{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.4.0-189", "linux-headers-5.4.0-189-generic", "linux-image-5.4.0-189-generic", "linux-modules-5.4.0-189-generic" ], "removed": [ "linux-headers-5.4.0-187", "linux-headers-5.4.0-187-generic", "linux-image-5.4.0-187-generic", "linux-modules-5.4.0-187-generic" ], "diff": [ "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual" ] } }, "diff": { "deb": [ { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.187.185", "version": "5.4.0.187.185" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.189.187", "version": "5.4.0.189.187" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-189", "" ], "package": "linux-meta", "version": "5.4.0.189.187", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 07 Jun 2024 15:46:40 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.187.185", "version": "5.4.0.187.185" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.189.187", "version": "5.4.0.189.187" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-189", "" ], "package": "linux-meta", "version": "5.4.0.189.187", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 07 Jun 2024 15:46:40 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.187.185", "version": "5.4.0.187.185" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.189.187", "version": "5.4.0.189.187" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-189", "" ], "package": "linux-meta", "version": "5.4.0.189.187", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 07 Jun 2024 15:46:40 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.187.185", "version": "5.4.0.187.185" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.189.187", "version": "5.4.0.189.187" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-189", "" ], "package": "linux-meta", "version": "5.4.0.189.187", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 07 Jun 2024 15:46:40 +0200" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.4.0-189", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-189.209", "version": "5.4.0-189.209" }, "cves": [ { "cve": "CVE-2024-26586", "url": "https://ubuntu.com/security/CVE-2024-26586", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26828", "url": "https://ubuntu.com/security/CVE-2024-26828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that \"bytes_left\" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.", "cve_priority": "high", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "launchpad_bugs_fixed": [ 2068454, 2067865, 2067857, 2064561, 2064555 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26586", "url": "https://ubuntu.com/security/CVE-2024-26586", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26828", "url": "https://ubuntu.com/security/CVE-2024-26828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that \"bytes_left\" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.", "cve_priority": "high", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "log": [ "", " * focal/linux: 5.4.0-189.209 -proposed tracker (LP: #2068454)", "", " * Focal update: v5.4.275 upstream stable release (LP: #2067865)", " - batman-adv: Avoid infinite loop trying to resize local TT", " - Bluetooth: Fix memory leak in hci_req_sync_complete()", " - nouveau: fix function cast warning", " - net: openvswitch: fix unwanted error log on timeout policy probing", " - u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file", " - geneve: fix header validation in geneve[6]_xmit_skb", " - ipv6: fib: hide unused 'pn' variable", " - ipv4/route: avoid unused-but-set-variable warning", " - ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr", " - net/mlx5: Properly link new fs rules into the tree", " - net: ena: Fix potential sign extension issue", " - btrfs: qgroup: correctly model root qgroup rsv in convert", " - drm/client: Fully protect modes[] with dev->mode_config.mutex", " - vhost: Add smp_rmb() in vhost_vq_avail_empty()", " - selftests: timers: Fix abs() warning in posix_timers test", " - x86/apic: Force native_apic_mem_read() to use the MOV instruction", " - btrfs: record delayed inode root in transaction", " - selftests/ftrace: Limit length in subsystem-enable tests", " - kprobes: Fix possible use-after-free issue on kprobe registration", " - Revert \"tracing/trigger: Fix to return error if failed to alloc snapshot\"", " - netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()", " - tun: limit printing rate when illegal packet received by tun dev", " - RDMA/rxe: Fix the problem \"mutex_destroy missing\"", " - RDMA/mlx5: Fix port number for counter query in multi-port configuration", " - drm: nv04: Fix out of bounds access", " - clk: Remove prepare_lock hold assertion in __clk_release()", " - clk: Mark 'all_lists' as const", " - clk: remove extra empty line", " - clk: Print an info line before disabling unused clocks", " - clk: Initialize struct clk_core kref earlier", " - clk: Get runtime PM before walking tree during disable_unused", " - x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ", " - comedi: vmk80xx: fix incomplete endpoint checking", " - serial/pmac_zilog: Remove flawed mitigation for rx irq flood", " - USB: serial: option: add Fibocom FM135-GL variants", " - USB: serial: option: add support for Fibocom FM650/FG650", " - USB: serial: option: add Lonsung U8300/U9300 product", " - USB: serial: option: support Quectel EM060K sub-models", " - USB: serial: option: add Rolling RW101-GL and RW135-GL support", " - USB: serial: option: add Telit FN920C04 rmnet compositions", " - usb: dwc2: host: Fix dereference issue in DDMA completion flow.", " - speakup: Avoid crash on very long word", " - fs: sysfs: Fix reference leak in sysfs_break_active_protection()", " - nouveau: fix instmem race condition around ptr stores", " - nilfs2: fix OOB in nilfs_set_de_type", " - KVM: async_pf: Cleanup kvm_setup_async_pf()", " - arm64: dts: rockchip: fix alphabetical ordering RK3399 puma", " - arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma", " - arm64: dts: mediatek: mt7622: fix IR nodename", " - arm64: dts: mediatek: mt7622: fix ethernet controller \"compatible\"", " - arm64: dts: mediatek: mt7622: drop \"reset-names\" from thermal block", " - arm64: dts: mt2712: add ethernet device node", " - arm64: dts: mediatek: mt2712: fix validation errors", " - ARC: [plat-hsdk]: Remove misplaced interrupt-cells property", " - vxlan: drop packets from invalid src-address", " - mlxsw: core: Unregister EMAD trap using FORWARD action", " - NFC: trf7970a: disable all regulators on removal", " - net: usb: ax88179_178a: stop lying about skb->truesize", " - net: gtp: Fix Use-After-Free in gtp_dellink", " - ipvs: Fix checksumming on GSO of SCTP packets", " - net: openvswitch: Fix Use-After-Free in ovs_ct_exit", " - mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work", " - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update", " - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash", " - mlxsw: spectrum_acl_tcam: Rate limit error message", " - mlxsw: spectrum_acl_tcam: Fix memory leak during rehash", " - mlxsw: spectrum_acl_tcam: Fix warning during rehash", " - mlxsw: spectrum_acl_tcam: Fix incorrect list API usage", " - mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", " - i40e: Do not use WQ_MEM_RECLAIM flag for workqueue", " - iavf: Fix TC config comparison with existing adapter TC config", " - af_unix: Suppress false-positive lockdep splat for spin_lock() in", " __unix_gc().", " - serial: core: Provide port lock wrappers", " - serial: mxs-auart: add spinlock around changing cts state", " - Revert \"crypto: api - Disallow identical driver names\"", " - net/mlx5e: Fix a race in command alloc flow", " - tracing: Show size of requested perf buffer", " - tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker", " together", " - Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853", " - btrfs: fix information leak in btrfs_ioctl_logical_to_ino()", " - arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma", " - drm/amdgpu: Fix leak when GPU memory allocation fails", " - irqchip/gic-v3-its: Prevent double free on error", " - ethernet: Add helper for assigning packet type when dest address does not", " match device address", " - net: b44: set pause params only when interface is up", " - stackdepot: respect __GFP_NOLOCKDEP allocation flag", " - mtd: diskonchip: work around ubsan link failure", " - tcp: Clean up kernel listener's reqsk in inet_twsk_purge()", " - tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()", " - dmaengine: owl: fix register access functions", " - idma64: Don't try to serve interrupts when device is powered off", " - i2c: smbus: fix NULL function pointer dereference", " - HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up", " - bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS", " - udp: preserve the connected status if only UDP cmsg", " - serial: core: fix kernel-doc for uart_port_unlock_irqrestore()", " - Linux 5.4.275", "", " * Focal update: v5.4.274 upstream stable release (LP: #2067857)", " - amdkfd: use calloc instead of kzalloc to avoid integer overflow", " - Documentation/hw-vuln: Update spectre doc", " - x86/cpu: Support AMD Automatic IBRS", " - x86/bugs: Use sysfs_emit()", " - timers: Update kernel-doc for various functions", " - timers: Use del_timer_sync() even on UP", " - timers: Rename del_timer_sync() to timer_delete_sync()", " - media: staging: ipu3-imgu: Set fields before media_entity_pads_init()", " - clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd", " - smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()", " - smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()", " - ARM: dts: mmp2-brownstone: Don't redeclare phandle references", " - arm: dts: marvell: Fix maxium->maxim typo in brownstone dts", " - serial: max310x: fix NULL pointer dereference in I2C instantiation", " - KVM: Always flush async #PF workqueue when vCPU is being destroyed", " - sparc64: NMI watchdog: fix return value of __setup handler", " - sparc: vDSO: fix return value of __setup handler", " - crypto: qat - fix double free during reset", " - crypto: qat - resolve race condition during AER recovery", " - selftests/mqueue: Set timeout to 180 seconds", " - ext4: correct best extent lstart adjustment logic", " - fat: fix uninitialized field in nostale filehandles", " - ubifs: Set page uptodate in the correct place", " - ubi: Check for too small LEB size in VTBL code", " - ubi: correct the calculation of fastmap size", " - mtd: rawnand: meson: fix scrambling mode value in command macro", " - parisc: Do not hardcode registers in checksum functions", " - parisc: Fix ip_fast_csum", " - parisc: Fix csum_ipv6_magic on 32-bit systems", " - parisc: Fix csum_ipv6_magic on 64-bit systems", " - parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds", " - PM: suspend: Set mem_sleep_current during kernel command line setup", " - clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays", " - clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays", " - clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays", " - powerpc/fsl: Fix mfpmr build errors with newer binutils", " - USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB", " - USB: serial: add device ID for VeriFone adapter", " - USB: serial: cp210x: add ID for MGP Instruments PDS100", " - USB: serial: option: add MeiG Smart SLM320 product", " - USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M", " - PM: sleep: wakeirq: fix wake irq warning in system suspend", " - mmc: tmio: avoid concurrent runs of mmc_request_done()", " - fuse: don't unhash root", " - btrfs: fix off-by-one chunk length calculation at contains_pending_extent()", " - PCI: Drop pci_device_remove() test of pci_dev->driver", " - PCI/PM: Drain runtime-idle callbacks before driver removal", " - Revert \"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\"", " - dm-raid: fix lockdep waring in \"pers->hot_add_disk\"", " - mmc: core: Fix switch on gp3 partition", " - hwmon: (amc6821) add of_match table", " - ext4: fix corruption during on-line resize", " - firmware: meson_sm: Rework driver as a proper platform driver", " - nvmem: meson-efuse: fix function pointer type mismatch", " - slimbus: core: Remove usage of the deprecated ida_simple_xx() API", " - speakup: Fix 8bit characters from direct synth", " - kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1", " - vfio/platform: Disable virqfds on cleanup", " - ring-buffer: Fix resetting of shortest_full", " - ring-buffer: Fix full_waiters_pending in poll", " - soc: fsl: qbman: Always disable interrupts when taking cgr_lock", " - soc: fsl: qbman: Add helper for sanity checking cgr ops", " - soc: fsl: qbman: Add CGR update function", " - soc: fsl: qbman: Use raw spinlock for cgr_lock", " - s390/zcrypt: fix reference counting on zcrypt card objects", " - drm/exynos: do not return negative values from .get_modes()", " - drm/imx/ipuv3: do not return negative values from .get_modes()", " - drm/vc4: hdmi: do not return negative values from .get_modes()", " - memtest: use {READ,WRITE}_ONCE in memory scanning", " - nilfs2: fix failure to detect DAT corruption in btree and direct mappings", " - nilfs2: use a more common logging style", " - nilfs2: prevent kernel bug at submit_bh_wbc()", " - x86/CPU/AMD: Update the Zenbleed microcode revisions", " - ahci: asm1064: correct count of reported ports", " - ahci: asm1064: asm1166: don't limit reported ports", " - dm snapshot: fix lockup in dm_exception_table_exit", " - comedi: comedi_test: Prevent timers rescheduling during deletion", " - netfilter: nf_tables: reject constant set with timeout", " - xfrm: Avoid clang fortify warning in copy_to_user_tmpl()", " - ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897", " platform", " - USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command", " - usb: gadget: ncm: Fix handling of zero block length packets", " - usb: port: Don't try to peer unused USB ports based on location", " - tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled", " - vt: fix unicode buffer corruption when deleting characters", " - fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion", " - objtool: is_fentry_call() crashes if call has no destination", " - objtool: Add support for intra-function calls", " - x86/speculation: Support intra-function call validation", " - xen/events: close evtchn after mapping cleanup", " - printk: Update @console_may_schedule in console_trylock_spinning()", " - btrfs: allocate btrfs_ioctl_defrag_range_args on stack", " - Revert \"loop: Check for overflow while configuring loop\"", " - loop: Call loop_config_discard() only after new config is applied", " - loop: Remove sector_t truncation checks", " - loop: Factor out setting loop device size", " - loop: Refactor loop_set_status() size calculation", " - loop: Factor out configuring loop from status", " - loop: Check for overflow while configuring loop", " - loop: loop_set_status_from_info() check before assignment", " - perf/core: Fix reentry problem in perf_output_read_group()", " - efivarfs: Request at most 512 bytes for variable names", " - powerpc: xor_vmx: Add '-mhard-float' to CFLAGS", " - bounds: support non-power-of-two CONFIG_NR_CPUS", " - vt: fix memory overlapping when deleting chars in the buffer", " - mm/memory-failure: fix an incorrect use of tail pages", " - mm/migrate: set swap entry values of THP tail pages properly.", " - wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes", " - exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()", " - mmc: core: Initialize mmc_blk_ioc_data", " - mmc: core: Avoid negative index with array access", " - ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs", " - scsi: core: Fix unremoved procfs host directory regression", " - usb: dwc2: host: Fix remote wakeup from hibernation", " - usb: dwc2: host: Fix hibernation flow", " - usb: dwc2: host: Fix ISOC flow in DDMA mode", " - usb: dwc2: gadget: LPM flow fix", " - usb: udc: remove warning when queue disabled ep", " - scsi: qla2xxx: Fix command flush on cable pull", " - x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled", " - scsi: lpfc: Correct size for wqe for memset()", " - USB: core: Fix deadlock in usb_deauthorize_interface()", " - nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet", " - ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa()", " - tcp: properly terminate timers for kernel sockets", " - dm integrity: fix out-of-range warning", " - r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d", " - Bluetooth: hci_event: set the conn encrypted before conn establishes", " - Bluetooth: Fix TOCTOU in HCI debugfs implementation", " - netfilter: nf_tables: disallow timeout for anonymous sets", " - net/rds: fix possible cp null dereference", " - vfio/pci: Disable auto-enable of exclusive INTx IRQ", " - vfio/pci: Lock external INTx masking ops", " - vfio: Introduce interface to flush virqfd inject workqueue", " - vfio/pci: Create persistent INTx handler", " - vfio/platform: Create persistent IRQ handlers", " - Revert \"x86/mm/ident_map: Use gbpages only where full GB page should be", " mapped.\"", " - mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL", " allocations", " - netfilter: nf_tables: flush pending destroy work before exit_net release", " - netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()", " - bpf, sockmap: Prevent lock inversion deadlock in map delete elem", " - net/sched: act_skbmod: prevent kernel-infoleak", " - net: stmmac: fix rx queue priority assignment", " - selftests: reuseaddr_conflict: add missing new line at the end of the output", " - ipv6: Fix infinite recursion in fib6_dump_done().", " - i40e: fix vf may be used uninitialized in this function warning", " - staging: mmal-vchiq: Allocate and free components as required", " - staging: mmal-vchiq: Fix client_component for 64 bit kernel", " - staging: vc04_services: changen strncpy() to strscpy_pad()", " - staging: vc04_services: fix information leak in create_component()", " - fs: add a vfs_fchown helper", " - fs: add a vfs_fchmod helper", " - initramfs: switch initramfs unpacking to struct file based APIs", " - init: open /initrd.image with O_LARGEFILE", " - erspan: Add type I version 0 support.", " - erspan: make sure erspan_base_hdr is present in skb->head", " - net: ravb: Always process TX descriptor ring", " - ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw", " - ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit", " - scsi: mylex: Fix sysfs buffer lengths", " - ata: sata_mv: Fix PCI device ID table declaration compilation warning", " - ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with", " microphone", " - x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()", " - s390/entry: align system call table on 8 bytes", " - wifi: ath9k: fix LNA selection in ath_ant_try_scan()", " - VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()", " - panic: Flush kernel log buffer at the end", " - arm64: dts: rockchip: fix rk3328 hdmi ports node", " - arm64: dts: rockchip: fix rk3399 hdmi ports node", " - ionic: set adminq irq affinity", " - tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()", " - btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()", " - btrfs: export: handle invalid inode or root reference in btrfs_get_parent()", " - btrfs: send: handle path ref underflow in header iterate_inode_ref()", " - Bluetooth: btintel: Fix null ptr deref in btintel_read_version", " - Input: synaptics-rmi4 - fail probing if memory allocation for \"phys\" fails", " - sysv: don't call sb_bread() with pointers_lock held", " - scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()", " - isofs: handle CDs with bad root inode but good Joliet root directory", " - media: sta2x11: fix irq handler cast", " - drm/amd/display: Fix nanosec stat overflow", " - SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned", " int", " - Revert \"ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default\"", " - block: prevent division by zero in blk_rq_stat_sum()", " - Input: allocate keycode for Display refresh rate toggle", " - ktest: force $buildonly = 1 for 'make_warnings_file' test type", " - tools: iio: replace seekdir() in iio_generic_buffer", " - usb: typec: tcpci: add generic tcpci fallback compatible", " - usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined", " - fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2", " - fbmon: prevent division by zero in fb_videomode_from_videomode()", " - netfilter: nf_tables: reject new basechain after table flag update", " - netfilter: nf_tables: discard table flag update with pending basechain", " deletion", " - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc", " - drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put()", " - virtio: reenable config if freezing device failed", " - x86/mm/pat: fix VM_PAT handling in COW mappings", " - drm/i915/gt: Reset queue_priority_hint on parking", " - x86/alternative: Don't call text_poke() in lazy TLB mode", " - Bluetooth: btintel: Fixe build regression", " - VMCI: Fix possible memcpy() run-time warning in", " vmci_datagram_invoke_guest_handler()", " - erspan: Check IFLA_GRE_ERSPAN_VER is set.", " - ip_gre: do not report erspan version on GRE interface", " - firmware: meson_sm: fix to avoid potential NULL pointer dereference", " - Linux 5.4.274", "", " * CVE-2024-26586", " - mlxsw: spectrum_acl_tcam: Fix stack corruption", "", " * CVE-2024-26923", " - af_unix: Do not use atomic ops for unix_sk(sk)->inflight.", " - af_unix: Fix garbage collector racing against connect()", "", " * Focal update: v5.4.273 upstream stable release (LP: #2064561)", " - io_uring/unix: drop usage of io_uring socket", " - io_uring: drop any code related to SCM_RIGHTS", " - selftests: tls: use exact comparison in recv_partial", " - ASoC: rt5645: Make LattePanda board DMI match more precise", " - x86/xen: Add some null pointer checking to smp.c", " - MIPS: Clear Cause.BD in instruction_pointer_set", " - HID: multitouch: Add required quirk for Synaptics 0xcddc device", " - RDMA/mlx5: Relax DEVX access upon modify commands", " - net/iucv: fix the allocation size of iucv_path_table array", " - parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check", " - block: sed-opal: handle empty atoms when parsing response", " - dm-verity, dm-crypt: align \"struct bvec_iter\" correctly", " - btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve", " - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready", " - Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security", " - firewire: core: use long bus reset on gap count error", " - ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet", " - Input: gpio_keys_polled - suppress deferred probe error for gpio", " - ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC", " - ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode", " - ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll", " - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak", " - fs/select: rework stack allocation hack for clang", " - timekeeping: Fix cross-timestamp interpolation on counter wrap", " - timekeeping: Fix cross-timestamp interpolation corner case decision", " - timekeeping: Fix cross-timestamp interpolation for non-x86", " - wifi: ath10k: fix NULL pointer dereference in", " ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()", " - b43: dma: Fix use true/false for bool type variable", " - wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled", " - wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled", " - b43: main: Fix use true/false for bool type", " - wifi: b43: Stop correct queue in DMA worker when QoS is disabled", " - wifi: b43: Disable QoS for bcm4331", " - wifi: wilc1000: fix declarations ordering", " - wifi: wilc1000: fix RCU usage in connect path", " - wifi: mwifiex: debugfs: Drop unnecessary error check for", " debugfs_create_dir()", " - sock_diag: annotate data-races around sock_diag_handlers[family]", " - af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().", " - net: blackhole_dev: fix build warning for ethh set but not used", " - wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()", " - arm64: dts: mediatek: mt7622: add missing \"device_type\" to memory nodes", " - bpf: Add typecast to bpf helpers to help BTF generation", " - bpf: Factor out bpf_spin_lock into helpers.", " - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly", " - arm64: dts: qcom: db820c: Move non-soc entries out of /soc", " - arm64: dts: qcom: msm8996: Use node references in db820c", " - arm64: dts: qcom: msm8996: Move regulator consumers to db820c", " - arm64: dts: qcom: msm8996: Pad addresses", " - ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()", " - bus: tegra-aconnect: Update dependency to ARCH_TEGRA", " - [Config]: Update tegra configs", " - iommu/amd: Mark interrupt as managed", " - wifi: brcmsmac: avoid function pointer casts", " - net: ena: Remove ena_select_queue", " - ARM: dts: arm: realview: Fix development chip ROM compatible value", " - ARM: dts: imx6dl-yapp4: Move phy reset into switch node", " - ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address", " - ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node", " - ACPI: scan: Fix device check notification handling", " - x86, relocs: Ignore relocations in .notes section", " - SUNRPC: fix some memleaks in gssx_dec_option_array", " - mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove", " function", " - igb: move PEROUT and EXTTS isr logic to separate functions", " - igb: Fix missing time sync events", " - Bluetooth: Remove superfluous call to hci_conn_check_pending()", " - sr9800: Add check for usbnet_get_endpoints", " - bpf: Fix hashtab overflow check on 32-bit arches", " - bpf: Fix stackmap overflow check on 32-bit arches", " - ipv6: fib6_rules: flush route cache when rule is changed", " - net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()", " - net: hns3: fix port duplex configure error in IMP reset", " - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function", " - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt()", " function", " - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function", " - net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function", " - net/x25: fix incorrect parameter validation in the x25_getsockopt() function", " - nfp: flower: handle acti_netdevs allocation failure", " - dm raid: fix false positive for requeue needed during reshape", " - dm: call the resume method on internal suspend", " - drm/tegra: dsi: Add missing check for of_find_device_by_node", " - gpu: host1x: mipi: Update tegra_mipi_request() to be node based", " - drm/tegra: dsi: Make use of the helper function dev_err_probe()", " - drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()", " - drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path", " of tegra_dsi_probe()", " - drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths", " of tegra_output_probe()", " - drm/rockchip: inno_hdmi: Fix video timing", " - drm: Don't treat 0 as -1 in drm_fixp2int_ceil", " - drm/rockchip: lvds: do not overwrite error code", " - dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA", " - media: tc358743: register v4l2 async device only after successful setup", " - PCI/DPC: Print all TLP Prefixes, not just the first", " - perf record: Fix possible incorrect free in record__switch_output()", " - drm/amd/display: Fix potential NULL pointer dereferences in", " 'dcn10_set_output_transfer_func()'", " - perf evsel: Fix duplicate initialization of data->id in", " evsel__parse_sample()", " - media: em28xx: annotate unchecked call to media_device_register()", " - media: v4l2-tpg: fix some memleaks in tpg_alloc", " - media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity", " - media: edia: dvbdev: fix a use-after-free", " - clk: qcom: reset: Allow specifying custom reset delay", " - clk: qcom: reset: support resetting multiple bits", " - clk: qcom: reset: Commonize the de/assert functions", " - clk: qcom: reset: Ensure write completion on reset de/assertion", " - quota: simplify drop_dquot_ref()", " - quota: Fix potential NULL pointer dereference", " - quota: Fix rcu annotations of inode dquot pointers", " - PCI: switchtec: Fix an error handling path in switchtec_pci_probe()", " - perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()", " - drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()", " - ALSA: seq: fix function cast warnings", " - perf stat: Avoid metric-only segv", " - media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak", " - media: go7007: add check of return value of go7007_read_addr()", " - media: pvrusb2: remove redundant NULL check", " - media: pvrusb2: fix pvr2_stream_callback casts", " - clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times", " - drm/mediatek: dsi: Fix DSI RGB666 formats and definitions", " - PCI: Mark 3ware-9650SE Root Port Extended Tags as broken", " - clk: hisilicon: hi3519: Release the correct number of gates in", " hi3519_clk_unregister()", " - drm/tegra: put drm_gem_object ref on error in tegra_fb_create", " - mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref", " - mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a", " ref", " - crypto: arm/sha - fix function cast warnings", " - mtd: maps: physmap-core: fix flash size larger than 32-bit", " - mtd: rawnand: lpc32xx_mlc: fix irq handler prototype", " - ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs", " - drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()", " - media: pvrusb2: fix uaf in pvr2_context_set_notify", " - media: dvb-frontends: avoid stack overflow warnings with clang", " - media: go7007: fix a memleak in go7007_load_encoder", " - media: v4l2-core: correctly validate video and metadata ioctls", " - media: rename VFL_TYPE_GRABBER to _VIDEO", " - media: media/pci: rename VFL_TYPE_GRABBER to _VIDEO", " - media: ttpci: fix two memleaks in budget_av_attach", " - drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip", " - powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks", " - drm/msm/dpu: add division of drm_display_mode's hskew parameter", " - powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.", " - backlight: lm3630a: Initialize backlight_properties on init", " - backlight: lm3630a: Don't set bl->props.brightness in get_brightness", " - backlight: da9052: Fully initialize backlight_properties during probe", " - backlight: lm3639: Fully initialize backlight_properties during probe", " - backlight: lp8788: Fully initialize backlight_properties during probe", " - sparc32: Fix section mismatch in leon_pci_grpci", " - clk: Fix clk_core_get NULL dereference", " - ALSA: usb-audio: Stop parsing channels bits when all channels are found.", " - scsi: csiostor: Avoid function pointer casts", " - RDMA/device: Fix a race between mad_client and cm_client init", " - scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn", " - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()", " - watchdog: stm32_iwdg: initialize default timeout", " - NFS: Fix an off by one in root_nfs_cat()", " - afs: Revert \"afs: Hide silly-rename files from userspace\"", " - tty: vt: fix 20 vs 0x20 typo in EScsiignore", " - serial: max310x: fix syntax error in IRQ error message", " - tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT", " - kconfig: fix infinite loop when expanding a macro at the end of file", " - rtc: mt6397: select IRQ_DOMAIN instead of depending on it", " - serial: 8250_exar: Don't remove GPIO device on suspend", " - staging: greybus: fix get_channel_from_mode() failure path", " - usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin", " - octeontx2-af: Use matching wake_up API variant in CGX command interface", " - s390/vtime: fix average steal time calculation", " - hsr: Fix uninit-value access in hsr_get_node()", " - packet: annotate data-races around ignore_outgoing", " - rds: introduce acquire/release ordering in acquire/release_in_xmit()", " - hsr: Handle failures in module init", " - net/bnx2x: Prevent access to a freed page in page_pool", " - octeontx2-af: Use separate handlers for interrupts", " - ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add regulator nodes vcc-dram and", " vcc1v2", " - netfilter: nf_tables: do not compare internal table flags on updates", " - rcu: add a helper to report consolidated flavor QS", " - bpf: report RCU QS in cpumap kthread", " - spi: spi-mt65xx: Fix NULL pointer access in interrupt handler", " - regmap: Add missing map->bus check", " - Linux 5.4.273", "", " * Focal update: v5.4.272 upstream stable release (LP: #2064555)", " - lan78xx: Fix white space and style issues", " - lan78xx: Add missing return code checks", " - lan78xx: Fix partial packet errors on suspend/resume", " - lan78xx: Fix race conditions in suspend/resume handling", " - net: lan78xx: fix runtime PM count underflow on link stop", " - ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able", " - geneve: make sure to pull inner header in geneve_rx()", " - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", " - net/ipv6: avoid possible UAF in ip6_route_mpath_notify()", " - net/rds: fix WARNING in rds_conn_connect_if_down", " - netfilter: nft_ct: fix l3num expectations with inet pseudo family", " - netfilter: nf_conntrack_h323: Add protection for bmp length out of range", " - netrom: Fix a data-race around sysctl_netrom_default_path_quality", " - netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser", " - netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser", " - netrom: Fix a data-race around sysctl_netrom_transport_timeout", " - netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries", " - netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_busy_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size", " - netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout", " - netrom: Fix a data-race around sysctl_netrom_routing_control", " - netrom: Fix a data-race around sysctl_netrom_link_fails_count", " - netrom: Fix data-races around sysctl_net_busy_read", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - um: allow not setting extra rpaths in the linux binary", " - serial: max310x: Use devm_clk_get_optional() to get the input clock", " - serial: max310x: Try to get crystal clock rate from property", " - serial: max310x: fail probe if clock crystal is unstable", " - serial: max310x: Make use of device properties", " - serial: max310x: use regmap methods for SPI batch operations", " - serial: max310x: use a separate regmap for each port", " - serial: max310x: prevent infinite while() loop in port startup", " - Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU", " - hv_netvsc: Make netvsc/VF binding check both MAC and serial number", " - hv_netvsc: use netif_is_bond_master() instead of open code", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - y2038: rusage: use __kernel_old_timeval", " - getrusage: add the \"signal_struct *sig\" local variable", " - getrusage: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - getrusage: use __for_each_thread()", " - getrusage: use sig->stats_lock rather than lock_task_sighand()", " - serial: max310x: Unprepare and disable clock in error path", " - regmap: allow to define reg_update_bits for no bus configuration", " - regmap: Add bulk read/write callbacks into regmap_config", " - serial: max310x: make accessing revision id interface-agnostic", " - serial: max310x: implement I2C support", " - serial: max310x: fix IO data corruption in batched operations", " - arm64: dts: qcom: add PDC interrupt controller for SDM845", " - arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts", " - Linux 5.4.272", "", " * CVE-2024-23307", " - md/raid5: fix atomicity violation in raid5_cache_count", "", " * CVE-2024-26889", " - Bluetooth: hci_core: Fix possible buffer overflow", "", " * CVE-2024-26828", " - cifs: fix underflow in parse_server_interfaces()", "", " * CVE-2024-24861", " - media: xc4000: Fix atomicity violation in xc4000_get_frequency", "", " * CVE-2023-6270", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", "", " * CVE-2024-26642", " - netfilter: nf_tables: disallow anonymous set with timeout flag", "", " * CVE-2024-26926", " - binder: check offset alignment in binder_get_object()", "", " * CVE-2024-26922", " - drm/amdgpu: validate the parameters of bo mapping operations more clearly", "", " * CVE-2024-26925", " - netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", "", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " * CVE-2024-2201", " - x86/cpufeatures: Add new word for scattered features", " - x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word", " - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file", " - x86/bhi: Add support for clearing branch history at syscall entry", " - x86/bhi: Define SPEC_CTRL_BHI_DIS_S", " - x86/bhi: Enumerate Branch History Injection (BHI) bug", " - x86/bhi: Add BHI mitigation knob", " - x86/bhi: Mitigate KVM by default", " - [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}", " - x86/bugs: Fix BHI documentation", " - x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES", " - x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'", " - x86/bugs: Fix BHI handling of RRSBA", " - x86/bugs: Clarify that syscall hardening isn't a BHI mitigation", " - x86/bugs: Fix BHI retpoline check", "" ], "package": "linux", "version": "5.4.0-189.209", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2068454, 2067865, 2067857, 2064561, 2064555 ], "author": "Stefan Bader ", "date": "Fri, 07 Jun 2024 15:07:46 +0200" } ], "notes": "linux-headers-5.4.0-189 version '5.4.0-189.209' (source package linux version '5.4.0-189.209') was added. linux-headers-5.4.0-189 version '5.4.0-189.209' has the same source package name, linux, as removed package linux-headers-5.4.0-187. As such we can use the source package version of the removed package, '5.4.0-187.207', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.4.0-189-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-189.209", "version": "5.4.0-189.209" }, "cves": [ { "cve": "CVE-2024-26586", "url": "https://ubuntu.com/security/CVE-2024-26586", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26828", "url": "https://ubuntu.com/security/CVE-2024-26828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that \"bytes_left\" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.", "cve_priority": "high", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "launchpad_bugs_fixed": [ 2068454, 2067865, 2067857, 2064561, 2064555 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26586", "url": "https://ubuntu.com/security/CVE-2024-26586", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26828", "url": "https://ubuntu.com/security/CVE-2024-26828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that \"bytes_left\" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.", "cve_priority": "high", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "log": [ "", " * focal/linux: 5.4.0-189.209 -proposed tracker (LP: #2068454)", "", " * Focal update: v5.4.275 upstream stable release (LP: #2067865)", " - batman-adv: Avoid infinite loop trying to resize local TT", " - Bluetooth: Fix memory leak in hci_req_sync_complete()", " - nouveau: fix function cast warning", " - net: openvswitch: fix unwanted error log on timeout policy probing", " - u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file", " - geneve: fix header validation in geneve[6]_xmit_skb", " - ipv6: fib: hide unused 'pn' variable", " - ipv4/route: avoid unused-but-set-variable warning", " - ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr", " - net/mlx5: Properly link new fs rules into the tree", " - net: ena: Fix potential sign extension issue", " - btrfs: qgroup: correctly model root qgroup rsv in convert", " - drm/client: Fully protect modes[] with dev->mode_config.mutex", " - vhost: Add smp_rmb() in vhost_vq_avail_empty()", " - selftests: timers: Fix abs() warning in posix_timers test", " - x86/apic: Force native_apic_mem_read() to use the MOV instruction", " - btrfs: record delayed inode root in transaction", " - selftests/ftrace: Limit length in subsystem-enable tests", " - kprobes: Fix possible use-after-free issue on kprobe registration", " - Revert \"tracing/trigger: Fix to return error if failed to alloc snapshot\"", " - netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()", " - tun: limit printing rate when illegal packet received by tun dev", " - RDMA/rxe: Fix the problem \"mutex_destroy missing\"", " - RDMA/mlx5: Fix port number for counter query in multi-port configuration", " - drm: nv04: Fix out of bounds access", " - clk: Remove prepare_lock hold assertion in __clk_release()", " - clk: Mark 'all_lists' as const", " - clk: remove extra empty line", " - clk: Print an info line before disabling unused clocks", " - clk: Initialize struct clk_core kref earlier", " - clk: Get runtime PM before walking tree during disable_unused", " - x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ", " - comedi: vmk80xx: fix incomplete endpoint checking", " - serial/pmac_zilog: Remove flawed mitigation for rx irq flood", " - USB: serial: option: add Fibocom FM135-GL variants", " - USB: serial: option: add support for Fibocom FM650/FG650", " - USB: serial: option: add Lonsung U8300/U9300 product", " - USB: serial: option: support Quectel EM060K sub-models", " - USB: serial: option: add Rolling RW101-GL and RW135-GL support", " - USB: serial: option: add Telit FN920C04 rmnet compositions", " - usb: dwc2: host: Fix dereference issue in DDMA completion flow.", " - speakup: Avoid crash on very long word", " - fs: sysfs: Fix reference leak in sysfs_break_active_protection()", " - nouveau: fix instmem race condition around ptr stores", " - nilfs2: fix OOB in nilfs_set_de_type", " - KVM: async_pf: Cleanup kvm_setup_async_pf()", " - arm64: dts: rockchip: fix alphabetical ordering RK3399 puma", " - arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma", " - arm64: dts: mediatek: mt7622: fix IR nodename", " - arm64: dts: mediatek: mt7622: fix ethernet controller \"compatible\"", " - arm64: dts: mediatek: mt7622: drop \"reset-names\" from thermal block", " - arm64: dts: mt2712: add ethernet device node", " - arm64: dts: mediatek: mt2712: fix validation errors", " - ARC: [plat-hsdk]: Remove misplaced interrupt-cells property", " - vxlan: drop packets from invalid src-address", " - mlxsw: core: Unregister EMAD trap using FORWARD action", " - NFC: trf7970a: disable all regulators on removal", " - net: usb: ax88179_178a: stop lying about skb->truesize", " - net: gtp: Fix Use-After-Free in gtp_dellink", " - ipvs: Fix checksumming on GSO of SCTP packets", " - net: openvswitch: Fix Use-After-Free in ovs_ct_exit", " - mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work", " - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update", " - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash", " - mlxsw: spectrum_acl_tcam: Rate limit error message", " - mlxsw: spectrum_acl_tcam: Fix memory leak during rehash", " - mlxsw: spectrum_acl_tcam: Fix warning during rehash", " - mlxsw: spectrum_acl_tcam: Fix incorrect list API usage", " - mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", " - i40e: Do not use WQ_MEM_RECLAIM flag for workqueue", " - iavf: Fix TC config comparison with existing adapter TC config", " - af_unix: Suppress false-positive lockdep splat for spin_lock() in", " __unix_gc().", " - serial: core: Provide port lock wrappers", " - serial: mxs-auart: add spinlock around changing cts state", " - Revert \"crypto: api - Disallow identical driver names\"", " - net/mlx5e: Fix a race in command alloc flow", " - tracing: Show size of requested perf buffer", " - tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker", " together", " - Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853", " - btrfs: fix information leak in btrfs_ioctl_logical_to_ino()", " - arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma", " - drm/amdgpu: Fix leak when GPU memory allocation fails", " - irqchip/gic-v3-its: Prevent double free on error", " - ethernet: Add helper for assigning packet type when dest address does not", " match device address", " - net: b44: set pause params only when interface is up", " - stackdepot: respect __GFP_NOLOCKDEP allocation flag", " - mtd: diskonchip: work around ubsan link failure", " - tcp: Clean up kernel listener's reqsk in inet_twsk_purge()", " - tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()", " - dmaengine: owl: fix register access functions", " - idma64: Don't try to serve interrupts when device is powered off", " - i2c: smbus: fix NULL function pointer dereference", " - HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up", " - bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS", " - udp: preserve the connected status if only UDP cmsg", " - serial: core: fix kernel-doc for uart_port_unlock_irqrestore()", " - Linux 5.4.275", "", " * Focal update: v5.4.274 upstream stable release (LP: #2067857)", " - amdkfd: use calloc instead of kzalloc to avoid integer overflow", " - Documentation/hw-vuln: Update spectre doc", " - x86/cpu: Support AMD Automatic IBRS", " - x86/bugs: Use sysfs_emit()", " - timers: Update kernel-doc for various functions", " - timers: Use del_timer_sync() even on UP", " - timers: Rename del_timer_sync() to timer_delete_sync()", " - media: staging: ipu3-imgu: Set fields before media_entity_pads_init()", " - clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd", " - smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()", " - smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()", " - ARM: dts: mmp2-brownstone: Don't redeclare phandle references", " - arm: dts: marvell: Fix maxium->maxim typo in brownstone dts", " - serial: max310x: fix NULL pointer dereference in I2C instantiation", " - KVM: Always flush async #PF workqueue when vCPU is being destroyed", " - sparc64: NMI watchdog: fix return value of __setup handler", " - sparc: vDSO: fix return value of __setup handler", " - crypto: qat - fix double free during reset", " - crypto: qat - resolve race condition during AER recovery", " - selftests/mqueue: Set timeout to 180 seconds", " - ext4: correct best extent lstart adjustment logic", " - fat: fix uninitialized field in nostale filehandles", " - ubifs: Set page uptodate in the correct place", " - ubi: Check for too small LEB size in VTBL code", " - ubi: correct the calculation of fastmap size", " - mtd: rawnand: meson: fix scrambling mode value in command macro", " - parisc: Do not hardcode registers in checksum functions", " - parisc: Fix ip_fast_csum", " - parisc: Fix csum_ipv6_magic on 32-bit systems", " - parisc: Fix csum_ipv6_magic on 64-bit systems", " - parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds", " - PM: suspend: Set mem_sleep_current during kernel command line setup", " - clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays", " - clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays", " - clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays", " - powerpc/fsl: Fix mfpmr build errors with newer binutils", " - USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB", " - USB: serial: add device ID for VeriFone adapter", " - USB: serial: cp210x: add ID for MGP Instruments PDS100", " - USB: serial: option: add MeiG Smart SLM320 product", " - USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M", " - PM: sleep: wakeirq: fix wake irq warning in system suspend", " - mmc: tmio: avoid concurrent runs of mmc_request_done()", " - fuse: don't unhash root", " - btrfs: fix off-by-one chunk length calculation at contains_pending_extent()", " - PCI: Drop pci_device_remove() test of pci_dev->driver", " - PCI/PM: Drain runtime-idle callbacks before driver removal", " - Revert \"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\"", " - dm-raid: fix lockdep waring in \"pers->hot_add_disk\"", " - mmc: core: Fix switch on gp3 partition", " - hwmon: (amc6821) add of_match table", " - ext4: fix corruption during on-line resize", " - firmware: meson_sm: Rework driver as a proper platform driver", " - nvmem: meson-efuse: fix function pointer type mismatch", " - slimbus: core: Remove usage of the deprecated ida_simple_xx() API", " - speakup: Fix 8bit characters from direct synth", " - kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1", " - vfio/platform: Disable virqfds on cleanup", " - ring-buffer: Fix resetting of shortest_full", " - ring-buffer: Fix full_waiters_pending in poll", " - soc: fsl: qbman: Always disable interrupts when taking cgr_lock", " - soc: fsl: qbman: Add helper for sanity checking cgr ops", " - soc: fsl: qbman: Add CGR update function", " - soc: fsl: qbman: Use raw spinlock for cgr_lock", " - s390/zcrypt: fix reference counting on zcrypt card objects", " - drm/exynos: do not return negative values from .get_modes()", " - drm/imx/ipuv3: do not return negative values from .get_modes()", " - drm/vc4: hdmi: do not return negative values from .get_modes()", " - memtest: use {READ,WRITE}_ONCE in memory scanning", " - nilfs2: fix failure to detect DAT corruption in btree and direct mappings", " - nilfs2: use a more common logging style", " - nilfs2: prevent kernel bug at submit_bh_wbc()", " - x86/CPU/AMD: Update the Zenbleed microcode revisions", " - ahci: asm1064: correct count of reported ports", " - ahci: asm1064: asm1166: don't limit reported ports", " - dm snapshot: fix lockup in dm_exception_table_exit", " - comedi: comedi_test: Prevent timers rescheduling during deletion", " - netfilter: nf_tables: reject constant set with timeout", " - xfrm: Avoid clang fortify warning in copy_to_user_tmpl()", " - ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897", " platform", " - USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command", " - usb: gadget: ncm: Fix handling of zero block length packets", " - usb: port: Don't try to peer unused USB ports based on location", " - tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled", " - vt: fix unicode buffer corruption when deleting characters", " - fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion", " - objtool: is_fentry_call() crashes if call has no destination", " - objtool: Add support for intra-function calls", " - x86/speculation: Support intra-function call validation", " - xen/events: close evtchn after mapping cleanup", " - printk: Update @console_may_schedule in console_trylock_spinning()", " - btrfs: allocate btrfs_ioctl_defrag_range_args on stack", " - Revert \"loop: Check for overflow while configuring loop\"", " - loop: Call loop_config_discard() only after new config is applied", " - loop: Remove sector_t truncation checks", " - loop: Factor out setting loop device size", " - loop: Refactor loop_set_status() size calculation", " - loop: Factor out configuring loop from status", " - loop: Check for overflow while configuring loop", " - loop: loop_set_status_from_info() check before assignment", " - perf/core: Fix reentry problem in perf_output_read_group()", " - efivarfs: Request at most 512 bytes for variable names", " - powerpc: xor_vmx: Add '-mhard-float' to CFLAGS", " - bounds: support non-power-of-two CONFIG_NR_CPUS", " - vt: fix memory overlapping when deleting chars in the buffer", " - mm/memory-failure: fix an incorrect use of tail pages", " - mm/migrate: set swap entry values of THP tail pages properly.", " - wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes", " - exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()", " - mmc: core: Initialize mmc_blk_ioc_data", " - mmc: core: Avoid negative index with array access", " - ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs", " - scsi: core: Fix unremoved procfs host directory regression", " - usb: dwc2: host: Fix remote wakeup from hibernation", " - usb: dwc2: host: Fix hibernation flow", " - usb: dwc2: host: Fix ISOC flow in DDMA mode", " - usb: dwc2: gadget: LPM flow fix", " - usb: udc: remove warning when queue disabled ep", " - scsi: qla2xxx: Fix command flush on cable pull", " - x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled", " - scsi: lpfc: Correct size for wqe for memset()", " - USB: core: Fix deadlock in usb_deauthorize_interface()", " - nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet", " - ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa()", " - tcp: properly terminate timers for kernel sockets", " - dm integrity: fix out-of-range warning", " - r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d", " - Bluetooth: hci_event: set the conn encrypted before conn establishes", " - Bluetooth: Fix TOCTOU in HCI debugfs implementation", " - netfilter: nf_tables: disallow timeout for anonymous sets", " - net/rds: fix possible cp null dereference", " - vfio/pci: Disable auto-enable of exclusive INTx IRQ", " - vfio/pci: Lock external INTx masking ops", " - vfio: Introduce interface to flush virqfd inject workqueue", " - vfio/pci: Create persistent INTx handler", " - vfio/platform: Create persistent IRQ handlers", " - Revert \"x86/mm/ident_map: Use gbpages only where full GB page should be", " mapped.\"", " - mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL", " allocations", " - netfilter: nf_tables: flush pending destroy work before exit_net release", " - netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()", " - bpf, sockmap: Prevent lock inversion deadlock in map delete elem", " - net/sched: act_skbmod: prevent kernel-infoleak", " - net: stmmac: fix rx queue priority assignment", " - selftests: reuseaddr_conflict: add missing new line at the end of the output", " - ipv6: Fix infinite recursion in fib6_dump_done().", " - i40e: fix vf may be used uninitialized in this function warning", " - staging: mmal-vchiq: Allocate and free components as required", " - staging: mmal-vchiq: Fix client_component for 64 bit kernel", " - staging: vc04_services: changen strncpy() to strscpy_pad()", " - staging: vc04_services: fix information leak in create_component()", " - fs: add a vfs_fchown helper", " - fs: add a vfs_fchmod helper", " - initramfs: switch initramfs unpacking to struct file based APIs", " - init: open /initrd.image with O_LARGEFILE", " - erspan: Add type I version 0 support.", " - erspan: make sure erspan_base_hdr is present in skb->head", " - net: ravb: Always process TX descriptor ring", " - ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw", " - ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit", " - scsi: mylex: Fix sysfs buffer lengths", " - ata: sata_mv: Fix PCI device ID table declaration compilation warning", " - ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with", " microphone", " - x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()", " - s390/entry: align system call table on 8 bytes", " - wifi: ath9k: fix LNA selection in ath_ant_try_scan()", " - VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()", " - panic: Flush kernel log buffer at the end", " - arm64: dts: rockchip: fix rk3328 hdmi ports node", " - arm64: dts: rockchip: fix rk3399 hdmi ports node", " - ionic: set adminq irq affinity", " - tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()", " - btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()", " - btrfs: export: handle invalid inode or root reference in btrfs_get_parent()", " - btrfs: send: handle path ref underflow in header iterate_inode_ref()", " - Bluetooth: btintel: Fix null ptr deref in btintel_read_version", " - Input: synaptics-rmi4 - fail probing if memory allocation for \"phys\" fails", " - sysv: don't call sb_bread() with pointers_lock held", " - scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()", " - isofs: handle CDs with bad root inode but good Joliet root directory", " - media: sta2x11: fix irq handler cast", " - drm/amd/display: Fix nanosec stat overflow", " - SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned", " int", " - Revert \"ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default\"", " - block: prevent division by zero in blk_rq_stat_sum()", " - Input: allocate keycode for Display refresh rate toggle", " - ktest: force $buildonly = 1 for 'make_warnings_file' test type", " - tools: iio: replace seekdir() in iio_generic_buffer", " - usb: typec: tcpci: add generic tcpci fallback compatible", " - usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined", " - fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2", " - fbmon: prevent division by zero in fb_videomode_from_videomode()", " - netfilter: nf_tables: reject new basechain after table flag update", " - netfilter: nf_tables: discard table flag update with pending basechain", " deletion", " - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc", " - drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put()", " - virtio: reenable config if freezing device failed", " - x86/mm/pat: fix VM_PAT handling in COW mappings", " - drm/i915/gt: Reset queue_priority_hint on parking", " - x86/alternative: Don't call text_poke() in lazy TLB mode", " - Bluetooth: btintel: Fixe build regression", " - VMCI: Fix possible memcpy() run-time warning in", " vmci_datagram_invoke_guest_handler()", " - erspan: Check IFLA_GRE_ERSPAN_VER is set.", " - ip_gre: do not report erspan version on GRE interface", " - firmware: meson_sm: fix to avoid potential NULL pointer dereference", " - Linux 5.4.274", "", " * CVE-2024-26586", " - mlxsw: spectrum_acl_tcam: Fix stack corruption", "", " * CVE-2024-26923", " - af_unix: Do not use atomic ops for unix_sk(sk)->inflight.", " - af_unix: Fix garbage collector racing against connect()", "", " * Focal update: v5.4.273 upstream stable release (LP: #2064561)", " - io_uring/unix: drop usage of io_uring socket", " - io_uring: drop any code related to SCM_RIGHTS", " - selftests: tls: use exact comparison in recv_partial", " - ASoC: rt5645: Make LattePanda board DMI match more precise", " - x86/xen: Add some null pointer checking to smp.c", " - MIPS: Clear Cause.BD in instruction_pointer_set", " - HID: multitouch: Add required quirk for Synaptics 0xcddc device", " - RDMA/mlx5: Relax DEVX access upon modify commands", " - net/iucv: fix the allocation size of iucv_path_table array", " - parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check", " - block: sed-opal: handle empty atoms when parsing response", " - dm-verity, dm-crypt: align \"struct bvec_iter\" correctly", " - btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve", " - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready", " - Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security", " - firewire: core: use long bus reset on gap count error", " - ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet", " - Input: gpio_keys_polled - suppress deferred probe error for gpio", " - ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC", " - ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode", " - ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll", " - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak", " - fs/select: rework stack allocation hack for clang", " - timekeeping: Fix cross-timestamp interpolation on counter wrap", " - timekeeping: Fix cross-timestamp interpolation corner case decision", " - timekeeping: Fix cross-timestamp interpolation for non-x86", " - wifi: ath10k: fix NULL pointer dereference in", " ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()", " - b43: dma: Fix use true/false for bool type variable", " - wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled", " - wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled", " - b43: main: Fix use true/false for bool type", " - wifi: b43: Stop correct queue in DMA worker when QoS is disabled", " - wifi: b43: Disable QoS for bcm4331", " - wifi: wilc1000: fix declarations ordering", " - wifi: wilc1000: fix RCU usage in connect path", " - wifi: mwifiex: debugfs: Drop unnecessary error check for", " debugfs_create_dir()", " - sock_diag: annotate data-races around sock_diag_handlers[family]", " - af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().", " - net: blackhole_dev: fix build warning for ethh set but not used", " - wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()", " - arm64: dts: mediatek: mt7622: add missing \"device_type\" to memory nodes", " - bpf: Add typecast to bpf helpers to help BTF generation", " - bpf: Factor out bpf_spin_lock into helpers.", " - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly", " - arm64: dts: qcom: db820c: Move non-soc entries out of /soc", " - arm64: dts: qcom: msm8996: Use node references in db820c", " - arm64: dts: qcom: msm8996: Move regulator consumers to db820c", " - arm64: dts: qcom: msm8996: Pad addresses", " - ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()", " - bus: tegra-aconnect: Update dependency to ARCH_TEGRA", " - [Config]: Update tegra configs", " - iommu/amd: Mark interrupt as managed", " - wifi: brcmsmac: avoid function pointer casts", " - net: ena: Remove ena_select_queue", " - ARM: dts: arm: realview: Fix development chip ROM compatible value", " - ARM: dts: imx6dl-yapp4: Move phy reset into switch node", " - ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address", " - ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node", " - ACPI: scan: Fix device check notification handling", " - x86, relocs: Ignore relocations in .notes section", " - SUNRPC: fix some memleaks in gssx_dec_option_array", " - mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove", " function", " - igb: move PEROUT and EXTTS isr logic to separate functions", " - igb: Fix missing time sync events", " - Bluetooth: Remove superfluous call to hci_conn_check_pending()", " - sr9800: Add check for usbnet_get_endpoints", " - bpf: Fix hashtab overflow check on 32-bit arches", " - bpf: Fix stackmap overflow check on 32-bit arches", " - ipv6: fib6_rules: flush route cache when rule is changed", " - net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()", " - net: hns3: fix port duplex configure error in IMP reset", " - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function", " - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt()", " function", " - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function", " - net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function", " - net/x25: fix incorrect parameter validation in the x25_getsockopt() function", " - nfp: flower: handle acti_netdevs allocation failure", " - dm raid: fix false positive for requeue needed during reshape", " - dm: call the resume method on internal suspend", " - drm/tegra: dsi: Add missing check for of_find_device_by_node", " - gpu: host1x: mipi: Update tegra_mipi_request() to be node based", " - drm/tegra: dsi: Make use of the helper function dev_err_probe()", " - drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()", " - drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path", " of tegra_dsi_probe()", " - drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths", " of tegra_output_probe()", " - drm/rockchip: inno_hdmi: Fix video timing", " - drm: Don't treat 0 as -1 in drm_fixp2int_ceil", " - drm/rockchip: lvds: do not overwrite error code", " - dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA", " - media: tc358743: register v4l2 async device only after successful setup", " - PCI/DPC: Print all TLP Prefixes, not just the first", " - perf record: Fix possible incorrect free in record__switch_output()", " - drm/amd/display: Fix potential NULL pointer dereferences in", " 'dcn10_set_output_transfer_func()'", " - perf evsel: Fix duplicate initialization of data->id in", " evsel__parse_sample()", " - media: em28xx: annotate unchecked call to media_device_register()", " - media: v4l2-tpg: fix some memleaks in tpg_alloc", " - media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity", " - media: edia: dvbdev: fix a use-after-free", " - clk: qcom: reset: Allow specifying custom reset delay", " - clk: qcom: reset: support resetting multiple bits", " - clk: qcom: reset: Commonize the de/assert functions", " - clk: qcom: reset: Ensure write completion on reset de/assertion", " - quota: simplify drop_dquot_ref()", " - quota: Fix potential NULL pointer dereference", " - quota: Fix rcu annotations of inode dquot pointers", " - PCI: switchtec: Fix an error handling path in switchtec_pci_probe()", " - perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()", " - drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()", " - ALSA: seq: fix function cast warnings", " - perf stat: Avoid metric-only segv", " - media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak", " - media: go7007: add check of return value of go7007_read_addr()", " - media: pvrusb2: remove redundant NULL check", " - media: pvrusb2: fix pvr2_stream_callback casts", " - clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times", " - drm/mediatek: dsi: Fix DSI RGB666 formats and definitions", " - PCI: Mark 3ware-9650SE Root Port Extended Tags as broken", " - clk: hisilicon: hi3519: Release the correct number of gates in", " hi3519_clk_unregister()", " - drm/tegra: put drm_gem_object ref on error in tegra_fb_create", " - mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref", " - mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a", " ref", " - crypto: arm/sha - fix function cast warnings", " - mtd: maps: physmap-core: fix flash size larger than 32-bit", " - mtd: rawnand: lpc32xx_mlc: fix irq handler prototype", " - ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs", " - drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()", " - media: pvrusb2: fix uaf in pvr2_context_set_notify", " - media: dvb-frontends: avoid stack overflow warnings with clang", " - media: go7007: fix a memleak in go7007_load_encoder", " - media: v4l2-core: correctly validate video and metadata ioctls", " - media: rename VFL_TYPE_GRABBER to _VIDEO", " - media: media/pci: rename VFL_TYPE_GRABBER to _VIDEO", " - media: ttpci: fix two memleaks in budget_av_attach", " - drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip", " - powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks", " - drm/msm/dpu: add division of drm_display_mode's hskew parameter", " - powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.", " - backlight: lm3630a: Initialize backlight_properties on init", " - backlight: lm3630a: Don't set bl->props.brightness in get_brightness", " - backlight: da9052: Fully initialize backlight_properties during probe", " - backlight: lm3639: Fully initialize backlight_properties during probe", " - backlight: lp8788: Fully initialize backlight_properties during probe", " - sparc32: Fix section mismatch in leon_pci_grpci", " - clk: Fix clk_core_get NULL dereference", " - ALSA: usb-audio: Stop parsing channels bits when all channels are found.", " - scsi: csiostor: Avoid function pointer casts", " - RDMA/device: Fix a race between mad_client and cm_client init", " - scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn", " - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()", " - watchdog: stm32_iwdg: initialize default timeout", " - NFS: Fix an off by one in root_nfs_cat()", " - afs: Revert \"afs: Hide silly-rename files from userspace\"", " - tty: vt: fix 20 vs 0x20 typo in EScsiignore", " - serial: max310x: fix syntax error in IRQ error message", " - tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT", " - kconfig: fix infinite loop when expanding a macro at the end of file", " - rtc: mt6397: select IRQ_DOMAIN instead of depending on it", " - serial: 8250_exar: Don't remove GPIO device on suspend", " - staging: greybus: fix get_channel_from_mode() failure path", " - usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin", " - octeontx2-af: Use matching wake_up API variant in CGX command interface", " - s390/vtime: fix average steal time calculation", " - hsr: Fix uninit-value access in hsr_get_node()", " - packet: annotate data-races around ignore_outgoing", " - rds: introduce acquire/release ordering in acquire/release_in_xmit()", " - hsr: Handle failures in module init", " - net/bnx2x: Prevent access to a freed page in page_pool", " - octeontx2-af: Use separate handlers for interrupts", " - ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add regulator nodes vcc-dram and", " vcc1v2", " - netfilter: nf_tables: do not compare internal table flags on updates", " - rcu: add a helper to report consolidated flavor QS", " - bpf: report RCU QS in cpumap kthread", " - spi: spi-mt65xx: Fix NULL pointer access in interrupt handler", " - regmap: Add missing map->bus check", " - Linux 5.4.273", "", " * Focal update: v5.4.272 upstream stable release (LP: #2064555)", " - lan78xx: Fix white space and style issues", " - lan78xx: Add missing return code checks", " - lan78xx: Fix partial packet errors on suspend/resume", " - lan78xx: Fix race conditions in suspend/resume handling", " - net: lan78xx: fix runtime PM count underflow on link stop", " - ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able", " - geneve: make sure to pull inner header in geneve_rx()", " - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", " - net/ipv6: avoid possible UAF in ip6_route_mpath_notify()", " - net/rds: fix WARNING in rds_conn_connect_if_down", " - netfilter: nft_ct: fix l3num expectations with inet pseudo family", " - netfilter: nf_conntrack_h323: Add protection for bmp length out of range", " - netrom: Fix a data-race around sysctl_netrom_default_path_quality", " - netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser", " - netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser", " - netrom: Fix a data-race around sysctl_netrom_transport_timeout", " - netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries", " - netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_busy_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size", " - netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout", " - netrom: Fix a data-race around sysctl_netrom_routing_control", " - netrom: Fix a data-race around sysctl_netrom_link_fails_count", " - netrom: Fix data-races around sysctl_net_busy_read", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - um: allow not setting extra rpaths in the linux binary", " - serial: max310x: Use devm_clk_get_optional() to get the input clock", " - serial: max310x: Try to get crystal clock rate from property", " - serial: max310x: fail probe if clock crystal is unstable", " - serial: max310x: Make use of device properties", " - serial: max310x: use regmap methods for SPI batch operations", " - serial: max310x: use a separate regmap for each port", " - serial: max310x: prevent infinite while() loop in port startup", " - Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU", " - hv_netvsc: Make netvsc/VF binding check both MAC and serial number", " - hv_netvsc: use netif_is_bond_master() instead of open code", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - y2038: rusage: use __kernel_old_timeval", " - getrusage: add the \"signal_struct *sig\" local variable", " - getrusage: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - getrusage: use __for_each_thread()", " - getrusage: use sig->stats_lock rather than lock_task_sighand()", " - serial: max310x: Unprepare and disable clock in error path", " - regmap: allow to define reg_update_bits for no bus configuration", " - regmap: Add bulk read/write callbacks into regmap_config", " - serial: max310x: make accessing revision id interface-agnostic", " - serial: max310x: implement I2C support", " - serial: max310x: fix IO data corruption in batched operations", " - arm64: dts: qcom: add PDC interrupt controller for SDM845", " - arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts", " - Linux 5.4.272", "", " * CVE-2024-23307", " - md/raid5: fix atomicity violation in raid5_cache_count", "", " * CVE-2024-26889", " - Bluetooth: hci_core: Fix possible buffer overflow", "", " * CVE-2024-26828", " - cifs: fix underflow in parse_server_interfaces()", "", " * CVE-2024-24861", " - media: xc4000: Fix atomicity violation in xc4000_get_frequency", "", " * CVE-2023-6270", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", "", " * CVE-2024-26642", " - netfilter: nf_tables: disallow anonymous set with timeout flag", "", " * CVE-2024-26926", " - binder: check offset alignment in binder_get_object()", "", " * CVE-2024-26922", " - drm/amdgpu: validate the parameters of bo mapping operations more clearly", "", " * CVE-2024-26925", " - netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", "", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " * CVE-2024-2201", " - x86/cpufeatures: Add new word for scattered features", " - x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word", " - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file", " - x86/bhi: Add support for clearing branch history at syscall entry", " - x86/bhi: Define SPEC_CTRL_BHI_DIS_S", " - x86/bhi: Enumerate Branch History Injection (BHI) bug", " - x86/bhi: Add BHI mitigation knob", " - x86/bhi: Mitigate KVM by default", " - [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}", " - x86/bugs: Fix BHI documentation", " - x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES", " - x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'", " - x86/bugs: Fix BHI handling of RRSBA", " - x86/bugs: Clarify that syscall hardening isn't a BHI mitigation", " - x86/bugs: Fix BHI retpoline check", "" ], "package": "linux", "version": "5.4.0-189.209", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2068454, 2067865, 2067857, 2064561, 2064555 ], "author": "Stefan Bader ", "date": "Fri, 07 Jun 2024 15:07:46 +0200" } ], "notes": "linux-headers-5.4.0-189-generic version '5.4.0-189.209' (source package linux version '5.4.0-189.209') was added. linux-headers-5.4.0-189-generic version '5.4.0-189.209' has the same source package name, linux, as removed package linux-headers-5.4.0-187. As such we can use the source package version of the removed package, '5.4.0-187.207', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.4.0-189-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-187.207", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-189.209", "version": "5.4.0-189.209" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.4.0-189.209", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.4.0-189.209", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 07 Jun 2024 15:46:28 +0200" } ], "notes": "linux-image-5.4.0-189-generic version '5.4.0-189.209' (source package linux-signed version '5.4.0-189.209') was added. linux-image-5.4.0-189-generic version '5.4.0-189.209' has the same source package name, linux-signed, as removed package linux-image-5.4.0-187-generic. As such we can use the source package version of the removed package, '5.4.0-187.207', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.4.0-189-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-189.209", "version": "5.4.0-189.209" }, "cves": [ { "cve": "CVE-2024-26586", "url": "https://ubuntu.com/security/CVE-2024-26586", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26828", "url": "https://ubuntu.com/security/CVE-2024-26828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that \"bytes_left\" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.", "cve_priority": "high", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "launchpad_bugs_fixed": [ 2068454, 2067865, 2067857, 2064561, 2064555 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26586", "url": "https://ubuntu.com/security/CVE-2024-26586", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26828", "url": "https://ubuntu.com/security/CVE-2024-26828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that \"bytes_left\" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.", "cve_priority": "high", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "log": [ "", " * focal/linux: 5.4.0-189.209 -proposed tracker (LP: #2068454)", "", " * Focal update: v5.4.275 upstream stable release (LP: #2067865)", " - batman-adv: Avoid infinite loop trying to resize local TT", " - Bluetooth: Fix memory leak in hci_req_sync_complete()", " - nouveau: fix function cast warning", " - net: openvswitch: fix unwanted error log on timeout policy probing", " - u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file", " - geneve: fix header validation in geneve[6]_xmit_skb", " - ipv6: fib: hide unused 'pn' variable", " - ipv4/route: avoid unused-but-set-variable warning", " - ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr", " - net/mlx5: Properly link new fs rules into the tree", " - net: ena: Fix potential sign extension issue", " - btrfs: qgroup: correctly model root qgroup rsv in convert", " - drm/client: Fully protect modes[] with dev->mode_config.mutex", " - vhost: Add smp_rmb() in vhost_vq_avail_empty()", " - selftests: timers: Fix abs() warning in posix_timers test", " - x86/apic: Force native_apic_mem_read() to use the MOV instruction", " - btrfs: record delayed inode root in transaction", " - selftests/ftrace: Limit length in subsystem-enable tests", " - kprobes: Fix possible use-after-free issue on kprobe registration", " - Revert \"tracing/trigger: Fix to return error if failed to alloc snapshot\"", " - netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()", " - tun: limit printing rate when illegal packet received by tun dev", " - RDMA/rxe: Fix the problem \"mutex_destroy missing\"", " - RDMA/mlx5: Fix port number for counter query in multi-port configuration", " - drm: nv04: Fix out of bounds access", " - clk: Remove prepare_lock hold assertion in __clk_release()", " - clk: Mark 'all_lists' as const", " - clk: remove extra empty line", " - clk: Print an info line before disabling unused clocks", " - clk: Initialize struct clk_core kref earlier", " - clk: Get runtime PM before walking tree during disable_unused", " - x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ", " - comedi: vmk80xx: fix incomplete endpoint checking", " - serial/pmac_zilog: Remove flawed mitigation for rx irq flood", " - USB: serial: option: add Fibocom FM135-GL variants", " - USB: serial: option: add support for Fibocom FM650/FG650", " - USB: serial: option: add Lonsung U8300/U9300 product", " - USB: serial: option: support Quectel EM060K sub-models", " - USB: serial: option: add Rolling RW101-GL and RW135-GL support", " - USB: serial: option: add Telit FN920C04 rmnet compositions", " - usb: dwc2: host: Fix dereference issue in DDMA completion flow.", " - speakup: Avoid crash on very long word", " - fs: sysfs: Fix reference leak in sysfs_break_active_protection()", " - nouveau: fix instmem race condition around ptr stores", " - nilfs2: fix OOB in nilfs_set_de_type", " - KVM: async_pf: Cleanup kvm_setup_async_pf()", " - arm64: dts: rockchip: fix alphabetical ordering RK3399 puma", " - arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma", " - arm64: dts: mediatek: mt7622: fix IR nodename", " - arm64: dts: mediatek: mt7622: fix ethernet controller \"compatible\"", " - arm64: dts: mediatek: mt7622: drop \"reset-names\" from thermal block", " - arm64: dts: mt2712: add ethernet device node", " - arm64: dts: mediatek: mt2712: fix validation errors", " - ARC: [plat-hsdk]: Remove misplaced interrupt-cells property", " - vxlan: drop packets from invalid src-address", " - mlxsw: core: Unregister EMAD trap using FORWARD action", " - NFC: trf7970a: disable all regulators on removal", " - net: usb: ax88179_178a: stop lying about skb->truesize", " - net: gtp: Fix Use-After-Free in gtp_dellink", " - ipvs: Fix checksumming on GSO of SCTP packets", " - net: openvswitch: Fix Use-After-Free in ovs_ct_exit", " - mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work", " - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update", " - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash", " - mlxsw: spectrum_acl_tcam: Rate limit error message", " - mlxsw: spectrum_acl_tcam: Fix memory leak during rehash", " - mlxsw: spectrum_acl_tcam: Fix warning during rehash", " - mlxsw: spectrum_acl_tcam: Fix incorrect list API usage", " - mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", " - i40e: Do not use WQ_MEM_RECLAIM flag for workqueue", " - iavf: Fix TC config comparison with existing adapter TC config", " - af_unix: Suppress false-positive lockdep splat for spin_lock() in", " __unix_gc().", " - serial: core: Provide port lock wrappers", " - serial: mxs-auart: add spinlock around changing cts state", " - Revert \"crypto: api - Disallow identical driver names\"", " - net/mlx5e: Fix a race in command alloc flow", " - tracing: Show size of requested perf buffer", " - tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker", " together", " - Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853", " - btrfs: fix information leak in btrfs_ioctl_logical_to_ino()", " - arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma", " - drm/amdgpu: Fix leak when GPU memory allocation fails", " - irqchip/gic-v3-its: Prevent double free on error", " - ethernet: Add helper for assigning packet type when dest address does not", " match device address", " - net: b44: set pause params only when interface is up", " - stackdepot: respect __GFP_NOLOCKDEP allocation flag", " - mtd: diskonchip: work around ubsan link failure", " - tcp: Clean up kernel listener's reqsk in inet_twsk_purge()", " - tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()", " - dmaengine: owl: fix register access functions", " - idma64: Don't try to serve interrupts when device is powered off", " - i2c: smbus: fix NULL function pointer dereference", " - HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up", " - bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS", " - udp: preserve the connected status if only UDP cmsg", " - serial: core: fix kernel-doc for uart_port_unlock_irqrestore()", " - Linux 5.4.275", "", " * Focal update: v5.4.274 upstream stable release (LP: #2067857)", " - amdkfd: use calloc instead of kzalloc to avoid integer overflow", " - Documentation/hw-vuln: Update spectre doc", " - x86/cpu: Support AMD Automatic IBRS", " - x86/bugs: Use sysfs_emit()", " - timers: Update kernel-doc for various functions", " - timers: Use del_timer_sync() even on UP", " - timers: Rename del_timer_sync() to timer_delete_sync()", " - media: staging: ipu3-imgu: Set fields before media_entity_pads_init()", " - clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd", " - smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()", " - smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()", " - ARM: dts: mmp2-brownstone: Don't redeclare phandle references", " - arm: dts: marvell: Fix maxium->maxim typo in brownstone dts", " - serial: max310x: fix NULL pointer dereference in I2C instantiation", " - KVM: Always flush async #PF workqueue when vCPU is being destroyed", " - sparc64: NMI watchdog: fix return value of __setup handler", " - sparc: vDSO: fix return value of __setup handler", " - crypto: qat - fix double free during reset", " - crypto: qat - resolve race condition during AER recovery", " - selftests/mqueue: Set timeout to 180 seconds", " - ext4: correct best extent lstart adjustment logic", " - fat: fix uninitialized field in nostale filehandles", " - ubifs: Set page uptodate in the correct place", " - ubi: Check for too small LEB size in VTBL code", " - ubi: correct the calculation of fastmap size", " - mtd: rawnand: meson: fix scrambling mode value in command macro", " - parisc: Do not hardcode registers in checksum functions", " - parisc: Fix ip_fast_csum", " - parisc: Fix csum_ipv6_magic on 32-bit systems", " - parisc: Fix csum_ipv6_magic on 64-bit systems", " - parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds", " - PM: suspend: Set mem_sleep_current during kernel command line setup", " - clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays", " - clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays", " - clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays", " - powerpc/fsl: Fix mfpmr build errors with newer binutils", " - USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB", " - USB: serial: add device ID for VeriFone adapter", " - USB: serial: cp210x: add ID for MGP Instruments PDS100", " - USB: serial: option: add MeiG Smart SLM320 product", " - USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M", " - PM: sleep: wakeirq: fix wake irq warning in system suspend", " - mmc: tmio: avoid concurrent runs of mmc_request_done()", " - fuse: don't unhash root", " - btrfs: fix off-by-one chunk length calculation at contains_pending_extent()", " - PCI: Drop pci_device_remove() test of pci_dev->driver", " - PCI/PM: Drain runtime-idle callbacks before driver removal", " - Revert \"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\"", " - dm-raid: fix lockdep waring in \"pers->hot_add_disk\"", " - mmc: core: Fix switch on gp3 partition", " - hwmon: (amc6821) add of_match table", " - ext4: fix corruption during on-line resize", " - firmware: meson_sm: Rework driver as a proper platform driver", " - nvmem: meson-efuse: fix function pointer type mismatch", " - slimbus: core: Remove usage of the deprecated ida_simple_xx() API", " - speakup: Fix 8bit characters from direct synth", " - kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1", " - vfio/platform: Disable virqfds on cleanup", " - ring-buffer: Fix resetting of shortest_full", " - ring-buffer: Fix full_waiters_pending in poll", " - soc: fsl: qbman: Always disable interrupts when taking cgr_lock", " - soc: fsl: qbman: Add helper for sanity checking cgr ops", " - soc: fsl: qbman: Add CGR update function", " - soc: fsl: qbman: Use raw spinlock for cgr_lock", " - s390/zcrypt: fix reference counting on zcrypt card objects", " - drm/exynos: do not return negative values from .get_modes()", " - drm/imx/ipuv3: do not return negative values from .get_modes()", " - drm/vc4: hdmi: do not return negative values from .get_modes()", " - memtest: use {READ,WRITE}_ONCE in memory scanning", " - nilfs2: fix failure to detect DAT corruption in btree and direct mappings", " - nilfs2: use a more common logging style", " - nilfs2: prevent kernel bug at submit_bh_wbc()", " - x86/CPU/AMD: Update the Zenbleed microcode revisions", " - ahci: asm1064: correct count of reported ports", " - ahci: asm1064: asm1166: don't limit reported ports", " - dm snapshot: fix lockup in dm_exception_table_exit", " - comedi: comedi_test: Prevent timers rescheduling during deletion", " - netfilter: nf_tables: reject constant set with timeout", " - xfrm: Avoid clang fortify warning in copy_to_user_tmpl()", " - ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897", " platform", " - USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command", " - usb: gadget: ncm: Fix handling of zero block length packets", " - usb: port: Don't try to peer unused USB ports based on location", " - tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled", " - vt: fix unicode buffer corruption when deleting characters", " - fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion", " - objtool: is_fentry_call() crashes if call has no destination", " - objtool: Add support for intra-function calls", " - x86/speculation: Support intra-function call validation", " - xen/events: close evtchn after mapping cleanup", " - printk: Update @console_may_schedule in console_trylock_spinning()", " - btrfs: allocate btrfs_ioctl_defrag_range_args on stack", " - Revert \"loop: Check for overflow while configuring loop\"", " - loop: Call loop_config_discard() only after new config is applied", " - loop: Remove sector_t truncation checks", " - loop: Factor out setting loop device size", " - loop: Refactor loop_set_status() size calculation", " - loop: Factor out configuring loop from status", " - loop: Check for overflow while configuring loop", " - loop: loop_set_status_from_info() check before assignment", " - perf/core: Fix reentry problem in perf_output_read_group()", " - efivarfs: Request at most 512 bytes for variable names", " - powerpc: xor_vmx: Add '-mhard-float' to CFLAGS", " - bounds: support non-power-of-two CONFIG_NR_CPUS", " - vt: fix memory overlapping when deleting chars in the buffer", " - mm/memory-failure: fix an incorrect use of tail pages", " - mm/migrate: set swap entry values of THP tail pages properly.", " - wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes", " - exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()", " - mmc: core: Initialize mmc_blk_ioc_data", " - mmc: core: Avoid negative index with array access", " - ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs", " - scsi: core: Fix unremoved procfs host directory regression", " - usb: dwc2: host: Fix remote wakeup from hibernation", " - usb: dwc2: host: Fix hibernation flow", " - usb: dwc2: host: Fix ISOC flow in DDMA mode", " - usb: dwc2: gadget: LPM flow fix", " - usb: udc: remove warning when queue disabled ep", " - scsi: qla2xxx: Fix command flush on cable pull", " - x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled", " - scsi: lpfc: Correct size for wqe for memset()", " - USB: core: Fix deadlock in usb_deauthorize_interface()", " - nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet", " - ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa()", " - tcp: properly terminate timers for kernel sockets", " - dm integrity: fix out-of-range warning", " - r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d", " - Bluetooth: hci_event: set the conn encrypted before conn establishes", " - Bluetooth: Fix TOCTOU in HCI debugfs implementation", " - netfilter: nf_tables: disallow timeout for anonymous sets", " - net/rds: fix possible cp null dereference", " - vfio/pci: Disable auto-enable of exclusive INTx IRQ", " - vfio/pci: Lock external INTx masking ops", " - vfio: Introduce interface to flush virqfd inject workqueue", " - vfio/pci: Create persistent INTx handler", " - vfio/platform: Create persistent IRQ handlers", " - Revert \"x86/mm/ident_map: Use gbpages only where full GB page should be", " mapped.\"", " - mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL", " allocations", " - netfilter: nf_tables: flush pending destroy work before exit_net release", " - netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()", " - bpf, sockmap: Prevent lock inversion deadlock in map delete elem", " - net/sched: act_skbmod: prevent kernel-infoleak", " - net: stmmac: fix rx queue priority assignment", " - selftests: reuseaddr_conflict: add missing new line at the end of the output", " - ipv6: Fix infinite recursion in fib6_dump_done().", " - i40e: fix vf may be used uninitialized in this function warning", " - staging: mmal-vchiq: Allocate and free components as required", " - staging: mmal-vchiq: Fix client_component for 64 bit kernel", " - staging: vc04_services: changen strncpy() to strscpy_pad()", " - staging: vc04_services: fix information leak in create_component()", " - fs: add a vfs_fchown helper", " - fs: add a vfs_fchmod helper", " - initramfs: switch initramfs unpacking to struct file based APIs", " - init: open /initrd.image with O_LARGEFILE", " - erspan: Add type I version 0 support.", " - erspan: make sure erspan_base_hdr is present in skb->head", " - net: ravb: Always process TX descriptor ring", " - ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw", " - ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit", " - scsi: mylex: Fix sysfs buffer lengths", " - ata: sata_mv: Fix PCI device ID table declaration compilation warning", " - ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with", " microphone", " - x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()", " - s390/entry: align system call table on 8 bytes", " - wifi: ath9k: fix LNA selection in ath_ant_try_scan()", " - VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()", " - panic: Flush kernel log buffer at the end", " - arm64: dts: rockchip: fix rk3328 hdmi ports node", " - arm64: dts: rockchip: fix rk3399 hdmi ports node", " - ionic: set adminq irq affinity", " - tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()", " - btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()", " - btrfs: export: handle invalid inode or root reference in btrfs_get_parent()", " - btrfs: send: handle path ref underflow in header iterate_inode_ref()", " - Bluetooth: btintel: Fix null ptr deref in btintel_read_version", " - Input: synaptics-rmi4 - fail probing if memory allocation for \"phys\" fails", " - sysv: don't call sb_bread() with pointers_lock held", " - scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()", " - isofs: handle CDs with bad root inode but good Joliet root directory", " - media: sta2x11: fix irq handler cast", " - drm/amd/display: Fix nanosec stat overflow", " - SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned", " int", " - Revert \"ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default\"", " - block: prevent division by zero in blk_rq_stat_sum()", " - Input: allocate keycode for Display refresh rate toggle", " - ktest: force $buildonly = 1 for 'make_warnings_file' test type", " - tools: iio: replace seekdir() in iio_generic_buffer", " - usb: typec: tcpci: add generic tcpci fallback compatible", " - usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined", " - fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2", " - fbmon: prevent division by zero in fb_videomode_from_videomode()", " - netfilter: nf_tables: reject new basechain after table flag update", " - netfilter: nf_tables: discard table flag update with pending basechain", " deletion", " - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc", " - drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put()", " - virtio: reenable config if freezing device failed", " - x86/mm/pat: fix VM_PAT handling in COW mappings", " - drm/i915/gt: Reset queue_priority_hint on parking", " - x86/alternative: Don't call text_poke() in lazy TLB mode", " - Bluetooth: btintel: Fixe build regression", " - VMCI: Fix possible memcpy() run-time warning in", " vmci_datagram_invoke_guest_handler()", " - erspan: Check IFLA_GRE_ERSPAN_VER is set.", " - ip_gre: do not report erspan version on GRE interface", " - firmware: meson_sm: fix to avoid potential NULL pointer dereference", " - Linux 5.4.274", "", " * CVE-2024-26586", " - mlxsw: spectrum_acl_tcam: Fix stack corruption", "", " * CVE-2024-26923", " - af_unix: Do not use atomic ops for unix_sk(sk)->inflight.", " - af_unix: Fix garbage collector racing against connect()", "", " * Focal update: v5.4.273 upstream stable release (LP: #2064561)", " - io_uring/unix: drop usage of io_uring socket", " - io_uring: drop any code related to SCM_RIGHTS", " - selftests: tls: use exact comparison in recv_partial", " - ASoC: rt5645: Make LattePanda board DMI match more precise", " - x86/xen: Add some null pointer checking to smp.c", " - MIPS: Clear Cause.BD in instruction_pointer_set", " - HID: multitouch: Add required quirk for Synaptics 0xcddc device", " - RDMA/mlx5: Relax DEVX access upon modify commands", " - net/iucv: fix the allocation size of iucv_path_table array", " - parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check", " - block: sed-opal: handle empty atoms when parsing response", " - dm-verity, dm-crypt: align \"struct bvec_iter\" correctly", " - btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve", " - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready", " - Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security", " - firewire: core: use long bus reset on gap count error", " - ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet", " - Input: gpio_keys_polled - suppress deferred probe error for gpio", " - ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC", " - ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode", " - ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll", " - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak", " - fs/select: rework stack allocation hack for clang", " - timekeeping: Fix cross-timestamp interpolation on counter wrap", " - timekeeping: Fix cross-timestamp interpolation corner case decision", " - timekeeping: Fix cross-timestamp interpolation for non-x86", " - wifi: ath10k: fix NULL pointer dereference in", " ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()", " - b43: dma: Fix use true/false for bool type variable", " - wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled", " - wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled", " - b43: main: Fix use true/false for bool type", " - wifi: b43: Stop correct queue in DMA worker when QoS is disabled", " - wifi: b43: Disable QoS for bcm4331", " - wifi: wilc1000: fix declarations ordering", " - wifi: wilc1000: fix RCU usage in connect path", " - wifi: mwifiex: debugfs: Drop unnecessary error check for", " debugfs_create_dir()", " - sock_diag: annotate data-races around sock_diag_handlers[family]", " - af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().", " - net: blackhole_dev: fix build warning for ethh set but not used", " - wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()", " - arm64: dts: mediatek: mt7622: add missing \"device_type\" to memory nodes", " - bpf: Add typecast to bpf helpers to help BTF generation", " - bpf: Factor out bpf_spin_lock into helpers.", " - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly", " - arm64: dts: qcom: db820c: Move non-soc entries out of /soc", " - arm64: dts: qcom: msm8996: Use node references in db820c", " - arm64: dts: qcom: msm8996: Move regulator consumers to db820c", " - arm64: dts: qcom: msm8996: Pad addresses", " - ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()", " - bus: tegra-aconnect: Update dependency to ARCH_TEGRA", " - [Config]: Update tegra configs", " - iommu/amd: Mark interrupt as managed", " - wifi: brcmsmac: avoid function pointer casts", " - net: ena: Remove ena_select_queue", " - ARM: dts: arm: realview: Fix development chip ROM compatible value", " - ARM: dts: imx6dl-yapp4: Move phy reset into switch node", " - ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address", " - ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node", " - ACPI: scan: Fix device check notification handling", " - x86, relocs: Ignore relocations in .notes section", " - SUNRPC: fix some memleaks in gssx_dec_option_array", " - mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove", " function", " - igb: move PEROUT and EXTTS isr logic to separate functions", " - igb: Fix missing time sync events", " - Bluetooth: Remove superfluous call to hci_conn_check_pending()", " - sr9800: Add check for usbnet_get_endpoints", " - bpf: Fix hashtab overflow check on 32-bit arches", " - bpf: Fix stackmap overflow check on 32-bit arches", " - ipv6: fib6_rules: flush route cache when rule is changed", " - net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()", " - net: hns3: fix port duplex configure error in IMP reset", " - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function", " - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt()", " function", " - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function", " - net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function", " - net/x25: fix incorrect parameter validation in the x25_getsockopt() function", " - nfp: flower: handle acti_netdevs allocation failure", " - dm raid: fix false positive for requeue needed during reshape", " - dm: call the resume method on internal suspend", " - drm/tegra: dsi: Add missing check for of_find_device_by_node", " - gpu: host1x: mipi: Update tegra_mipi_request() to be node based", " - drm/tegra: dsi: Make use of the helper function dev_err_probe()", " - drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()", " - drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path", " of tegra_dsi_probe()", " - drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths", " of tegra_output_probe()", " - drm/rockchip: inno_hdmi: Fix video timing", " - drm: Don't treat 0 as -1 in drm_fixp2int_ceil", " - drm/rockchip: lvds: do not overwrite error code", " - dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA", " - media: tc358743: register v4l2 async device only after successful setup", " - PCI/DPC: Print all TLP Prefixes, not just the first", " - perf record: Fix possible incorrect free in record__switch_output()", " - drm/amd/display: Fix potential NULL pointer dereferences in", " 'dcn10_set_output_transfer_func()'", " - perf evsel: Fix duplicate initialization of data->id in", " evsel__parse_sample()", " - media: em28xx: annotate unchecked call to media_device_register()", " - media: v4l2-tpg: fix some memleaks in tpg_alloc", " - media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity", " - media: edia: dvbdev: fix a use-after-free", " - clk: qcom: reset: Allow specifying custom reset delay", " - clk: qcom: reset: support resetting multiple bits", " - clk: qcom: reset: Commonize the de/assert functions", " - clk: qcom: reset: Ensure write completion on reset de/assertion", " - quota: simplify drop_dquot_ref()", " - quota: Fix potential NULL pointer dereference", " - quota: Fix rcu annotations of inode dquot pointers", " - PCI: switchtec: Fix an error handling path in switchtec_pci_probe()", " - perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()", " - drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()", " - ALSA: seq: fix function cast warnings", " - perf stat: Avoid metric-only segv", " - media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak", " - media: go7007: add check of return value of go7007_read_addr()", " - media: pvrusb2: remove redundant NULL check", " - media: pvrusb2: fix pvr2_stream_callback casts", " - clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times", " - drm/mediatek: dsi: Fix DSI RGB666 formats and definitions", " - PCI: Mark 3ware-9650SE Root Port Extended Tags as broken", " - clk: hisilicon: hi3519: Release the correct number of gates in", " hi3519_clk_unregister()", " - drm/tegra: put drm_gem_object ref on error in tegra_fb_create", " - mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref", " - mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a", " ref", " - crypto: arm/sha - fix function cast warnings", " - mtd: maps: physmap-core: fix flash size larger than 32-bit", " - mtd: rawnand: lpc32xx_mlc: fix irq handler prototype", " - ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs", " - drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()", " - media: pvrusb2: fix uaf in pvr2_context_set_notify", " - media: dvb-frontends: avoid stack overflow warnings with clang", " - media: go7007: fix a memleak in go7007_load_encoder", " - media: v4l2-core: correctly validate video and metadata ioctls", " - media: rename VFL_TYPE_GRABBER to _VIDEO", " - media: media/pci: rename VFL_TYPE_GRABBER to _VIDEO", " - media: ttpci: fix two memleaks in budget_av_attach", " - drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip", " - powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks", " - drm/msm/dpu: add division of drm_display_mode's hskew parameter", " - powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.", " - backlight: lm3630a: Initialize backlight_properties on init", " - backlight: lm3630a: Don't set bl->props.brightness in get_brightness", " - backlight: da9052: Fully initialize backlight_properties during probe", " - backlight: lm3639: Fully initialize backlight_properties during probe", " - backlight: lp8788: Fully initialize backlight_properties during probe", " - sparc32: Fix section mismatch in leon_pci_grpci", " - clk: Fix clk_core_get NULL dereference", " - ALSA: usb-audio: Stop parsing channels bits when all channels are found.", " - scsi: csiostor: Avoid function pointer casts", " - RDMA/device: Fix a race between mad_client and cm_client init", " - scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn", " - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()", " - watchdog: stm32_iwdg: initialize default timeout", " - NFS: Fix an off by one in root_nfs_cat()", " - afs: Revert \"afs: Hide silly-rename files from userspace\"", " - tty: vt: fix 20 vs 0x20 typo in EScsiignore", " - serial: max310x: fix syntax error in IRQ error message", " - tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT", " - kconfig: fix infinite loop when expanding a macro at the end of file", " - rtc: mt6397: select IRQ_DOMAIN instead of depending on it", " - serial: 8250_exar: Don't remove GPIO device on suspend", " - staging: greybus: fix get_channel_from_mode() failure path", " - usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin", " - octeontx2-af: Use matching wake_up API variant in CGX command interface", " - s390/vtime: fix average steal time calculation", " - hsr: Fix uninit-value access in hsr_get_node()", " - packet: annotate data-races around ignore_outgoing", " - rds: introduce acquire/release ordering in acquire/release_in_xmit()", " - hsr: Handle failures in module init", " - net/bnx2x: Prevent access to a freed page in page_pool", " - octeontx2-af: Use separate handlers for interrupts", " - ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add regulator nodes vcc-dram and", " vcc1v2", " - netfilter: nf_tables: do not compare internal table flags on updates", " - rcu: add a helper to report consolidated flavor QS", " - bpf: report RCU QS in cpumap kthread", " - spi: spi-mt65xx: Fix NULL pointer access in interrupt handler", " - regmap: Add missing map->bus check", " - Linux 5.4.273", "", " * Focal update: v5.4.272 upstream stable release (LP: #2064555)", " - lan78xx: Fix white space and style issues", " - lan78xx: Add missing return code checks", " - lan78xx: Fix partial packet errors on suspend/resume", " - lan78xx: Fix race conditions in suspend/resume handling", " - net: lan78xx: fix runtime PM count underflow on link stop", " - ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able", " - geneve: make sure to pull inner header in geneve_rx()", " - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", " - net/ipv6: avoid possible UAF in ip6_route_mpath_notify()", " - net/rds: fix WARNING in rds_conn_connect_if_down", " - netfilter: nft_ct: fix l3num expectations with inet pseudo family", " - netfilter: nf_conntrack_h323: Add protection for bmp length out of range", " - netrom: Fix a data-race around sysctl_netrom_default_path_quality", " - netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser", " - netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser", " - netrom: Fix a data-race around sysctl_netrom_transport_timeout", " - netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries", " - netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_busy_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size", " - netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout", " - netrom: Fix a data-race around sysctl_netrom_routing_control", " - netrom: Fix a data-race around sysctl_netrom_link_fails_count", " - netrom: Fix data-races around sysctl_net_busy_read", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - um: allow not setting extra rpaths in the linux binary", " - serial: max310x: Use devm_clk_get_optional() to get the input clock", " - serial: max310x: Try to get crystal clock rate from property", " - serial: max310x: fail probe if clock crystal is unstable", " - serial: max310x: Make use of device properties", " - serial: max310x: use regmap methods for SPI batch operations", " - serial: max310x: use a separate regmap for each port", " - serial: max310x: prevent infinite while() loop in port startup", " - Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU", " - hv_netvsc: Make netvsc/VF binding check both MAC and serial number", " - hv_netvsc: use netif_is_bond_master() instead of open code", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - y2038: rusage: use __kernel_old_timeval", " - getrusage: add the \"signal_struct *sig\" local variable", " - getrusage: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - getrusage: use __for_each_thread()", " - getrusage: use sig->stats_lock rather than lock_task_sighand()", " - serial: max310x: Unprepare and disable clock in error path", " - regmap: allow to define reg_update_bits for no bus configuration", " - regmap: Add bulk read/write callbacks into regmap_config", " - serial: max310x: make accessing revision id interface-agnostic", " - serial: max310x: implement I2C support", " - serial: max310x: fix IO data corruption in batched operations", " - arm64: dts: qcom: add PDC interrupt controller for SDM845", " - arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts", " - Linux 5.4.272", "", " * CVE-2024-23307", " - md/raid5: fix atomicity violation in raid5_cache_count", "", " * CVE-2024-26889", " - Bluetooth: hci_core: Fix possible buffer overflow", "", " * CVE-2024-26828", " - cifs: fix underflow in parse_server_interfaces()", "", " * CVE-2024-24861", " - media: xc4000: Fix atomicity violation in xc4000_get_frequency", "", " * CVE-2023-6270", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", "", " * CVE-2024-26642", " - netfilter: nf_tables: disallow anonymous set with timeout flag", "", " * CVE-2024-26926", " - binder: check offset alignment in binder_get_object()", "", " * CVE-2024-26922", " - drm/amdgpu: validate the parameters of bo mapping operations more clearly", "", " * CVE-2024-26925", " - netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", "", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " * CVE-2024-2201", " - x86/cpufeatures: Add new word for scattered features", " - x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word", " - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file", " - x86/bhi: Add support for clearing branch history at syscall entry", " - x86/bhi: Define SPEC_CTRL_BHI_DIS_S", " - x86/bhi: Enumerate Branch History Injection (BHI) bug", " - x86/bhi: Add BHI mitigation knob", " - x86/bhi: Mitigate KVM by default", " - [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}", " - x86/bugs: Fix BHI documentation", " - x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES", " - x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'", " - x86/bugs: Fix BHI handling of RRSBA", " - x86/bugs: Clarify that syscall hardening isn't a BHI mitigation", " - x86/bugs: Fix BHI retpoline check", "" ], "package": "linux", "version": "5.4.0-189.209", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2068454, 2067865, 2067857, 2064561, 2064555 ], "author": "Stefan Bader ", "date": "Fri, 07 Jun 2024 15:07:46 +0200" } ], "notes": "linux-modules-5.4.0-189-generic version '5.4.0-189.209' (source package linux version '5.4.0-189.209') was added. linux-modules-5.4.0-189-generic version '5.4.0-189.209' has the same source package name, linux, as removed package linux-headers-5.4.0-187. As such we can use the source package version of the removed package, '5.4.0-187.207', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.4.0-187", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": "5.4.0-187.207" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.4.0-187-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": "5.4.0-187.207" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.4.0-187-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-187.207", "version": "5.4.0-187.207" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.4.0-187-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": "5.4.0-187.207" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 20.04 focal image from daily image serial 20240709 to 20240710", "from_series": "focal", "to_series": "focal", "from_serial": "20240709", "to_serial": "20240710", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }