in modes 1 and 4", " - net: ethernet: use ip_hdrlen() instead of bit shift", " - net: phy: vitesse: repair vsc73xx autonegotiation", " - powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL", " - btrfs: update target inode's ctime on unlink", " - Input: ads7846 - ratelimit the spi_sync error message", " - Input: synaptics - enable SMBus for HP Elitebook 840 G2", " - HID: multitouch: Add support for GT7868Q", " - scripts: kconfig: merge_config: config files: add a trailing newline", " - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3", " - drm/msm/adreno: Fix error return if missing firmware-name", " - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table", " - NFSv4: Fix clearing of layout segments in layoutreturn", " - NFS: Avoid unnecessary rescanning of the per-server delegation list", " - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses", " - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array", " - mptcp: pm: Fix uaf in __timer_delete_sync", " - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399", " Puma", " - minmax: reduce min/max macro expansion in atomisp driver", " - net: tighten bad gso csum offset check in virtio_net_hdr", " - mm: avoid leaving partial pfn mappings around in error case", " - fs/ntfs3: Use kvfree to free memory allocated by kvmalloc", " - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E", " - eeprom: digsy_mtc: Fix 93xx46 driver probe failure", " - selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected()", " - hwmon: (pmbus) Introduce and use write_byte_data callback", " - hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >=", " 1.2", " - ice: fix accounting for filters shared by multiple VSIs", " - igb: Always call igb_xdp_ring_update_tail() under Tx lock", " - net/mlx5e: Add missing link modes to ptys2ethtool_map", " - net/mlx5: Explicitly set scheduling element and TSAR type", " - net/mlx5: Add support to create match definer", " - net/mlx5: Add IFC bits and enums for flow meter", " - net/mlx5: Add missing masks and QoS bit masks for scheduling elements", " - fou: fix initialization of grc", " - octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush", " - octeontx2-af: Modify SMQ flush sequence to drop packets", " - net: ftgmac100: Enable TX interrupt to avoid TX timeout", " - netfilter: nft_socket: fix sk refcount leaks", " - net: dpaa: Pad packets to ETH_ZLEN", " - spi: nxp-fspi: fix the KASAN report out-of-bounds bug", " - dma-buf: heaps: Fix off-by-one in CMA heap fault handler", " - ASoC: meson: axg-card: fix 'use-after-free'", " - ASoC: allow module autoloading for table db1200_pids", " - ALSA: hda/realtek - Fixed ALC256 headphone no sound", " - ALSA: hda/realtek - FIxed ALC285 headphone no sound", " - scsi: lpfc: Fix overflow build issue", " - pinctrl: at91: make it work with current gpiolib", " - microblaze: don't treat zero reserved memory regions as error", " - net: ftgmac100: Ensure tx descriptor updates are visible", " - wifi: iwlwifi: lower message level for FW buffer destination", " - wifi: iwlwifi: mvm: fix iwl_mvm_scan_fits() calculation", " - wifi: iwlwifi: mvm: pause TCM when the firmware is stopped", " - wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead", " - wifi: iwlwifi: clear trans->state earlier upon error", " - ASoC: intel: fix module autoloading", " - ASoC: tda7419: fix module autoloading", " - spi: spidev: Add an entry for elgin,jg10309-01", " - drm: komeda: Fix an issue related to normalized zpos", " - spi: bcm63xx: Enable module autoloading", " - x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency", " - spi: spidev: Add missing spi_device_id for jg10309-01", " - ocfs2: add bounds checking to ocfs2_xattr_find_entry()", " - ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()", " - cgroup: Make operations on the cgroup root_list RCU safe", " - Revert \"wifi: cfg80211: check wiphy mutex is held for wdev mutex\"", " - gpio: prevent potential speculation leaks in gpio_device_get_desc()", " - gpiolib: cdev: Ignore reconfiguration without direction", " - cgroup: Move rcu_head up near the top of cgroup_root", " - USB: serial: pl2303: add device id for Macrosilicon MS3020", " - USB: usbtmc: prevent kernel-usb-infoleak", " - EDAC/synopsys: Add support for version 3 of the Synopsys EDAC DDR", " - EDAC/synopsys: Use the correct register to disable the error interrupt on v3", " hw", " - EDAC/synopsys: Re-enable the error interrupts on v3 hw", " - EDAC/synopsys: Fix ECC status and IRQ control race condition", " - EDAC/synopsys: Fix error injection on Zynq UltraScale+", " - wifi: rtw88: always wait for both firmware loading attempts", " - crypto: xor - fix template benchmarking", " - ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()", " - wifi: ath9k: fix parameter check in ath9k_init_debug()", " - wifi: ath9k: Remove error checks when creating debugfs entries", " - net: stmmac: dwmac-loongson: Init ref and PTP clocks rate", " - wifi: rtw88: remove CPT execution branch never used", " - fs: explicitly unregister per-superblock BDIs", " - mount: warn only once about timestamp range expiration", " - fs/namespace: fnic: Switch to use %ptTd", " - mount: handle OOM on mnt_warn_timestamp_expiry", " - wifi: iwlwifi: mvm: increase the time between ranging measurements", " - padata: Honor the caller's alignment in case of chunk_size 0", " - can: j1939: use correct function name in comment", " - ACPI: CPPC: Fix MASK_VAL() usage", " - netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire", " - netfilter: nf_tables: reject element expiration with no timeout", " - netfilter: nf_tables: reject expiration higher than timeout", " - netfilter: nf_tables: remove annotation to access set timeout while holding", " lock", " - cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately", " - x86/sgx: Fix deadlock in SGX NUMA node search", " - wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()", " - wifi: mt76: mt7915: fix rx filter setting for bfee functionality", " - wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors", " - wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()", " - wifi: wilc1000: fix potential RCU dereference issue in", " wilc_parse_join_bss_param", " - sock_map: Add a cond_resched() in sock_hash_free()", " - can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().", " - can: m_can: m_can_close(): stop clocks after device has been shut down", " - Bluetooth: btusb: Fix not handling ZPL/short-transfer", " - bareudp: Pull inner IP header in bareudp_udp_encap_recv().", " - net: geneve: support IPv4/IPv6 as inner protocol", " - geneve: Fix incorrect inner network header offset when innerprotoinherit is", " set", " - bareudp: Pull inner IP header on xmit.", " - net: enetc: Use IRQF_NO_AUTOEN flag in request_irq()", " - r8169: disable ALDPS per default for RTL8125", " - net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input", " - net: tipc: avoid possible garbage value", " - block, bfq: fix possible UAF for bfqq->bic with merge chain", " - block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()", " - block, bfq: don't break merge chain in bfq_split_bfqq()", " - block: print symbolic error name instead of error code", " - block: fix potential invalid pointer dereference in blk_add_partition", " - spi: ppc4xx: handle irq_of_parse_and_map() errors", " - spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ", " - arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes", " - ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks", " - ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property", " - ARM: versatile: fix OF node leak in CPUs prepare", " - reset: berlin: fix OF node leak in probe() error path", " - reset: k210: fix OF node leak in probe() error path", " - clocksource/drivers/qcom: Add missing iounmap() on errors in", " msm_dt_timer_init()", " - m68k: Fix kernel_clone_args.flags in m68k_clone()", " - hwmon: (max16065) Fix overflows seen when writing limits", " - i2c: Add i2c_get_match_data()", " - hwmon: (max16065) Remove use of i2c_match_id()", " - hwmon: (max16065) Fix alarm attributes", " - mtd: slram: insert break after errors in parsing the map", " - hwmon: (ntc_thermistor) fix module autoloading", " - power: supply: axp20x_battery: Remove design from min and max voltage", " - power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense", " - fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()", " - mtd: powernv: Add check devm_kasprintf() returned value", " - pmdomain: core: Harden inter-column space in debug summary", " - drm/stm: Fix an error handling path in stm_drm_platform_probe()", " - drm/amd/display: Add null check for set_output_gamma in", " dcn30_set_output_transfer_func", " - drm/amdgpu: Replace one-element array with flexible-array member", " - drm/amdgpu: properly handle vbios fake edid sizing", " - drm/radeon: Replace one-element array with flexible-array member", " - drm/radeon: properly handle vbios fake edid sizing", " - scsi: NCR5380: Add SCp members to struct NCR5380_cmd", " - scsi: NCR5380: Check for phase match during PDMA fixup", " - drm/rockchip: vop: Allow 4096px width scaling", " - drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode", " - drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets", " - drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid()", " - scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()", " - jfs: fix out-of-bounds in dbNextAG() and diAlloc()", " - drm/mediatek: Use spin_lock_irqsave() for CRTC event lock", " - powerpc/32: Remove the 'nobats' kernel parameter", " - powerpc/32: Remove 'noltlbs' kernel parameter", " - powerpc/8xx: Fix initial memory mapping", " - powerpc/8xx: Fix kernel vs user address comparison", " - drm/msm: Fix incorrect file name output in adreno_request_fw()", " - drm/msm/a5xx: disable preemption in submits by default", " - drm/msm/a5xx: properly clear preemption records on resume", " - drm/msm/a5xx: fix races in preemption evaluation stage", " - drm/msm: Drop priv->lastctx", " - drm/msm/a5xx: workaround early ring-buffer emptiness check", " - ipmi: docs: don't advertise deprecated sysfs entries", " - drm/msm: fix %s null argument error", " - drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind()", " - xen: use correct end address of kernel for conflict checking", " - xen/swiotlb: add alignment check for dma buffers", " - tpm: Clean up TPM space after command failure", " - selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c", " - selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl libc", " - selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c", " - selftests/bpf: Fix compiling kfree_skb.c with musl-libc", " - selftests/bpf: Fix compiling flow_dissector.c with musl-libc", " - selftests/bpf: Fix compiling tcp_rtt.c with musl-libc", " - selftests/bpf: Fix compiling core_reloc.c with musl-libc", " - selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc", " - selftests/bpf: Fix error compiling test_lru_map.c", " - selftests/bpf: Fix C++ compile error from missing _Bool type", " - xz: cleanup CRC32 edits from 2018", " - kthread: fix task state in kthread worker if being frozen", " - ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard", " - smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso", " - ext4: avoid buffer_head leak in ext4_mark_inode_used()", " - ext4: avoid potential buffer_head leak in __ext4_new_inode()", " - ext4: avoid negative min_clusters in find_group_orlov()", " - ext4: return error on ext4_find_inline_entry", " - ext4: avoid OOB when system.data xattr changes underneath the filesystem", " - nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()", " - nilfs2: determine empty node blocks as corrupted", " - nilfs2: fix potential oob read in nilfs_btree_check_delete()", " - bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit", " - perf mem: Free the allocated sort string, fixing a leak", " - perf sched timehist: Fix missing free of session in perf_sched__timehist()", " - perf sched timehist: Fixed timestamp error when unable to confirm event", " sched_in time", " - perf time-utils: Fix 32-bit nsec parsing", " - clk: imx: imx8mp: fix clock tree update of TF-A managed clocks", " - clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk", " - clk: imx: imx8qxp: Parent should be initialized earlier than the clock", " - remoteproc: imx_rproc: Correct ddr alias for i.MX8M", " - remoteproc: imx_rproc: Initialize workqueue earlier", " - clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228", " - Input: ilitek_ts_i2c - avoid wrong input subsystem sync", " - Input: ilitek_ts_i2c - add report id message validation", " - drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error", " - drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error", " - PCI: keystone: Fix if-statement expression in ks_pcie_quirk()", " - PCI: xilinx-nwl: Fix register misspelling", " - PCI: xilinx-nwl: Clean up clock on probe failure/removal", " - RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency", " - pinctrl: single: fix missing error code in pcs_probe()", " - RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer", " - RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds", " - clk: ti: dra7-atl: Fix leak of of_nodes", " - nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire", " - nfsd: fix refcount leak when file is unhashed after being found", " - pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource()", " - pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function", " - IB/core: Fix ib_cache_setup_one error flow cleanup", " - watchdog: imx_sc_wdt: Don't disable WDT in suspend", " - RDMA/hns: Don't modify rq next block addr in HIP09 QPC", " - RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range()", " - RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled", " - RDMA/hns: Remove unused abnormal interrupt of type RAS", " - RDMA/hns: Fix the wrong type of return value of the interrupt handler", " - RDMA/hns: Refactor the abnormal interrupt handler function", " - RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler", " - RDMA/hns: Optimize hem allocation performance", " - riscv: Fix fp alignment bug in perf_callchain_user()", " - RDMA/cxgb4: Added NULL check for lookup_atid", " - RDMA/irdma: fix error message in irdma_modify_qp_roce()", " - ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()", " - ntb_perf: Fix printk format", " - nfsd: call cache_put if xdr_reserve_space returns NULL", " - nfsd: return -EINVAL when namelen is 0", " - f2fs: fix typo", " - f2fs: fix to update i_ctime in __f2fs_setxattr()", " - f2fs: remove unneeded check condition in __f2fs_setxattr()", " - f2fs: reduce expensive checkpoint trigger frequency", " - f2fs: optimize error handling in redirty_blocks", " - f2fs: fix to wait page writeback before setting gcing flag", " - f2fs: introduce F2FS_IPU_HONOR_OPU_WRITE ipu policy", " - f2fs: clean up w/ dotdot_name", " - f2fs: get rid of online repaire on corrupted directory", " - spi: lpspi: Silence error message upon deferred probe", " - spi: lpspi: release requested DMA channels", " - spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time", " - iio: adc: ad7606: fix oversampling gpio array", " - iio: adc: ad7606: fix standby gpio state to match the documentation", " - coresight: tmc: sg: Do not leak sg_table", " - interconnect: qcom: sm8250: Enable sync_state", " - vdpa: Add eventfd for the vdpa callback", " - vhost_vdpa: assign irq bypass producer token correctly", " - Revert \"dm: requeue IO if mapping table not yet available\"", " - net: axienet: Clean up device used for DMA calls", " - net: axienet: Clean up DMA start/stop and error handling", " - net: axienet: don't set IRQ timer when IRQ delay not used", " - net: axienet: implement NAPI and GRO receive", " - net: axienet: reduce default RX interrupt threshold to 1", " - net: axienet: add coalesce timer ethtool configuration", " - net: axienet: Be more careful about updating tx_bd_tail", " - net: axienet: Use NAPI for TX completion path", " - net: axienet: Switch to 64-bit RX/TX statistics", " - net: xilinx: axienet: Fix packet counting", " - netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()", " - net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race", " Condition", " - net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL", " - tcp: check skb is non-NULL in tcp_rto_delta_us()", " - net: qrtr: Update packets cloning when broadcasting", " - bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()", " - netfilter: nf_tables: Keep deleted flowtable hooks until after RCU", " - netfilter: ctnetlink: compile ctnetlink_label_size with", " CONFIG_NF_CONNTRACK_EVENTS", " - drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination", " - Input: goodix - use the new soc_intel_is_byt() helper", " - powercap: RAPL: fix invalid initialization for pl4_supported field", " - x86/mm: Switch to new Intel CPU model defines", " - vfio/pci: fix potential memory leak in vfio_intx_enable()", " - selinux,smack: don't bypass permissions check in inode_setsecctx hook", " - Remove *.orig pattern from .gitignore", " - PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler", " - ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error", " - soc: versatile: integrator: fix OF node leak in probe() error path", " - Revert \"media: tuners: fix error return code of", " hybrid_tuner_request_state()\"", " - Input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table", " - Input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table", " - Input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line", " - drm/amd/display: Round calculated vtotal", " - drm/amd/display: Validate backlight caps are sane", " - scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages", " - scsi: mac_scsi: Refactor polling loop", " - scsi: mac_scsi: Disallow bus errors during PDMA send", " - usbnet: fix cyclical race on disconnect with work queue", " - USB: appledisplay: close race between probe and completion handler", " - USB: misc: cypress_cy7c63: check for short transfer", " - USB: class: CDC-ACM: fix race between get_serial and set_serial", " - usb: cdnsp: Fix incorrect usb_request status", " - usb: dwc2: drd: fix clock gating on USB role switch", " - bus: integrator-lm: fix OF node leak in probe()", " - firmware_loader: Block path traversal", " - tty: rp2: Fix reset with non forgiving PCIe host bridges", " - xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them.", " - crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure", " - drbd: Fix atomicity violation in drbd_uuid_set_bm()", " - drbd: Add NULL check for net_conf to prevent dereference in state validation", " - ACPI: sysfs: validate return type of _STR method", " - ACPI: resource: Add another DMI match for the TongFang GMxXGxx", " - efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption", " - perf/x86/intel/pt: Fix sampling synchronization", " - wifi: rtw88: 8822c: Fix reported RX band width", " - wifi: mt76: mt7615: check devm_kasprintf() returned value", " - debugobjects: Fix conditions in fill_pool()", " - f2fs: prevent possible int overflow in dir_block_index()", " - f2fs: avoid potential int overflow in sanity_check_area_boundary()", " - hwrng: mtk - Use devm_pm_runtime_enable", " - hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init", " - hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume", " - arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency", " - arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity", " - vfs: fix race between evice_inodes() and find_inode()&iput()", " - fs: Fix file_set_fowner LSM hook inconsistencies", " - nfs: fix memory leak in error path of nfs4_do_reclaim", " - EDAC/igen6: Fix conversion of system address to physical memory address", " - padata: use integer wrap around to prevent deadlock on seq_nr overflow", " - soc: versatile: realview: fix memory leak during device remove", " - soc: versatile: realview: fix soc_dev leak during device remove", " - usb: yurex: Replace snprintf() with the safer scnprintf() variant", " - USB: misc: yurex: fix race between read and write", " - xhci: fix event ring segment table related masks and variables in header", " - xhci: remove xhci_test_trb_in_td_math early development check", " - xhci: Refactor interrupter code for initial multi interrupter support.", " - xhci: Preserve RsvdP bits in ERSTBA register correctly", " - xhci: Add a quirk for writing ERST in high-low order", " - usb: xhci: fix loss of data on Cadence xHC", " - pps: remove usage of the deprecated ida_simple_xx() API", " - pps: add an error check in parport_attach", " - x86/idtentry: Incorporate definitions/declarations of the FRED entries", " - x86/entry: Remove unwanted instrumentation in common_interrupt()", " - bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0", " - lockdep: fix deadlock issue between lockdep and rcu", " - mm: only enforce minimum stack gap size if it's sensible", " - i2c: aspeed: Update the stop sw state when the bus recovery occurs", " - i2c: isch: Add missed 'else'", " - usb: yurex: Fix inconsistent locking bug in yurex_read()", " - spi: lpspi: Simplify some error message", " - static_call: Handle module init failure correctly in", " static_call_del_module()", " - static_call: Replace pointless WARN_ON() in static_call_module_notify()", " - mailbox: rockchip: fix a typo in module autoloading", " - mailbox: bcm2835: Fix timeout during suspend mode", " - ceph: remove the incorrect Fw reference check when dirtying pages", " - ieee802154: Fix build error", " - net/mlx5: Fix error path in multi-packet WQE transmit", " - net/mlx5: Added cond_resched() to crdump collection", " - net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()", " - netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED", " - net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()", " - netfilter: nf_tables: prevent nf_skb_duplicated corruption", " - Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()", " - net: ethernet: lantiq_etop: fix memory disclosure", " - net: avoid potential underflow in qdisc_pkt_len_init() with UFO", " - net: add more sanity checks to qdisc_pkt_len_init()", " - stmmac_pci: Fix underflow size in stmmac_rx", " - net: stmmac: Disable automatic FCS/Pad stripping", " - net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check", " - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit", " - ppp: do not assume bh is held in ppp_channel_bridge_input()", " - sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start", " - i2c: xiic: Fix broken locking on tx_msg", " - i2c: xiic: Switch from waitqueue to completion", " - i2c: xiic: Fix RX IRQ busy check", " - i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path", " - i2c: xiic: improve error message when transfer fails to start", " - i2c: xiic: Try re-initialization on bus busy timeout", " - media: usbtv: Remove useless locks in usbtv_video_free()", " - ALSA: mixer_oss: Remove some incorrect kfree_const() usages", " - ALSA: hda/realtek: Fix the push button function for the ALC257", " - ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs", " - ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m", " - ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin", " - f2fs: Require FMODE_WRITE for atomic write ioctls", " - wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()", " - wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit", " - ice: Adjust over allocation of memory in ice_sched_add_root_node() and", " ice_sched_add_node()", " - net/xen-netback: prevent UAF in xenvif_flush_hash()", " - net: hisilicon: hip04: fix OF node leak in probe()", " - net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info()", " - net: hisilicon: hns_mdio: fix OF node leak in probe()", " - ACPI: PAD: fix crash in exit_round_robin()", " - ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails", " - ACPICA: Fix memory leak if acpi_ps_get_next_field() fails", " - net: sched: consistently use rcu_replace_pointer() in taprio_change()", " - blk_iocost: fix more out of bound shifts", " - nvme-pci: qdepth 1 quirk", " - wifi: ath11k: fix array out-of-bound access in SoC stats", " - wifi: rtw88: select WANT_DEV_COREDUMP", " - ACPI: EC: Do not release locks during operation region accesses", " - ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in", " acpi_db_convert_to_package()", " - tipc: guard against string buffer overrun", " - net: mvpp2: Increase size of queue_name buffer", " - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR).", " - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family", " - net: atlantic: Avoid warning about potential string truncation", " - tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process", " - ACPICA: iasl: handle empty connection_node", " - proc: add config & param to block forcing mem writes", " - [Config] updateconfigs to select PROC_MEM_ALWAYS_FORCE", " - wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker", " - wifi: mwifiex: Fix memcpy() field-spanning write warning in", " mwifiex_cmd_802_11_scan_ext()", " - nfp: Use IRQF_NO_AUTOEN flag in request_irq()", " - signal: Replace BUG_ON()s", " - ALSA: usb-audio: Add input value sanity checks for standard types", " - x86/ioapic: Handle allocation failures gracefully", " - ALSA: usb-audio: Define macros for quirk table entries", " - ALSA: usb-audio: Add logitech Audio profile quirk", " - tools/x86/kcpuid: Protect against faulty \"max subleaf\" values", " - ALSA: asihpi: Fix potential OOB array access", " - ALSA: hdsp: Break infinite MIDI input flush loop", " - x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments()", " - fbdev: pxafb: Fix possible use after free in pxafb_task()", " - rcuscale: Provide clear error when async specified without primitives", " - iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux", " - power: reset: brcmstb: Do not go into infinite loop if reset fails", " - iommu/vt-d: Always reserve a domain ID for identity setup", " - iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count", " - drm/amd/display: Add null check for top_pipe_to_program in", " commit_planes_for_stream", " - ata: sata_sil: Rename sil_blacklist to sil_quirks", " - drm/amd/display: Check null pointers before using dc->clk_mgr", " - jfs: UBSAN: shift-out-of-bounds in dbFindBits", " - jfs: Fix uaf in dbFreeBits", " - jfs: check if leafidx greater than num leaves per dmap tree", " - scsi: smartpqi: correct stream detection", " - jfs: Fix uninit-value access of new_ea in ea_buffer", " - drm/amdgpu: add raven1 gfxoff quirk", " - drm/amdgpu: enable gfxoff quirk on HP 705G4", " - HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio", " - platform/x86: touchscreen_dmi: add nanote-next quirk", " - drm/amd/display: Check stream before comparing them", " - drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format", " translation", " - drm/amd/display: Fix index out of bounds in degamma hardware format", " translation", " - drm/amd/display: Fix index out of bounds in DCN30 color transformation", " - drm/amd/display: Initialize get_bytes_per_element's default to 1", " - drm/printer: Allow NULL data in devcoredump printer", " - scsi: aacraid: Rearrange order of struct aac_srb_unit", " - drm/radeon/r100: Handle unknown family in r100_cp_init_microcode()", " - drm/amd/pm: ensure the fw_info is not null before using it", " - of/irq: Refer to actual buffer size in of_irq_parse_one()", " - ext4: ext4_search_dir should return a proper error", " - ext4: avoid use-after-free in ext4_ext_show_leaf()", " - ext4: fix i_data_sem unlock order in ext4_ind_migrate()", " - blk-integrity: use sysfs_emit", " - blk-integrity: convert to struct device_attribute", " - blk-integrity: register sysfs attributes on struct device", " - usb: typec: tcpm: Check for port partner validity before consuming it", " - spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled", " - spi: s3c64xx: fix timeout counters in flush_fifo", " - selftests: breakpoints: use remaining time to check if suspend succeed", " - selftests: vDSO: fix vDSO name for powerpc", " - selftests: vDSO: fix vdso_config for powerpc", " - selftests: vDSO: fix vDSO symbols lookup for powerpc64", " - selftests/mm: fix charge_reserved_hugetlb.sh test", " - selftests: vDSO: fix ELF hash table entry size for s390x", " - selftests: vDSO: fix vdso_config for s390", " - platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug", " - i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume", " - i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq()", " - i2c: xiic: Wait for TX empty to avoid missed TX NAKs", " - firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp()", " - spi: bcm63xx: Fix module autoloading", " - power: supply: hwmon: Fix missing temp1_max_alarm attribute", " - perf/core: Fix small negative period being ignored", " - parisc: Fix itlb miss handler for 64-bit programs", " - drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS", " - ALSA: core: add isascii() check to card ID generator", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET", " - ALSA: usb-audio: Add native DSD support for Luxman D-08u", " - ALSA: line6: add hw monitor volume control to POD HD500X", " - ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9", " - ext4: no need to continue when the number of entries is 1", " - ext4: correct encrypted dentry name hash when not casefolded", " - ext4: fix slab-use-after-free in ext4_split_extent_at()", " - ext4: propagate errors from ext4_find_extent() in ext4_insert_range()", " - ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space()", " - ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free", " - ext4: aovid use-after-free in ext4_ext_insert_extent()", " - ext4: fix double brelse() the buffer of the extents path", " - ext4: update orig_path in ext4_find_extent()", " - ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit()", " - ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list()", " - ext4: fix fast commit inode enqueueing during a full journal commit", " - ext4: use handle to mark fc as ineligible in __track_dentry_update()", " - ext4: mark fc as ineligible using an handle in ext4_xattr_set()", " - riscv: define ILLEGAL_POINTER_VALUE for 64bit", " - exfat: fix memory leak in exfat_load_bitmap()", " - perf hist: Update hist symbol when updating maps", " - nfsd: fix delegation_blocked() to block correctly for at least 30 seconds", " - nfsd: map the EBADMSG to nfserr_io to avoid warning", " - NFSD: Fix NFSv4's PUTPUBFH operation", " - aoe: fix the potential use-after-free problem in more places", " - clk: rockchip: fix error for unknown clocks", " - clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks", " - media: sun4i_csi: Implement link validate for sun4i_csi subdev", " - media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags", " - clk: qcom: clk-rpmh: Fix overflow in BCM vote", " - clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src", " - media: venus: fix use after free bug in venus_remove due to race condition", " - clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable()", " - clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table", " - iio: magnetometer: ak8975: Fix reading for ak099xx sensors", " - tomoyo: fallback to realpath if symlink's pathname does not exist", " - net: stmmac: Fix zero-division error when disabling tc cbs", " - rtc: at91sam9: fix OF node leak in probe() error path", " - Input: adp5589-keys - fix NULL pointer dereference", " - Input: adp5589-keys - fix adp5589_gpio_get_value()", " - ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[]", " - ACPI: resource: Add Asus ExpertBook B2502CVA to", " irq1_level_low_skip_override[]", " - btrfs: fix a NULL pointer dereference when failed to start a new trasacntion", " - btrfs: wait for fixup workers before stopping cleaner kthread during umount", " - gpio: davinci: fix lazy disable", " - tracing/hwlat: Fix a race during cpuhp processing", " - tracing/timerlat: Fix a race during cpuhp processing", " - close_range(): fix the logics in descriptor table trimming", " - drm/sched: Add locking to drm_sched_entity_modify_sched", " - drm/amd/display: Fix system hang while resume with TBT monitor", " - kconfig: qconf: fix buffer overflow in debug links", " - device property: Add fwnode_iomap()", " - device property: Add fwnode_irq_get_byname", " - i2c: smbus: Use device_*() functions instead of of_*()", " - i2c: create debugfs entry per adapter", " - i2c: core: Lock address during client device instantiation", " - i2c: xiic: Use devm_clk_get_enabled()", " - i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled", " - spi: bcm63xx: Fix missing pm_runtime_disable()", " - ext4: properly sync file size update after O_SYNC direct IO", " - ext4: dax: fix overflowing extents beyond inode size when partially writing", " - arm64: Add Cortex-715 CPU part definition", " - arm64: cputype: Add Neoverse-N3 definitions", " - arm64: errata: Expand speculative SSBS workaround once more", " - uprobes: fix kernel info leak via \"[uprobes]\" vma", " - drm/amd/display: Allow backlight to go below", " `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT`", " - build-id: require program headers to be right after ELF header", " - lib/buildid: harden build ID parsing logic", " - drm/rockchip: define gamma registers for RK3399", " - drm/rockchip: support gamma control on RK3399", " - drm/rockchip: vop: clear DMA stop bit on RK3066", " - media: i2c: imx335: Enable regulator supplies", " - media: imx335: Fix reset-gpio handling", " - dt-bindings: clock: qcom: Add missing UFS QREF clocks", " - dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x", " - r8169: Fix spelling mistake: \"tx_underun\" -> \"tx_underrun\"", " - r8169: add tally counter fields added with RTL8125", " - clk: qcom: gcc-sc8180x: Add GPLL9 support", " - ACPI: battery: Simplify battery hook locking", " - ACPI: battery: Fix possible crash when unregistering a battery hook", " - Revert \"arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of", " bindings\"", " - ext4: fix inode tree inconsistency caused by ENOMEM", " - 9p: add missing locking around taking dentry fid list", " - vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()", " - perf report: Fix segfault when 'sym' sort key is not used", " - ALSA: usb-audio: Fix possible NULL pointer dereference in", " snd_usb_pcm_has_fixed_rate()", " - unicode: Don't special case ignorable code points", " - net: ethernet: cortina: Drop TSO support", " - tracing: Remove precision vsnprintf() check from print event", " - drm/crtc: fix uninitialized variable use even harder", " - tracing: Have saved_cmdlines arrays all in one allocation", " - selftests/net: give more time to udpgro bg processes to complete startup", " - selftests/net: synchronize udpgro tests' tx and rx connection", " - selftests: net: Remove executable bits from library scripts", " - fs/ntfs3: Refactor enum_rstbl to suppress static checker", " - virtio_console: fix misc probe bugs", " - Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal", " - bpf: Check percpu map value size first", " - s390/facility: Disable compile time optimization for decompressor code", " - s390/mm: Add cond_resched() to cmm_alloc/free_pages()", " - bpf, x64: Fix a jit convergence issue", " - ext4: don't set SB_RDONLY after filesystem errors", " - ext4: nested locking for xattr inode", " - s390/cpum_sf: Remove WARN_ON_ONCE statements", " - ktest.pl: Avoid false positives with grub2 skip regex", " - RDMA/mad: Improve handling of timed out WRs of mad agent", " - PCI: Add function 0 DMA alias quirk for Glenfly Arise chip", " - RDMA/rtrs-srv: Avoid null pointer deref during path establishment", " - clk: bcm: bcm53573: fix OF node leak in init", " - PCI: Add ACS quirk for Qualcomm SA8775P", " - i2c: i801: Use a different adapter-name for IDF adapters", " - PCI: Mark Creative Labs EMU20k2 INTx masking as broken", " - ntb: ntb_hw_switchtec: Fix use after free vulnerability in", " switchtec_ntb_remove due to race condition", " - media: videobuf2-core: clear memory related fields in", " __vb2_plane_dmabuf_put()", " - remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table", " - clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D", " - usb: chipidea: udc: enable suspend interrupt after usb reset", " - usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the", " Crashkernel Scenario", " - comedi: ni_routing: tools: Check when the file could not be opened", " - virtio_pmem: Check device status before requesting flush", " - tools/iio: Add memory allocation failure check for trigger_name", " - driver core: bus: Return -EIO instead of 0 when show/store invalid bus", " attribute", " - drm/amd/display: Check null pointer before dereferencing se", " - fbdev: sisfb: Fix strbuf array overflow", " - RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt", " - NFSD: Mark filecache \"down\" if init fails", " - ice: fix VLAN replay after reset", " - SUNRPC: Fix integer overflow in decode_rc_list()", " - NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()", " - net: phy: dp83869: fix memory corruption when enabling fiber", " - tcp: fix to allow timestamp undo if no retransmits were sent", " - tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe", " - netfilter: br_netfilter: fix panic with metadata_dst skb", " - Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change", " - net: phy: bcm84881: Fix some error handling paths", " - thermal: int340x: processor_thermal: Set feature mask before", " proc_thermal_add", " - thermal: intel: int340x: processor: Fix warning during module unload", " - net: dsa: b53: fix jumbo frame mtu check", " - net: dsa: b53: fix max MTU for 1g switches", " - net: dsa: b53: fix max MTU for BCM5325/BCM5365", " - net: dsa: b53: allow lower MTUs on BCM5325/5365", " - net: dsa: b53: fix jumbo frames on 10/100 ports", " - gpio: aspeed: Add the flush write to ensure the write complete.", " - gpio: aspeed: Use devm_clk api to manage clock source", " - ice: Fix netif_is_ice() in Safe Mode", " - i40e: Fix macvlan leak by synchronizing access to mac_filter_hash", " - igb: Do not bring the device up after non-fatal error", " - net/sched: accept TCA_STAB only for root qdisc", " - net: ibm: emac: mal: fix wrong goto", " - sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start", " - netfilter: xtables: avoid NFPROTO_UNSPEC where needed", " - net: Add l3mdev index to flow struct and avoid oif reset for port devices", " - netfilter: rpfilter/fib: Populate flowic_l3mdev field", " - netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.", " - netfilter: fib: check correct rtable in vrf setups", " - net: rtnetlink: add msg kind names", " - rtnetlink: Add bulk registration helpers for rtnetlink message handlers.", " - mctp: Handle error of rtnl_register_module().", " - ppp: fix ppp_async_encode() illegal access", " - slip: make slhc_remember() more robust against malicious packets", " - RDMA/hns: Fix UAF for cq async event", " - x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported", " - hwmon: (tmp513) Add missing dependency on REGMAP_I2C", " - hwmon: (adm9240) Add missing dependency on REGMAP_I2C", " - hwmon: (adt7470) Add missing dependency on REGMAP_I2C", " - HID: amd_sfh: Switch to device-managed dmam_alloc_coherent()", " - resource: fix region_intersects() vs add_memory_driver_managed()", " - HID: plantronics: Workaround for an unexcepted opposite volume key", " - Revert \"usb: yurex: Replace snprintf() with the safer scnprintf() variant\"", " - usb: dwc3: core: Stop processing of pending events if controller is halted", " - usb: xhci: Fix problem with xhci resume from suspend", " - usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip", " - hid: intel-ish-hid: Fix uninitialized variable 'rv' in", " ish_fw_xfer_direct_dma", " - drm/v3d: Stop the active perfmon before being destroyed", " - net: explicitly clear the sk pointer, when pf->create fails", " - net: Fix an unsafe loop on the list", " - net: dsa: lan9303: ensure chip reset and wait for READY status", " - mptcp: pm: do not remove closing subflows", " - nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error", " - kthread: unpark only parked kthread", " - block, bfq: fix uaf for accessing waker_bfqq after splitting", " - i2c: smbus: Check for parent device before dereference", " - net: geneve: add missing netlink policy and size for", " IFLA_GENEVE_INNER_PROTO_INHERIT", " - xfrm: Pass flowi_oif or l3mdev as oif to xfrm_dst_lookup", " - net: Handle l3mdev in ip_tunnel_init_flow", " - net: seg6: fix seg6_lookup_any_nexthop() to handle VRFs using flowi_l3mdev", " - net: vrf: determine the dst using the original ifindex for multicast", " - netfilter: ip6t_rpfilter: Fix regression with VRF interfaces", " - ext4: fix warning in ext4_dio_write_end_io()", " - net: axienet: start napi before enabling Rx/Tx", " - selftests: net: more strict check in net_helper", " - net: xilinx: axienet: Schedule NAPI in two steps", " - Linux 5.15.168", " * CVE-2024-36968", " - Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()", " * CVE-2024-35904", " - selinux: avoid dereference of garbage after mount failure", " * IOMMU warnings on AMD systems after booting into kdump kernel", " (LP: #2080378)", " - iommu/amd: Simplify and Consolidate Virtual APIC (AVIC) Enablement", " - iommu/amd: Fix compile warning in init code", " * CVE-2024-42156", " - s390/pkey: Wipe copies of clear-key structures on failure", " * CVE-2024-44942", " - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC", " * CVE-2024-38538", " - net: bridge: xmit: make sure we have at least eth header len bytes", " * CVE-2024-42158", " - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings", " * CVE-2024-38667", " - riscv: prevent pt_regs corruption for secondary idle threads", " * CVE-2024-44940", " - fou: remove warn in gue_gro_receive on unsupported protocol", " * CVE-2024-42079", " - gfs2: Fix NULL pointer dereference in gfs2_log_flush", " * CVE-2024-35951", " - drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()", " * LXD fan bridge causes blocked tasks (LP: #2064176)", " - SAUCE: fan: release rcu_read_lock on skb discard path", " * CVE-2023-52532", " - net: mana: Fix TX CQE error handling", " * CVE-2023-52621", " - bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers", " * CVE-2024-26947", " - ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses", " * CVE-2023-52639", " - KVM: s390: vsie: fix race during shadow creation", "", " [ Ubuntu: 5.15.0-126.136 ]", "", " * jammy/linux: 5.15.0-126.136 -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", " * Cannot detect audio sinks and sources in proposed kernel (LP: #2085082)", " - soundwire: stream: Revert \"soundwire: stream: fix programming slave ports", " for non-continous port maps\"", "" ], "package": "linux-kvm", "version": "5.15.0-1070.75", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086343, 1786013, 2086357, 2086242, 2080378, 2064176, 2086027, 2085082 ], "author": "Koichiro Den ", "date": "Wed, 13 Nov 2024 13:30:09 +0900" } ], "notes": "linux-modules-5.15.0-1070-kvm version '5.15.0-1070.75' (source package linux-kvm version '5.15.0-1070.75') was added. linux-modules-5.15.0-1070-kvm version '5.15.0-1070.75' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1069-kvm. As such we can use the source package version of the removed package, '5.15.0-1069.74', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-1069-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1069.74", "version": "5.15.0-1069.74" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.15.0-1069-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1069.74", "version": "5.15.0-1069.74" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-kvm-headers-5.15.0-1069", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1069.74", "version": "5.15.0-1069.74" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.15.0-1069-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1069.74", "version": "5.15.0-1069.74" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20241205 to 20241216", "from_series": "jammy", "to_series": "jammy", "from_serial": "20241205", "to_serial": "20241216", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }