{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.4.0-192", "linux-headers-5.4.0-192-generic", "linux-image-5.4.0-192-generic", "linux-modules-5.4.0-192-generic" ], "removed": [ "linux-headers-5.4.0-190", "linux-headers-5.4.0-190-generic", "linux-image-5.4.0-190-generic", "linux-modules-5.4.0-190-generic" ], "diff": [ "krb5-locales", "libgssapi-krb5-2:s390x", "libk5crypto3:s390x", "libkrb5-3:s390x", "libkrb5support0:s390x", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual" ] } }, "diff": { "deb": [ { "name": "krb5-locales", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.4", "version": "1.17-6ubuntu4.4" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": 
"medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.17-6ubuntu4.6", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:47:15 +1000" } ], "notes": null }, { "name": "libgssapi-krb5-2:s390x", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.4", "version": "1.17-6ubuntu4.4" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": 
"https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.17-6ubuntu4.6", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:47:15 +1000" } ], "notes": null }, { "name": "libk5crypto3:s390x", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.4", "version": "1.17-6ubuntu4.4" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS 
message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.17-6ubuntu4.6", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:47:15 +1000" } ], "notes": null }, { "name": "libkrb5-3:s390x", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.4", "version": "1.17-6ubuntu4.4" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", 
"cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.17-6ubuntu4.6", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:47:15 +1000" } ], "notes": null }, { "name": "libkrb5support0:s390x", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.4", "version": "1.17-6ubuntu4.4" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", 
"cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37370", "url": "https://ubuntu.com/security/CVE-2024-37370", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "cve_priority": "medium", "cve_public_date": "2024-06-28 22:15:00 UTC" }, { "cve": "CVE-2024-37371", "url": "https://ubuntu.com/security/CVE-2024-37371", "cve_description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "cve_priority": "medium", "cve_public_date": "2024-06-28 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Invalid token requests", " - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS", " message token handling", " - CVE-2024-37370", " - CVE-2024-37371", "" ], "package": "krb5", "version": "1.17-6ubuntu4.6", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 15 Jul 2024 13:47:15 +1000" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": 
"5.4.0.190.188", "version": "5.4.0.190.188" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.192.190", "version": "5.4.0.192.190" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-192", "" ], "package": "linux-meta", "version": "5.4.0.192.190", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:34:19 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.190.188", "version": "5.4.0.190.188" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.192.190", "version": "5.4.0.192.190" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-192", "" ], "package": "linux-meta", "version": "5.4.0.192.190", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:34:19 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.190.188", "version": "5.4.0.190.188" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.192.190", "version": "5.4.0.192.190" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-192", "" ], "package": "linux-meta", "version": "5.4.0.192.190", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:34:19 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.190.188", "version": "5.4.0.190.188" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.192.190", 
"version": "5.4.0.192.190" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-192", "" ], "package": "linux-meta", "version": "5.4.0.192.190", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:34:19 +0200" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.4.0-192", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-190.210", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-192.212", "version": "5.4.0-192.212" }, "cves": [ { "cve": "CVE-2024-27019", "url": "https://ubuntu.com/security/CVE-2024-27019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? 
__pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? 
srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2022-48674", "url": "https://ubuntu.com/security/CVE-2022-48674", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: erofs: fix pcluster use-after-free on UP platforms During stress testing with CONFIG_SMP disabled, KASAN reports as below: ================================================================== BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30 Read of size 8 at addr ffff8881094223f8 by task stress/7789 CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. Freed by task 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x389 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 shrink_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 The root cause is that erofs_workgroup_unfreeze() doesn't reset to orig_val thus it causes a race that the pcluster reuses unexpectedly before freeing. Since UP platforms are quite rare now, such path becomes unnecessary. 
Let's drop such specific-designed path directly instead.", "cve_priority": "medium", "cve_public_date": "2024-05-03 15:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" }, { "cve": "CVE-2022-48655", "url": "https://ubuntu.com/security/CVE-2022-48655", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Harden accesses to the reset domains Accessing reset domains descriptors by the index upon the SCMI drivers requests through the SCMI reset operations interface can potentially lead to out-of-bound violations if the SCMI driver misbehave. 
Add an internal consistency check before any such domains descriptors accesses.", "cve_priority": "medium", "cve_public_date": "2024-04-28 13:15:00 UTC" }, { "cve": "CVE-2024-26907", "url": "https://ubuntu.com/security/CVE-2024-26907", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix fortify source warning while accessing Eth segment ------------[ cut here ]------------ memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy [last unloaded: mlx_compat(OE)] CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 
10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_regs+0x72/0x90 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? __warn+0x8d/0x160 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? report_bug+0x1bb/0x1d0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x19/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] ipoib_send+0x2ec/0x770 [ib_ipoib] ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] dev_hard_start_xmit+0x8e/0x1e0 ? validate_xmit_skb_list+0x4d/0x80 sch_direct_xmit+0x116/0x3a0 __dev_xmit_skb+0x1fd/0x580 __dev_queue_xmit+0x284/0x6b0 ? _raw_spin_unlock_irq+0xe/0x50 ? __flush_work.isra.0+0x20d/0x370 ? push_pseudo_header+0x17/0x40 [ib_ipoib] neigh_connected_output+0xcd/0x110 ip_finish_output2+0x179/0x480 ? __smp_call_single_queue+0x61/0xa0 __ip_finish_output+0xc3/0x190 ip_finish_output+0x2e/0xf0 ip_output+0x78/0x110 ? 
__pfx_ip_finish_output+0x10/0x10 ip_local_out+0x64/0x70 __ip_queue_xmit+0x18a/0x460 ip_queue_xmit+0x15/0x30 __tcp_transmit_skb+0x914/0x9c0 tcp_write_xmit+0x334/0x8d0 tcp_push_one+0x3c/0x60 tcp_sendmsg_locked+0x2e1/0xac0 tcp_sendmsg+0x2d/0x50 inet_sendmsg+0x43/0x90 sock_sendmsg+0x68/0x80 sock_write_iter+0x93/0x100 vfs_write+0x326/0x3c0 ksys_write+0xbd/0xf0 ? do_syscall_64+0x69/0x90 __x64_sys_write+0x19/0x30 do_syscall_ ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. 
Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2072305, 2071668, 2070179, 2069758, 2061091 ], "changes": [ { "cves": [ { "cve": "CVE-2024-27019", "url": "https://ubuntu.com/security/CVE-2024-27019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. 
Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... 
[ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2022-48674", "url": "https://ubuntu.com/security/CVE-2022-48674", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: erofs: fix pcluster use-after-free on UP platforms During stress testing with CONFIG_SMP disabled, KASAN reports as below: ================================================================== BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30 Read of size 8 at addr ffff8881094223f8 by task stress/7789 CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. 
Freed by task 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x389 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 shrink_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 The root cause is that erofs_workgroup_unfreeze() doesn't reset to orig_val thus it causes a race that the pcluster reuses unexpectedly before freeing. Since UP platforms are quite rare now, such path becomes unnecessary. Let's drop such specific-designed path directly instead.", "cve_priority": "medium", "cve_public_date": "2024-05-03 15:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. 
All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" }, { "cve": "CVE-2022-48655", "url": "https://ubuntu.com/security/CVE-2022-48655", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Harden accesses to the reset domains Accessing reset domains descriptors by the index upon the SCMI drivers requests through the SCMI reset operations interface can potentially lead to out-of-bound violations if the SCMI driver misbehave. Add an internal consistency check before any such domains descriptors accesses.", "cve_priority": "medium", "cve_public_date": "2024-04-28 13:15:00 UTC" }, { "cve": "CVE-2024-26907", "url": "https://ubuntu.com/security/CVE-2024-26907", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix fortify source warning while accessing Eth segment ------------[ cut here ]------------ memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc 
crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy [last unloaded: mlx_compat(OE)] CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_regs+0x72/0x90 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? __warn+0x8d/0x160 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? report_bug+0x1bb/0x1d0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x19/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] ipoib_send+0x2ec/0x770 [ib_ipoib] ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] dev_hard_start_xmit+0x8e/0x1e0 ? 
validate_xmit_skb_list+0x4d/0x80 sch_direct_xmit+0x116/0x3a0 __dev_xmit_skb+0x1fd/0x580 __dev_queue_xmit+0x284/0x6b0 ? _raw_spin_unlock_irq+0xe/0x50 ? __flush_work.isra.0+0x20d/0x370 ? push_pseudo_header+0x17/0x40 [ib_ipoib] neigh_connected_output+0xcd/0x110 ip_finish_output2+0x179/0x480 ? __smp_call_single_queue+0x61/0xa0 __ip_finish_output+0xc3/0x190 ip_finish_output+0x2e/0xf0 ip_output+0x78/0x110 ? __pfx_ip_finish_output+0x10/0x10 ip_local_out+0x64/0x70 __ip_queue_xmit+0x18a/0x460 ip_queue_xmit+0x15/0x30 __tcp_transmit_skb+0x914/0x9c0 tcp_write_xmit+0x334/0x8d0 tcp_push_one+0x3c/0x60 tcp_sendmsg_locked+0x2e1/0xac0 tcp_sendmsg+0x2d/0x50 inet_sendmsg+0x43/0x90 sock_sendmsg+0x68/0x80 sock_write_iter+0x93/0x100 vfs_write+0x326/0x3c0 ksys_write+0xbd/0xf0 ? do_syscall_64+0x69/0x90 __x64_sys_write+0x19/0x30 do_syscall_ ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. 
For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. 
Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-192.212 -proposed tracker (LP: #2072305)", "", " * Focal update: v5.4.278 upstream stable release (LP: #2071668)", " - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs", " - speakup: Fix sizeof() vs ARRAY_SIZE() bug", " - ring-buffer: Fix a race between readers and resize checks", " - net: smc91x: Fix m68k kernel compilation for ColdFire CPU", " - nilfs2: fix unexpected freezing of nilfs_segctor_sync()", " - nilfs2: fix potential hang in nilfs_detach_log_writer()", " - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt", " class", " - net: usb: qmi_wwan: add Telit FN920C04 compositions", " - drm/amd/display: Set color_mgmt_changed to true on unsuspend", " - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating", " - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property", " - ASoC: da7219-aad: fix usage of device_get_named_child_node()", " - drm/amdkfd: Flush the process wq before creating a kfd_process", " - nvme: find numa distance only if controller has valid numa id", " - openpromfs: finish conversion to the new mount API", " - crypto: bcm - Fix pointer arithmetic", " - firmware: raspberrypi: Use correct device for DMA mappings", " - ecryptfs: Fix buffer size for tag 66 packet", " - nilfs2: fix out-of-range warning", " - parisc: add missing export of __cmpxchg_u8()", " - crypto: ccp - drop platform ifdef checks", " - s390/cio: fix tracepoint subchannel type field", " - jffs2: prevent xattr node from overflowing the eraseblock", " - null_blk: Fix missing mutex_destroy() at module removal", " - md: fix resync softlockup when bitmap size is less than array size", " - wifi: ath10k: poll service ready message before failing", " - x86/boot: Ignore relocations in .notes sections in walk_relocs() 
too", " - qed: avoid truncating work queue length", " - scsi: ufs: qcom: Perform read back after writing reset bit", " - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV", " - scsi: ufs: core: Perform read back after disabling interrupts", " - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL", " - irqchip/alpine-msi: Fix off-by-one in allocation error path", " - ACPI: disable -Wstringop-truncation", " - cpufreq: Reorganize checks in cpufreq_offline()", " - cpufreq: Split cpufreq_offline()", " - cpufreq: Rearrange locking in cpufreq_remove_dev()", " - cpufreq: exit() callback is optional", " - scsi: libsas: Fix the failure of adding phy with zero-address to port", " - scsi: hpsa: Fix allocation size for Scsi_Host private data", " - x86/purgatory: Switch to the position-independent small code model", " - wifi: ath10k: Fix an error code problem in", " ath10k_dbg_sta_write_peer_debug_trigger()", " - wifi: ath10k: populate board data for WCN3990", " - tcp: minor optimization in tcp_add_backlog()", " - tcp: fix a signed-integer-overflow bug in tcp_add_backlog()", " - tcp: avoid premature drops in tcp_add_backlog()", " - macintosh/via-macii: Fix \"BUG: sleeping function called from invalid", " context\"", " - wifi: carl9170: add a proper sanity check for endpoints", " - wifi: ar5523: enable proper endpoint verification", " - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()", " - Revert \"sh: Handle calling csum_partial with misaligned data\"", " - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors", " - scsi: bfa: Ensure the copied buf is NUL terminated", " - scsi: qedf: Ensure the copied buf is NUL terminated", " - wifi: mwl8k: initialize cmd->addr[] properly", " - usb: aqc111: stop lying about skb->truesize", " - net: usb: sr9700: stop lying about skb->truesize", " - m68k: Fix spinlock race in kernel thread creation", " - m68k: mac: Fix reboot hang on Mac IIci", " - net: ethernet: cortina: Locking fixes", " - 
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg", " - net: usb: smsc95xx: stop lying about skb->truesize", " - net: openvswitch: fix overwriting ct original tuple for ICMPv6", " - ipv6: sr: add missing seg6_local_exit", " - ipv6: sr: fix incorrect unregister order", " - ipv6: sr: fix invalid unregister error path", " - drm/amd/display: Fix potential index out of bounds in color transformation", " function", " - mtd: rawnand: hynix: fixed typo", " - fbdev: shmobile: fix snprintf truncation", " - drm/mediatek: Add 0 size check to mtk_drm_gem_obj", " - powerpc/fsl-soc: hide unused const variable", " - fbdev: sisfb: hide unused variables", " - media: ngene: Add dvb_ca_en50221_init return value check", " - media: radio-shark2: Avoid led_names truncations", " - platform/x86: wmi: Make two functions static", " - fbdev: sh7760fb: allow modular build", " - drm/arm/malidp: fix a possible null pointer dereference", " - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value", " - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector", " - RDMA/hns: Use complete parentheses in macros", " - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map", " - ext4: avoid excessive credit estimate in ext4_tmpfile()", " - sunrpc: removed redundant procp check", " - SUNRPC: Fix gss_free_in_token_pages()", " - selftests/kcmp: Make the test output consistent and clear", " - selftests/kcmp: remove unused open mode", " - RDMA/IPoIB: Fix format truncation compilation errors", " - netrom: fix possible dead-lock in nr_rt_ioctl()", " - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()", " - sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax", " - sched/fair: Allow disabling sched_balance_newidle with", " sched_relax_domain_level", " - greybus: lights: check return of get_channel_from_mode", " - soundwire: cadence/intel: simplify PDI/port mapping", " - soundwire: intel: don't filter out PDI0/1", " - soundwire: 
cadence_master: improve PDI allocation", " - soundwire: cadence: fix invalid PDI offset", " - dmaengine: idma64: Add check for dma_set_max_seg_size", " - firmware: dmi-id: add a release callback function", " - serial: max3100: Lock port->lock when calling uart_handle_cts_change()", " - serial: max3100: Update uart_driver_registered on driver removal", " - serial: max3100: Fix bitwise types", " - greybus: arche-ctrl: move device table to its right location", " - iio: pressure: dps310: support negative temperature values", " - microblaze: Remove gcc flag for non existing early_printk.c file", " - microblaze: Remove early printk call from cpuinfo-static.c", " - usb: gadget: u_audio: Clear uac pointer when freed.", " - stm class: Fix a double free in stm_register_device()", " - ppdev: Remove usage of the deprecated ida_simple_xx() API", " - ppdev: Add an error check in register_device", " - extcon: max8997: select IRQ_DOMAIN instead of depending on it", " - f2fs: fix to release node block count in error path of f2fs_new_node_page()", " - serial: sh-sci: protect invalidating RXDMA on shutdown", " - libsubcmd: Fix parse-options memory leak", " - Input: ims-pcu - fix printf string overflow", " - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation", " - drm/msm/dpu: Always flush the slave INTF on the CTL", " - um: Fix return value in ubd_init()", " - um: Add winch to winch_handlers before registering winch IRQ", " - media: stk1160: fix bounds checking in stk1160_copy_video()", " - scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()", " - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp", " - um: Fix the -Wmissing-prototypes warning for __switch_mm", " - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh", " - media: cec: cec-api: add locking in cec_release()", " - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()", " - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when", " 
UNWINDER_FRAME_POINTER=y", " - [Config] Update CONFIG_ARCH_WANT_FRAME_POINTERS", " - nfc: nci: Fix uninit-value in nci_rx_work", " - sunrpc: fix NFSACL RPC retry on soft mount", " - ipv6: sr: fix memleak in seg6_hmac_init_algo", " - params: lift param_set_uint_minmax to common code", " - tcp: Fix shift-out-of-bounds in dctcp_update_alpha().", " - openvswitch: Set the skbuff pkt_type for proper pmtud support.", " - arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY", " - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails", " - net: fec: avoid lock evasion when reading pps_enable", " - nfc: nci: Fix kcov check in nci_rx_work()", " - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()", " - netfilter: nfnetlink_queue: acquire rcu_read_lock() in", " instance_destroy_rcu()", " - spi: Don't mark message DMA mapped when no transfer in it is", " - nvmet: fix ns enable/disable possible hang", " - net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer", " exhaustion", " - dma-buf/sw-sync: don't enable IRQ from sync_print_obj()", " - enic: Validate length of nl attributes in enic_set_vf_port", " - smsc95xx: remove redundant function arguments", " - smsc95xx: use usbnet->driver_priv", " - net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM", " - net:fec: Add fec_enet_deinit()", " - netfilter: tproxy: bail out if IP has been disabled on the device", " - kconfig: fix comparison to constant symbols, 'm', 'n'", " - spi: stm32: Don't warn about spurious interrupts", " - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound", " - ALSA: timer: Set lower bound of start tick time", " - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline", " - SUNRPC: Fix loop termination condition in gss_free_in_token_pages()", " - binder: fix max_thread type inconsistency", " - mmc: core: Do not force a retune before RPMB switch", " - io_uring: fail NOP if non-zero op flags is passed in", " - afs: Don't 
cross .backup mountpoint from backup volume", " - nilfs2: fix use-after-free of timer for log writer thread", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - x86/mm: Remove broken vsyscall emulation code from the page fault code", " - f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()", " - media: lgdt3306a: Add a check against null-pointer-def", " - drm/amdgpu: add error handle to avoid out-of-bounds", " - ata: pata_legacy: make legacy_exit() work again", " - ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx", " - arm64: tegra: Correct Tegra132 I2C alias", " - md/raid5: fix deadlock that raid5d() wait for itself to clear", " MD_SB_CHANGE_PENDING", " - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU", " - arm64: dts: hi3798cv200: fix the size of GICR", " - media: mc: mark the media devnode as registered from the, start", " - media: mxl5xx: Move xpt structures off stack", " - media: v4l2-core: hold videodev_lock until dev reg, finishes", " - fbdev: savage: Handle err return when savagefb_check_var failed", " - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode", " - crypto: ecrdsa - Fix module auto-load on add_key", " - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak", " - net/ipv6: Fix route deleting failure when metric equals 0", " - net/9p: fix uninit-value in p9_client_rpc()", " - intel_th: pci: Add Meteor Lake-S CPU support", " - sparc64: Fix number of online CPUs", " - kdb: Fix buffer overflow during tab-complete", " - kdb: Use format-strings rather than '\\0' injection in kdb_read()", " - kdb: Fix console handling when editing and tab-completing commands", " - kdb: Merge identical case statements in kdb_read()", " - kdb: Use format-specifiers rather than memset() for padding in kdb_read()", " - net: fix __dst_negative_advice() race", " - xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING", " - sparc: move struct termio to asm/termios.h", " - ext4: fix 
mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()", " - s390/ap: Fix crash in AP internal function modify_bitmap()", " - nfs: fix undefined behavior in nfs_block_bits()", " - Linux 5.4.278", "", " * CVE-2024-27019", " - netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV", " - netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()", "", " * CVE-2024-26886", " - Bluetooth: af_bluetooth: Fix deadlock", "", " * CVE-2023-52752", " - smb: client: fix use-after-free bug in cifs_debug_data_proc_show()", "", " * CVE-2022-48674", " - erofs: fix pcluster use-after-free on UP platforms", "", " * Focal update: v5.4.277 upstream stable release (LP: #2070179)", " - pinctrl: core: handle radix_tree_insert() errors in", " pinctrl_register_one_pin()", " - ext4: fix bug_on in __es_tree_search", " - Revert \"selftests: mm: fix map_hugetlb failure on 64K page size systems\"", " - Revert \"net: bcmgenet: use RGMII loopback for MAC reset\"", " - net: bcmgenet: keep MAC in reset until PHY is up", " - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access", " - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()", " - net: bcmgenet: synchronize UMAC_CMD access", " - smb: client: fix potential OOBs in smb2_parse_contexts()", " - arm64: dts: qcom: Fix 'interrupt-map' parent address cells", " - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()", " - drm/amdgpu: Fix possible NULL dereference in", " amdgpu_ras_query_error_status_helper()", " - usb: typec: ucsi: displayport: Fix potential deadlock", " - serial: kgdboc: Fix NMI-safety problems from keyboard reset code", " - docs: kernel_include.py: Cope with docutils 0.21", " - Linux 5.4.277", "", " * Focal update: v5.4.276 upstream stable release (LP: #2069758)", " - dmaengine: pl330: issue_pending waits until WFP state", " - dmaengine: Revert \"dmaengine: pl330: issue_pending waits until WFP state\"", " - wifi: nl80211: don't free NULL coalescing rule", " - pinctrl: core: delete incorrect 
free in pinctrl_enable()", " - pinctrl: mediatek: Check gpio pin number and use binary search in", " mtk_hw_pin_field_lookup()", " - pinctrl: mediatek: Supporting driving setting without mapping current to", " register value", " - pinctrl: mediatek: Refine mtk_pinconf_get() and mtk_pinconf_set()", " - pinctrl: mediatek: Refine mtk_pinconf_get()", " - pinctrl: mediatek: Backward compatible to previous Mediatek's bias-pull", " usage", " - pinctrl: mediatek: remove shadow variable declaration", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback", " - pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic", " - pinctrl: mediatek: paris: Rework support for", " PIN_CONFIG_{INPUT,OUTPUT}_ENABLE", " - sunrpc: add a struct rpc_stats arg to rpc_create_args", " - nfs: expose /proc/net/sunrpc/nfs in net namespaces", " - nfs: make the rpc_stat per net namespace", " - nfs: Handle error of rpc_proc_register() in nfs_net_init().", " - power: rt9455: hide unused rt9455_boost_voltage_values", " - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()", " - s390/mm: Fix storage key clearing for guest huge pages", " - s390/mm: Fix clearing storage keys for huge pages", " - bna: ensure the copied buf is NUL terminated", " - nsh: Restore skb->{protocol,data,mac_header} for outer header in", " nsh_gso_segment().", " - net l2tp: drop flow hash on forward", " - net: qede: use return from qede_parse_flow_attr() for flow_spec", " - net: dsa: mv88e6xxx: Add number of MACs in the ATU", " - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341", " - net: bridge: fix multicast-to-unicast with fraglist GSO", " - tipc: fix a possible memleak in tipc_buf_append", " - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change", " - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic", " - gfs2: Fix invalid metadata access in punch_hole", " - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc", " - wifi: cfg80211: fix rdev_dump_mpp() arguments 
order", " - net: mark racy access on sk->sk_rcvbuf", " - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload", " - ALSA: line6: Zero-initialize message buffers", " - net: bcmgenet: Reset RBUF on first open", " - ata: sata_gemini: Check clk_enable() result", " - firewire: ohci: mask bus reset interrupts between ISR and bottom half", " - tools/power turbostat: Fix added raw MSR output", " - tools/power turbostat: Fix Bzy_MHz documentation typo", " - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve", " - btrfs: always clear PERTRANS metadata during commit", " - scsi: target: Fix SELinux error when systemd-modules loads the target module", " - gpu: host1x: Do not setup DMA for virtual devices", " - MIPS: scall: Save thread_info.syscall unconditionally on entry", " - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior", " - fs/9p: only translate RWX permissions for plain 9P2000", " - fs/9p: translate O_TRUNC into OTRUNC", " - 9p: explicitly deny setlease attempts", " - gpio: wcove: Use -ENOTSUPP consistently", " - gpio: crystalcove: Use -ENOTSUPP consistently", " - clk: Don't hold prepare_lock when calling kref_put()", " - fs/9p: drop inodes immediately on non-.L too", " - net:usb:qmi_wwan: support Rolling modules", " - pinctrl: mediatek: Fix fallback call path", " - xfrm: Preserve vlan tags for transport mode software GRO", " - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets", " - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", " - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout", " - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout", " - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation", " - phonet: fix rtm_phonet_notify() skb allocation", " - net: bridge: fix corrupted ethernet header on multicast-to-unicast", " - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()", " - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()", " - 
net: qede: use return from qede_parse_flow_attr() for flower", " - firewire: nosy: ensure user_length is taken into account when fetching", " packet contents", " - usb: gadget: composite: fix OS descriptors w_value logic", " - usb: gadget: f_fs: Fix a race condition when processing setup packets.", " - tipc: fix UAF in error path", " - dyndbg: fix old BUG_ON in >control parser", " - drm/vmwgfx: Fix invalid reads in fence signaled events", " - net: fix out-of-bounds access in ops_init", " - regulator: core: fix debugfs creation regression", " - pinctrl: mediatek: Fix fallback behavior for bias_set_combo", " - pinctrl: mediatek: Fix some off by one bugs", " - pinctrl: mediatek: remove set but not used variable 'e'", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback", " - Linux 5.4.276", "", " * Freezing user space processes failed after 20.008 seconds (1 tasks refusing", " to freeze, wq_busy=0) (LP: #2061091)", " - ALSA: Fix deadlocks with kctl removals at disconnection", "", " * CVE-2024-36016", " - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()", "", " * CVE-2022-48655", " - firmware: arm_scmi: Harden accesses to the reset domains", "", " * CVE-2024-26907", " - RDMA/mlx5: Fix fortify source warning while accessing Eth segment", "", " * CVE-2024-26585", " - tls: fix race between tx work scheduling and socket close", "", " * CVE-2024-26584", " - net: tls: handle backlogging of crypto requests", "", " * CVE-2024-26583", " - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU", " - net/tls: Fix use-after-free after the TLS device goes down and up", " - tls: splice_read: fix record type check", " - tls splice: remove inappropriate flags checking for MSG_PEEK", " - tls: splice_read: fix accessing pre-processed records", " - tls: Fix context leak on tls_device_down", " - net/tls: Check for errors in tls_device_init", " - net/tls: Remove the context from the list in tls_device_down", " - net/tls: pass context to tls_device_decrypted()", " - 
net/tls: Perform immediate device ctx cleanup when possible", " - net/tls: Multi-threaded calls to TX tls_dev_del", " - net: tls: avoid discarding data on record close", " - tls: rx: don't store the record type in socket context", " - tls: rx: don't store the decryption status in socket context", " - tls: rx: don't issue wake ups when data is decrypted", " - tls: rx: refactor decrypt_skb_update()", " - tls: hw: rx: use return value of tls_device_decrypted() to carry status", " - tls: rx: drop unnecessary arguments from tls_setup_from_iter()", " - tls: rx: don't report text length from the bowels of decrypt", " - tls: rx: wrap decryption arguments in a structure", " - tls: rx: factor out writing ContentType to cmsg", " - tls: rx: don't track the async count", " - tls: rx: assume crypto always calls our callback", " - tls: rx: use async as an in-out argument", " - tls: decrement decrypt_pending if no async completion will be called", " - net: tls: fix async vs NIC crypto offload", " - tls: rx: simplify async wait", " - tls: extract context alloc/initialization out of tls_set_sw_offload", " - net: tls: factor out tls_*crypt_async_wait()", " - tls: fix race between async notify and socket close", "" ], "package": "linux", "version": "5.4.0-192.212", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2072305, 2071668, 2070179, 2069758, 2061091 ], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:00:53 +0200" } ], "notes": "linux-headers-5.4.0-192 version '5.4.0-192.212' (source package linux version '5.4.0-192.212') was added. linux-headers-5.4.0-192 version '5.4.0-192.212' has the same source package name, linux, as removed package linux-headers-5.4.0-190. As such we can use the source package version of the removed package, '5.4.0-190.210', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. 
Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.4.0-192-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-190.210", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-192.212", "version": "5.4.0-192.212" }, "cves": [ { "cve": "CVE-2024-27019", "url": "https://ubuntu.com/security/CVE-2024-27019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can run concurrently with __nft_obj_type_get(), and there is no protection when iterating over the nf_tables_objects list in __nft_obj_type_get(). Therefore, there is a potential data-race on the nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over the nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attempting to do sock_lock on .recvmsg may cause a deadlock as shown below, so instead of using sock_lock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? 
finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being torn down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid a use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and unmounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? 
srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2022-48674", "url": "https://ubuntu.com/security/CVE-2022-48674", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: erofs: fix pcluster use-after-free on UP platforms During stress testing with CONFIG_SMP disabled, KASAN reports as below: ================================================================== BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30 Read of size 8 at addr ffff8881094223f8 by task stress/7789 CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. Freed by task 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x389 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 shrink_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 The root cause is that erofs_workgroup_unfreeze() doesn't reset to orig_val thus it causes a race that the pcluster reuses unexpectedly before freeing. Since UP platforms are quite rare now, such path becomes unnecessary. 
Let's drop such specific-designed path directly instead.", "cve_priority": "medium", "cve_public_date": "2024-05-03 15:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" }, { "cve": "CVE-2022-48655", "url": "https://ubuntu.com/security/CVE-2022-48655", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Harden accesses to the reset domains Accessing reset domains descriptors by the index upon the SCMI drivers requests through the SCMI reset operations interface can potentially lead to out-of-bound violations if the SCMI driver misbehave. 
Add an internal consistency check before any such domains descriptors accesses.", "cve_priority": "medium", "cve_public_date": "2024-04-28 13:15:00 UTC" }, { "cve": "CVE-2024-26907", "url": "https://ubuntu.com/security/CVE-2024-26907", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix fortify source warning while accessing Eth segment ------------[ cut here ]------------ memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy [last unloaded: mlx_compat(OE)] CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 
10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_regs+0x72/0x90 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? __warn+0x8d/0x160 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? report_bug+0x1bb/0x1d0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x19/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] ipoib_send+0x2ec/0x770 [ib_ipoib] ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] dev_hard_start_xmit+0x8e/0x1e0 ? validate_xmit_skb_list+0x4d/0x80 sch_direct_xmit+0x116/0x3a0 __dev_xmit_skb+0x1fd/0x580 __dev_queue_xmit+0x284/0x6b0 ? _raw_spin_unlock_irq+0xe/0x50 ? __flush_work.isra.0+0x20d/0x370 ? push_pseudo_header+0x17/0x40 [ib_ipoib] neigh_connected_output+0xcd/0x110 ip_finish_output2+0x179/0x480 ? __smp_call_single_queue+0x61/0xa0 __ip_finish_output+0xc3/0x190 ip_finish_output+0x2e/0xf0 ip_output+0x78/0x110 ? 
__pfx_ip_finish_output+0x10/0x10 ip_local_out+0x64/0x70 __ip_queue_xmit+0x18a/0x460 ip_queue_xmit+0x15/0x30 __tcp_transmit_skb+0x914/0x9c0 tcp_write_xmit+0x334/0x8d0 tcp_push_one+0x3c/0x60 tcp_sendmsg_locked+0x2e1/0xac0 tcp_sendmsg+0x2d/0x50 inet_sendmsg+0x43/0x90 sock_sendmsg+0x68/0x80 sock_write_iter+0x93/0x100 vfs_write+0x326/0x3c0 ksys_write+0xbd/0xf0 ? do_syscall_64+0x69/0x90 __x64_sys_write+0x19/0x30 do_syscall_ ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. 
Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2072305, 2071668, 2070179, 2069758, 2061091 ], "changes": [ { "cves": [ { "cve": "CVE-2024-27019", "url": "https://ubuntu.com/security/CVE-2024-27019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. 
Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... 
[ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2022-48674", "url": "https://ubuntu.com/security/CVE-2022-48674", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: erofs: fix pcluster use-after-free on UP platforms During stress testing with CONFIG_SMP disabled, KASAN reports as below: ================================================================== BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30 Read of size 8 at addr ffff8881094223f8 by task stress/7789 CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. 
Freed by task 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x389 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 shrink_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 The root cause is that erofs_workgroup_unfreeze() doesn't reset to orig_val thus it causes a race that the pcluster reuses unexpectedly before freeing. Since UP platforms are quite rare now, such path becomes unnecessary. Let's drop such specific-designed path directly instead.", "cve_priority": "medium", "cve_public_date": "2024-05-03 15:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. 
All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" }, { "cve": "CVE-2022-48655", "url": "https://ubuntu.com/security/CVE-2022-48655", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Harden accesses to the reset domains Accessing reset domains descriptors by the index upon the SCMI drivers requests through the SCMI reset operations interface can potentially lead to out-of-bound violations if the SCMI driver misbehave. Add an internal consistency check before any such domains descriptors accesses.", "cve_priority": "medium", "cve_public_date": "2024-04-28 13:15:00 UTC" }, { "cve": "CVE-2024-26907", "url": "https://ubuntu.com/security/CVE-2024-26907", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix fortify source warning while accessing Eth segment ------------[ cut here ]------------ memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc 
crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy [last unloaded: mlx_compat(OE)] CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_regs+0x72/0x90 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? __warn+0x8d/0x160 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? report_bug+0x1bb/0x1d0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x19/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] ipoib_send+0x2ec/0x770 [ib_ipoib] ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] dev_hard_start_xmit+0x8e/0x1e0 ? 
validate_xmit_skb_list+0x4d/0x80 sch_direct_xmit+0x116/0x3a0 __dev_xmit_skb+0x1fd/0x580 __dev_queue_xmit+0x284/0x6b0 ? _raw_spin_unlock_irq+0xe/0x50 ? __flush_work.isra.0+0x20d/0x370 ? push_pseudo_header+0x17/0x40 [ib_ipoib] neigh_connected_output+0xcd/0x110 ip_finish_output2+0x179/0x480 ? __smp_call_single_queue+0x61/0xa0 __ip_finish_output+0xc3/0x190 ip_finish_output+0x2e/0xf0 ip_output+0x78/0x110 ? __pfx_ip_finish_output+0x10/0x10 ip_local_out+0x64/0x70 __ip_queue_xmit+0x18a/0x460 ip_queue_xmit+0x15/0x30 __tcp_transmit_skb+0x914/0x9c0 tcp_write_xmit+0x334/0x8d0 tcp_push_one+0x3c/0x60 tcp_sendmsg_locked+0x2e1/0xac0 tcp_sendmsg+0x2d/0x50 inet_sendmsg+0x43/0x90 sock_sendmsg+0x68/0x80 sock_write_iter+0x93/0x100 vfs_write+0x326/0x3c0 ksys_write+0xbd/0xf0 ? do_syscall_64+0x69/0x90 __x64_sys_write+0x19/0x30 do_syscall_ ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. 
For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. 
Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-192.212 -proposed tracker (LP: #2072305)", "", " * Focal update: v5.4.278 upstream stable release (LP: #2071668)", " - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs", " - speakup: Fix sizeof() vs ARRAY_SIZE() bug", " - ring-buffer: Fix a race between readers and resize checks", " - net: smc91x: Fix m68k kernel compilation for ColdFire CPU", " - nilfs2: fix unexpected freezing of nilfs_segctor_sync()", " - nilfs2: fix potential hang in nilfs_detach_log_writer()", " - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt", " class", " - net: usb: qmi_wwan: add Telit FN920C04 compositions", " - drm/amd/display: Set color_mgmt_changed to true on unsuspend", " - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating", " - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property", " - ASoC: da7219-aad: fix usage of device_get_named_child_node()", " - drm/amdkfd: Flush the process wq before creating a kfd_process", " - nvme: find numa distance only if controller has valid numa id", " - openpromfs: finish conversion to the new mount API", " - crypto: bcm - Fix pointer arithmetic", " - firmware: raspberrypi: Use correct device for DMA mappings", " - ecryptfs: Fix buffer size for tag 66 packet", " - nilfs2: fix out-of-range warning", " - parisc: add missing export of __cmpxchg_u8()", " - crypto: ccp - drop platform ifdef checks", " - s390/cio: fix tracepoint subchannel type field", " - jffs2: prevent xattr node from overflowing the eraseblock", " - null_blk: Fix missing mutex_destroy() at module removal", " - md: fix resync softlockup when bitmap size is less than array size", " - wifi: ath10k: poll service ready message before failing", " - x86/boot: Ignore relocations in .notes sections in walk_relocs() 
too", " - qed: avoid truncating work queue length", " - scsi: ufs: qcom: Perform read back after writing reset bit", " - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV", " - scsi: ufs: core: Perform read back after disabling interrupts", " - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL", " - irqchip/alpine-msi: Fix off-by-one in allocation error path", " - ACPI: disable -Wstringop-truncation", " - cpufreq: Reorganize checks in cpufreq_offline()", " - cpufreq: Split cpufreq_offline()", " - cpufreq: Rearrange locking in cpufreq_remove_dev()", " - cpufreq: exit() callback is optional", " - scsi: libsas: Fix the failure of adding phy with zero-address to port", " - scsi: hpsa: Fix allocation size for Scsi_Host private data", " - x86/purgatory: Switch to the position-independent small code model", " - wifi: ath10k: Fix an error code problem in", " ath10k_dbg_sta_write_peer_debug_trigger()", " - wifi: ath10k: populate board data for WCN3990", " - tcp: minor optimization in tcp_add_backlog()", " - tcp: fix a signed-integer-overflow bug in tcp_add_backlog()", " - tcp: avoid premature drops in tcp_add_backlog()", " - macintosh/via-macii: Fix \"BUG: sleeping function called from invalid", " context\"", " - wifi: carl9170: add a proper sanity check for endpoints", " - wifi: ar5523: enable proper endpoint verification", " - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()", " - Revert \"sh: Handle calling csum_partial with misaligned data\"", " - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors", " - scsi: bfa: Ensure the copied buf is NUL terminated", " - scsi: qedf: Ensure the copied buf is NUL terminated", " - wifi: mwl8k: initialize cmd->addr[] properly", " - usb: aqc111: stop lying about skb->truesize", " - net: usb: sr9700: stop lying about skb->truesize", " - m68k: Fix spinlock race in kernel thread creation", " - m68k: mac: Fix reboot hang on Mac IIci", " - net: ethernet: cortina: Locking fixes", " - 
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg", " - net: usb: smsc95xx: stop lying about skb->truesize", " - net: openvswitch: fix overwriting ct original tuple for ICMPv6", " - ipv6: sr: add missing seg6_local_exit", " - ipv6: sr: fix incorrect unregister order", " - ipv6: sr: fix invalid unregister error path", " - drm/amd/display: Fix potential index out of bounds in color transformation", " function", " - mtd: rawnand: hynix: fixed typo", " - fbdev: shmobile: fix snprintf truncation", " - drm/mediatek: Add 0 size check to mtk_drm_gem_obj", " - powerpc/fsl-soc: hide unused const variable", " - fbdev: sisfb: hide unused variables", " - media: ngene: Add dvb_ca_en50221_init return value check", " - media: radio-shark2: Avoid led_names truncations", " - platform/x86: wmi: Make two functions static", " - fbdev: sh7760fb: allow modular build", " - drm/arm/malidp: fix a possible null pointer dereference", " - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value", " - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector", " - RDMA/hns: Use complete parentheses in macros", " - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map", " - ext4: avoid excessive credit estimate in ext4_tmpfile()", " - sunrpc: removed redundant procp check", " - SUNRPC: Fix gss_free_in_token_pages()", " - selftests/kcmp: Make the test output consistent and clear", " - selftests/kcmp: remove unused open mode", " - RDMA/IPoIB: Fix format truncation compilation errors", " - netrom: fix possible dead-lock in nr_rt_ioctl()", " - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()", " - sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax", " - sched/fair: Allow disabling sched_balance_newidle with", " sched_relax_domain_level", " - greybus: lights: check return of get_channel_from_mode", " - soundwire: cadence/intel: simplify PDI/port mapping", " - soundwire: intel: don't filter out PDI0/1", " - soundwire: 
cadence_master: improve PDI allocation", " - soundwire: cadence: fix invalid PDI offset", " - dmaengine: idma64: Add check for dma_set_max_seg_size", " - firmware: dmi-id: add a release callback function", " - serial: max3100: Lock port->lock when calling uart_handle_cts_change()", " - serial: max3100: Update uart_driver_registered on driver removal", " - serial: max3100: Fix bitwise types", " - greybus: arche-ctrl: move device table to its right location", " - iio: pressure: dps310: support negative temperature values", " - microblaze: Remove gcc flag for non existing early_printk.c file", " - microblaze: Remove early printk call from cpuinfo-static.c", " - usb: gadget: u_audio: Clear uac pointer when freed.", " - stm class: Fix a double free in stm_register_device()", " - ppdev: Remove usage of the deprecated ida_simple_xx() API", " - ppdev: Add an error check in register_device", " - extcon: max8997: select IRQ_DOMAIN instead of depending on it", " - f2fs: fix to release node block count in error path of f2fs_new_node_page()", " - serial: sh-sci: protect invalidating RXDMA on shutdown", " - libsubcmd: Fix parse-options memory leak", " - Input: ims-pcu - fix printf string overflow", " - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation", " - drm/msm/dpu: Always flush the slave INTF on the CTL", " - um: Fix return value in ubd_init()", " - um: Add winch to winch_handlers before registering winch IRQ", " - media: stk1160: fix bounds checking in stk1160_copy_video()", " - scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()", " - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp", " - um: Fix the -Wmissing-prototypes warning for __switch_mm", " - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh", " - media: cec: cec-api: add locking in cec_release()", " - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()", " - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when", " 
UNWINDER_FRAME_POINTER=y", " - [Config] Update CONFIG_ARCH_WANT_FRAME_POINTERS", " - nfc: nci: Fix uninit-value in nci_rx_work", " - sunrpc: fix NFSACL RPC retry on soft mount", " - ipv6: sr: fix memleak in seg6_hmac_init_algo", " - params: lift param_set_uint_minmax to common code", " - tcp: Fix shift-out-of-bounds in dctcp_update_alpha().", " - openvswitch: Set the skbuff pkt_type for proper pmtud support.", " - arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY", " - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails", " - net: fec: avoid lock evasion when reading pps_enable", " - nfc: nci: Fix kcov check in nci_rx_work()", " - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()", " - netfilter: nfnetlink_queue: acquire rcu_read_lock() in", " instance_destroy_rcu()", " - spi: Don't mark message DMA mapped when no transfer in it is", " - nvmet: fix ns enable/disable possible hang", " - net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer", " exhaustion", " - dma-buf/sw-sync: don't enable IRQ from sync_print_obj()", " - enic: Validate length of nl attributes in enic_set_vf_port", " - smsc95xx: remove redundant function arguments", " - smsc95xx: use usbnet->driver_priv", " - net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM", " - net:fec: Add fec_enet_deinit()", " - netfilter: tproxy: bail out if IP has been disabled on the device", " - kconfig: fix comparison to constant symbols, 'm', 'n'", " - spi: stm32: Don't warn about spurious interrupts", " - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound", " - ALSA: timer: Set lower bound of start tick time", " - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline", " - SUNRPC: Fix loop termination condition in gss_free_in_token_pages()", " - binder: fix max_thread type inconsistency", " - mmc: core: Do not force a retune before RPMB switch", " - io_uring: fail NOP if non-zero op flags is passed in", " - afs: Don't 
cross .backup mountpoint from backup volume", " - nilfs2: fix use-after-free of timer for log writer thread", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - x86/mm: Remove broken vsyscall emulation code from the page fault code", " - f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()", " - media: lgdt3306a: Add a check against null-pointer-def", " - drm/amdgpu: add error handle to avoid out-of-bounds", " - ata: pata_legacy: make legacy_exit() work again", " - ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx", " - arm64: tegra: Correct Tegra132 I2C alias", " - md/raid5: fix deadlock that raid5d() wait for itself to clear", " MD_SB_CHANGE_PENDING", " - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU", " - arm64: dts: hi3798cv200: fix the size of GICR", " - media: mc: mark the media devnode as registered from the, start", " - media: mxl5xx: Move xpt structures off stack", " - media: v4l2-core: hold videodev_lock until dev reg, finishes", " - fbdev: savage: Handle err return when savagefb_check_var failed", " - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode", " - crypto: ecrdsa - Fix module auto-load on add_key", " - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak", " - net/ipv6: Fix route deleting failure when metric equals 0", " - net/9p: fix uninit-value in p9_client_rpc()", " - intel_th: pci: Add Meteor Lake-S CPU support", " - sparc64: Fix number of online CPUs", " - kdb: Fix buffer overflow during tab-complete", " - kdb: Use format-strings rather than '\\0' injection in kdb_read()", " - kdb: Fix console handling when editing and tab-completing commands", " - kdb: Merge identical case statements in kdb_read()", " - kdb: Use format-specifiers rather than memset() for padding in kdb_read()", " - net: fix __dst_negative_advice() race", " - xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING", " - sparc: move struct termio to asm/termios.h", " - ext4: fix 
mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()", " - s390/ap: Fix crash in AP internal function modify_bitmap()", " - nfs: fix undefined behavior in nfs_block_bits()", " - Linux 5.4.278", "", " * CVE-2024-27019", " - netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV", " - netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()", "", " * CVE-2024-26886", " - Bluetooth: af_bluetooth: Fix deadlock", "", " * CVE-2023-52752", " - smb: client: fix use-after-free bug in cifs_debug_data_proc_show()", "", " * CVE-2022-48674", " - erofs: fix pcluster use-after-free on UP platforms", "", " * Focal update: v5.4.277 upstream stable release (LP: #2070179)", " - pinctrl: core: handle radix_tree_insert() errors in", " pinctrl_register_one_pin()", " - ext4: fix bug_on in __es_tree_search", " - Revert \"selftests: mm: fix map_hugetlb failure on 64K page size systems\"", " - Revert \"net: bcmgenet: use RGMII loopback for MAC reset\"", " - net: bcmgenet: keep MAC in reset until PHY is up", " - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access", " - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()", " - net: bcmgenet: synchronize UMAC_CMD access", " - smb: client: fix potential OOBs in smb2_parse_contexts()", " - arm64: dts: qcom: Fix 'interrupt-map' parent address cells", " - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()", " - drm/amdgpu: Fix possible NULL dereference in", " amdgpu_ras_query_error_status_helper()", " - usb: typec: ucsi: displayport: Fix potential deadlock", " - serial: kgdboc: Fix NMI-safety problems from keyboard reset code", " - docs: kernel_include.py: Cope with docutils 0.21", " - Linux 5.4.277", "", " * Focal update: v5.4.276 upstream stable release (LP: #2069758)", " - dmaengine: pl330: issue_pending waits until WFP state", " - dmaengine: Revert \"dmaengine: pl330: issue_pending waits until WFP state\"", " - wifi: nl80211: don't free NULL coalescing rule", " - pinctrl: core: delete incorrect 
free in pinctrl_enable()", " - pinctrl: mediatek: Check gpio pin number and use binary search in", " mtk_hw_pin_field_lookup()", " - pinctrl: mediatek: Supporting driving setting without mapping current to", " register value", " - pinctrl: mediatek: Refine mtk_pinconf_get() and mtk_pinconf_set()", " - pinctrl: mediatek: Refine mtk_pinconf_get()", " - pinctrl: mediatek: Backward compatible to previous Mediatek's bias-pull", " usage", " - pinctrl: mediatek: remove shadow variable declaration", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback", " - pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic", " - pinctrl: mediatek: paris: Rework support for", " PIN_CONFIG_{INPUT,OUTPUT}_ENABLE", " - sunrpc: add a struct rpc_stats arg to rpc_create_args", " - nfs: expose /proc/net/sunrpc/nfs in net namespaces", " - nfs: make the rpc_stat per net namespace", " - nfs: Handle error of rpc_proc_register() in nfs_net_init().", " - power: rt9455: hide unused rt9455_boost_voltage_values", " - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()", " - s390/mm: Fix storage key clearing for guest huge pages", " - s390/mm: Fix clearing storage keys for huge pages", " - bna: ensure the copied buf is NUL terminated", " - nsh: Restore skb->{protocol,data,mac_header} for outer header in", " nsh_gso_segment().", " - net l2tp: drop flow hash on forward", " - net: qede: use return from qede_parse_flow_attr() for flow_spec", " - net: dsa: mv88e6xxx: Add number of MACs in the ATU", " - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341", " - net: bridge: fix multicast-to-unicast with fraglist GSO", " - tipc: fix a possible memleak in tipc_buf_append", " - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change", " - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic", " - gfs2: Fix invalid metadata access in punch_hole", " - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc", " - wifi: cfg80211: fix rdev_dump_mpp() arguments 
order", " - net: mark racy access on sk->sk_rcvbuf", " - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload", " - ALSA: line6: Zero-initialize message buffers", " - net: bcmgenet: Reset RBUF on first open", " - ata: sata_gemini: Check clk_enable() result", " - firewire: ohci: mask bus reset interrupts between ISR and bottom half", " - tools/power turbostat: Fix added raw MSR output", " - tools/power turbostat: Fix Bzy_MHz documentation typo", " - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve", " - btrfs: always clear PERTRANS metadata during commit", " - scsi: target: Fix SELinux error when systemd-modules loads the target module", " - gpu: host1x: Do not setup DMA for virtual devices", " - MIPS: scall: Save thread_info.syscall unconditionally on entry", " - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior", " - fs/9p: only translate RWX permissions for plain 9P2000", " - fs/9p: translate O_TRUNC into OTRUNC", " - 9p: explicitly deny setlease attempts", " - gpio: wcove: Use -ENOTSUPP consistently", " - gpio: crystalcove: Use -ENOTSUPP consistently", " - clk: Don't hold prepare_lock when calling kref_put()", " - fs/9p: drop inodes immediately on non-.L too", " - net:usb:qmi_wwan: support Rolling modules", " - pinctrl: mediatek: Fix fallback call path", " - xfrm: Preserve vlan tags for transport mode software GRO", " - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets", " - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", " - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout", " - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout", " - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation", " - phonet: fix rtm_phonet_notify() skb allocation", " - net: bridge: fix corrupted ethernet header on multicast-to-unicast", " - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()", " - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()", " - 
net: qede: use return from qede_parse_flow_attr() for flower", " - firewire: nosy: ensure user_length is taken into account when fetching", " packet contents", " - usb: gadget: composite: fix OS descriptors w_value logic", " - usb: gadget: f_fs: Fix a race condition when processing setup packets.", " - tipc: fix UAF in error path", " - dyndbg: fix old BUG_ON in >control parser", " - drm/vmwgfx: Fix invalid reads in fence signaled events", " - net: fix out-of-bounds access in ops_init", " - regulator: core: fix debugfs creation regression", " - pinctrl: mediatek: Fix fallback behavior for bias_set_combo", " - pinctrl: mediatek: Fix some off by one bugs", " - pinctrl: mediatek: remove set but not used variable 'e'", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback", " - Linux 5.4.276", "", " * Freezing user space processes failed after 20.008 seconds (1 tasks refusing", " to freeze, wq_busy=0) (LP: #2061091)", " - ALSA: Fix deadlocks with kctl removals at disconnection", "", " * CVE-2024-36016", " - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()", "", " * CVE-2022-48655", " - firmware: arm_scmi: Harden accesses to the reset domains", "", " * CVE-2024-26907", " - RDMA/mlx5: Fix fortify source warning while accessing Eth segment", "", " * CVE-2024-26585", " - tls: fix race between tx work scheduling and socket close", "", " * CVE-2024-26584", " - net: tls: handle backlogging of crypto requests", "", " * CVE-2024-26583", " - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU", " - net/tls: Fix use-after-free after the TLS device goes down and up", " - tls: splice_read: fix record type check", " - tls splice: remove inappropriate flags checking for MSG_PEEK", " - tls: splice_read: fix accessing pre-processed records", " - tls: Fix context leak on tls_device_down", " - net/tls: Check for errors in tls_device_init", " - net/tls: Remove the context from the list in tls_device_down", " - net/tls: pass context to tls_device_decrypted()", " - 
net/tls: Perform immediate device ctx cleanup when possible", " - net/tls: Multi-threaded calls to TX tls_dev_del", " - net: tls: avoid discarding data on record close", " - tls: rx: don't store the record type in socket context", " - tls: rx: don't store the decryption status in socket context", " - tls: rx: don't issue wake ups when data is decrypted", " - tls: rx: refactor decrypt_skb_update()", " - tls: hw: rx: use return value of tls_device_decrypted() to carry status", " - tls: rx: drop unnecessary arguments from tls_setup_from_iter()", " - tls: rx: don't report text length from the bowels of decrypt", " - tls: rx: wrap decryption arguments in a structure", " - tls: rx: factor out writing ContentType to cmsg", " - tls: rx: don't track the async count", " - tls: rx: assume crypto always calls our callback", " - tls: rx: use async as an in-out argument", " - tls: decrement decrypt_pending if no async completion will be called", " - net: tls: fix async vs NIC crypto offload", " - tls: rx: simplify async wait", " - tls: extract context alloc/initialization out of tls_set_sw_offload", " - net: tls: factor out tls_*crypt_async_wait()", " - tls: fix race between async notify and socket close", "" ], "package": "linux", "version": "5.4.0-192.212", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2072305, 2071668, 2070179, 2069758, 2061091 ], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:00:53 +0200" } ], "notes": "linux-headers-5.4.0-192-generic version '5.4.0-192.212' (source package linux version '5.4.0-192.212') was added. linux-headers-5.4.0-192-generic version '5.4.0-192.212' has the same source package name, linux, as removed package linux-headers-5.4.0-190. As such we can use the source package version of the removed package, '5.4.0-190.210', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. 
Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.4.0-192-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-190.210", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-192.212", "version": "5.4.0-192.212" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.4.0-192.212", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.4.0-192.212", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:33:54 +0200" } ], "notes": "linux-image-5.4.0-192-generic version '5.4.0-192.212' (source package linux-signed version '5.4.0-192.212') was added. linux-image-5.4.0-192-generic version '5.4.0-192.212' has the same source package name, linux-signed, as removed package linux-image-5.4.0-190-generic. As such we can use the source package version of the removed package, '5.4.0-190.210', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
}, { "name": "linux-modules-5.4.0-192-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-190.210", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-192.212", "version": "5.4.0-192.212" }, "cves": [ { "cve": "CVE-2024-27019", "url": "https://ubuntu.com/security/CVE-2024-27019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? 
__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? 
srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2022-48674", "url": "https://ubuntu.com/security/CVE-2022-48674", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: erofs: fix pcluster use-after-free on UP platforms During stress testing with CONFIG_SMP disabled, KASAN reports as below: ================================================================== BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30 Read of size 8 at addr ffff8881094223f8 by task stress/7789 CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. Freed by task 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x389 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 shrink_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 The root cause is that erofs_workgroup_unfreeze() doesn't reset to orig_val thus it causes a race that the pcluster reuses unexpectedly before freeing. Since UP platforms are quite rare now, such path becomes unnecessary. 
Let's drop such specific-designed path directly instead.", "cve_priority": "medium", "cve_public_date": "2024-05-03 15:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" }, { "cve": "CVE-2022-48655", "url": "https://ubuntu.com/security/CVE-2022-48655", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Harden accesses to the reset domains Accessing reset domains descriptors by the index upon the SCMI drivers requests through the SCMI reset operations interface can potentially lead to out-of-bound violations if the SCMI driver misbehave. 
Add an internal consistency check before any such domains descriptors accesses.", "cve_priority": "medium", "cve_public_date": "2024-04-28 13:15:00 UTC" }, { "cve": "CVE-2024-26907", "url": "https://ubuntu.com/security/CVE-2024-26907", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix fortify source warning while accessing Eth segment ------------[ cut here ]------------ memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy [last unloaded: mlx_compat(OE)] CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 
10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_regs+0x72/0x90 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? __warn+0x8d/0x160 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? report_bug+0x1bb/0x1d0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x19/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] ipoib_send+0x2ec/0x770 [ib_ipoib] ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] dev_hard_start_xmit+0x8e/0x1e0 ? validate_xmit_skb_list+0x4d/0x80 sch_direct_xmit+0x116/0x3a0 __dev_xmit_skb+0x1fd/0x580 __dev_queue_xmit+0x284/0x6b0 ? _raw_spin_unlock_irq+0xe/0x50 ? __flush_work.isra.0+0x20d/0x370 ? push_pseudo_header+0x17/0x40 [ib_ipoib] neigh_connected_output+0xcd/0x110 ip_finish_output2+0x179/0x480 ? __smp_call_single_queue+0x61/0xa0 __ip_finish_output+0xc3/0x190 ip_finish_output+0x2e/0xf0 ip_output+0x78/0x110 ? 
__pfx_ip_finish_output+0x10/0x10 ip_local_out+0x64/0x70 __ip_queue_xmit+0x18a/0x460 ip_queue_xmit+0x15/0x30 __tcp_transmit_skb+0x914/0x9c0 tcp_write_xmit+0x334/0x8d0 tcp_push_one+0x3c/0x60 tcp_sendmsg_locked+0x2e1/0xac0 tcp_sendmsg+0x2d/0x50 inet_sendmsg+0x43/0x90 sock_sendmsg+0x68/0x80 sock_write_iter+0x93/0x100 vfs_write+0x326/0x3c0 ksys_write+0xbd/0xf0 ? do_syscall_64+0x69/0x90 __x64_sys_write+0x19/0x30 do_syscall_ ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. 
Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2072305, 2071668, 2070179, 2069758, 2061091 ], "changes": [ { "cves": [ { "cve": "CVE-2024-27019", "url": "https://ubuntu.com/security/CVE-2024-27019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. 
Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26886", "url": "https://ubuntu.com/security/CVE-2024-26886", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2023-52752", "url": "https://ubuntu.com/security/CVE-2023-52752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... 
[ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2022-48674", "url": "https://ubuntu.com/security/CVE-2022-48674", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: erofs: fix pcluster use-after-free on UP platforms During stress testing with CONFIG_SMP disabled, KASAN reports as below: ================================================================== BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30 Read of size 8 at addr ffff8881094223f8 by task stress/7789 CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. 
Freed by task 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x389 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 shrink_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 The root cause is that erofs_workgroup_unfreeze() doesn't reset to orig_val thus it causes a race that the pcluster reuses unexpectedly before freeing. Since UP platforms are quite rare now, such path becomes unnecessary. Let's drop such specific-designed path directly instead.", "cve_priority": "medium", "cve_public_date": "2024-05-03 15:15:00 UTC" }, { "cve": "CVE-2024-36016", "url": "https://ubuntu.com/security/CVE-2024-36016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. 
All other checks remain as we still need to limit the data according to the user configuration and actual payload size.", "cve_priority": "high", "cve_public_date": "2024-05-29 19:15:00 UTC" }, { "cve": "CVE-2022-48655", "url": "https://ubuntu.com/security/CVE-2022-48655", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Harden accesses to the reset domains Accessing reset domains descriptors by the index upon the SCMI drivers requests through the SCMI reset operations interface can potentially lead to out-of-bound violations if the SCMI driver misbehave. Add an internal consistency check before any such domains descriptors accesses.", "cve_priority": "medium", "cve_public_date": "2024-04-28 13:15:00 UTC" }, { "cve": "CVE-2024-26907", "url": "https://ubuntu.com/security/CVE-2024-26907", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix fortify source warning while accessing Eth segment ------------[ cut here ]------------ memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc 
crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy [last unloaded: mlx_compat(OE)] CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_regs+0x72/0x90 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? __warn+0x8d/0x160 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? report_bug+0x1bb/0x1d0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x19/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] ipoib_send+0x2ec/0x770 [ib_ipoib] ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] dev_hard_start_xmit+0x8e/0x1e0 ? 
validate_xmit_skb_list+0x4d/0x80 sch_direct_xmit+0x116/0x3a0 __dev_xmit_skb+0x1fd/0x580 __dev_queue_xmit+0x284/0x6b0 ? _raw_spin_unlock_irq+0xe/0x50 ? __flush_work.isra.0+0x20d/0x370 ? push_pseudo_header+0x17/0x40 [ib_ipoib] neigh_connected_output+0xcd/0x110 ip_finish_output2+0x179/0x480 ? __smp_call_single_queue+0x61/0xa0 __ip_finish_output+0xc3/0x190 ip_finish_output+0x2e/0xf0 ip_output+0x78/0x110 ? __pfx_ip_finish_output+0x10/0x10 ip_local_out+0x64/0x70 __ip_queue_xmit+0x18a/0x460 ip_queue_xmit+0x15/0x30 __tcp_transmit_skb+0x914/0x9c0 tcp_write_xmit+0x334/0x8d0 tcp_push_one+0x3c/0x60 tcp_sendmsg_locked+0x2e1/0xac0 tcp_sendmsg+0x2d/0x50 inet_sendmsg+0x43/0x90 sock_sendmsg+0x68/0x80 sock_write_iter+0x93/0x100 vfs_write+0x326/0x3c0 ksys_write+0xbd/0xf0 ? do_syscall_64+0x69/0x90 __x64_sys_write+0x19/0x30 do_syscall_ ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. 
For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. 
Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-192.212 -proposed tracker (LP: #2072305)", "", " * Focal update: v5.4.278 upstream stable release (LP: #2071668)", " - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs", " - speakup: Fix sizeof() vs ARRAY_SIZE() bug", " - ring-buffer: Fix a race between readers and resize checks", " - net: smc91x: Fix m68k kernel compilation for ColdFire CPU", " - nilfs2: fix unexpected freezing of nilfs_segctor_sync()", " - nilfs2: fix potential hang in nilfs_detach_log_writer()", " - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt", " class", " - net: usb: qmi_wwan: add Telit FN920C04 compositions", " - drm/amd/display: Set color_mgmt_changed to true on unsuspend", " - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating", " - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property", " - ASoC: da7219-aad: fix usage of device_get_named_child_node()", " - drm/amdkfd: Flush the process wq before creating a kfd_process", " - nvme: find numa distance only if controller has valid numa id", " - openpromfs: finish conversion to the new mount API", " - crypto: bcm - Fix pointer arithmetic", " - firmware: raspberrypi: Use correct device for DMA mappings", " - ecryptfs: Fix buffer size for tag 66 packet", " - nilfs2: fix out-of-range warning", " - parisc: add missing export of __cmpxchg_u8()", " - crypto: ccp - drop platform ifdef checks", " - s390/cio: fix tracepoint subchannel type field", " - jffs2: prevent xattr node from overflowing the eraseblock", " - null_blk: Fix missing mutex_destroy() at module removal", " - md: fix resync softlockup when bitmap size is less than array size", " - wifi: ath10k: poll service ready message before failing", " - x86/boot: Ignore relocations in .notes sections in walk_relocs() 
too", " - qed: avoid truncating work queue length", " - scsi: ufs: qcom: Perform read back after writing reset bit", " - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV", " - scsi: ufs: core: Perform read back after disabling interrupts", " - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL", " - irqchip/alpine-msi: Fix off-by-one in allocation error path", " - ACPI: disable -Wstringop-truncation", " - cpufreq: Reorganize checks in cpufreq_offline()", " - cpufreq: Split cpufreq_offline()", " - cpufreq: Rearrange locking in cpufreq_remove_dev()", " - cpufreq: exit() callback is optional", " - scsi: libsas: Fix the failure of adding phy with zero-address to port", " - scsi: hpsa: Fix allocation size for Scsi_Host private data", " - x86/purgatory: Switch to the position-independent small code model", " - wifi: ath10k: Fix an error code problem in", " ath10k_dbg_sta_write_peer_debug_trigger()", " - wifi: ath10k: populate board data for WCN3990", " - tcp: minor optimization in tcp_add_backlog()", " - tcp: fix a signed-integer-overflow bug in tcp_add_backlog()", " - tcp: avoid premature drops in tcp_add_backlog()", " - macintosh/via-macii: Fix \"BUG: sleeping function called from invalid", " context\"", " - wifi: carl9170: add a proper sanity check for endpoints", " - wifi: ar5523: enable proper endpoint verification", " - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()", " - Revert \"sh: Handle calling csum_partial with misaligned data\"", " - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors", " - scsi: bfa: Ensure the copied buf is NUL terminated", " - scsi: qedf: Ensure the copied buf is NUL terminated", " - wifi: mwl8k: initialize cmd->addr[] properly", " - usb: aqc111: stop lying about skb->truesize", " - net: usb: sr9700: stop lying about skb->truesize", " - m68k: Fix spinlock race in kernel thread creation", " - m68k: mac: Fix reboot hang on Mac IIci", " - net: ethernet: cortina: Locking fixes", " - 
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg", " - net: usb: smsc95xx: stop lying about skb->truesize", " - net: openvswitch: fix overwriting ct original tuple for ICMPv6", " - ipv6: sr: add missing seg6_local_exit", " - ipv6: sr: fix incorrect unregister order", " - ipv6: sr: fix invalid unregister error path", " - drm/amd/display: Fix potential index out of bounds in color transformation", " function", " - mtd: rawnand: hynix: fixed typo", " - fbdev: shmobile: fix snprintf truncation", " - drm/mediatek: Add 0 size check to mtk_drm_gem_obj", " - powerpc/fsl-soc: hide unused const variable", " - fbdev: sisfb: hide unused variables", " - media: ngene: Add dvb_ca_en50221_init return value check", " - media: radio-shark2: Avoid led_names truncations", " - platform/x86: wmi: Make two functions static", " - fbdev: sh7760fb: allow modular build", " - drm/arm/malidp: fix a possible null pointer dereference", " - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value", " - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector", " - RDMA/hns: Use complete parentheses in macros", " - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map", " - ext4: avoid excessive credit estimate in ext4_tmpfile()", " - sunrpc: removed redundant procp check", " - SUNRPC: Fix gss_free_in_token_pages()", " - selftests/kcmp: Make the test output consistent and clear", " - selftests/kcmp: remove unused open mode", " - RDMA/IPoIB: Fix format truncation compilation errors", " - netrom: fix possible dead-lock in nr_rt_ioctl()", " - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()", " - sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax", " - sched/fair: Allow disabling sched_balance_newidle with", " sched_relax_domain_level", " - greybus: lights: check return of get_channel_from_mode", " - soundwire: cadence/intel: simplify PDI/port mapping", " - soundwire: intel: don't filter out PDI0/1", " - soundwire: 
cadence_master: improve PDI allocation", " - soundwire: cadence: fix invalid PDI offset", " - dmaengine: idma64: Add check for dma_set_max_seg_size", " - firmware: dmi-id: add a release callback function", " - serial: max3100: Lock port->lock when calling uart_handle_cts_change()", " - serial: max3100: Update uart_driver_registered on driver removal", " - serial: max3100: Fix bitwise types", " - greybus: arche-ctrl: move device table to its right location", " - iio: pressure: dps310: support negative temperature values", " - microblaze: Remove gcc flag for non existing early_printk.c file", " - microblaze: Remove early printk call from cpuinfo-static.c", " - usb: gadget: u_audio: Clear uac pointer when freed.", " - stm class: Fix a double free in stm_register_device()", " - ppdev: Remove usage of the deprecated ida_simple_xx() API", " - ppdev: Add an error check in register_device", " - extcon: max8997: select IRQ_DOMAIN instead of depending on it", " - f2fs: fix to release node block count in error path of f2fs_new_node_page()", " - serial: sh-sci: protect invalidating RXDMA on shutdown", " - libsubcmd: Fix parse-options memory leak", " - Input: ims-pcu - fix printf string overflow", " - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation", " - drm/msm/dpu: Always flush the slave INTF on the CTL", " - um: Fix return value in ubd_init()", " - um: Add winch to winch_handlers before registering winch IRQ", " - media: stk1160: fix bounds checking in stk1160_copy_video()", " - scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()", " - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp", " - um: Fix the -Wmissing-prototypes warning for __switch_mm", " - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh", " - media: cec: cec-api: add locking in cec_release()", " - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()", " - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when", " 
UNWINDER_FRAME_POINTER=y", " - [Config] Update CONFIG_ARCH_WANT_FRAME_POINTERS", " - nfc: nci: Fix uninit-value in nci_rx_work", " - sunrpc: fix NFSACL RPC retry on soft mount", " - ipv6: sr: fix memleak in seg6_hmac_init_algo", " - params: lift param_set_uint_minmax to common code", " - tcp: Fix shift-out-of-bounds in dctcp_update_alpha().", " - openvswitch: Set the skbuff pkt_type for proper pmtud support.", " - arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY", " - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails", " - net: fec: avoid lock evasion when reading pps_enable", " - nfc: nci: Fix kcov check in nci_rx_work()", " - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()", " - netfilter: nfnetlink_queue: acquire rcu_read_lock() in", " instance_destroy_rcu()", " - spi: Don't mark message DMA mapped when no transfer in it is", " - nvmet: fix ns enable/disable possible hang", " - net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer", " exhaustion", " - dma-buf/sw-sync: don't enable IRQ from sync_print_obj()", " - enic: Validate length of nl attributes in enic_set_vf_port", " - smsc95xx: remove redundant function arguments", " - smsc95xx: use usbnet->driver_priv", " - net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM", " - net:fec: Add fec_enet_deinit()", " - netfilter: tproxy: bail out if IP has been disabled on the device", " - kconfig: fix comparison to constant symbols, 'm', 'n'", " - spi: stm32: Don't warn about spurious interrupts", " - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound", " - ALSA: timer: Set lower bound of start tick time", " - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline", " - SUNRPC: Fix loop termination condition in gss_free_in_token_pages()", " - binder: fix max_thread type inconsistency", " - mmc: core: Do not force a retune before RPMB switch", " - io_uring: fail NOP if non-zero op flags is passed in", " - afs: Don't 
cross .backup mountpoint from backup volume", " - nilfs2: fix use-after-free of timer for log writer thread", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - x86/mm: Remove broken vsyscall emulation code from the page fault code", " - f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()", " - media: lgdt3306a: Add a check against null-pointer-def", " - drm/amdgpu: add error handle to avoid out-of-bounds", " - ata: pata_legacy: make legacy_exit() work again", " - ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx", " - arm64: tegra: Correct Tegra132 I2C alias", " - md/raid5: fix deadlock that raid5d() wait for itself to clear", " MD_SB_CHANGE_PENDING", " - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU", " - arm64: dts: hi3798cv200: fix the size of GICR", " - media: mc: mark the media devnode as registered from the, start", " - media: mxl5xx: Move xpt structures off stack", " - media: v4l2-core: hold videodev_lock until dev reg, finishes", " - fbdev: savage: Handle err return when savagefb_check_var failed", " - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode", " - crypto: ecrdsa - Fix module auto-load on add_key", " - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak", " - net/ipv6: Fix route deleting failure when metric equals 0", " - net/9p: fix uninit-value in p9_client_rpc()", " - intel_th: pci: Add Meteor Lake-S CPU support", " - sparc64: Fix number of online CPUs", " - kdb: Fix buffer overflow during tab-complete", " - kdb: Use format-strings rather than '\\0' injection in kdb_read()", " - kdb: Fix console handling when editing and tab-completing commands", " - kdb: Merge identical case statements in kdb_read()", " - kdb: Use format-specifiers rather than memset() for padding in kdb_read()", " - net: fix __dst_negative_advice() race", " - xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING", " - sparc: move struct termio to asm/termios.h", " - ext4: fix 
mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()", " - s390/ap: Fix crash in AP internal function modify_bitmap()", " - nfs: fix undefined behavior in nfs_block_bits()", " - Linux 5.4.278", "", " * CVE-2024-27019", " - netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV", " - netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()", "", " * CVE-2024-26886", " - Bluetooth: af_bluetooth: Fix deadlock", "", " * CVE-2023-52752", " - smb: client: fix use-after-free bug in cifs_debug_data_proc_show()", "", " * CVE-2022-48674", " - erofs: fix pcluster use-after-free on UP platforms", "", " * Focal update: v5.4.277 upstream stable release (LP: #2070179)", " - pinctrl: core: handle radix_tree_insert() errors in", " pinctrl_register_one_pin()", " - ext4: fix bug_on in __es_tree_search", " - Revert \"selftests: mm: fix map_hugetlb failure on 64K page size systems\"", " - Revert \"net: bcmgenet: use RGMII loopback for MAC reset\"", " - net: bcmgenet: keep MAC in reset until PHY is up", " - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access", " - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()", " - net: bcmgenet: synchronize UMAC_CMD access", " - smb: client: fix potential OOBs in smb2_parse_contexts()", " - arm64: dts: qcom: Fix 'interrupt-map' parent address cells", " - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()", " - drm/amdgpu: Fix possible NULL dereference in", " amdgpu_ras_query_error_status_helper()", " - usb: typec: ucsi: displayport: Fix potential deadlock", " - serial: kgdboc: Fix NMI-safety problems from keyboard reset code", " - docs: kernel_include.py: Cope with docutils 0.21", " - Linux 5.4.277", "", " * Focal update: v5.4.276 upstream stable release (LP: #2069758)", " - dmaengine: pl330: issue_pending waits until WFP state", " - dmaengine: Revert \"dmaengine: pl330: issue_pending waits until WFP state\"", " - wifi: nl80211: don't free NULL coalescing rule", " - pinctrl: core: delete incorrect 
free in pinctrl_enable()", " - pinctrl: mediatek: Check gpio pin number and use binary search in", " mtk_hw_pin_field_lookup()", " - pinctrl: mediatek: Supporting driving setting without mapping current to", " register value", " - pinctrl: mediatek: Refine mtk_pinconf_get() and mtk_pinconf_set()", " - pinctrl: mediatek: Refine mtk_pinconf_get()", " - pinctrl: mediatek: Backward compatible to previous Mediatek's bias-pull", " usage", " - pinctrl: mediatek: remove shadow variable declaration", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback", " - pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic", " - pinctrl: mediatek: paris: Rework support for", " PIN_CONFIG_{INPUT,OUTPUT}_ENABLE", " - sunrpc: add a struct rpc_stats arg to rpc_create_args", " - nfs: expose /proc/net/sunrpc/nfs in net namespaces", " - nfs: make the rpc_stat per net namespace", " - nfs: Handle error of rpc_proc_register() in nfs_net_init().", " - power: rt9455: hide unused rt9455_boost_voltage_values", " - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()", " - s390/mm: Fix storage key clearing for guest huge pages", " - s390/mm: Fix clearing storage keys for huge pages", " - bna: ensure the copied buf is NUL terminated", " - nsh: Restore skb->{protocol,data,mac_header} for outer header in", " nsh_gso_segment().", " - net l2tp: drop flow hash on forward", " - net: qede: use return from qede_parse_flow_attr() for flow_spec", " - net: dsa: mv88e6xxx: Add number of MACs in the ATU", " - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341", " - net: bridge: fix multicast-to-unicast with fraglist GSO", " - tipc: fix a possible memleak in tipc_buf_append", " - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change", " - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic", " - gfs2: Fix invalid metadata access in punch_hole", " - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc", " - wifi: cfg80211: fix rdev_dump_mpp() arguments 
order", " - net: mark racy access on sk->sk_rcvbuf", " - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload", " - ALSA: line6: Zero-initialize message buffers", " - net: bcmgenet: Reset RBUF on first open", " - ata: sata_gemini: Check clk_enable() result", " - firewire: ohci: mask bus reset interrupts between ISR and bottom half", " - tools/power turbostat: Fix added raw MSR output", " - tools/power turbostat: Fix Bzy_MHz documentation typo", " - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve", " - btrfs: always clear PERTRANS metadata during commit", " - scsi: target: Fix SELinux error when systemd-modules loads the target module", " - gpu: host1x: Do not setup DMA for virtual devices", " - MIPS: scall: Save thread_info.syscall unconditionally on entry", " - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior", " - fs/9p: only translate RWX permissions for plain 9P2000", " - fs/9p: translate O_TRUNC into OTRUNC", " - 9p: explicitly deny setlease attempts", " - gpio: wcove: Use -ENOTSUPP consistently", " - gpio: crystalcove: Use -ENOTSUPP consistently", " - clk: Don't hold prepare_lock when calling kref_put()", " - fs/9p: drop inodes immediately on non-.L too", " - net:usb:qmi_wwan: support Rolling modules", " - pinctrl: mediatek: Fix fallback call path", " - xfrm: Preserve vlan tags for transport mode software GRO", " - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets", " - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", " - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout", " - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout", " - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation", " - phonet: fix rtm_phonet_notify() skb allocation", " - net: bridge: fix corrupted ethernet header on multicast-to-unicast", " - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()", " - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()", " - 
net: qede: use return from qede_parse_flow_attr() for flower", " - firewire: nosy: ensure user_length is taken into account when fetching", " packet contents", " - usb: gadget: composite: fix OS descriptors w_value logic", " - usb: gadget: f_fs: Fix a race condition when processing setup packets.", " - tipc: fix UAF in error path", " - dyndbg: fix old BUG_ON in >control parser", " - drm/vmwgfx: Fix invalid reads in fence signaled events", " - net: fix out-of-bounds access in ops_init", " - regulator: core: fix debugfs creation regression", " - pinctrl: mediatek: Fix fallback behavior for bias_set_combo", " - pinctrl: mediatek: Fix some off by one bugs", " - pinctrl: mediatek: remove set but not used variable 'e'", " - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback", " - Linux 5.4.276", "", " * Freezing user space processes failed after 20.008 seconds (1 tasks refusing", " to freeze, wq_busy=0) (LP: #2061091)", " - ALSA: Fix deadlocks with kctl removals at disconnection", "", " * CVE-2024-36016", " - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()", "", " * CVE-2022-48655", " - firmware: arm_scmi: Harden accesses to the reset domains", "", " * CVE-2024-26907", " - RDMA/mlx5: Fix fortify source warning while accessing Eth segment", "", " * CVE-2024-26585", " - tls: fix race between tx work scheduling and socket close", "", " * CVE-2024-26584", " - net: tls: handle backlogging of crypto requests", "", " * CVE-2024-26583", " - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU", " - net/tls: Fix use-after-free after the TLS device goes down and up", " - tls: splice_read: fix record type check", " - tls splice: remove inappropriate flags checking for MSG_PEEK", " - tls: splice_read: fix accessing pre-processed records", " - tls: Fix context leak on tls_device_down", " - net/tls: Check for errors in tls_device_init", " - net/tls: Remove the context from the list in tls_device_down", " - net/tls: pass context to tls_device_decrypted()", " - 
net/tls: Perform immediate device ctx cleanup when possible", " - net/tls: Multi-threaded calls to TX tls_dev_del", " - net: tls: avoid discarding data on record close", " - tls: rx: don't store the record type in socket context", " - tls: rx: don't store the decryption status in socket context", " - tls: rx: don't issue wake ups when data is decrypted", " - tls: rx: refactor decrypt_skb_update()", " - tls: hw: rx: use return value of tls_device_decrypted() to carry status", " - tls: rx: drop unnecessary arguments from tls_setup_from_iter()", " - tls: rx: don't report text length from the bowels of decrypt", " - tls: rx: wrap decryption arguments in a structure", " - tls: rx: factor out writing ContentType to cmsg", " - tls: rx: don't track the async count", " - tls: rx: assume crypto always calls our callback", " - tls: rx: use async as an in-out argument", " - tls: decrement decrypt_pending if no async completion will be called", " - net: tls: fix async vs NIC crypto offload", " - tls: rx: simplify async wait", " - tls: extract context alloc/initialization out of tls_set_sw_offload", " - net: tls: factor out tls_*crypt_async_wait()", " - tls: fix race between async notify and socket close", "" ], "package": "linux", "version": "5.4.0-192.212", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2072305, 2071668, 2070179, 2069758, 2061091 ], "author": "Stefan Bader ", "date": "Fri, 05 Jul 2024 11:00:53 +0200" } ], "notes": "linux-modules-5.4.0-192-generic version '5.4.0-192.212' (source package linux version '5.4.0-192.212') was added. linux-modules-5.4.0-192-generic version '5.4.0-192.212' has the same source package name, linux, as removed package linux-headers-5.4.0-190. As such we can use the source package version of the removed package, '5.4.0-190.210', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. 
Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.4.0-190", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-190.210", "version": "5.4.0-190.210" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.4.0-190-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-190.210", "version": "5.4.0-190.210" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.4.0-190-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-190.210", "version": "5.4.0-190.210" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.4.0-190-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-190.210", "version": "5.4.0-190.210" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 20.04 focal image from daily image serial 20240805 to 20240809", "from_series": "focal", "to_series": "focal", "from_serial": "20240805", "to_serial": "20240809", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }