{ "summary": { "snap": { "added": [], "removed": [], "diff": [ "core20" ] }, "deb": { "added": [ "linux-headers-5.4.0-200", "linux-headers-5.4.0-200-generic-lpae", "linux-image-5.4.0-200-generic-lpae", "linux-modules-5.4.0-200-generic-lpae", "python3-packaging", "python3-pyparsing" ], "removed": [ "linux-headers-5.4.0-193", "linux-headers-5.4.0-193-generic-lpae", "linux-image-5.4.0-193-generic-lpae", "linux-modules-5.4.0-193-generic-lpae" ], "diff": [ "apparmor", "ca-certificates", "cloud-init", "curl", "distro-info-data", "e2fsprogs", "krb5-locales", "libapparmor1:armhf", "libarchive13:armhf", "libcom-err2:armhf", "libcurl3-gnutls:armhf", "libcurl4:armhf", "libexpat1:armhf", "libext2fs2:armhf", "libgssapi-krb5-2:armhf", "libk5crypto3:armhf", "libkrb5-3:armhf", "libkrb5support0:armhf", "libnss-systemd:armhf", "libpam-systemd:armhf", "libpcap0.8:armhf", "libpython3.8:armhf", "libpython3.8-minimal:armhf", "libpython3.8-stdlib:armhf", "libss2:armhf", "libsystemd0:armhf", "libudev1:armhf", "linux-generic-lpae", "linux-headers-generic-lpae", "linux-image-generic-lpae", "logsave", "nano", "python3-configobj", "python3-pkg-resources", "python3-setuptools", "python3-twisted", "python3-twisted-bin:armhf", "python3-update-manager", "python3-urllib3", "python3.8", "python3.8-minimal", "snapd", "sosreport", "systemd", "systemd-sysv", "systemd-timesyncd", "ubuntu-advantage-tools", "ubuntu-pro-client", "ubuntu-pro-client-l10n", "udev", "update-manager-core", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd" ] } }, "diff": { "deb": [ { "name": "apparmor", "from_version": { "source_package_name": "apparmor", "source_package_version": "2.13.3-7ubuntu5.3", "version": "2.13.3-7ubuntu5.3" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "2.13.3-7ubuntu5.4", "version": "2.13.3-7ubuntu5.4" }, "cves": [ { "cve": "CVE-2016-1585", "url": "https://ubuntu.com/security/CVE-2016-1585", "cve_description": "In all versions of AppArmor mount rules are 
accidentally widened when compiled.", "cve_priority": "medium", "cve_public_date": "2019-04-22 16:29:00 UTC" } ], "launchpad_bugs_fixed": [ 1597017 ], "changes": [ { "cves": [ { "cve": "CVE-2016-1585", "url": "https://ubuntu.com/security/CVE-2016-1585", "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", "cve_priority": "medium", "cve_public_date": "2019-04-22 16:29:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)", " - d/p/CVE-2016-1585/parser-Fix-expansion-of-variables-in-unix-rules-addr.patch:", " add calls to filter_slashes() in parser/af_unix.cc, make it external", " in parser/parser.h and change it to void in parser/parser_regex.c.", " - d/p/CVE-2016-1585/parser-enable-variable-expansion-for-mount-type-and-.patch:", " add variable expansion with expand_entry_variables() in", " parser/mount.cc.", " - d/p/CVE-2016-1585/parser-call-filter-slashes-for-mount-conditionals.patch:", " add calls to filter_slashes() in parser/mount.cc.", " - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:", " update rule qualifiers in regression tests in", " tests/regression/apparmor/mkprofile.pl and", " tests/regression/apparmor/capabilities.sh.", " - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount", " rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h", " and fix multiple test cases in parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount", " regression tests in tests/regression/apparmor/Makefile,", " tests/regression/apparmor/mount.c,", " tests/regression/apparmor/mount.sh and", " tests/regression/apparmor/mkprofile.pl.", " - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:", " add missing kernel mount options flag in parser/apparmor.d.pod,", " parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh", " and parser/tst/simple_tests/mount/*.", " 
- d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update", " test profiles in parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:", " update gen_policy_change_mount_type() in parser/mount.cc and also", " updated tests on parser/tst/simple_tests/mount/* and", " tests/regression/apparmor/mount.sh.", " - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:", " add device checks in gen_flag_rules() in parser/mount.cc and tests", " in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,", " tests/regression/apparmor/mount.sh and", " utils/test/test-parser-simple-tests.py.", " - d/p/CVE-2016-1585/Fix-build-failure-in-df4ed537e-allow-reading-of-etc-.patch:", " remove the WARN_DEPRECATED flag in pwarn call in parser/mount.cc.", " - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:", " remove deprecation warning message in parser/mount.cc.", " - CVE-2016-1585", "" ], "package": "apparmor", "version": "2.13.3-7ubuntu5.4", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [ 1597017 ], "author": "Rodrigo Figueiredo Zaiden ", "date": "Tue, 06 Mar 2024 15:40:00 -0300" } ], "notes": null }, { "name": "ca-certificates", "from_version": { "source_package_name": "ca-certificates", "source_package_version": "20230311ubuntu0.20.04.1", "version": "20230311ubuntu0.20.04.1" }, "to_version": { "source_package_name": "ca-certificates", "source_package_version": "20240203~20.04.1", "version": "20240203~20.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2081875 ], "changes": [ { "cves": [], "log": [ "", " * Update ca-certificates database to 20240203 (LP: #2081875)", " - Update Mozilla certificate authority bundle to version 2.64", " The following certificate authorities were added (+):", " + Atos TrustedRoot Root CA ECC TLS 2021", " + Atos TrustedRoot Root CA RSA TLS 2021", " + BJCA Global Root CA1", " + BJCA Global Root CA2", " 
+ CommScope Public Trust ECC Root-01", " + CommScope Public Trust ECC Root-02", " + CommScope Public Trust RSA Root-01", " + CommScope Public Trust RSA Root-02", " + Sectigo Public Server Authentication Root E46", " + Sectigo Public Server Authentication Root R46", " + SSL.com TLS ECC Root CA 2022", " + SSL.com TLS RSA Root CA 2022", " + TrustAsia Global Root CA G3", " + TrustAsia Global Root CA G4", " The following certificate authorities were removed (-):", " - Autoridad de Certificacion Firmaprofesional CIF A62634068", " - E-Tugra Certification Authority", " - E-Tugra Global Root CA ECC v3", " - E-Tugra Global Root CA RSA v3", " - Hongkong Post Root CA 1", " - TrustCor ECA-1", " - TrustCor RootCert CA-1", " - TrustCor RootCert CA-2", "" ], "package": "ca-certificates", "version": "20240203~20.04.1", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [ 2081875 ], "author": "Marc Deslauriers ", "date": "Tue, 24 Sep 2024 13:46:09 -0400" } ], "notes": null }, { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "24.1.3-0ubuntu1~20.04.5", "version": "24.1.3-0ubuntu1~20.04.5" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "24.3.1-0ubuntu0~20.04.1", "version": "24.3.1-0ubuntu0~20.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2079224, 2071762 ], "changes": [ { "cves": [], "log": [ "", " * d/p/no-nocloud-network.patch: Remove nocloud network feature", " * d/p/no-single-process.patch: Remove single process optimization", " * Upstream snapshot based on upstream/main at c0ffdd4d.", " * refresh patches:", " - d/p/cli-retain-file-argument-as-main-cmd-arg.patch", " - d/p/drop-unsupported-systemd-condition-environment.patch", " - d/p/revert-551f560d-cloud-config-after-snap-seeding.patch", " - d/p/netplan99-cannot-use-default.patch", " * Upstream snapshot based on 24.3.1. 
(LP: #2079224).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/24.3.1/ChangeLog", "" ], "package": "cloud-init", "version": "24.3.1-0ubuntu0~20.04.1", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2079224 ], "author": "Chad Smith ", "date": "Fri, 06 Sep 2024 12:18:20 -0600" }, { "cves": [], "log": [ "", " * d/control: remove netifaces due to GH-4634", " * drop d/p/do-not-block-user-login.patch:", " Upstream now has \"Before=systemd-user-sessions\" in cloud-init.service", " * d/p/drop-unsupported-systemd-condition-environment.patch:", " drop ConditionEnvironment from unit files because systemd 245.4 ignores", " those keys and emits warnings at systemctl status", " * d/p/add-deprecation-info-boundary.patch: Update", " DEPRECATION_INFO_BOUNDARY to ensure new deprecations don't trigger", " warnings.", " * refresh patches:", " - d/p/cli-retain-file-argument-as-main-cmd-arg.patch", " - d/p/keep-dhclient-as-priority-client.patch", " - d/p/netplan99-cannot-use-default.patch", " - d/p/retain-ec2-default-net-update-events.patch", " - d/p/retain-netplan-world-readable.patch", " - d/p/retain-old-groups.patch", " - d/p/status-do-not-remove-duplicated-data.patch", " - d/p/status-retain-recoverable-error-exit-code.patch", " - d/p/revert-551f560d-cloud-config-after-snap-seeding.patch", " * Upstream snapshot based on 24.2. 
(LP: #2071762).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/24.2/ChangeLog", " * drop all d/p/cpick-* files as they are included in upstream snapshot", "" ], "package": "cloud-init", "version": "24.2-0ubuntu1~20.04.1", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2071762 ], "author": "James Falcon ", "date": "Thu, 11 Jul 2024 16:36:14 -0500" } ], "notes": null }, { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.23", "version": "7.68.0-1ubuntu2.23" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.24", "version": "7.68.0-1ubuntu2.24" }, "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. 
If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OCSP stapling bypass with GnuTLS", " - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in", " lib/vtls/gtls.c.", " - CVE-2024-8096", "" ], "package": "curl", "version": "7.68.0-1ubuntu2.24", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 06 Sep 2024 11:00:30 -0400" } ], "notes": null }, { "name": "distro-info-data", "from_version": { "source_package_name": "distro-info-data", "source_package_version": "0.43ubuntu1.16", "version": "0.43ubuntu1.16" }, "to_version": { "source_package_name": "distro-info-data", "source_package_version": "0.43ubuntu1.17", "version": "0.43ubuntu1.17" }, "cves": [], "launchpad_bugs_fixed": [ 2084572 ], "changes": [ { "cves": [], "log": [ "", " * Add Ubuntu 25.04 Plucky Puffin (LP: #2084572)", "" ], "package": "distro-info-data", "version": "0.43ubuntu1.17", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2084572 ], "author": "Benjamin Drung ", "date": "Thu, 17 Oct 2024 12:48:27 +0200" } ], "notes": null }, { "name": "e2fsprogs", "from_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.1", "version": "1.45.5-2ubuntu1.1" }, "to_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.2", "version": "1.45.5-2ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2036467 ], "changes": [ { "cves": [], "log": [ "", " * Fix superblock checksum mismatch during resize2fs operations,", " most notably during online resize of cloud images during boot.", " Read the superblock with Direct I/O to ensure we get the correct", " view of the disk. 
(LP: #2036467)", " - lp2036467-resize2fs-use-Direct-I-O-when-reading-the-superblock.patch", "" ], "package": "e2fsprogs", "version": "1.45.5-2ubuntu1.2", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2036467 ], "author": "Matthew Ruffell ", "date": "Mon, 09 Oct 2023 14:56:01 +1300" } ], "notes": null }, { "name": "krb5-locales", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.7", "version": "1.17-6ubuntu4.7" }, "cves": [], "launchpad_bugs_fixed": [ 2060666 ], "changes": [ { "cves": [], "log": [ "", " * Fix a memory leak in krb5_gss_inquire_cred (LP: #2060666)", "" ], "package": "krb5", "version": "1.17-6ubuntu4.7", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2060666 ], "author": "Ponnuvel Palaniyappan ", "date": "Thu, 08 Aug 2024 11:06:56 +0100" } ], "notes": null }, { "name": "libapparmor1:armhf", "from_version": { "source_package_name": "apparmor", "source_package_version": "2.13.3-7ubuntu5.3", "version": "2.13.3-7ubuntu5.3" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "2.13.3-7ubuntu5.4", "version": "2.13.3-7ubuntu5.4" }, "cves": [ { "cve": "CVE-2016-1585", "url": "https://ubuntu.com/security/CVE-2016-1585", "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", "cve_priority": "medium", "cve_public_date": "2019-04-22 16:29:00 UTC" } ], "launchpad_bugs_fixed": [ 1597017 ], "changes": [ { "cves": [ { "cve": "CVE-2016-1585", "url": "https://ubuntu.com/security/CVE-2016-1585", "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", "cve_priority": "medium", "cve_public_date": "2019-04-22 16:29:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)", " - 
d/p/CVE-2016-1585/parser-Fix-expansion-of-variables-in-unix-rules-addr.patch:", " add calls to filter_slashes() in parser/af_unix.cc, make it external", " in parser/parser.h and change it to void in parser/parser_regex.c.", " - d/p/CVE-2016-1585/parser-enable-variable-expansion-for-mount-type-and-.patch:", " add variable expansion with expand_entry_variables() in", " parser/mount.cc.", " - d/p/CVE-2016-1585/parser-call-filter-slashes-for-mount-conditionals.patch:", " add calls to filter_slashes() in parser/mount.cc.", " - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:", " update rule qualifiers in regression tests in", " tests/regression/apparmor/mkprofile.pl and", " tests/regression/apparmor/capabilities.sh.", " - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount", " rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h", " and fix multiple test cases in parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount", " regression tests in tests/regression/apparmor/Makefile,", " tests/regression/apparmor/mount.c,", " tests/regression/apparmor/mount.sh and", " tests/regression/apparmor/mkprofile.pl.", " - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:", " add missing kernel mount options flag in parser/apparmor.d.pod,", " parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh", " and parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update", " test profiles in parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:", " update gen_policy_change_mount_type() in parser/mount.cc and also", " updated tests on parser/tst/simple_tests/mount/* and", " tests/regression/apparmor/mount.sh.", " - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:", " add device checks in gen_flag_rules() in parser/mount.cc and 
tests", " in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,", " tests/regression/apparmor/mount.sh and", " utils/test/test-parser-simple-tests.py.", " - d/p/CVE-2016-1585/Fix-build-failure-in-df4ed537e-allow-reading-of-etc-.patch:", " remove the WARN_DEPRECATED flag in pwarn call in parser/mount.cc.", " - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:", " remove deprecation warning message in parser/mount.cc.", " - CVE-2016-1585", "" ], "package": "apparmor", "version": "2.13.3-7ubuntu5.4", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [ 1597017 ], "author": "Rodrigo Figueiredo Zaiden ", "date": "Tue, 06 Mar 2024 15:40:00 -0300" } ], "notes": null }, { "name": "libarchive13:armhf", "from_version": { "source_package_name": "libarchive", "source_package_version": "3.4.0-2ubuntu1.2", "version": "3.4.0-2ubuntu1.2" }, "to_version": { "source_package_name": "libarchive", "source_package_version": "3.4.0-2ubuntu1.4", "version": "3.4.0-2ubuntu1.4" }, "cves": [ { "cve": "CVE-2024-20696", "url": "https://ubuntu.com/security/CVE-2024-20696", "cve_description": "Windows libarchive Remote Code Execution Vulnerability", "cve_priority": "medium", "cve_public_date": "2024-01-09 18:15:00 UTC" }, { "cve": "CVE-2022-36227", "url": "https://ubuntu.com/security/CVE-2022-36227", "cve_description": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. 
NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"", "cve_priority": "low", "cve_public_date": "2022-11-22 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-20696", "url": "https://ubuntu.com/security/CVE-2024-20696", "cve_description": "Windows libarchive Remote Code Execution Vulnerability", "cve_priority": "medium", "cve_public_date": "2024-01-09 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: code execution via negative copy length", " - debian/patches/CVE-2024-20696.patch: protect", " copy_from_lzss_window_to_unp() in", " libarchive/archive_read_support_format_rar.c.", " - CVE-2024-20696", "" ], "package": "libarchive", "version": "3.4.0-2ubuntu1.4", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 29 Oct 2024 10:06:37 +0100" }, { "cves": [ { "cve": "CVE-2022-36227", "url": "https://ubuntu.com/security/CVE-2022-36227", "cve_description": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. 
NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"", "cve_priority": "low", "cve_public_date": "2022-11-22 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference", " - debian/patches/CVE-2022-36227.patch: Add NULL check in archive_write", " functions", " - CVE-2022-36227", "" ], "package": "libarchive", "version": "3.4.0-2ubuntu1.3", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 14 Oct 2024 12:12:43 +1100" } ], "notes": null }, { "name": "libcom-err2:armhf", "from_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.1", "version": "1.45.5-2ubuntu1.1" }, "to_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.2", "version": "1.45.5-2ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2036467 ], "changes": [ { "cves": [], "log": [ "", " * Fix superblock checksum mismatch during resize2fs operations,", " most notably during online resize of cloud images during boot.", " Read the superblock with Direct I/O to ensure we get the correct", " view of the disk. 
(LP: #2036467)", " - lp2036467-resize2fs-use-Direct-I-O-when-reading-the-superblock.patch", "" ], "package": "e2fsprogs", "version": "1.45.5-2ubuntu1.2", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2036467 ], "author": "Matthew Ruffell ", "date": "Mon, 09 Oct 2023 14:56:01 +1300" } ], "notes": null }, { "name": "libcurl3-gnutls:armhf", "from_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.23", "version": "7.68.0-1ubuntu2.23" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.24", "version": "7.68.0-1ubuntu2.24" }, "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. 
If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OCSP stapling bypass with GnuTLS", " - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in", " lib/vtls/gtls.c.", " - CVE-2024-8096", "" ], "package": "curl", "version": "7.68.0-1ubuntu2.24", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 06 Sep 2024 11:00:30 -0400" } ], "notes": null }, { "name": "libcurl4:armhf", "from_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.23", "version": "7.68.0-1ubuntu2.23" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.24", "version": "7.68.0-1ubuntu2.24" }, "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. 
If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OCSP stapling bypass with GnuTLS", " - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in", " lib/vtls/gtls.c.", " - CVE-2024-8096", "" ], "package": "curl", "version": "7.68.0-1ubuntu2.24", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 06 Sep 2024 11:00:30 -0400" } ], "notes": null }, { "name": "libexpat1:armhf", "from_version": { "source_package_name": "expat", "source_package_version": "2.2.9-1ubuntu0.6", "version": "2.2.9-1ubuntu0.6" }, "to_version": { "source_package_name": "expat", "source_package_version": "2.2.9-1ubuntu0.7", "version": "2.2.9-1ubuntu0.7" }, "cves": [ { "cve": "CVE-2024-45490", "url": "https://ubuntu.com/security/CVE-2024-45490", "cve_description": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45491", "url": "https://ubuntu.com/security/CVE-2024-45491", "cve_description": "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45492", "url": "https://ubuntu.com/security/CVE-2024-45492", "cve_description": "An issue was discovered in libexpat before 2.6.3. 
nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-45490", "url": "https://ubuntu.com/security/CVE-2024-45490", "cve_description": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45491", "url": "https://ubuntu.com/security/CVE-2024-45491", "cve_description": "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45492", "url": "https://ubuntu.com/security/CVE-2024-45492", "cve_description": "An issue was discovered in libexpat before 2.6.3. 
nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: invalid input length", " - CVE-2024-45490-*.patch: adds a check to the XML_ParseBuffer function of", " expat/lib/xmlparse.c to identify and error out if a negative length is", " provided.", " - CVE-2024-45490", " * SECURITY UPDATE: integer overflow", " - CVE-2024-45491.patch: adds a check to the dtdCopy function of", " expat/lib/xmlparse.c to detect and prevent an integer overflow.", " - CVE-2024-45491", " * SECURITY UPDATE: integer overflow", " - CVE-2024-45492.patch: adds a check to the nextScaffoldPart function of", " expat/lib/xmlparse.c to detect and prevent an integer overflow.", " - CVE-2024-45492", "" ], "package": "expat", "version": "2.2.9-1ubuntu0.7", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Tue, 10 Sep 2024 13:17:46 +0300" } ], "notes": null }, { "name": "libext2fs2:armhf", "from_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.1", "version": "1.45.5-2ubuntu1.1" }, "to_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.2", "version": "1.45.5-2ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2036467 ], "changes": [ { "cves": [], "log": [ "", " * Fix superblock checksum mismatch during resize2fs operations,", " most notably during online resize of cloud images during boot.", " Read the superblock with Direct I/O to ensure we get the correct", " view of the disk. 
(LP: #2036467)", " - lp2036467-resize2fs-use-Direct-I-O-when-reading-the-superblock.patch", "" ], "package": "e2fsprogs", "version": "1.45.5-2ubuntu1.2", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2036467 ], "author": "Matthew Ruffell ", "date": "Mon, 09 Oct 2023 14:56:01 +1300" } ], "notes": null }, { "name": "libgssapi-krb5-2:armhf", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.7", "version": "1.17-6ubuntu4.7" }, "cves": [], "launchpad_bugs_fixed": [ 2060666 ], "changes": [ { "cves": [], "log": [ "", " * Fix a memory leak in krb5_gss_inquire_cred (LP: #2060666)", "" ], "package": "krb5", "version": "1.17-6ubuntu4.7", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2060666 ], "author": "Ponnuvel Palaniyappan ", "date": "Thu, 08 Aug 2024 11:06:56 +0100" } ], "notes": null }, { "name": "libk5crypto3:armhf", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.7", "version": "1.17-6ubuntu4.7" }, "cves": [], "launchpad_bugs_fixed": [ 2060666 ], "changes": [ { "cves": [], "log": [ "", " * Fix a memory leak in krb5_gss_inquire_cred (LP: #2060666)", "" ], "package": "krb5", "version": "1.17-6ubuntu4.7", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2060666 ], "author": "Ponnuvel Palaniyappan ", "date": "Thu, 08 Aug 2024 11:06:56 +0100" } ], "notes": null }, { "name": "libkrb5-3:armhf", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.7", "version": "1.17-6ubuntu4.7" }, "cves": [], "launchpad_bugs_fixed": 
[ 2060666 ], "changes": [ { "cves": [], "log": [ "", " * Fix a memory leak in krb5_gss_inquire_cred (LP: #2060666)", "" ], "package": "krb5", "version": "1.17-6ubuntu4.7", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2060666 ], "author": "Ponnuvel Palaniyappan ", "date": "Thu, 08 Aug 2024 11:06:56 +0100" } ], "notes": null }, { "name": "libkrb5support0:armhf", "from_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.6", "version": "1.17-6ubuntu4.6" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.17-6ubuntu4.7", "version": "1.17-6ubuntu4.7" }, "cves": [], "launchpad_bugs_fixed": [ 2060666 ], "changes": [ { "cves": [], "log": [ "", " * Fix a memory leak in krb5_gss_inquire_cred (LP: #2060666)", "" ], "package": "krb5", "version": "1.17-6ubuntu4.7", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2060666 ], "author": "Ponnuvel Palaniyappan ", "date": "Thu, 08 Aug 2024 11:06:56 +0100" } ], "notes": null }, { "name": "libnss-systemd:armhf", "from_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.23", "version": "245.4-4ubuntu3.23" }, "to_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.24", "version": "245.4-4ubuntu3.24" }, "cves": [], "launchpad_bugs_fixed": [ 2055397 ], "changes": [ { "cves": [], "log": [ "", " * network: add RouteMetric= setting in [Address] (LP: #2055397)", " This consists of the following upstream commits:", " * sd-netlink: introduce sd_netlink_message_append_s8() and friends", " * sd-netlink: add missing address types", " * network: add RouteMetric= setting in [Address] section", " * network: dhcp4: also apply RouteMetric= setting in [DHCPv4] to prefix route", " Files:", " - debian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch", " - debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch", " - 
debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch", " - debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch", " https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10e86da62257cc03dc1d984478cb1c8efc45097d", "" ], "package": "systemd", "version": "245.4-4ubuntu3.24", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2055397 ], "author": "Ioanna Alifieraki ", "date": "Mon, 17 Jun 2024 16:29:39 -0400" } ], "notes": null }, { "name": "libpam-systemd:armhf", "from_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.23", "version": "245.4-4ubuntu3.23" }, "to_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.24", "version": "245.4-4ubuntu3.24" }, "cves": [], "launchpad_bugs_fixed": [ 2055397 ], "changes": [ { "cves": [], "log": [ "", " * network: add RouteMetric= setting in [Address] (LP: #2055397)", " This consists of the following upstream commits:", " * sd-netlink: introduce sd_netlink_message_append_s8() and friends", " * sd-netlink: add missing address types", " * network: add RouteMetric= setting in [Address] section", " * network: dhcp4: also apply RouteMetric= setting in [DHCPv4] to prefix route", " Files:", " - debian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch", " - debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch", " - debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch", " - debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch", " https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10e86da62257cc03dc1d984478cb1c8efc45097d", "" ], "package": "systemd", "version": "245.4-4ubuntu3.24", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2055397 ], "author": "Ioanna Alifieraki ", "date": "Mon, 17 
Jun 2024 16:29:39 -0400" } ], "notes": null }, { "name": "libpcap0.8:armhf", "from_version": { "source_package_name": "libpcap", "source_package_version": "1.9.1-3", "version": "1.9.1-3" }, "to_version": { "source_package_name": "libpcap", "source_package_version": "1.9.1-3ubuntu1.20.04.1", "version": "1.9.1-3ubuntu1.20.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2076398 ], "changes": [ { "cves": [], "log": [ "", " * Tcpdump utility captures incorrect packets on VLAN interface when using", " SLL2 (LP: #2076398)", " - d/p/lp2076398-linux-set-handlep-vlan_offset-if-the-linktype-is-cha.patch", "" ], "package": "libpcap", "version": "1.9.1-3ubuntu1.20.04.1", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2076398 ], "author": "Chengen Du ", "date": "Fri, 09 Aug 2024 08:27:44 +0000" } ], "notes": null }, { "name": "libpython3.8:armhf", "from_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.11", "version": "3.8.10-0ubuntu1~20.04.11" }, "to_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.12", "version": "3.8.10-0ubuntu1~20.04.12" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). 
This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. 
This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. 
When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " 
* SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in", " Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.8", "version": "3.8.10-0ubuntu1~20.04.12", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 12:02:53 -0400" } ], "notes": null }, { "name": "libpython3.8-minimal:armhf", "from_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.11", "version": "3.8.10-0ubuntu1~20.04.11" }, "to_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.12", "version": "3.8.10-0ubuntu1~20.04.12" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. 
Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. 
Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. 
When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " 
* SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in", " Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.8", "version": "3.8.10-0ubuntu1~20.04.12", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 12:02:53 -0400" } ], "notes": null }, { "name": "libpython3.8-stdlib:armhf", "from_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.11", "version": "3.8.10-0ubuntu1~20.04.11" }, "to_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.12", "version": "3.8.10-0ubuntu1~20.04.12" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. 
Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. 
Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. 
When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " 
* SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in", " Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.8", "version": "3.8.10-0ubuntu1~20.04.12", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 12:02:53 -0400" } ], "notes": null }, { "name": "libss2:armhf", "from_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.1", "version": "1.45.5-2ubuntu1.1" }, "to_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.2", "version": "1.45.5-2ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2036467 ], "changes": [ { "cves": [], "log": [ "", " * Fix superblock checksum mismatch during resize2fs operations,", " most notably during online resize of cloud images during boot.", " Read the superblock with Direct I/O to ensure we get the correct", " view of the disk. 
(LP: #2036467)", " - lp2036467-resize2fs-use-Direct-I-O-when-reading-the-superblock.patch", "" ], "package": "e2fsprogs", "version": "1.45.5-2ubuntu1.2", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2036467 ], "author": "Matthew Ruffell ", "date": "Mon, 09 Oct 2023 14:56:01 +1300" } ], "notes": null }, { "name": "libsystemd0:armhf", "from_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.23", "version": "245.4-4ubuntu3.23" }, "to_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.24", "version": "245.4-4ubuntu3.24" }, "cves": [], "launchpad_bugs_fixed": [ 2055397 ], "changes": [ { "cves": [], "log": [ "", " * network: add RouteMetric= setting in [Address] (LP: #2055397)", " This consists of the following upstream commits:", " * sd-netlink: introduce sd_netlink_message_append_s8() and friends", " * sd-netlink: add missing address types", " * network: add RouteMetric= setting in [Address] section", " * network: dhcp4: also apply RouteMetric= setting in [DHCPv4] to prefix route", " Files:", " - debian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch", " - debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch", " - debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch", " - debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch", " https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10e86da62257cc03dc1d984478cb1c8efc45097d", "" ], "package": "systemd", "version": "245.4-4ubuntu3.24", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2055397 ], "author": "Ioanna Alifieraki ", "date": "Mon, 17 Jun 2024 16:29:39 -0400" } ], "notes": null }, { "name": "libudev1:armhf", "from_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.23", "version": "245.4-4ubuntu3.23" }, 
"to_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.24", "version": "245.4-4ubuntu3.24" }, "cves": [], "launchpad_bugs_fixed": [ 2055397 ], "changes": [ { "cves": [], "log": [ "", " * network: add RouteMetric= setting in [Address] (LP: #2055397)", " This consists of the following upstream commits:", " * sd-netlink: introduce sd_netlink_message_append_s8() and friends", " * sd-netlink: add missing address types", " * network: add RouteMetric= setting in [Address] section", " * network: dhcp4: also apply RouteMetric= setting in [DHCPv4] to prefix route", " Files:", " - debian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch", " - debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch", " - debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch", " - debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch", " https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10e86da62257cc03dc1d984478cb1c8efc45097d", "" ], "package": "systemd", "version": "245.4-4ubuntu3.24", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2055397 ], "author": "Ioanna Alifieraki ", "date": "Mon, 17 Jun 2024 16:29:39 -0400" } ], "notes": null }, { "name": "linux-generic-lpae", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.193.191", "version": "5.4.0.193.191" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.200.196", "version": "5.4.0.200.196" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-200", "" ], "package": "linux-meta", "version": "5.4.0.200.196", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:56:44 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-197", "", " * 
Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.4.0.197.195", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 13 Sep 2024 15:41:01 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-196", "" ], "package": "linux-meta", "version": "5.4.0.196.194", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:21:38 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-195", "" ], "package": "linux-meta", "version": "5.4.0.195.193", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:12:21 +0200" } ], "notes": null }, { "name": "linux-headers-generic-lpae", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.193.191", "version": "5.4.0.193.191" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.200.196", "version": "5.4.0.200.196" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-200", "" ], "package": "linux-meta", "version": "5.4.0.200.196", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:56:44 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-197", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.4.0.197.195", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 13 Sep 2024 15:41:01 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-196", "" ], "package": "linux-meta", "version": "5.4.0.196.194", "urgency": "medium", "distributions": 
"focal", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:21:38 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-195", "" ], "package": "linux-meta", "version": "5.4.0.195.193", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:12:21 +0200" } ], "notes": null }, { "name": "linux-image-generic-lpae", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.193.191", "version": "5.4.0.193.191" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.200.196", "version": "5.4.0.200.196" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-200", "" ], "package": "linux-meta", "version": "5.4.0.200.196", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:56:44 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-197", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.4.0.197.195", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 13 Sep 2024 15:41:01 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-196", "" ], "package": "linux-meta", "version": "5.4.0.196.194", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:21:38 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.4.0-195", "" ], "package": "linux-meta", "version": "5.4.0.195.193", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:12:21 +0200" } ], "notes": null }, { "name": "logsave", "from_version": { "source_package_name": "e2fsprogs", 
"source_package_version": "1.45.5-2ubuntu1.1", "version": "1.45.5-2ubuntu1.1" }, "to_version": { "source_package_name": "e2fsprogs", "source_package_version": "1.45.5-2ubuntu1.2", "version": "1.45.5-2ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2036467 ], "changes": [ { "cves": [], "log": [ "", " * Fix superblock checksum mismatch during resize2fs operations,", " most notably during online resize of cloud images during boot.", " Read the superblock with Direct I/O to ensure we get the correct", " view of the disk. (LP: #2036467)", " - lp2036467-resize2fs-use-Direct-I-O-when-reading-the-superblock.patch", "" ], "package": "e2fsprogs", "version": "1.45.5-2ubuntu1.2", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2036467 ], "author": "Matthew Ruffell ", "date": "Mon, 09 Oct 2023 14:56:01 +1300" } ], "notes": null }, { "name": "nano", "from_version": { "source_package_name": "nano", "source_package_version": "4.8-1ubuntu1", "version": "4.8-1ubuntu1" }, "to_version": { "source_package_name": "nano", "source_package_version": "4.8-1ubuntu1.1", "version": "4.8-1ubuntu1.1" }, "cves": [ { "cve": "CVE-2024-5742", "url": "https://ubuntu.com/security/CVE-2024-5742", "cve_description": "A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.", "cve_priority": "low", "cve_public_date": "2024-06-12 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-5742", "url": "https://ubuntu.com/security/CVE-2024-5742", "cve_description": "A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. 
If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.", "cve_priority": "low", "cve_public_date": "2024-06-12 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Emergency file could be replaced by a malicious symlink.", " - debian/patches/CVE-2024-5742.patch: Use fchmod and fchown in write_file()", " in src/files.c instead of using chmod and chown in emergency_save() in", " src/nano.c. Add EMERGENCY write type in kind_of_writing_type enum in", " src/nano.h. Update fd in write_file() in src/files.c. Based on upstream.", " - CVE-2024-5742", "" ], "package": "nano", "version": "4.8-1ubuntu1.1", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 09 Oct 2024 17:50:23 -0230" } ], "notes": null }, { "name": "python3-configobj", "from_version": { "source_package_name": "configobj", "source_package_version": "5.0.6-4", "version": "5.0.6-4" }, "to_version": { "source_package_name": "configobj", "source_package_version": "5.0.6-4ubuntu0.1", "version": "5.0.6-4ubuntu0.1" }, "cves": [ { "cve": "CVE-2023-26112", "url": "https://ubuntu.com/security/CVE-2023-26112", "cve_description": "All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\\((.*)\\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.", "cve_priority": "low", "cve_public_date": "2023-04-03 05:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-26112", "url": "https://ubuntu.com/security/CVE-2023-26112", "cve_description": "All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\\((.*)\\). 
**Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.", "cve_priority": "low", "cve_public_date": "2023-04-03 05:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: ReDoS", " - debian/patches/CVE-2023-26112.patch: updates regex that can cause", " catastrophic backtracking when a match fails in validate.py and adds a", " test in tests/test_validate_errors.py.", " - CVE-2023-26112", "" ], "package": "configobj", "version": "5.0.6-4ubuntu0.1", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Fri, 20 Sep 2024 15:02:40 +0300" } ], "notes": null }, { "name": "python3-pkg-resources", "from_version": { "source_package_name": "setuptools", "source_package_version": "45.2.0-1ubuntu0.1", "version": "45.2.0-1ubuntu0.1" }, "to_version": { "source_package_name": "setuptools", "source_package_version": "45.2.0-1ubuntu0.2", "version": "45.2.0-1ubuntu0.2" }, "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. 
These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via package download functions", " - debian/patches/CVE-2024-6345.patch: modernize and fix VCS handling", " to prevent code injection in setuptools/package_index.py and", " setuptools/tests/test_packageindex.py. Also update setup.cfg to", " include new test dependencies.", " - CVE-2024-6345", "" ], "package": "setuptools", "version": "45.2.0-1ubuntu0.2", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 05 Sep 2024 16:51:51 +0530" } ], "notes": null }, { "name": "python3-setuptools", "from_version": { "source_package_name": "setuptools", "source_package_version": "45.2.0-1ubuntu0.1", "version": "45.2.0-1ubuntu0.1" }, "to_version": { "source_package_name": "setuptools", "source_package_version": "45.2.0-1ubuntu0.2", "version": "45.2.0-1ubuntu0.2" }, "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. 
The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via package download functions", " - debian/patches/CVE-2024-6345.patch: modernize and fix VCS handling", " to prevent code injection in setuptools/package_index.py and", " setuptools/tests/test_packageindex.py. Also update setup.cfg to", " include new test dependencies.", " - CVE-2024-6345", "" ], "package": "setuptools", "version": "45.2.0-1ubuntu0.2", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 05 Sep 2024 16:51:51 +0530" } ], "notes": null }, { "name": "python3-twisted", "from_version": { "source_package_name": "twisted", "source_package_version": "18.9.0-11ubuntu0.20.04.3", "version": "18.9.0-11ubuntu0.20.04.3" }, "to_version": { "source_package_name": "twisted", "source_package_version": "18.9.0-11ubuntu0.20.04.4", "version": "18.9.0-11ubuntu0.20.04.4" }, "cves": [ { "cve": "CVE-2024-41810", "url": "https://ubuntu.com/security/CVE-2024-41810", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. 
The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-41810", "url": "https://ubuntu.com/security/CVE-2024-41810", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HTML injection in HTTP redirect body", " - debian/patches/CVE-2024-41810.patch: added output ", " encoding in redirect HTML", " - CVE-2024-41810", "" ], "package": "twisted", "version": "18.9.0-11ubuntu0.20.04.4", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Nick Galanis ", "date": "Wed, 21 Aug 2024 16:43:07 +0300" } ], "notes": null }, { "name": "python3-twisted-bin:armhf", "from_version": { "source_package_name": "twisted", "source_package_version": "18.9.0-11ubuntu0.20.04.3", "version": "18.9.0-11ubuntu0.20.04.3" }, "to_version": { "source_package_name": "twisted", "source_package_version": "18.9.0-11ubuntu0.20.04.4", "version": "18.9.0-11ubuntu0.20.04.4" }, "cves": [ { "cve": "CVE-2024-41810", "url": "https://ubuntu.com/security/CVE-2024-41810", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. 
The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-41810", "url": "https://ubuntu.com/security/CVE-2024-41810", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.", "cve_priority": "medium", "cve_public_date": "2024-07-29 16:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HTML injection in HTTP redirect body", " - debian/patches/CVE-2024-41810.patch: added output ", " encoding in redirect HTML", " - CVE-2024-41810", "" ], "package": "twisted", "version": "18.9.0-11ubuntu0.20.04.4", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Nick Galanis ", "date": "Wed, 21 Aug 2024 16:43:07 +0300" } ], "notes": null }, { "name": "python3-update-manager", "from_version": { "source_package_name": "update-manager", "source_package_version": "1:20.04.10.21", "version": "1:20.04.10.21" }, "to_version": { "source_package_name": "update-manager", "source_package_version": "1:20.04.10.23", "version": "1:20.04.10.23" }, "cves": [], "launchpad_bugs_fixed": [ 2064211, 2064211 ], "changes": [ { "cves": [], "log": [ "", " * Print warning message on failing to run updates end-point (LP: #2064211).", "" ], "package": "update-manager", "version": "1:20.04.10.23", "urgency": "medium", "distributions": 
"focal", "launchpad_bugs_fixed": [ 2064211 ], "author": "Nathan Pratta Teodosio ", "date": "Wed, 11 Sep 2024 13:41:08 +0200" }, { "cves": [], "log": [ "", " * Don't crash if the end-points of the Pro API fail (LP: #2064211).", "" ], "package": "update-manager", "version": "1:20.04.10.22", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2064211 ], "author": "Nathan Pratta Teodosio ", "date": "Wed, 26 Jun 2024 11:06:33 +0200" } ], "notes": null }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "1.25.8-2ubuntu0.3", "version": "1.25.8-2ubuntu0.3" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "1.25.8-2ubuntu0.4", "version": "1.25.8-2ubuntu0.4" }, "cves": [ { "cve": "CVE-2024-37891", "url": "https://ubuntu.com/security/CVE-2024-37891", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. 
Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.", "cve_priority": "low", "cve_public_date": "2024-06-17 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37891", "url": "https://ubuntu.com/security/CVE-2024-37891", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. 
Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.", "cve_priority": "low", "cve_public_date": "2024-06-17 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: The Proxy-Authorization header is not correctly stripped", " when redirecting to a different host.", " - debian/patches/CVE-2024-37891.patch: Add \"Proxy-Authorization\" to", " DEFAULT_REDIRECT_HEADERS_BLACKLIST in src/urllib3/util/retry.py. 
Add", " header to tests.", " - CVE-2024-37891", "" ], "package": "python-urllib3", "version": "1.25.8-2ubuntu0.4", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 16 Oct 2024 17:58:58 -0230" } ], "notes": null }, { "name": "python3.8", "from_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.11", "version": "3.8.10-0ubuntu1~20.04.11" }, "to_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.12", "version": "3.8.10-0ubuntu1~20.04.12" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. 
The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. 
In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. 
When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " * SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in", " Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.8", "version": "3.8.10-0ubuntu1~20.04.12", 
"urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 12:02:53 -0400" } ], "notes": null }, { "name": "python3.8-minimal", "from_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.11", "version": "3.8.10-0ubuntu1~20.04.11" }, "to_version": { "source_package_name": "python3.8", "source_package_version": "3.8.10-0ubuntu1~20.04.12", "version": "3.8.10-0ubuntu1~20.04.12" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. 
The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. 
In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. 
When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " * SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in", " Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.8", "version": "3.8.10-0ubuntu1~20.04.12", 
"urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 12:02:53 -0400" } ], "notes": null }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.63+20.04ubuntu0.1", "version": "2.63+20.04ubuntu0.1" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.65.3+20.04", "version": "2.65.3+20.04" }, "cves": [], "launchpad_bugs_fixed": [ 2077473, 2077473, 2077473, 2077473, 2072986, 2061179 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Fix missing aux info from store on snap setup", "" ], "package": "snapd", "version": "2.65.3+20.04", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Thu, 12 Sep 2024 09:40:17 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Bump squashfuse from version 0.5.0 to 0.5.2 (used in snapd deb", " only)", "" ], "package": "snapd", "version": "2.65.2", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Fri, 06 Sep 2024 17:08:45 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS complaint snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to latest 4.0.2 release", " - AppArmor: enable using ABI 4.0 from host parser", " - AppArmor: fix parser lookup", " - AppArmor: support AppArmor snippet priorities", " - AppArmor: allow reading cgroup memory.max file", " - AppArmor: allow using snap-exec coming from the snapd snap when", " starting a confined process with jailmode", " - AppArmor prompting (experimental): add checks for prompting", " support, include prompting status in system key, and restart snapd", " if 
prompting flag changes", " - AppArmor prompting (experimental): include prompt prefix in", " AppArmor rules if prompting is supported and enabled", " - AppArmor prompting (experimental): add common types, constraints,", " and mappings from AppArmor permissions to abstract permissions", " - AppArmor prompting (experimental): add path pattern parsing and", " matching", " - AppArmor prompting (experimental): add path pattern precedence", " based on specificity", " - AppArmor prompting (experimental): add packages to manage", " outstanding request prompts and rules", " - AppArmor prompting (experimental): add prompting API and notice", " types, which require snap-interfaces-requests-control interface", " - AppArmor prompting (experimental): feature flag can only be", " enabled if prompting is supported, handler service connected, and", " the service can be started", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views and", " setting/unsetting registry data using snapctl", " - Registry views (experimental): fetch and refresh registry", " assertions as needed", " - Registry views (experimental): restrict view paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store", " - Snap components: support removing components individually and", " during snap removal", " - Snap components: support kernel modules as components", " - Snap components: support for component install, pre-refresh and", " post-refresh hooks", " - Snap components: initial support for building systems that contain", " components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API 
to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface access to /v2/snaps/{name} endpoint", " - Improve snap-confine compatibility with nvidia drivers", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Allow mixing revision and channel on snap install", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug API command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", " - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Add options system.coredump.enable and system.coredump.maxuse to", " support using systemd-coredump on Ubuntu Core", " - Provide documentation URL for 'snap interface '", " - Fix snapd riscv64 build", " - Fix restarting activated services instead of their activator units", " (i.e. 
sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Fix parsing /proc/PID/mounts with spaces", " - Add registry interface that provides snaps access to a particular", " registry view", " - Add snap-interfaces-requests-control interface to enable prompting", " client snaps", " - steam-support interface: remove all AppArmor and seccomp", " restrictions to improve user experience", " - opengl interface: improve compatibility with nvidia drivers", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control 
interface: support for battery charging thesholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", " - network-control interface: allow wpa_supplicant dbus api", " - gpio-control interface: support gpiochip* devices", " - polkit interface: fix \"rw\" mount option check", " - u2f-devices interface: enable additional security keys", " - desktop interface: enable kde theming support", "" ], "package": "snapd", "version": "2.65.1", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Sat, 24 Aug 2024 10:31:20 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS complaint snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to latest 4.0.2 release", " - AppArmor: enable using ABI 4.0 from host parser", " - AppArmor: fix parser lookup", " - AppArmor: support AppArmor snippet priorities", " - AppArmor: allow reading cgroup memory.max file", " - AppArmor: allow using snap-exec coming from the snapd snap when", " starting a confined process with jailmode", " - AppArmor prompting (experimental): add checks for prompting", " support, include prompting status in system key, and restart snapd", " if prompting flag changes", " - AppArmor prompting (experimental): include prompt prefix in", " AppArmor rules if prompting is supported and enabled", " - AppArmor prompting (experimental): add common types, constraints,", " and mappings from 
AppArmor permissions to abstract permissions", " - AppArmor prompting (experimental): add path pattern parsing and", " matching", " - AppArmor prompting (experimental): add path pattern precedence", " based on specificity", " - AppArmor prompting (experimental): add packages to manage", " outstanding request prompts and rules", " - AppArmor prompting (experimental): add prompting API and notice", " types, which require snap-interfaces-requests-control interface", " - AppArmor prompting (experimental): feature flag can only be", " enabled if prompting is supported, handler service connected, and", " the service can be started", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views and", " setting/unsetting registry data using snapctl", " - Registry views (experimental): fetch and refresh registry", " assertions as needed", " - Registry views (experimental): restrict view paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store", " - Snap components: support removing components individually and", " during snap removal", " - Snap components: support kernel modules as components", " - Snap components: support for component install, pre-refresh and", " post-refresh hooks", " - Snap components: initial support for building systems that contain", " components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface 
access to /v2/snaps/{name} endpoint", " - Improve snap-confine compatibility with nvidia drivers", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Allow mixing revision and channel on snap install", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug API command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", " - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Add options system.coredump.enable and system.coredump.maxuse to", " support using systemd-coredump on Ubuntu Core", " - Provide documentation URL for 'snap interface '", " - Fix restarting activated services instead of their activator units", " (i.e. 
sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Fix parsing /proc/PID/mounts with spaces", " - Add registry interface that provides snaps access to a particular", " registry view", " - Add snap-interfaces-requests-control interface to enable prompting", " client snaps", " - steam-support interface: remove all AppArmor and seccomp", " restrictions to improve user experience", " - opengl interface: improve compatibility with nvidia drivers", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control 
interface: support for battery charging thesholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", " - network-control interface: allow wpa_supplicant dbus api", " - gpio-control interface: support gpiochip* devices", " - polkit interface: fix \"rw\" mount option check", " - u2f-devices interface: enable additional security keys", " - desktop interface: enable kde theming support", "" ], "package": "snapd", "version": "2.65", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Fri, 23 Aug 2024 08:49:28 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2072986", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS complaint snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to AppArmor 4.0.1", " - AppArmor: support AppArmor snippet priorities", " - AppArmor prompting: add checks for prompting support, include", " prompting status in system key, and restart snapd if prompting", " flag changes", " - AppArmor prompting: include prompt prefix in AppArmor rules if", " prompting is supported and enabled", " - AppArmor prompting: add common types, constraints, and mappings", " from AppArmor permissions to abstract permissions", " - AppArmor prompting: add path pattern parsing and matching", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views", " using snapctl", " - Registry views (experimental): restrict view 
paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store (no", " REST API/CLI)", " - Snap components: support removing components (REST API, no CLI)", " - Snap components: started support for component hooks", " - Snap components: support kernel modules as components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface access to /v2/snaps/{name} endpoint", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug api command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", 
" - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Fix restarting activated services instead of their activator units", " (i.e. sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Add registry interface that provides snaps access to a particular", " registry view", " - steam-support interface: relaxed AppArmor and seccomp restrictions", " to improve user experience", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control interface: support for battery 
charging thesholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", "" ], "package": "snapd", "version": "2.64", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2072986 ], "author": "Ernest Lotter ", "date": "Wed, 24 Jul 2024 21:11:59 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2061179", " - Support for snap services to show the current status of user", " services (experimental)", " - Refresh app awareness: record snap-run-inhibit notice when", " starting app from snap that is busy with refresh (experimental)", " - Refresh app awareness: use warnings as fallback for desktop", " notifications (experimental)", " - Aspect based configuration: make request fields in the aspect-", " bundle's rules optional (experimental)", " - Aspect based configuration: make map keys conform to the same", " format as path sub-keys (experimental)", " - Aspect based configuration: make unset and set behaviour similar", " to configuration options (experimental)", " - Aspect based configuration: limit nesting level for setting value", " (experimental)", " - Components: use symlinks to point active snap component revisions", " - Components: add model assertion support for components", " - Components: fix to ensure local component installation always gets", " a new revision number", " - Add basic support for a CIFS remote filesystem-based home", " directory", " - Add support for AppArmor profile kill mode to avoid snap-confine", " error", " - Allow more than one interface to grant access to the same API", " endpoint or notice type", " - Allow all 
snapd service's control group processes to send systemd", " notifications to prevent warnings flooding the log", " - Enable not preseeded single boot install", " - Update secboot to handle new sbatlevel", " - Fix to not use cgroup for non-strict confined snaps (devmode,", " classic)", " - Fix two race conditions relating to freedesktop notifications", " - Fix missing tunables in snap-update-ns AppArmor template", " - Fix rejection of snapd snap udev command line by older host snap-", " device-helper", " - Rework seccomp allow/deny list", " - Clean up files removed by gadgets", " - Remove non-viable boot chains to avoid secboot failure", " - posix_mq interface: add support for missing time64 mqueue syscalls", " mq_timedreceive_time64 and mq_timedsend_time64", " - password-manager-service interface: allow kwalletd version 6", " - kubernetes-support interface: allow SOCK_SEQPACKET sockets", " - system-observe interface: allow listing systemd units and their", " properties", " - opengl interface: enable use of nvidia container toolkit CDI", " config generation", "" ], "package": "snapd", "version": "2.63", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2061179 ], "author": "Ernest Lotter ", "date": "Wed, 24 Apr 2024 02:00:39 +0200" } ], "notes": null }, { "name": "sosreport", "from_version": { "source_package_name": "sosreport", "source_package_version": "4.5.6-0ubuntu1~20.04.2", "version": "4.5.6-0ubuntu1~20.04.2" }, "to_version": { "source_package_name": "sosreport", "source_package_version": "4.7.2-0ubuntu1~20.04.1", "version": "4.7.2-0ubuntu1~20.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2054395 ], "changes": [ { "cves": [], "log": [ "", " * New 4.7.2 upstream release. 
(LP: #2054395)", "", " * For more details, full release note is available here:", " - https://github.com/sosreport/sos/releases/tag/4.7.2", "", " * d/control:", " - Add 'python3-packaging' as part of the runtime depends.", " - Add 'python3-packaging' as part of the build depends:", " Use packaging for version comparison instead of pkg_resources from", " setuptools.", " - Add 'python3-yaml' as part of the build depends:", " The new saltstack collect plugin now imports the yaml module, this is", " now required to build and run the sos package", "", " * Former patches, now fixed:", " - d/p/0002-obfuscate-netplan-ssid-password.patch", "", " * Remaining patches:", " - d/p/0001-debian-change-tmp-dir-location.patch", " - d/p/0002-debian-remove-magic-stderr.patch", "" ], "package": "sosreport", "version": "4.7.2-0ubuntu1~20.04.1", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2054395 ], "author": "Arif Ali ", "date": "Fri, 21 Jun 2024 10:02:02 +0100" } ], "notes": null }, { "name": "systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.23", "version": "245.4-4ubuntu3.23" }, "to_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.24", "version": "245.4-4ubuntu3.24" }, "cves": [], "launchpad_bugs_fixed": [ 2055397 ], "changes": [ { "cves": [], "log": [ "", " * network: add RouteMetric= setting in [Address] (LP: #2055397)", " This consists of the following upstream commits:", " * sd-netlink: introduce sd_netlink_message_append_s8() and friends", " * sd-netlink: add missing address types", " * network: add RouteMetric= setting in [Address] section", " * network: dhcp4: also apply RouteMetric= setting in [DHCPv4] to prefix route", " Files:", " - debian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch", " - debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch", " - 
debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch", " - debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch", " https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10e86da62257cc03dc1d984478cb1c8efc45097d", "" ], "package": "systemd", "version": "245.4-4ubuntu3.24", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2055397 ], "author": "Ioanna Alifieraki ", "date": "Mon, 17 Jun 2024 16:29:39 -0400" } ], "notes": null }, { "name": "systemd-sysv", "from_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.23", "version": "245.4-4ubuntu3.23" }, "to_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.24", "version": "245.4-4ubuntu3.24" }, "cves": [], "launchpad_bugs_fixed": [ 2055397 ], "changes": [ { "cves": [], "log": [ "", " * network: add RouteMetric= setting in [Address] (LP: #2055397)", " This consists of the following upstream commits:", " * sd-netlink: introduce sd_netlink_message_append_s8() and friends", " * sd-netlink: add missing address types", " * network: add RouteMetric= setting in [Address] section", " * network: dhcp4: also apply RouteMetric= setting in [DHCPv4] to prefix route", " Files:", " - debian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch", " - debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch", " - debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch", " - debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch", " https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10e86da62257cc03dc1d984478cb1c8efc45097d", "" ], "package": "systemd", "version": "245.4-4ubuntu3.24", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2055397 ], "author": "Ioanna Alifieraki ", "date": "Mon, 17 Jun 
2024 16:29:39 -0400" } ], "notes": null }, { "name": "systemd-timesyncd", "from_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.23", "version": "245.4-4ubuntu3.23" }, "to_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.24", "version": "245.4-4ubuntu3.24" }, "cves": [], "launchpad_bugs_fixed": [ 2055397 ], "changes": [ { "cves": [], "log": [ "", " * network: add RouteMetric= setting in [Address] (LP: #2055397)", " This consists of the following upstream commits:", " * sd-netlink: introduce sd_netlink_message_append_s8() and friends", " * sd-netlink: add missing address types", " * network: add RouteMetric= setting in [Address] section", " * network: dhcp4: also apply RouteMetric= setting in [DHCPv4] to prefix route", " Files:", " - debian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch", " - debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch", " - debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch", " - debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch", " https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10e86da62257cc03dc1d984478cb1c8efc45097d", "" ], "package": "systemd", "version": "245.4-4ubuntu3.24", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2055397 ], "author": "Ioanna Alifieraki ", "date": "Mon, 17 Jun 2024 16:29:39 -0400" } ], "notes": null }, { "name": "ubuntu-advantage-tools", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3.1~20.04", "version": "32.3.1~20.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "34~20.04", "version": "34~20.04" }, "cves": [], "launchpad_bugs_fixed": [ 2075543, 2075543, 2074211, 2055239, 2078737, 2072489, 2060769, 2067810, 2069237, 2060769, 2068744 ], "changes": [ { 
"cves": [], "log": [ "", " * Backport 34 to focal (LP: #2075543)", "" ], "package": "ubuntu-advantage-tools", "version": "34~20.04", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075543 ], "author": "Grant Orndorff ", "date": "Fri, 06 Sep 2024 19:58:21 -0400" }, { "cves": [], "log": [ "", " * d/rules: check that version.py is consistent with changelog (GH: #3154)", " * New upstream release 34: (LP: #2075543)", " - apt-hook: redirect errors away from users (LP: #2074211, LP: #2055239)", " - detach: ensure apt bearer tokens are always cleaned up", " - fips-preview: add warnings and prompts similar to fips and fips-updates", " - fips and realtime-kernel: add warning when the new kernel may have", " different hardware support than the current kernel based on the flavor", " (GH: #3115)", " - fix: use more reliable api query param when looking up CVE fixes", " - help:", " + change help output for base pro command", " + remove service descriptions from output (GH: #3126)", " + show help content when run without a subcommand", " - timer: recover from corrupted job status file (LP: #2078737)", " - update manpage", "" ], "package": "ubuntu-advantage-tools", "version": "34", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2075543, 2074211, 2055239, 2078737 ], "author": "Grant Orndorff ", "date": "Mon, 29 Jul 2024 15:48:22 -0500" }, { "cves": [], "log": [ "", " * d/apparmor: add apt-news access to package information on the system", " (LP: #2072489) (GH: #3193)", "" ], "package": "ubuntu-advantage-tools", "version": "33.2", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2072489 ], "author": "Lucas Moura ", "date": "Wed, 17 Jul 2024 09:50:56 -0300" }, { "cves": [], "log": [ "", " * New upstream release 33.1: (LP: #2060769)", " - system:", " + always pass C.UTF8 as the language when calling a subprocess", " + ignore utf-8 decode errors on subprocess output", "" ], "package": 
"ubuntu-advantage-tools", "version": "33.1", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2060769 ], "author": "Renan Rodrigo ", "date": "Wed, 10 Jul 2024 16:43:02 -0300" }, { "cves": [], "log": [ "", " * d/apparmor: adjust the esm_cache apparmor profile to allow reading of dpkg", " data directory (LP: #2067810) (GH: #3137)", " * New upstream release 33 (LP: #2069237)", " - apt: use Python bindings instead of apt CLI to query for installed", " packages (LP: #2060769) (LP: #2068744)", " - beta: drop support for beta services", " - contracts: add support for contracts which target a specific series", " - fips: change enable functionality to ensure all packages with a FIPS", " candidate are upgraded to the FIPS version (GH: #2667)", " - fix: ", " + add the current_status field to the plan api return object", " + change recommended attach method to magic attach (GH: #3040)", " - livepatch: prefer the term 'coverage' instead of 'support' in messaging", " (GH: #3063)", " - realtime:", " + auto-select the raspi variant when appropriate", " + inform the user when auto-selecting a variant", "" ], "package": "ubuntu-advantage-tools", "version": "33", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2067810, 2069237, 2060769, 2068744 ], "author": "Renan Rodrigo ", "date": "Thu, 13 Jun 2024 00:19:54 -0300" } ], "notes": null }, { "name": "ubuntu-pro-client", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3.1~20.04", "version": "32.3.1~20.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "34~20.04", "version": "34~20.04" }, "cves": [], "launchpad_bugs_fixed": [ 2075543, 2075543, 2074211, 2055239, 2078737, 2072489, 2060769, 2067810, 2069237, 2060769, 2068744 ], "changes": [ { "cves": [], "log": [ "", " * Backport 34 to focal (LP: #2075543)", "" ], "package": "ubuntu-advantage-tools", "version": "34~20.04", "urgency": 
"medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075543 ], "author": "Grant Orndorff ", "date": "Fri, 06 Sep 2024 19:58:21 -0400" }, { "cves": [], "log": [ "", " * d/rules: check that version.py is consistent with changelog (GH: #3154)", " * New upstream release 34: (LP: #2075543)", " - apt-hook: redirect errors away from users (LP: #2074211, LP: #2055239)", " - detach: ensure apt bearer tokens are always cleaned up", " - fips-preview: add warnings and prompts similar to fips and fips-updates", " - fips and realtime-kernel: add warning when the new kernel may have", " different hardware support than the current kernel based on the flavor", " (GH: #3115)", " - fix: use more reliable api query param when looking up CVE fixes", " - help:", " + change help output for base pro command", " + remove service descriptions from output (GH: #3126)", " + show help content when run without a subcommand", " - timer: recover from corrupted job status file (LP: #2078737)", " - update manpage", "" ], "package": "ubuntu-advantage-tools", "version": "34", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2075543, 2074211, 2055239, 2078737 ], "author": "Grant Orndorff ", "date": "Mon, 29 Jul 2024 15:48:22 -0500" }, { "cves": [], "log": [ "", " * d/apparmor: add apt-news access to package information on the system", " (LP: #2072489) (GH: #3193)", "" ], "package": "ubuntu-advantage-tools", "version": "33.2", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2072489 ], "author": "Lucas Moura ", "date": "Wed, 17 Jul 2024 09:50:56 -0300" }, { "cves": [], "log": [ "", " * New upstream release 33.1: (LP: #2060769)", " - system:", " + always pass C.UTF8 as the language when calling a subprocess", " + ignore utf-8 decode errors on subprocess output", "" ], "package": "ubuntu-advantage-tools", "version": "33.1", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2060769 ], "author": "Renan Rodrigo ", 
"date": "Wed, 10 Jul 2024 16:43:02 -0300" }, { "cves": [], "log": [ "", " * d/apparmor: adjust the esm_cache apparmor profile to allow reading of dpkg", " data directory (LP: #2067810) (GH: #3137)", " * New upstream release 33 (LP: #2069237)", " - apt: use Python bindings instead of apt CLI to query for installed", " packages (LP: #2060769) (LP: #2068744)", " - beta: drop support for beta services", " - contracts: add support for contracts which target a specific series", " - fips: change enable functionality to ensure all packages with a FIPS", " candidate are upgraded to the FIPS version (GH: #2667)", " - fix: ", " + add the current_status field to the plan api return object", " + change recommended attach method to magic attach (GH: #3040)", " - livepatch: prefer the term 'coverage' instead of 'support' in messaging", " (GH: #3063)", " - realtime:", " + auto-select the raspi variant when appropriate", " + inform the user when auto-selecting a variant", "" ], "package": "ubuntu-advantage-tools", "version": "33", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2067810, 2069237, 2060769, 2068744 ], "author": "Renan Rodrigo ", "date": "Thu, 13 Jun 2024 00:19:54 -0300" } ], "notes": null }, { "name": "ubuntu-pro-client-l10n", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3.1~20.04", "version": "32.3.1~20.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "34~20.04", "version": "34~20.04" }, "cves": [], "launchpad_bugs_fixed": [ 2075543, 2075543, 2074211, 2055239, 2078737, 2072489, 2060769, 2067810, 2069237, 2060769, 2068744 ], "changes": [ { "cves": [], "log": [ "", " * Backport 34 to focal (LP: #2075543)", "" ], "package": "ubuntu-advantage-tools", "version": "34~20.04", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075543 ], "author": "Grant Orndorff ", "date": "Fri, 06 Sep 2024 19:58:21 -0400" }, { "cves": [], 
"log": [ "", " * d/rules: check that version.py is consistent with changelog (GH: #3154)", " * New upstream release 34: (LP: #2075543)", " - apt-hook: redirect errors away from users (LP: #2074211, LP: #2055239)", " - detach: ensure apt bearer tokens are always cleaned up", " - fips-preview: add warnings and prompts similar to fips and fips-updates", " - fips and realtime-kernel: add warning when the new kernel may have", " different hardware support than the current kernel based on the flavor", " (GH: #3115)", " - fix: use more reliable api query param when looking up CVE fixes", " - help:", " + change help output for base pro command", " + remove service descriptions from output (GH: #3126)", " + show help content when run without a subcommand", " - timer: recover from corrupted job status file (LP: #2078737)", " - update manpage", "" ], "package": "ubuntu-advantage-tools", "version": "34", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2075543, 2074211, 2055239, 2078737 ], "author": "Grant Orndorff ", "date": "Mon, 29 Jul 2024 15:48:22 -0500" }, { "cves": [], "log": [ "", " * d/apparmor: add apt-news access to package information on the system", " (LP: #2072489) (GH: #3193)", "" ], "package": "ubuntu-advantage-tools", "version": "33.2", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2072489 ], "author": "Lucas Moura ", "date": "Wed, 17 Jul 2024 09:50:56 -0300" }, { "cves": [], "log": [ "", " * New upstream release 33.1: (LP: #2060769)", " - system:", " + always pass C.UTF8 as the language when calling a subprocess", " + ignore utf-8 decode errors on subprocess output", "" ], "package": "ubuntu-advantage-tools", "version": "33.1", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2060769 ], "author": "Renan Rodrigo ", "date": "Wed, 10 Jul 2024 16:43:02 -0300" }, { "cves": [], "log": [ "", " * d/apparmor: adjust the esm_cache apparmor profile to allow reading of dpkg", " data 
directory (LP: #2067810) (GH: #3137)", " * New upstream release 33 (LP: #2069237)", " - apt: use Python bindings instead of apt CLI to query for installed", " packages (LP: #2060769) (LP: #2068744)", " - beta: drop support for beta services", " - contracts: add support for contracts which target a specific series", " - fips: change enable functionality to ensure all packages with a FIPS", " candidate are upgraded to the FIPS version (GH: #2667)", " - fix: ", " + add the current_status field to the plan api return object", " + change recommended attach method to magic attach (GH: #3040)", " - livepatch: prefer the term 'coverage' instead of 'support' in messaging", " (GH: #3063)", " - realtime:", " + auto-select the raspi variant when appropriate", " + inform the user when auto-selecting a variant", "" ], "package": "ubuntu-advantage-tools", "version": "33", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2067810, 2069237, 2060769, 2068744 ], "author": "Renan Rodrigo ", "date": "Thu, 13 Jun 2024 00:19:54 -0300" } ], "notes": null }, { "name": "udev", "from_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.23", "version": "245.4-4ubuntu3.23" }, "to_version": { "source_package_name": "systemd", "source_package_version": "245.4-4ubuntu3.24", "version": "245.4-4ubuntu3.24" }, "cves": [], "launchpad_bugs_fixed": [ 2055397 ], "changes": [ { "cves": [], "log": [ "", " * network: add RouteMetric= setting in [Address] (LP: #2055397)", " This consists of the following upstream commits:", " * sd-netlink: introduce sd_netlink_message_append_s8() and friends", " * sd-netlink: add missing address types", " * network: add RouteMetric= setting in [Address] section", " * network: dhcp4: also apply RouteMetric= setting in [DHCPv4] to prefix route", " Files:", " - debian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch", " - 
debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch", " - debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch", " - debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch", " https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=10e86da62257cc03dc1d984478cb1c8efc45097d", "" ], "package": "systemd", "version": "245.4-4ubuntu3.24", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2055397 ], "author": "Ioanna Alifieraki ", "date": "Mon, 17 Jun 2024 16:29:39 -0400" } ], "notes": null }, { "name": "update-manager-core", "from_version": { "source_package_name": "update-manager", "source_package_version": "1:20.04.10.21", "version": "1:20.04.10.21" }, "to_version": { "source_package_name": "update-manager", "source_package_version": "1:20.04.10.23", "version": "1:20.04.10.23" }, "cves": [], "launchpad_bugs_fixed": [ 2064211, 2064211 ], "changes": [ { "cves": [], "log": [ "", " * Print warning message on failing to run updates end-point (LP: #2064211).", "" ], "package": "update-manager", "version": "1:20.04.10.23", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2064211 ], "author": "Nathan Pratta Teodosio ", "date": "Wed, 11 Sep 2024 13:41:08 +0200" }, { "cves": [], "log": [ "", " * Don't crash if the end-points of the Pro API fail (LP: #2064211).", "" ], "package": "update-manager", "version": "1:20.04.10.22", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2064211 ], "author": "Nathan Pratta Teodosio ", "date": "Wed, 26 Jun 2024 11:06:33 +0200" } ], "notes": null }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.23", "version": "2:8.1.2269-1ubuntu5.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.25", "version": "2:8.1.2269-1ubuntu5.25" }, "cves": [ { "cve": 
"CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" }, { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. 
The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. 
It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.25", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 10:48:33 +0530" }, { "cves": [ { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. 
When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-41957.patch: set tagname to NULL", " after being freed", " - CVE-2024-41957", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-43374.patch: add lock to keep", " reference valid", " - CVE-2024-43374", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.24", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 04 Sep 2024 13:11:27 +1000" } ], "notes": null }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.23", "version": "2:8.1.2269-1ubuntu5.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.25", "version": "2:8.1.2269-1ubuntu5.25" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. 
So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" }, { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. 
When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. 
The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.25", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 10:48:33 +0530" }, { "cves": [ { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. 
Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-41957.patch: set tagname to NULL", " after being freed", " - CVE-2024-41957", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-43374.patch: add lock to keep", " reference valid", " - CVE-2024-43374", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.24", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 04 Sep 2024 13:11:27 +1000" } ], "notes": null }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.23", "version": "2:8.1.2269-1ubuntu5.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.25", "version": "2:8.1.2269-1ubuntu5.25" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. 
If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" }, { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. 
Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. 
There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.25", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 10:48:33 +0530" }, { "cves": [ { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. 
Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-41957.patch: set tagname to NULL", " after being freed", " - CVE-2024-41957", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-43374.patch: add lock to keep", " reference valid", " - CVE-2024-43374", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.24", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 04 Sep 2024 13:11:27 +1000" } ], "notes": null }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.23", "version": "2:8.1.2269-1ubuntu5.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.25", "version": "2:8.1.2269-1ubuntu5.25" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. 
It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" }, { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. 
Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. 
There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.25", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 10:48:33 +0530" }, { "cves": [ { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. 
Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-41957.patch: set tagname to NULL", " after being freed", " - CVE-2024-41957", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-43374.patch: add lock to keep", " reference valid", " - CVE-2024-43374", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.24", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 04 Sep 2024 13:11:27 +1000" } ], "notes": null }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.23", "version": "2:8.1.2269-1ubuntu5.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.1.2269-1ubuntu5.25", "version": "2:8.1.2269-1ubuntu5.25" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. 
It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" }, { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. 
Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. 
There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.25", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 10:48:33 +0530" }, { "cves": [ { "cve": "CVE-2024-41957", "url": "https://ubuntu.com/security/CVE-2024-41957", "cve_description": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647", "cve_priority": "medium", "cve_public_date": "2024-08-01 22:15:00 UTC" }, { "cve": "CVE-2024-43374", "url": "https://ubuntu.com/security/CVE-2024-43374", "cve_description": "The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. 
Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.", "cve_priority": "medium", "cve_public_date": "2024-08-16 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-41957.patch: set tagname to NULL", " after being freed", " - CVE-2024-41957", " * SECURITY UPDATE: use after free", " - debian/patches/CVE-2024-43374.patch: add lock to keep", " reference valid", " - CVE-2024-43374", "" ], "package": "vim", "version": "2:8.1.2269-1ubuntu5.24", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 04 Sep 2024 13:11:27 +1000" } ], "notes": null } ], "snap": [ { "name": "core20", "from_version": { "source_package_name": null, "source_package_version": null, "version": "2320" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "2435" } } ] }, "added": { "deb": [ { "name": "linux-headers-5.4.0-200", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-193.213", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-200.220", "version": "5.4.0-200.220" }, "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. 
But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26641", "url": "https://ubuntu.com/security/CVE-2024-26641", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core 
net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", 
"cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2021-47212", "url": "https://ubuntu.com/security/CVE-2021-47212", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff 
ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-42244", "url": "https://ubuntu.com/security/CVE-2024-42244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. 
[ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", "cve_priority": "medium", "cve_public_date": "2024-08-07 16:15:00 UTC" }, { "cve": "CVE-2024-40929", "url": "https://ubuntu.com/security/CVE-2024-40929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-41073", "url": "https://ubuntu.com/security/CVE-2024-41073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] 
[ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-42229", "url": "https://ubuntu.com/security/CVE-2024-42229", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. 
This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-35848", "url": "https://ubuntu.com/security/CVE-2024-35848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. 
If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.", "cve_priority": "medium", "cve_public_date": "2024-05-17 15:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. 
[1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26668", "url": "https://ubuntu.com/security/CVE-2024-26668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26640", "url": "https://ubuntu.com/security/CVE-2024-26640", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. 
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2023-52614", "url": "https://ubuntu.com/security/CVE-2023-52614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. 
Also document in the ABI that this function can return -EFBIG error.", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2023-52531", "url": "https://ubuntu.com/security/CVE-2023-52531", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2022-36402", "url": "https://ubuntu.com/security/CVE-2022-36402", "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "cve_priority": "high", "cve_public_date": "2022-09-16 17:15:00 UTC" }, { "cve": "CVE-2024-27051", "url": "https://ubuntu.com/security/CVE-2024-27051", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-05-01 13:15:00 UTC" }, { "cve": "CVE-2024-26891", "url": "https://ubuntu.com/security/CVE-2024-26891", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. 
That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] 
blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26885", "url": "https://ubuntu.com/security/CVE-2024-26885", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. 
However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" }, { "cve": "CVE-2024-26960", "url": "https://ubuntu.com/security/CVE-2024-26960", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). 
-> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----", "cve_priority": "high", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. 
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2022-48791", "url": "https://ubuntu.com/security/CVE-2022-48791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", "cve_priority": "medium", "cve_public_date": "2024-07-16 12:15:00 UTC" }, { "cve": "CVE-2024-26787", "url": "https://ubuntu.com/security/CVE-2024-26787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 
mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2022-48863", "url": "https://ubuntu.com/security/CVE-2022-48863", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-07-16 13:15:00 UTC" }, { "cve": "CVE-2021-47188", "url": "https://ubuntu.com/security/CVE-2021-47188", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": 
"2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. 
This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. 
Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. 
syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] 
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": 
"https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... 
| switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2082937, 1786013, 2081085, 2081278, 2080595, 2078388, 2076097, 2080595, 2078205, 2075954, 2075175, 2074215, 2075175, 2073621 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26641", "url": "https://ubuntu.com/security/CVE-2024-26641", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2021-47212", "url": "https://ubuntu.com/security/CVE-2021-47212", "cve_description": "In the Linux 
kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 
000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-42244", "url": "https://ubuntu.com/security/CVE-2024-42244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", "cve_priority": "medium", "cve_public_date": "2024-08-07 16:15:00 UTC" }, { "cve": "CVE-2024-40929", "url": "https://ubuntu.com/security/CVE-2024-40929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. 
Fix this by checking n_ssids first.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-41073", "url": "https://ubuntu.com/security/CVE-2024-41073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-42229", "url": "https://ubuntu.com/security/CVE-2024-42229", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. 
Accomplish this by using kfree_sensitive for buffers that previously held the private key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. 
As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-35848", "url": "https://ubuntu.com/security/CVE-2024-35848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.", "cve_priority": "medium", "cve_public_date": "2024-05-17 15:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. 
Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26668", "url": "https://ubuntu.com/security/CVE-2024-26668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26640", "url": "https://ubuntu.com/security/CVE-2024-26640", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. 
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2023-52614", "url": "https://ubuntu.com/security/CVE-2023-52614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. 
Also document in the ABI that this function can return -EFBIG error.", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2023-52531", "url": "https://ubuntu.com/security/CVE-2023-52531", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2022-36402", "url": "https://ubuntu.com/security/CVE-2022-36402", "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "cve_priority": "high", "cve_public_date": "2022-09-16 17:15:00 UTC" }, { "cve": "CVE-2024-27051", "url": "https://ubuntu.com/security/CVE-2024-27051", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-05-01 13:15:00 UTC" }, { "cve": "CVE-2024-26891", "url": "https://ubuntu.com/security/CVE-2024-26891", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. 
That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] 
blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26885", "url": "https://ubuntu.com/security/CVE-2024-26885", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. 
However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" }, { "cve": "CVE-2024-26960", "url": "https://ubuntu.com/security/CVE-2024-26960", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). 
-> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----", "cve_priority": "high", "cve_public_date": "2024-05-01 06:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.09.30)", "", " * CVE-2024-26800", " - tls: rx: coalesce exit paths in tls_decrypt_sg()", " - tls: separate no-async decryption request handling from async", " - tls: fix use-after-free on failed backlog decryption", "", " * CVE-2024-26641", " - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()", "", " * CVE-2021-47212", " - net/mlx5: Update error handler for UCTX and UMEM", "", " * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks", " (LP: #2081085)", " - bdi: use bdi_dev_name() to get device name", "", " * Focal update: v5.4.284 upstream stable release (LP: #2081278)", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - i2c: Fix conditional for substituting empty ACPI functions", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - 
drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amdgpu: fix ucode out-of-bounds read warning", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - ionic: fix potential irq name truncation", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - smack: tcp: ipv4, fix incorrect labeling", " - wifi: cfg80211: make hash table duplicates more survivable", " - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - block: initialize integrity buffer to zero before writing it to media", " - net: set SOCK_RCU_FREE before inserting socket into hashtable", " - virtio_net: Fix napi_skb_cache_put warning", " - udf: Limit file size to 4TB", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - sch/netem: fix use after free in netem_dequeue", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - reset: hi6220: Add support for AO reset controller", " - clk: hi6220: use CLK_OF_DECLARE_DRIVER", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - ila: call nf_unregister_net_hooks() sooner", " - sched: 
sch_cake: fix bulk flow accounting logic for host fairness", " - nilfs2: fix missing cleanup on rollforward recovery error", " - nilfs2: fix state management in error path of log writing function", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - smack: unix sockets: fix accept()ed socket label", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - netfilter: nf_conncount: fix wrong variable type", " - udf: Avoid excessive partition lengths", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - can: bcm: Remove proc entry when dev is unregistered.", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " - cx82310_eth: re-enable ethernet mode after router reboot", " - drivers/net/usb: Remove all strcpy() uses", " - net: usb: don't write directly to netdev->dev_addr", " - usbnet: modern method to get random MAC", " - net: bridge: fdb: convert is_local to bitops", " - net: bridge: fdb: convert is_static to bitops", " - net: bridge: fdb: convert is_sticky to bitops", " - net: bridge: fdb: convert added_by_user to bitops", " - net: bridge: fdb: convert added_by_external_learn to use bitops", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - um: line: always fill *error_out 
in setup_one_line()", " - devres: Initialize an uninitialized struct member", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " - PCI: Add missing bridge lock to pci_bus_lock()", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " - Input: uinput - reject requests with unreasonable number of slots", " - usbnet: ipheth: race between ipheth_close and error handling", " - Squashfs: sanity check symbolic link size", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - binder: fix UAF caused by offsets overwrite", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", " - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - VMCI: Fix use-after-free when removing resource in 
vmci_resource_remove()", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - nilfs2: replace snprintf in show functions with sysfs_emit", " - nilfs2: protect references to superblock parameters exposed in sysfs", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " - nvmet-tcp: fix kernel crash if commands allocation fails", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - cx82310_eth: fix error return code in cx82310_bind()", " - Linux 5.4.284", "", " * CVE-2024-42244", " - USB: serial: mos7840: fix crash on resume", "", " * CVE-2024-40929", " - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids", "", " * CVE-2024-41073", " - nvme: avoid double free special payload", "", " * CVE-2024-41071", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", "", " * CVE-2024-42229", " - crypto: aead, cipher - zeroize key buffer after use", "", " * CVE-2024-38611", " - media: i2c: et8ek8: Don't strip remove function when driver is builtin", "", " * CVE-2024-38602", " - ax25: Fix reference count leak issues of ax25_dev", "", " * CVE-2024-35848", " - misc: eeprom: at24: fix regulator underflow", " - 
misc: eeprom: at24: register nvmem only after eeprom is ready to use", " - eeprom: at24: fix memory corruption race condition", "", " * CVE-2024-26669", " - net/sched: flower: Fix chain template offload", "", " * CVE-2024-26668", " - netfilter: nft_limit: rename stateful structure", " - netfilter: nft_limit: reject configurations that cause integer overflow", "", " * CVE-2024-26640", " - net-zerocopy: Refactor frag-is-remappable test.", " - tcp: add sanity checks to rx zerocopy", "", " * CVE-2024-26607", " - drm/bridge: sii902x: Fix probing race issue", "", " * CVE-2023-52614", " - PM / devfreq: Fix buffer overflow in trans_stat_show", "", " * CVE-2023-52531", " - wifi: iwlwifi: mvm: Fix a memory corruption issue", "", " * CVE-2022-36402", " - drm/vmwgfx: Use enum to represent graphics context capabilities", " - drm/vmwgfx: Fix shader stage validation", "", " * Focal update: v5.4.283 upstream stable release (LP: #2080595)", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - ALSA: usb-audio: Support Yamaha P-125 quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - vfs: Don't evict inode under the inode lru traversing context", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - drm/amdgpu: Actually check flags for all context ops.", " - memcg_write_event_control(): fix a user-triggerable oops", " - overflow.h: Add flex_array_size() helper", " - overflow: Implement size_t saturating arithmetic helpers", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename 
bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - s390/uv: Panic for set and remove shared access UVC errors", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - atm: idt77252: prevent use after free in dequeue_rx()", " - net: axienet: Fix DMA descriptor cleanup path", " - net: axienet: Improve DMA error handling", " - net: axienet: Factor out TX descriptor chain cleanup", " - net: axienet: Check for DMA mapping errors", " - net: axienet: Drop MDIO interrupt registers from ethtools dump", " - net: axienet: Wrap DMA pointer writes to prepare for 64 bit", " - net: axienet: Upgrade descriptors to hold 64-bit addresses", " - net: axienet: Autodetect 64-bit DMA capability", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: hns3: fix a deadlock problem when config TC during resetting", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - ssb: Fix division by zero issue in ssb_calc_clock_rate", " - wifi: cw1200: Avoid processing an invalid TIM IE", " - i2c: riic: avoid potential division by zero", " - media: radio-isa: use dev_name to fill in bus_info", " - staging: ks7010: disable bh on tx_dev_lock", " - binfmt_misc: cleanup on filesystem umount", " - scsi: spi: Fix sshdr use", " - gfs2: setattr_chown: Add missing initialization", " - wifi: iwlwifi: abort scan when rfkill on but device enabled", " - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock", " - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu", " - nvmet-trace: avoid dereferencing pointer too early", " - ext4: do not trim the group with corrupted block bitmap", " - quota: Remove BUG_ON from dqget()", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - net/sun3_82586: Avoid reading past 
buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - virtiofs: forbid newlines in tags", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", " - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - nvme: clear caller pointer on identify failure", " - Bluetooth: bnep: Fix out-of-bound access", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - hrtimer: Prevent queuing of hrtimer without a function callback", " - gtp: pull network headers in gtp_dev_xmit()", " - block: use \"unsigned long\" for blk_validate_block_size().", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - dm mpath: pass IO start time to path selector", " - dm: do not use waitqueue for request-based DM", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - Bluetooth: Make use of __check_timeout on hci_sched_le", " - Bluetooth: hci_core: Fix not handling link timeouts propertly", " - Bluetooth: hci_core: Fix LE quote 
calculation", " - tc-testing: don't access non-existent variable on exception", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - net: dsa: mv88e6xxx: global2: Expose ATU stats register", " - net: dsa: mv88e6xxx: global1_atu: Add helper for get next", " - net: dsa: mv88e6xxx: read FID when handling ATU violations", " - net: dsa: mv88e6xxx: replace ATU violation prints with trace points", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - ipv6: prevent UAF in ip6_send_skb()", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", " - drm/msm: use drm_debug_enabled() to check for debug categories", " - drm/msm/dpu: don't play tricks with debug macros", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - HID: microsoft: Add rumble support to latest xbox controllers", " - cxgb4: add forgotten u64 ivlan cast before shift", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - ALSA: timer: Relax start tick time check for slave timer elements", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: mwifiex: duplicate static structs used in driver instances", " - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages", " - filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - ata: libata-core: Fix null pointer dereference on error", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - net:rds: Fix possible deadlock in rds_message_put", " - soundwire: stream: fix programming slave ports for non-continous port maps", " - r8152: Factor out OOB link 
list waits", " - ethtool: check device is present when getting link settings", " - gtp: fix a potential NULL pointer dereference", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add dev_up/dev_down hooks to phy_ops", " - nfc: pn533: Add autopoll capability", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - USB: serial: option: add MeiG Smart SRM825L", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - net: dsa: mv8e6xxx: Fix stub function parameters", " - scsi: aacraid: Fix double-free on probe failure", " - Linux 5.4.283", "", " * CVE-2024-27051", " - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value", " - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations", "", " * CVE-2024-26891", " - PCI: Make pci_dev_is_disconnected() helper public for other drivers", " - iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected", "", " * Focal update: v5.4.282 upstream stable release (LP: #2078388)", " - EDAC, skx_common: Refactor so that we initialize \"dev\" in result of adxl", " decode.", " - EDAC, skx: Retrieve and print retry_rd_err_log registers", " - EDAC/skx_common: Add new ADXL components for 2-level memory", " - EDAC, i10nm: make skx_common.o a separate module", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code 
handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - pwm: stm32: Always do lazy disabling", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - x86/xen: Convert comma to semicolon", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - net/smc: Allow SMC-D 1MB DMB allocations", " - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: 
rise cap on SELinux secmark context", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - qed: Improve the stack space of filter_config()", " - wifi: virt_wifi: avoid reporting connection success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()", " - media: imon: Fix race getting ictx->lock", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: uvcvideo: Allow entity-defined get_info and get_cur", " - media: uvcvideo: Override default flags", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - PCI: Fix resource double counting on remove & rescan", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: max98088: Check for clk_prepare_enable() 
error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - MIPS: Octeron: remove source file executable bit", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: Drop if block with always false condition", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/nilfs2: remove some unused macros to tame gcc", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - ipv6: take care of scope when choosing the src addr", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - drm/amd/display: Check for NULL pointer", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - wifi: mwifiex: Fix interface type change", " - leds: ss4200: Convert PCIBIOS_* return 
codes to errnos", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - binder: fix hang of unregistered readers", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - f2fs: fix to don't dirty inode for readonly filesystem", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - decompress_bunzip2: fix rare decompression failure", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - rtc: isl1208: Fix return value of nvmem callbacks", " - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - nilfs2: handle inconsistent state in nilfs_btnode_create_block()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - jfs: Fix array-index-out-of-bounds in diFree", " 
- um: time-travel: fix time-travel-start option", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - dma: fix call order in dmam_free_coherent", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - tipc: Return non-zero value from tipc_udp_addr2str() on error", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - mISDN: Fix a use after free in hfcmulti_tx()", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - ASoC: Intel: Convert to new X86 CPU match macros", " - ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - nvme-pci: add missing condition check for existence of mapped data", " - mm: avoid overflows in dirty throttling logic", " - PCI: rockchip: Make 'ep-gpios' DT property optional", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - parport: Convert printk(KERN_ to pr_(", " - parport: Standardize use of printmode", " - dev/parport: fix the array out-of-bounds risk", " - driver core: Cast to (void *) with __force for __percpu pointer", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - genirq: Allow the PM device to originate from irq domain", " - irqchip/imx-irqsteer: Constify irq_chip struct", " - irqchip/imx-irqsteer: Add runtime PM support", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - remoteproc: imx_rproc: ignore mapping vdev regions", " - remoteproc: imx_rproc: Fix ignoring mapping vdev regions", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - net/iucv: fix use after free in 
iucv_sock_close()", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - HID: wacom: Modify pen IDs", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read", " - netfilter: ipset: Add list flush to cancel_gc", " - genirq: Allow irq_chip registration functions to take a const irq_chip", " - irqchip/mbigen: Fix mbigen node address layout", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - sctp: move hlist_node and hashent out of sctp_ep_common", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: linkwatch: use system_unbound_wq", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - net: fec: Stop PPS on driver remove", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on USB 3.x", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - ext4: fix wrong unit use in ext4_mb_find_by_goal", " - arm64: cpufeature: Force HWCAP to be based on the sysreg 
visible to user-", " space", " - arm64: Add Neoverse-V2 part", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Don't filter out duplicate alerts", " - i2c: smbus: Improve handling of stuck alerts", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - spi: fsl-lpspi: remove unneeded array", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - ntp: Clamp maxerror and esterror to operating range", " - driver core: Fix uevent_show() vs driver detach race", " - ntp: Safeguard against time_constant overflow", " - scsi: mpt3sas: Remove scsi_dma_map() error messages", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - serial: core: check uartclk for zero to avoid divide by zero", " - 
genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/mgag200: Set DDC timeout in milliseconds", " - Fix gcc 4.9 build issue in 5.4.y", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - netfilter: nf_tables: set element extended ACK reporting support", " - netfilter: nf_tables: prefer nft_chain_validate", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - arm64: cpufeature: Fix the visibility of compat hwcaps", " - media: uvcvideo: Use entity get_cur in uvc_ctrl_set", " - exec: Fix ToCToU between perm check and set-uid/gid usage", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()\"", " - Linux 5.4.282", "", " * CVE-2024-26885", " - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches", "", " * Focal update: v5.4.281 upstream stable release (LP: #2076097)", " - gcc-plugins: Rename last_stmt() for GCC 14+", " - filelock: Remove locks reliably when fcntl/close race is detected", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - Input: silead - Always support 10 fingers", " - ila: block BH in ila_output()", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - fs/file: fix the check in 
find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - s390/sclp: Fix sclp_init() cleanup on failure", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()", " - fs: better handle deep ancestor chains in is_subdir()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - ARM: 9324/1: fix get_user() broken with veneer", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " - net: relax socket state check at accept time.", " - ocfs2: add bounds checking to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - filelock: Fix fcntl/close race recovery compat path", " - tun: add missing verification for short frame", " 
- tap: add missing verification for short frame", " - Linux 5.4.281", "", " * Focal update: v5.4.283 upstream stable release (LP: #2080595) //", " CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "", " * CVE-2024-38630", " - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger", "", " * CVE-2024-27397", " - netfilter: nf_tables: use timestamp to check for set element timeout", "", " * CVE-2024-26960", " - mm: swap: fix race between free_swap_and_cache() and swapoff()", "" ], "package": "linux", "version": "5.4.0-200.220", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2082937, 1786013, 2081085, 2081278, 2080595, 2078388, 2076097, 2080595 ], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:40:47 +0200" }, { "cves": [ { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. 
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2022-48791", "url": "https://ubuntu.com/security/CVE-2022-48791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", "cve_priority": "medium", "cve_public_date": "2024-07-16 12:15:00 UTC" }, { "cve": "CVE-2024-26787", "url": "https://ubuntu.com/security/CVE-2024-26787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 
mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2022-48863", "url": "https://ubuntu.com/security/CVE-2022-48863", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-07-16 13:15:00 UTC" }, { "cve": "CVE-2021-47188", "url": "https://ubuntu.com/security/CVE-2021-47188", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": 
"2024-04-02 07:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-196.216 -proposed tracker (LP: #2078205)", "", " * CVE-2024-39494", " - ima: Fix use-after-free on a dentry's dname.name", "", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", "", " * CVE-2024-38570", " - gfs2: Rename sd_{ glock => kill }_wait", " - gfs2: Fix potential glock use-after-free on unmount", "", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", "", " * CVE-2022-48791", " - scsi: pm80xx: Fix TMF task completion race condition", " - scsi: pm8001: Fix use-after-free for aborted TMF sas_task", "", " * CVE-2024-26787", " - mmc: mmci_sdmmc: Rename sdmmc_priv struct to sdmmc_idma", " - mmc: mmci: stm32: use a buffer for unaligned DMA requests", " - mmc: mmci: stm32: fix DMA API overlapping mappings warning", "", " * CVE-2024-27012", " - netfilter: nf_tables: restore set elements when delete set fails", "", " * CVE-2022-48863", " - mISDN: Fix memory leak in dsp_pipeline_build()", "", " * CVE-2021-47188", " - scsi: ufs: core: Improve SCSI abort handling", "", " * CVE-2024-26677", " - rxrpc: Fix delayed ACKs to not set the reference serial number", "" ], "package": "linux", "version": "5.4.0-196.216", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2078205 ], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:06:16 +0200" }, { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. 
openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. 
In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. 
Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. 
syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] 
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": 
"https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... 
| switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)", "", " * Focal update: v5.4.280 upstream stable release (LP: #2075175)", " - Compiler Attributes: Add __uninitialized macro", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t 
instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tcp: tcp_mark_head_lost is only valid for sack-tcp", " - tcp: add ece_ack flag to reno sack functions", " - net: tcp better handling of reordering then loss cases", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - wifi: wilc1000: fix ies_len type in connect path", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - media: dw2102: fix a potential buffer overflow", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - filelock: fix potential 
use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: add TCP_INFO status for failed client TFO", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - ppp: reject claimed-as-LCP but actually malformed packets", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: fix detection of IP layer", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries", " - tcp: refactor tcp_retransmit_timer()", " - net: tcp: fix unexcepted socket die when snd_wnd is 0", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", 
" - Linux 5.4.280", "", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:", " v5.4.280 upstream stable release (LP: #2075175)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", "", " * Focal update: v5.4.279 upstream stable release (LP: #2073621)", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/mlx5: Stop waiting for PCI if pci channel is offline", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret", " - ASoC: ti: davinci-mcasp: remove always 
zero of davinci_mcasp_get_dt_params", " - ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional", " - ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing", " - ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling", " - ASoC: ti: davinci-mcasp: Handle missing required DT properties", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - Input: try trimming too long modalias strings", " - SUNRPC: return proper error from gss_wrap_req_priv", " - gpio: tqmx86: fix typo in Kconfig label", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix 
runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - hv_utils: drain the timesync packets on onchannelcallback", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " 
- batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - virtio_net: checksum offloading handling fix", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. 
Your kernel is", " fine.\"", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - i2c: ocores: set IACK bit after core is enabled", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock", " - iio: dac: ad5592r: un-indent code-block for scale read", " - iio: dac: ad5592r: fix temperature channel scaling value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - netfilter: nf_tables: validate family when identifying table via handle", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - net: phy: mchp: Add support for LAN8814 QUAD PHY", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - sparc: fix old compat_sys_select()", " - parisc: use correct compat recv/recvfrom syscalls", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - net/iucv: Avoid explicit 
cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - nvme: fixup comment for nvme RDMA Provider Type", " - gpio: davinci: Validate the obtained number of IRQs", " - x86: stop playing stack games in profile_pc()", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: adc: ad7266: Fix variable checking bug", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - mtd: spinand: macronix: Add support for serial NAND flash", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if 
readpage failed", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - Linux 5.4.279", "", " * CVE-2024-26921", " - skbuff: introduce skb_expand_head()", " - skb_expand_head() adjust skb->truesize incorrectly", " - inet: inet_defrag: prevent sk release while still in use", "", " * CVE-2024-26929", " - scsi: qla2xxx: Fix double free of fcport", "", " * CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", "", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", "", " * CVE-2024-26830", " - i40e: Refactoring VF MAC filters counting to make more reliable", " - i40e: Fix MAC address setting for a VF via Host/VM", " - i40e: Do not allow untrusted VF to remove administratively set MAC", "", " * CVE-2024-24860", " - Bluetooth: Fix atomicity violation in {min, max}_key_size_set", "", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "", " * CVE-2024-2201", " - [Config] Set SPECTRE_BHI_ON=y", "", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", "", " * CVE-2021-46926", " - ALSA: hda: intel-sdw-acpi: harden detection of controller", "" ], "package": "linux", "version": "5.4.0-195.215", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075954, 2075175, 2074215, 2075175, 2073621 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:11:01 +0200" } ], "notes": "linux-headers-5.4.0-200 version '5.4.0-200.220' (source package linux version '5.4.0-200.220') was added. linux-headers-5.4.0-200 version '5.4.0-200.220' has the same source package name, linux, as removed package linux-headers-5.4.0-193. As such we can use the source package version of the removed package, '5.4.0-193.213', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. 
Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.4.0-200-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-193.213", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-200.220", "version": "5.4.0-200.220" }, "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26641", "url": "https://ubuntu.com/security/CVE-2024-26641", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. 
[1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 
[inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2021-47212", "url": "https://ubuntu.com/security/CVE-2021-47212", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. 
This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---", 
"cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-42244", "url": "https://ubuntu.com/security/CVE-2024-42244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", "cve_priority": "medium", "cve_public_date": "2024-08-07 16:15:00 UTC" }, { "cve": "CVE-2024-40929", "url": "https://ubuntu.com/security/CVE-2024-40929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-41073", "url": "https://ubuntu.com/security/CVE-2024-41073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. 
Clear the RQF_SPECIAL_LOAD when the request is cleaned.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-42229", "url": "https://ubuntu.com/security/CVE-2024-42229", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. 
Accomplish this by using kfree_sensitive for buffers that previously held the private key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. 
As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-35848", "url": "https://ubuntu.com/security/CVE-2024-35848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.", "cve_priority": "medium", "cve_public_date": "2024-05-17 15:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. 
Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26668", "url": "https://ubuntu.com/security/CVE-2024-26668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26640", "url": "https://ubuntu.com/security/CVE-2024-26640", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. 
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2023-52614", "url": "https://ubuntu.com/security/CVE-2023-52614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. 
Also document in the ABI that this function can return -EFBIG error.", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2023-52531", "url": "https://ubuntu.com/security/CVE-2023-52531", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2022-36402", "url": "https://ubuntu.com/security/CVE-2022-36402", "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "cve_priority": "high", "cve_public_date": "2022-09-16 17:15:00 UTC" }, { "cve": "CVE-2024-27051", "url": "https://ubuntu.com/security/CVE-2024-27051", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-05-01 13:15:00 UTC" }, { "cve": "CVE-2024-26891", "url": "https://ubuntu.com/security/CVE-2024-26891", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. 
That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] 
blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26885", "url": "https://ubuntu.com/security/CVE-2024-26885", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. 
However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug to happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" }, { "cve": "CVE-2024-26960", "url": "https://ubuntu.com/security/CVE-2024-26960", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). 
-> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----", "cve_priority": "high", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there are still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. 
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2022-48791", "url": "https://ubuntu.com/security/CVE-2022-48791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", "cve_priority": "medium", "cve_public_date": "2024-07-16 12:15:00 UTC" }, { "cve": "CVE-2024-26787", "url": "https://ubuntu.com/security/CVE-2024-26787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 
mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2022-48863", "url": "https://ubuntu.com/security/CVE-2022-48863", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-07-16 13:15:00 UTC" }, { "cve": "CVE-2021-47188", "url": "https://ubuntu.com/security/CVE-2021-47188", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": 
"2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. 
This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. 
Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. 
syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] 
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": 
"https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... 
| switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2082937, 1786013, 2081085, 2081278, 2080595, 2078388, 2076097, 2080595, 2078205, 2075954, 2075175, 2074215, 2075175, 2073621 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26641", "url": "https://ubuntu.com/security/CVE-2024-26641", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2021-47212", "url": "https://ubuntu.com/security/CVE-2021-47212", "cve_description": "In the Linux 
kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 
000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-42244", "url": "https://ubuntu.com/security/CVE-2024-42244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", "cve_priority": "medium", "cve_public_date": "2024-08-07 16:15:00 UTC" }, { "cve": "CVE-2024-40929", "url": "https://ubuntu.com/security/CVE-2024-40929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. 
Fix this by checking n_ssids first.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-41073", "url": "https://ubuntu.com/security/CVE-2024-41073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-42229", "url": "https://ubuntu.com/security/CVE-2024-42229", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. 
Accomplish this by using kfree_sensitive for buffers that previously held the private key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. 
As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-35848", "url": "https://ubuntu.com/security/CVE-2024-35848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.", "cve_priority": "medium", "cve_public_date": "2024-05-17 15:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. 
Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26668", "url": "https://ubuntu.com/security/CVE-2024-26668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26640", "url": "https://ubuntu.com/security/CVE-2024-26640", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. 
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2023-52614", "url": "https://ubuntu.com/security/CVE-2023-52614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. 
Also document in the ABI that this function can return -EFBIG error.", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2023-52531", "url": "https://ubuntu.com/security/CVE-2023-52531", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2022-36402", "url": "https://ubuntu.com/security/CVE-2022-36402", "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "cve_priority": "high", "cve_public_date": "2022-09-16 17:15:00 UTC" }, { "cve": "CVE-2024-27051", "url": "https://ubuntu.com/security/CVE-2024-27051", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-05-01 13:15:00 UTC" }, { "cve": "CVE-2024-26891", "url": "https://ubuntu.com/security/CVE-2024-26891", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. 
That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] 
blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26885", "url": "https://ubuntu.com/security/CVE-2024-26885", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. 
However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" }, { "cve": "CVE-2024-26960", "url": "https://ubuntu.com/security/CVE-2024-26960", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). 
-> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----", "cve_priority": "high", "cve_public_date": "2024-05-01 06:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.09.30)", "", " * CVE-2024-26800", " - tls: rx: coalesce exit paths in tls_decrypt_sg()", " - tls: separate no-async decryption request handling from async", " - tls: fix use-after-free on failed backlog decryption", "", " * CVE-2024-26641", " - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()", "", " * CVE-2021-47212", " - net/mlx5: Update error handler for UCTX and UMEM", "", " * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks", " (LP: #2081085)", " - bdi: use bdi_dev_name() to get device name", "", " * Focal update: v5.4.284 upstream stable release (LP: #2081278)", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - i2c: Fix conditional for substituting empty ACPI functions", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - 
drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amdgpu: fix ucode out-of-bounds read warning", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - ionic: fix potential irq name truncation", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - smack: tcp: ipv4, fix incorrect labeling", " - wifi: cfg80211: make hash table duplicates more survivable", " - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - block: initialize integrity buffer to zero before writing it to media", " - net: set SOCK_RCU_FREE before inserting socket into hashtable", " - virtio_net: Fix napi_skb_cache_put warning", " - udf: Limit file size to 4TB", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - sch/netem: fix use after free in netem_dequeue", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - reset: hi6220: Add support for AO reset controller", " - clk: hi6220: use CLK_OF_DECLARE_DRIVER", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - ila: call nf_unregister_net_hooks() sooner", " - sched: 
sch_cake: fix bulk flow accounting logic for host fairness", " - nilfs2: fix missing cleanup on rollforward recovery error", " - nilfs2: fix state management in error path of log writing function", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - smack: unix sockets: fix accept()ed socket label", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - netfilter: nf_conncount: fix wrong variable type", " - udf: Avoid excessive partition lengths", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - can: bcm: Remove proc entry when dev is unregistered.", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " - cx82310_eth: re-enable ethernet mode after router reboot", " - drivers/net/usb: Remove all strcpy() uses", " - net: usb: don't write directly to netdev->dev_addr", " - usbnet: modern method to get random MAC", " - net: bridge: fdb: convert is_local to bitops", " - net: bridge: fdb: convert is_static to bitops", " - net: bridge: fdb: convert is_sticky to bitops", " - net: bridge: fdb: convert added_by_user to bitops", " - net: bridge: fdb: convert added_by_external_learn to use bitops", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - um: line: always fill *error_out 
in setup_one_line()", " - devres: Initialize an uninitialized struct member", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " - PCI: Add missing bridge lock to pci_bus_lock()", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " - Input: uinput - reject requests with unreasonable number of slots", " - usbnet: ipheth: race between ipheth_close and error handling", " - Squashfs: sanity check symbolic link size", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - binder: fix UAF caused by offsets overwrite", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", " - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - VMCI: Fix use-after-free when removing resource in 
vmci_resource_remove()", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - nilfs2: replace snprintf in show functions with sysfs_emit", " - nilfs2: protect references to superblock parameters exposed in sysfs", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " - nvmet-tcp: fix kernel crash if commands allocation fails", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - cx82310_eth: fix error return code in cx82310_bind()", " - Linux 5.4.284", "", " * CVE-2024-42244", " - USB: serial: mos7840: fix crash on resume", "", " * CVE-2024-40929", " - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids", "", " * CVE-2024-41073", " - nvme: avoid double free special payload", "", " * CVE-2024-41071", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", "", " * CVE-2024-42229", " - crypto: aead, cipher - zeroize key buffer after use", "", " * CVE-2024-38611", " - media: i2c: et8ek8: Don't strip remove function when driver is builtin", "", " * CVE-2024-38602", " - ax25: Fix reference count leak issues of ax25_dev", "", " * CVE-2024-35848", " - misc: eeprom: at24: fix regulator underflow", " - 
misc: eeprom: at24: register nvmem only after eeprom is ready to use", " - eeprom: at24: fix memory corruption race condition", "", " * CVE-2024-26669", " - net/sched: flower: Fix chain template offload", "", " * CVE-2024-26668", " - netfilter: nft_limit: rename stateful structure", " - netfilter: nft_limit: reject configurations that cause integer overflow", "", " * CVE-2024-26640", " - net-zerocopy: Refactor frag-is-remappable test.", " - tcp: add sanity checks to rx zerocopy", "", " * CVE-2024-26607", " - drm/bridge: sii902x: Fix probing race issue", "", " * CVE-2023-52614", " - PM / devfreq: Fix buffer overflow in trans_stat_show", "", " * CVE-2023-52531", " - wifi: iwlwifi: mvm: Fix a memory corruption issue", "", " * CVE-2022-36402", " - drm/vmwgfx: Use enum to represent graphics context capabilities", " - drm/vmwgfx: Fix shader stage validation", "", " * Focal update: v5.4.283 upstream stable release (LP: #2080595)", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - ALSA: usb-audio: Support Yamaha P-125 quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - vfs: Don't evict inode under the inode lru traversing context", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - drm/amdgpu: Actually check flags for all context ops.", " - memcg_write_event_control(): fix a user-triggerable oops", " - overflow.h: Add flex_array_size() helper", " - overflow: Implement size_t saturating arithmetic helpers", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename 
bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - s390/uv: Panic for set and remove shared access UVC errors", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - atm: idt77252: prevent use after free in dequeue_rx()", " - net: axienet: Fix DMA descriptor cleanup path", " - net: axienet: Improve DMA error handling", " - net: axienet: Factor out TX descriptor chain cleanup", " - net: axienet: Check for DMA mapping errors", " - net: axienet: Drop MDIO interrupt registers from ethtools dump", " - net: axienet: Wrap DMA pointer writes to prepare for 64 bit", " - net: axienet: Upgrade descriptors to hold 64-bit addresses", " - net: axienet: Autodetect 64-bit DMA capability", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: hns3: fix a deadlock problem when config TC during resetting", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - ssb: Fix division by zero issue in ssb_calc_clock_rate", " - wifi: cw1200: Avoid processing an invalid TIM IE", " - i2c: riic: avoid potential division by zero", " - media: radio-isa: use dev_name to fill in bus_info", " - staging: ks7010: disable bh on tx_dev_lock", " - binfmt_misc: cleanup on filesystem umount", " - scsi: spi: Fix sshdr use", " - gfs2: setattr_chown: Add missing initialization", " - wifi: iwlwifi: abort scan when rfkill on but device enabled", " - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock", " - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu", " - nvmet-trace: avoid dereferencing pointer too early", " - ext4: do not trim the group with corrupted block bitmap", " - quota: Remove BUG_ON from dqget()", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - net/sun3_82586: Avoid reading past 
buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - virtiofs: forbid newlines in tags", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", " - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - nvme: clear caller pointer on identify failure", " - Bluetooth: bnep: Fix out-of-bound access", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - hrtimer: Prevent queuing of hrtimer without a function callback", " - gtp: pull network headers in gtp_dev_xmit()", " - block: use \"unsigned long\" for blk_validate_block_size().", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - dm mpath: pass IO start time to path selector", " - dm: do not use waitqueue for request-based DM", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - Bluetooth: Make use of __check_timeout on hci_sched_le", " - Bluetooth: hci_core: Fix not handling link timeouts propertly", " - Bluetooth: hci_core: Fix LE quote 
calculation", " - tc-testing: don't access non-existent variable on exception", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - net: dsa: mv88e6xxx: global2: Expose ATU stats register", " - net: dsa: mv88e6xxx: global1_atu: Add helper for get next", " - net: dsa: mv88e6xxx: read FID when handling ATU violations", " - net: dsa: mv88e6xxx: replace ATU violation prints with trace points", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - ipv6: prevent UAF in ip6_send_skb()", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", " - drm/msm: use drm_debug_enabled() to check for debug categories", " - drm/msm/dpu: don't play tricks with debug macros", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - HID: microsoft: Add rumble support to latest xbox controllers", " - cxgb4: add forgotten u64 ivlan cast before shift", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - ALSA: timer: Relax start tick time check for slave timer elements", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: mwifiex: duplicate static structs used in driver instances", " - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages", " - filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - ata: libata-core: Fix null pointer dereference on error", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - net:rds: Fix possible deadlock in rds_message_put", " - soundwire: stream: fix programming slave ports for non-continous port maps", " - r8152: Factor out OOB link 
list waits", " - ethtool: check device is present when getting link settings", " - gtp: fix a potential NULL pointer dereference", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add dev_up/dev_down hooks to phy_ops", " - nfc: pn533: Add autopoll capability", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - USB: serial: option: add MeiG Smart SRM825L", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - net: dsa: mv8e6xxx: Fix stub function parameters", " - scsi: aacraid: Fix double-free on probe failure", " - Linux 5.4.283", "", " * CVE-2024-27051", " - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value", " - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations", "", " * CVE-2024-26891", " - PCI: Make pci_dev_is_disconnected() helper public for other drivers", " - iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected", "", " * Focal update: v5.4.282 upstream stable release (LP: #2078388)", " - EDAC, skx_common: Refactor so that we initialize \"dev\" in result of adxl", " decode.", " - EDAC, skx: Retrieve and print retry_rd_err_log registers", " - EDAC/skx_common: Add new ADXL components for 2-level memory", " - EDAC, i10nm: make skx_common.o a separate module", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code 
handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - pwm: stm32: Always do lazy disabling", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - x86/xen: Convert comma to semicolon", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - net/smc: Allow SMC-D 1MB DMB allocations", " - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: 
rise cap on SELinux secmark context", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - qed: Improve the stack space of filter_config()", " - wifi: virt_wifi: avoid reporting connection success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()", " - media: imon: Fix race getting ictx->lock", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: uvcvideo: Allow entity-defined get_info and get_cur", " - media: uvcvideo: Override default flags", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - PCI: Fix resource double counting on remove & rescan", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: max98088: Check for clk_prepare_enable() 
error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - MIPS: Octeron: remove source file executable bit", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: Drop if block with always false condition", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/nilfs2: remove some unused macros to tame gcc", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - ipv6: take care of scope when choosing the src addr", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - drm/amd/display: Check for NULL pointer", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - wifi: mwifiex: Fix interface type change", " - leds: ss4200: Convert PCIBIOS_* return 
codes to errnos", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - binder: fix hang of unregistered readers", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - f2fs: fix to don't dirty inode for readonly filesystem", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - decompress_bunzip2: fix rare decompression failure", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - rtc: isl1208: Fix return value of nvmem callbacks", " - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - nilfs2: handle inconsistent state in nilfs_btnode_create_block()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - jfs: Fix array-index-out-of-bounds in diFree", " 
- um: time-travel: fix time-travel-start option", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - dma: fix call order in dmam_free_coherent", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - tipc: Return non-zero value from tipc_udp_addr2str() on error", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - mISDN: Fix a use after free in hfcmulti_tx()", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - ASoC: Intel: Convert to new X86 CPU match macros", " - ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - nvme-pci: add missing condition check for existence of mapped data", " - mm: avoid overflows in dirty throttling logic", " - PCI: rockchip: Make 'ep-gpios' DT property optional", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - parport: Convert printk(KERN_ to pr_(", " - parport: Standardize use of printmode", " - dev/parport: fix the array out-of-bounds risk", " - driver core: Cast to (void *) with __force for __percpu pointer", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - genirq: Allow the PM device to originate from irq domain", " - irqchip/imx-irqsteer: Constify irq_chip struct", " - irqchip/imx-irqsteer: Add runtime PM support", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - remoteproc: imx_rproc: ignore mapping vdev regions", " - remoteproc: imx_rproc: Fix ignoring mapping vdev regions", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - net/iucv: fix use after free in 
iucv_sock_close()", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - HID: wacom: Modify pen IDs", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read", " - netfilter: ipset: Add list flush to cancel_gc", " - genirq: Allow irq_chip registration functions to take a const irq_chip", " - irqchip/mbigen: Fix mbigen node address layout", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - sctp: move hlist_node and hashent out of sctp_ep_common", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: linkwatch: use system_unbound_wq", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - net: fec: Stop PPS on driver remove", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on USB 3.x", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - ext4: fix wrong unit use in ext4_mb_find_by_goal", " - arm64: cpufeature: Force HWCAP to be based on the sysreg 
visible to user-", " space", " - arm64: Add Neoverse-V2 part", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Don't filter out duplicate alerts", " - i2c: smbus: Improve handling of stuck alerts", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - spi: fsl-lpspi: remove unneeded array", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - ntp: Clamp maxerror and esterror to operating range", " - driver core: Fix uevent_show() vs driver detach race", " - ntp: Safeguard against time_constant overflow", " - scsi: mpt3sas: Remove scsi_dma_map() error messages", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - serial: core: check uartclk for zero to avoid divide by zero", " - 
genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/mgag200: Set DDC timeout in milliseconds", " - Fix gcc 4.9 build issue in 5.4.y", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - netfilter: nf_tables: set element extended ACK reporting support", " - netfilter: nf_tables: prefer nft_chain_validate", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - arm64: cpufeature: Fix the visibility of compat hwcaps", " - media: uvcvideo: Use entity get_cur in uvc_ctrl_set", " - exec: Fix ToCToU between perm check and set-uid/gid usage", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()\"", " - Linux 5.4.282", "", " * CVE-2024-26885", " - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches", "", " * Focal update: v5.4.281 upstream stable release (LP: #2076097)", " - gcc-plugins: Rename last_stmt() for GCC 14+", " - filelock: Remove locks reliably when fcntl/close race is detected", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - Input: silead - Always support 10 fingers", " - ila: block BH in ila_output()", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - fs/file: fix the check in 
find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - s390/sclp: Fix sclp_init() cleanup on failure", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()", " - fs: better handle deep ancestor chains in is_subdir()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - ARM: 9324/1: fix get_user() broken with veneer", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " - net: relax socket state check at accept time.", " - ocfs2: add bounds checking to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - filelock: Fix fcntl/close race recovery compat path", " - tun: add missing verification for short frame", " 
- tap: add missing verification for short frame", " - Linux 5.4.281", "", " * Focal update: v5.4.283 upstream stable release (LP: #2080595) //", " CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "", " * CVE-2024-38630", " - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger", "", " * CVE-2024-27397", " - netfilter: nf_tables: use timestamp to check for set element timeout", "", " * CVE-2024-26960", " - mm: swap: fix race between free_swap_and_cache() and swapoff()", "" ], "package": "linux", "version": "5.4.0-200.220", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2082937, 1786013, 2081085, 2081278, 2080595, 2078388, 2076097, 2080595 ], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:40:47 +0200" }, { "cves": [ { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. 
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2022-48791", "url": "https://ubuntu.com/security/CVE-2022-48791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", "cve_priority": "medium", "cve_public_date": "2024-07-16 12:15:00 UTC" }, { "cve": "CVE-2024-26787", "url": "https://ubuntu.com/security/CVE-2024-26787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 
mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2022-48863", "url": "https://ubuntu.com/security/CVE-2022-48863", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-07-16 13:15:00 UTC" }, { "cve": "CVE-2021-47188", "url": "https://ubuntu.com/security/CVE-2021-47188", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": 
"2024-04-02 07:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-196.216 -proposed tracker (LP: #2078205)", "", " * CVE-2024-39494", " - ima: Fix use-after-free on a dentry's dname.name", "", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", "", " * CVE-2024-38570", " - gfs2: Rename sd_{ glock => kill }_wait", " - gfs2: Fix potential glock use-after-free on unmount", "", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", "", " * CVE-2022-48791", " - scsi: pm80xx: Fix TMF task completion race condition", " - scsi: pm8001: Fix use-after-free for aborted TMF sas_task", "", " * CVE-2024-26787", " - mmc: mmci_sdmmc: Rename sdmmc_priv struct to sdmmc_idma", " - mmc: mmci: stm32: use a buffer for unaligned DMA requests", " - mmc: mmci: stm32: fix DMA API overlapping mappings warning", "", " * CVE-2024-27012", " - netfilter: nf_tables: restore set elements when delete set fails", "", " * CVE-2022-48863", " - mISDN: Fix memory leak in dsp_pipeline_build()", "", " * CVE-2021-47188", " - scsi: ufs: core: Improve SCSI abort handling", "", " * CVE-2024-26677", " - rxrpc: Fix delayed ACKs to not set the reference serial number", "" ], "package": "linux", "version": "5.4.0-196.216", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2078205 ], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:06:16 +0200" }, { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. 
openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. 
In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. 
Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. 
syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] 
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": 
"https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... 
| switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)", "", " * Focal update: v5.4.280 upstream stable release (LP: #2075175)", " - Compiler Attributes: Add __uninitialized macro", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t 
instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tcp: tcp_mark_head_lost is only valid for sack-tcp", " - tcp: add ece_ack flag to reno sack functions", " - net: tcp better handling of reordering then loss cases", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - wifi: wilc1000: fix ies_len type in connect path", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - media: dw2102: fix a potential buffer overflow", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - filelock: fix potential 
use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: add TCP_INFO status for failed client TFO", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - ppp: reject claimed-as-LCP but actually malformed packets", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: fix detection of IP layer", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries", " - tcp: refactor tcp_retransmit_timer()", " - net: tcp: fix unexcepted socket die when snd_wnd is 0", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", 
" - Linux 5.4.280", "", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:", " v5.4.280 upstream stable release (LP: #2075175)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", "", " * Focal update: v5.4.279 upstream stable release (LP: #2073621)", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/mlx5: Stop waiting for PCI if pci channel is offline", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret", " - ASoC: ti: davinci-mcasp: remove always 
zero of davinci_mcasp_get_dt_params", " - ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional", " - ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing", " - ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling", " - ASoC: ti: davinci-mcasp: Handle missing required DT properties", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - Input: try trimming too long modalias strings", " - SUNRPC: return proper error from gss_wrap_req_priv", " - gpio: tqmx86: fix typo in Kconfig label", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix 
runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - hv_utils: drain the timesync packets on onchannelcallback", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " 
- batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - virtio_net: checksum offloading handling fix", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. 
Your kernel is", " fine.\"", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - i2c: ocores: set IACK bit after core is enabled", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock", " - iio: dac: ad5592r: un-indent code-block for scale read", " - iio: dac: ad5592r: fix temperature channel scaling value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - netfilter: nf_tables: validate family when identifying table via handle", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - net: phy: mchp: Add support for LAN8814 QUAD PHY", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - sparc: fix old compat_sys_select()", " - parisc: use correct compat recv/recvfrom syscalls", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - net/iucv: Avoid explicit 
cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - nvme: fixup comment for nvme RDMA Provider Type", " - gpio: davinci: Validate the obtained number of IRQs", " - x86: stop playing stack games in profile_pc()", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: adc: ad7266: Fix variable checking bug", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - mtd: spinand: macronix: Add support for serial NAND flash", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if 
readpage failed", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - Linux 5.4.279", "", " * CVE-2024-26921", " - skbuff: introduce skb_expand_head()", " - skb_expand_head() adjust skb->truesize incorrectly", " - inet: inet_defrag: prevent sk release while still in use", "", " * CVE-2024-26929", " - scsi: qla2xxx: Fix double free of fcport", "", " * CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", "", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", "", " * CVE-2024-26830", " - i40e: Refactoring VF MAC filters counting to make more reliable", " - i40e: Fix MAC address setting for a VF via Host/VM", " - i40e: Do not allow untrusted VF to remove administratively set MAC", "", " * CVE-2024-24860", " - Bluetooth: Fix atomicity violation in {min, max}_key_size_set", "", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "", " * CVE-2024-2201", " - [Config] Set SPECTRE_BHI_ON=y", "", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", "", " * CVE-2021-46926", " - ALSA: hda: intel-sdw-acpi: harden detection of controller", "" ], "package": "linux", "version": "5.4.0-195.215", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075954, 2075175, 2074215, 2075175, 2073621 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:11:01 +0200" } ], "notes": "linux-headers-5.4.0-200-generic-lpae version '5.4.0-200.220' (source package linux version '5.4.0-200.220') was added. linux-headers-5.4.0-200-generic-lpae version '5.4.0-200.220' has the same source package name, linux, as removed package linux-headers-5.4.0-193. As such we can use the source package version of the removed package, '5.4.0-193.213', as the starting point in our changelog diff. 
Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.4.0-200-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-193.213", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-200.220", "version": "5.4.0-200.220" }, "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26641", "url": "https://ubuntu.com/security/CVE-2024-26641", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. 
[1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 
[inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2021-47212", "url": "https://ubuntu.com/security/CVE-2021-47212", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. 
This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---", 
"cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-42244", "url": "https://ubuntu.com/security/CVE-2024-42244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", "cve_priority": "medium", "cve_public_date": "2024-08-07 16:15:00 UTC" }, { "cve": "CVE-2024-40929", "url": "https://ubuntu.com/security/CVE-2024-40929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-41073", "url": "https://ubuntu.com/security/CVE-2024-41073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. 
Clear the RQF_SPECIAL_LOAD when the request is cleaned.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-42229", "url": "https://ubuntu.com/security/CVE-2024-42229", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. 
Accomplish this by using kfree_sensitive for buffers that previously held the private key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. 
As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-35848", "url": "https://ubuntu.com/security/CVE-2024-35848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.", "cve_priority": "medium", "cve_public_date": "2024-05-17 15:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. 
Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26668", "url": "https://ubuntu.com/security/CVE-2024-26668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26640", "url": "https://ubuntu.com/security/CVE-2024-26640", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. 
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2023-52614", "url": "https://ubuntu.com/security/CVE-2023-52614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. 
Also document in the ABI that this function can return -EFBIG error.", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2023-52531", "url": "https://ubuntu.com/security/CVE-2023-52531", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2022-36402", "url": "https://ubuntu.com/security/CVE-2022-36402", "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "cve_priority": "high", "cve_public_date": "2022-09-16 17:15:00 UTC" }, { "cve": "CVE-2024-27051", "url": "https://ubuntu.com/security/CVE-2024-27051", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-05-01 13:15:00 UTC" }, { "cve": "CVE-2024-26891", "url": "https://ubuntu.com/security/CVE-2024-26891", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. 
That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] 
blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26885", "url": "https://ubuntu.com/security/CVE-2024-26885", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. 
However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" }, { "cve": "CVE-2024-26960", "url": "https://ubuntu.com/security/CVE-2024-26960", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). 
-> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----", "cve_priority": "high", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. 
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2022-48791", "url": "https://ubuntu.com/security/CVE-2022-48791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", "cve_priority": "medium", "cve_public_date": "2024-07-16 12:15:00 UTC" }, { "cve": "CVE-2024-26787", "url": "https://ubuntu.com/security/CVE-2024-26787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 
mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2022-48863", "url": "https://ubuntu.com/security/CVE-2022-48863", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-07-16 13:15:00 UTC" }, { "cve": "CVE-2021-47188", "url": "https://ubuntu.com/security/CVE-2021-47188", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": 
"2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. 
This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. 
Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. 
syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] 
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": 
"https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... 
| switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2082937, 1786013, 2081085, 2081278, 2080595, 2078388, 2076097, 2080595, 2078205, 2075954, 2075175, 2074215, 2075175, 2073621 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26641", "url": "https://ubuntu.com/security/CVE-2024-26641", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2021-47212", "url": "https://ubuntu.com/security/CVE-2021-47212", "cve_description": "In the Linux 
kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 
000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-42244", "url": "https://ubuntu.com/security/CVE-2024-42244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", "cve_priority": "medium", "cve_public_date": "2024-08-07 16:15:00 UTC" }, { "cve": "CVE-2024-40929", "url": "https://ubuntu.com/security/CVE-2024-40929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. 
Fix this by checking n_ssids first.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-41073", "url": "https://ubuntu.com/security/CVE-2024-41073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-42229", "url": "https://ubuntu.com/security/CVE-2024-42229", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. 
Accomplish this by using kfree_sensitive for buffers that previously held the private key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. 
As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-35848", "url": "https://ubuntu.com/security/CVE-2024-35848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.", "cve_priority": "medium", "cve_public_date": "2024-05-17 15:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. 
Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26668", "url": "https://ubuntu.com/security/CVE-2024-26668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26640", "url": "https://ubuntu.com/security/CVE-2024-26640", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. 
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2023-52614", "url": "https://ubuntu.com/security/CVE-2023-52614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. 
Also document in the ABI that this function can return -EFBIG error.", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2023-52531", "url": "https://ubuntu.com/security/CVE-2023-52531", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2022-36402", "url": "https://ubuntu.com/security/CVE-2022-36402", "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "cve_priority": "high", "cve_public_date": "2022-09-16 17:15:00 UTC" }, { "cve": "CVE-2024-27051", "url": "https://ubuntu.com/security/CVE-2024-27051", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-05-01 13:15:00 UTC" }, { "cve": "CVE-2024-26891", "url": "https://ubuntu.com/security/CVE-2024-26891", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. 
That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] 
blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26885", "url": "https://ubuntu.com/security/CVE-2024-26885", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. 
However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" }, { "cve": "CVE-2024-26960", "url": "https://ubuntu.com/security/CVE-2024-26960", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). 
-> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----", "cve_priority": "high", "cve_public_date": "2024-05-01 06:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.09.30)", "", " * CVE-2024-26800", " - tls: rx: coalesce exit paths in tls_decrypt_sg()", " - tls: separate no-async decryption request handling from async", " - tls: fix use-after-free on failed backlog decryption", "", " * CVE-2024-26641", " - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()", "", " * CVE-2021-47212", " - net/mlx5: Update error handler for UCTX and UMEM", "", " * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks", " (LP: #2081085)", " - bdi: use bdi_dev_name() to get device name", "", " * Focal update: v5.4.284 upstream stable release (LP: #2081278)", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - i2c: Fix conditional for substituting empty ACPI functions", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - 
drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amdgpu: fix ucode out-of-bounds read warning", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - ionic: fix potential irq name truncation", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - smack: tcp: ipv4, fix incorrect labeling", " - wifi: cfg80211: make hash table duplicates more survivable", " - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - block: initialize integrity buffer to zero before writing it to media", " - net: set SOCK_RCU_FREE before inserting socket into hashtable", " - virtio_net: Fix napi_skb_cache_put warning", " - udf: Limit file size to 4TB", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - sch/netem: fix use after free in netem_dequeue", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - reset: hi6220: Add support for AO reset controller", " - clk: hi6220: use CLK_OF_DECLARE_DRIVER", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - ila: call nf_unregister_net_hooks() sooner", " - sched: 
sch_cake: fix bulk flow accounting logic for host fairness", " - nilfs2: fix missing cleanup on rollforward recovery error", " - nilfs2: fix state management in error path of log writing function", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - smack: unix sockets: fix accept()ed socket label", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - netfilter: nf_conncount: fix wrong variable type", " - udf: Avoid excessive partition lengths", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - can: bcm: Remove proc entry when dev is unregistered.", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " - cx82310_eth: re-enable ethernet mode after router reboot", " - drivers/net/usb: Remove all strcpy() uses", " - net: usb: don't write directly to netdev->dev_addr", " - usbnet: modern method to get random MAC", " - net: bridge: fdb: convert is_local to bitops", " - net: bridge: fdb: convert is_static to bitops", " - net: bridge: fdb: convert is_sticky to bitops", " - net: bridge: fdb: convert added_by_user to bitops", " - net: bridge: fdb: convert added_by_external_learn to use bitops", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - um: line: always fill *error_out 
in setup_one_line()", " - devres: Initialize an uninitialized struct member", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " - PCI: Add missing bridge lock to pci_bus_lock()", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " - Input: uinput - reject requests with unreasonable number of slots", " - usbnet: ipheth: race between ipheth_close and error handling", " - Squashfs: sanity check symbolic link size", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - binder: fix UAF caused by offsets overwrite", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", " - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - VMCI: Fix use-after-free when removing resource in 
vmci_resource_remove()", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - nilfs2: replace snprintf in show functions with sysfs_emit", " - nilfs2: protect references to superblock parameters exposed in sysfs", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " - nvmet-tcp: fix kernel crash if commands allocation fails", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - cx82310_eth: fix error return code in cx82310_bind()", " - Linux 5.4.284", "", " * CVE-2024-42244", " - USB: serial: mos7840: fix crash on resume", "", " * CVE-2024-40929", " - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids", "", " * CVE-2024-41073", " - nvme: avoid double free special payload", "", " * CVE-2024-41071", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", "", " * CVE-2024-42229", " - crypto: aead, cipher - zeroize key buffer after use", "", " * CVE-2024-38611", " - media: i2c: et8ek8: Don't strip remove function when driver is builtin", "", " * CVE-2024-38602", " - ax25: Fix reference count leak issues of ax25_dev", "", " * CVE-2024-35848", " - misc: eeprom: at24: fix regulator underflow", " - 
misc: eeprom: at24: register nvmem only after eeprom is ready to use", " - eeprom: at24: fix memory corruption race condition", "", " * CVE-2024-26669", " - net/sched: flower: Fix chain template offload", "", " * CVE-2024-26668", " - netfilter: nft_limit: rename stateful structure", " - netfilter: nft_limit: reject configurations that cause integer overflow", "", " * CVE-2024-26640", " - net-zerocopy: Refactor frag-is-remappable test.", " - tcp: add sanity checks to rx zerocopy", "", " * CVE-2024-26607", " - drm/bridge: sii902x: Fix probing race issue", "", " * CVE-2023-52614", " - PM / devfreq: Fix buffer overflow in trans_stat_show", "", " * CVE-2023-52531", " - wifi: iwlwifi: mvm: Fix a memory corruption issue", "", " * CVE-2022-36402", " - drm/vmwgfx: Use enum to represent graphics context capabilities", " - drm/vmwgfx: Fix shader stage validation", "", " * Focal update: v5.4.283 upstream stable release (LP: #2080595)", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - ALSA: usb-audio: Support Yamaha P-125 quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - vfs: Don't evict inode under the inode lru traversing context", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - drm/amdgpu: Actually check flags for all context ops.", " - memcg_write_event_control(): fix a user-triggerable oops", " - overflow.h: Add flex_array_size() helper", " - overflow: Implement size_t saturating arithmetic helpers", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename 
bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - s390/uv: Panic for set and remove shared access UVC errors", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - atm: idt77252: prevent use after free in dequeue_rx()", " - net: axienet: Fix DMA descriptor cleanup path", " - net: axienet: Improve DMA error handling", " - net: axienet: Factor out TX descriptor chain cleanup", " - net: axienet: Check for DMA mapping errors", " - net: axienet: Drop MDIO interrupt registers from ethtools dump", " - net: axienet: Wrap DMA pointer writes to prepare for 64 bit", " - net: axienet: Upgrade descriptors to hold 64-bit addresses", " - net: axienet: Autodetect 64-bit DMA capability", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: hns3: fix a deadlock problem when config TC during resetting", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - ssb: Fix division by zero issue in ssb_calc_clock_rate", " - wifi: cw1200: Avoid processing an invalid TIM IE", " - i2c: riic: avoid potential division by zero", " - media: radio-isa: use dev_name to fill in bus_info", " - staging: ks7010: disable bh on tx_dev_lock", " - binfmt_misc: cleanup on filesystem umount", " - scsi: spi: Fix sshdr use", " - gfs2: setattr_chown: Add missing initialization", " - wifi: iwlwifi: abort scan when rfkill on but device enabled", " - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock", " - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu", " - nvmet-trace: avoid dereferencing pointer too early", " - ext4: do not trim the group with corrupted block bitmap", " - quota: Remove BUG_ON from dqget()", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - net/sun3_82586: Avoid reading past 
buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - virtiofs: forbid newlines in tags", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", " - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - nvme: clear caller pointer on identify failure", " - Bluetooth: bnep: Fix out-of-bound access", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - hrtimer: Prevent queuing of hrtimer without a function callback", " - gtp: pull network headers in gtp_dev_xmit()", " - block: use \"unsigned long\" for blk_validate_block_size().", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - dm mpath: pass IO start time to path selector", " - dm: do not use waitqueue for request-based DM", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - Bluetooth: Make use of __check_timeout on hci_sched_le", " - Bluetooth: hci_core: Fix not handling link timeouts propertly", " - Bluetooth: hci_core: Fix LE quote 
calculation", " - tc-testing: don't access non-existent variable on exception", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - net: dsa: mv88e6xxx: global2: Expose ATU stats register", " - net: dsa: mv88e6xxx: global1_atu: Add helper for get next", " - net: dsa: mv88e6xxx: read FID when handling ATU violations", " - net: dsa: mv88e6xxx: replace ATU violation prints with trace points", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - ipv6: prevent UAF in ip6_send_skb()", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", " - drm/msm: use drm_debug_enabled() to check for debug categories", " - drm/msm/dpu: don't play tricks with debug macros", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - HID: microsoft: Add rumble support to latest xbox controllers", " - cxgb4: add forgotten u64 ivlan cast before shift", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - ALSA: timer: Relax start tick time check for slave timer elements", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: mwifiex: duplicate static structs used in driver instances", " - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages", " - filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - ata: libata-core: Fix null pointer dereference on error", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - net:rds: Fix possible deadlock in rds_message_put", " - soundwire: stream: fix programming slave ports for non-continous port maps", " - r8152: Factor out OOB link 
list waits", " - ethtool: check device is present when getting link settings", " - gtp: fix a potential NULL pointer dereference", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add dev_up/dev_down hooks to phy_ops", " - nfc: pn533: Add autopoll capability", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - USB: serial: option: add MeiG Smart SRM825L", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - net: dsa: mv8e6xxx: Fix stub function parameters", " - scsi: aacraid: Fix double-free on probe failure", " - Linux 5.4.283", "", " * CVE-2024-27051", " - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value", " - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations", "", " * CVE-2024-26891", " - PCI: Make pci_dev_is_disconnected() helper public for other drivers", " - iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected", "", " * Focal update: v5.4.282 upstream stable release (LP: #2078388)", " - EDAC, skx_common: Refactor so that we initialize \"dev\" in result of adxl", " decode.", " - EDAC, skx: Retrieve and print retry_rd_err_log registers", " - EDAC/skx_common: Add new ADXL components for 2-level memory", " - EDAC, i10nm: make skx_common.o a separate module", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code 
handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - pwm: stm32: Always do lazy disabling", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - x86/xen: Convert comma to semicolon", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - net/smc: Allow SMC-D 1MB DMB allocations", " - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: 
rise cap on SELinux secmark context", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - qed: Improve the stack space of filter_config()", " - wifi: virt_wifi: avoid reporting connection success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()", " - media: imon: Fix race getting ictx->lock", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: uvcvideo: Allow entity-defined get_info and get_cur", " - media: uvcvideo: Override default flags", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - PCI: Fix resource double counting on remove & rescan", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: max98088: Check for clk_prepare_enable() 
error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - MIPS: Octeron: remove source file executable bit", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: Drop if block with always false condition", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/nilfs2: remove some unused macros to tame gcc", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - ipv6: take care of scope when choosing the src addr", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - drm/amd/display: Check for NULL pointer", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - wifi: mwifiex: Fix interface type change", " - leds: ss4200: Convert PCIBIOS_* return 
codes to errnos", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - binder: fix hang of unregistered readers", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - f2fs: fix to don't dirty inode for readonly filesystem", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - decompress_bunzip2: fix rare decompression failure", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - rtc: isl1208: Fix return value of nvmem callbacks", " - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - nilfs2: handle inconsistent state in nilfs_btnode_create_block()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - jfs: Fix array-index-out-of-bounds in diFree", " 
- um: time-travel: fix time-travel-start option", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - dma: fix call order in dmam_free_coherent", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - tipc: Return non-zero value from tipc_udp_addr2str() on error", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - mISDN: Fix a use after free in hfcmulti_tx()", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - ASoC: Intel: Convert to new X86 CPU match macros", " - ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - nvme-pci: add missing condition check for existence of mapped data", " - mm: avoid overflows in dirty throttling logic", " - PCI: rockchip: Make 'ep-gpios' DT property optional", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - parport: Convert printk(KERN_ to pr_(", " - parport: Standardize use of printmode", " - dev/parport: fix the array out-of-bounds risk", " - driver core: Cast to (void *) with __force for __percpu pointer", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - genirq: Allow the PM device to originate from irq domain", " - irqchip/imx-irqsteer: Constify irq_chip struct", " - irqchip/imx-irqsteer: Add runtime PM support", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - remoteproc: imx_rproc: ignore mapping vdev regions", " - remoteproc: imx_rproc: Fix ignoring mapping vdev regions", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - net/iucv: fix use after free in 
iucv_sock_close()", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - HID: wacom: Modify pen IDs", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read", " - netfilter: ipset: Add list flush to cancel_gc", " - genirq: Allow irq_chip registration functions to take a const irq_chip", " - irqchip/mbigen: Fix mbigen node address layout", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - sctp: move hlist_node and hashent out of sctp_ep_common", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: linkwatch: use system_unbound_wq", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - net: fec: Stop PPS on driver remove", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on USB 3.x", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - ext4: fix wrong unit use in ext4_mb_find_by_goal", " - arm64: cpufeature: Force HWCAP to be based on the sysreg 
visible to user-", " space", " - arm64: Add Neoverse-V2 part", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Don't filter out duplicate alerts", " - i2c: smbus: Improve handling of stuck alerts", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - spi: fsl-lpspi: remove unneeded array", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - ntp: Clamp maxerror and esterror to operating range", " - driver core: Fix uevent_show() vs driver detach race", " - ntp: Safeguard against time_constant overflow", " - scsi: mpt3sas: Remove scsi_dma_map() error messages", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - serial: core: check uartclk for zero to avoid divide by zero", " - 
genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/mgag200: Set DDC timeout in milliseconds", " - Fix gcc 4.9 build issue in 5.4.y", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - netfilter: nf_tables: set element extended ACK reporting support", " - netfilter: nf_tables: prefer nft_chain_validate", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - arm64: cpufeature: Fix the visibility of compat hwcaps", " - media: uvcvideo: Use entity get_cur in uvc_ctrl_set", " - exec: Fix ToCToU between perm check and set-uid/gid usage", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()\"", " - Linux 5.4.282", "", " * CVE-2024-26885", " - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches", "", " * Focal update: v5.4.281 upstream stable release (LP: #2076097)", " - gcc-plugins: Rename last_stmt() for GCC 14+", " - filelock: Remove locks reliably when fcntl/close race is detected", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - Input: silead - Always support 10 fingers", " - ila: block BH in ila_output()", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - fs/file: fix the check in 
find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - s390/sclp: Fix sclp_init() cleanup on failure", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()", " - fs: better handle deep ancestor chains in is_subdir()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - ARM: 9324/1: fix get_user() broken with veneer", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " - net: relax socket state check at accept time.", " - ocfs2: add bounds checking to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - filelock: Fix fcntl/close race recovery compat path", " - tun: add missing verification for short frame", " 
- tap: add missing verification for short frame", " - Linux 5.4.281", "", " * Focal update: v5.4.283 upstream stable release (LP: #2080595) //", " CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "", " * CVE-2024-38630", " - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger", "", " * CVE-2024-27397", " - netfilter: nf_tables: use timestamp to check for set element timeout", "", " * CVE-2024-26960", " - mm: swap: fix race between free_swap_and_cache() and swapoff()", "" ], "package": "linux", "version": "5.4.0-200.220", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2082937, 1786013, 2081085, 2081278, 2080595, 2078388, 2076097, 2080595 ], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:40:47 +0200" }, { "cves": [ { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. 
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2022-48791", "url": "https://ubuntu.com/security/CVE-2022-48791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", "cve_priority": "medium", "cve_public_date": "2024-07-16 12:15:00 UTC" }, { "cve": "CVE-2024-26787", "url": "https://ubuntu.com/security/CVE-2024-26787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 
mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2022-48863", "url": "https://ubuntu.com/security/CVE-2022-48863", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-07-16 13:15:00 UTC" }, { "cve": "CVE-2021-47188", "url": "https://ubuntu.com/security/CVE-2021-47188", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": 
"2024-04-02 07:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-196.216 -proposed tracker (LP: #2078205)", "", " * CVE-2024-39494", " - ima: Fix use-after-free on a dentry's dname.name", "", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", "", " * CVE-2024-38570", " - gfs2: Rename sd_{ glock => kill }_wait", " - gfs2: Fix potential glock use-after-free on unmount", "", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", "", " * CVE-2022-48791", " - scsi: pm80xx: Fix TMF task completion race condition", " - scsi: pm8001: Fix use-after-free for aborted TMF sas_task", "", " * CVE-2024-26787", " - mmc: mmci_sdmmc: Rename sdmmc_priv struct to sdmmc_idma", " - mmc: mmci: stm32: use a buffer for unaligned DMA requests", " - mmc: mmci: stm32: fix DMA API overlapping mappings warning", "", " * CVE-2024-27012", " - netfilter: nf_tables: restore set elements when delete set fails", "", " * CVE-2022-48863", " - mISDN: Fix memory leak in dsp_pipeline_build()", "", " * CVE-2021-47188", " - scsi: ufs: core: Improve SCSI abort handling", "", " * CVE-2024-26677", " - rxrpc: Fix delayed ACKs to not set the reference serial number", "" ], "package": "linux", "version": "5.4.0-196.216", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2078205 ], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:06:16 +0200" }, { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. 
openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. 
In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. 
Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. 
syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] 
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": 
"https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... 
| switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)", "", " * Focal update: v5.4.280 upstream stable release (LP: #2075175)", " - Compiler Attributes: Add __uninitialized macro", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t 
instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tcp: tcp_mark_head_lost is only valid for sack-tcp", " - tcp: add ece_ack flag to reno sack functions", " - net: tcp better handling of reordering then loss cases", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - wifi: wilc1000: fix ies_len type in connect path", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - media: dw2102: fix a potential buffer overflow", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - filelock: fix potential 
use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: add TCP_INFO status for failed client TFO", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - ppp: reject claimed-as-LCP but actually malformed packets", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: fix detection of IP layer", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries", " - tcp: refactor tcp_retransmit_timer()", " - net: tcp: fix unexcepted socket die when snd_wnd is 0", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", 
" - Linux 5.4.280", "", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:", " v5.4.280 upstream stable release (LP: #2075175)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", "", " * Focal update: v5.4.279 upstream stable release (LP: #2073621)", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/mlx5: Stop waiting for PCI if pci channel is offline", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret", " - ASoC: ti: davinci-mcasp: remove always 
zero of davinci_mcasp_get_dt_params", " - ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional", " - ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing", " - ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling", " - ASoC: ti: davinci-mcasp: Handle missing required DT properties", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - Input: try trimming too long modalias strings", " - SUNRPC: return proper error from gss_wrap_req_priv", " - gpio: tqmx86: fix typo in Kconfig label", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix 
runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - hv_utils: drain the timesync packets on onchannelcallback", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " 
- batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - virtio_net: checksum offloading handling fix", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. 
Your kernel is", " fine.\"", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - i2c: ocores: set IACK bit after core is enabled", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock", " - iio: dac: ad5592r: un-indent code-block for scale read", " - iio: dac: ad5592r: fix temperature channel scaling value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - netfilter: nf_tables: validate family when identifying table via handle", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - net: phy: mchp: Add support for LAN8814 QUAD PHY", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - sparc: fix old compat_sys_select()", " - parisc: use correct compat recv/recvfrom syscalls", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - net/iucv: Avoid explicit 
cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - nvme: fixup comment for nvme RDMA Provider Type", " - gpio: davinci: Validate the obtained number of IRQs", " - x86: stop playing stack games in profile_pc()", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: adc: ad7266: Fix variable checking bug", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - mtd: spinand: macronix: Add support for serial NAND flash", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if 
readpage failed", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - Linux 5.4.279", "", " * CVE-2024-26921", " - skbuff: introduce skb_expand_head()", " - skb_expand_head() adjust skb->truesize incorrectly", " - inet: inet_defrag: prevent sk release while still in use", "", " * CVE-2024-26929", " - scsi: qla2xxx: Fix double free of fcport", "", " * CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", "", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", "", " * CVE-2024-26830", " - i40e: Refactoring VF MAC filters counting to make more reliable", " - i40e: Fix MAC address setting for a VF via Host/VM", " - i40e: Do not allow untrusted VF to remove administratively set MAC", "", " * CVE-2024-24860", " - Bluetooth: Fix atomicity violation in {min, max}_key_size_set", "", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "", " * CVE-2024-2201", " - [Config] Set SPECTRE_BHI_ON=y", "", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", "", " * CVE-2021-46926", " - ALSA: hda: intel-sdw-acpi: harden detection of controller", "" ], "package": "linux", "version": "5.4.0-195.215", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075954, 2075175, 2074215, 2075175, 2073621 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:11:01 +0200" } ], "notes": "linux-image-5.4.0-200-generic-lpae version '5.4.0-200.220' (source package linux version '5.4.0-200.220') was added. linux-image-5.4.0-200-generic-lpae version '5.4.0-200.220' has the same source package name, linux, as removed package linux-headers-5.4.0-193. As such we can use the source package version of the removed package, '5.4.0-193.213', as the starting point in our changelog diff. 
Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.4.0-200-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-193.213", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-200.220", "version": "5.4.0-200.220" }, "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26641", "url": "https://ubuntu.com/security/CVE-2024-26641", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. 
[1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 
[inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2021-47212", "url": "https://ubuntu.com/security/CVE-2021-47212", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. 
This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---", 
"cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-42244", "url": "https://ubuntu.com/security/CVE-2024-42244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", "cve_priority": "medium", "cve_public_date": "2024-08-07 16:15:00 UTC" }, { "cve": "CVE-2024-40929", "url": "https://ubuntu.com/security/CVE-2024-40929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-41073", "url": "https://ubuntu.com/security/CVE-2024-41073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. 
Clear the RQF_SPECIAL_LOAD when the request is cleaned.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-42229", "url": "https://ubuntu.com/security/CVE-2024-42229", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. 
Accomplish this by using kfree_sensitive for buffers that previously held the private key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. 
As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-35848", "url": "https://ubuntu.com/security/CVE-2024-35848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.", "cve_priority": "medium", "cve_public_date": "2024-05-17 15:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. 
Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26668", "url": "https://ubuntu.com/security/CVE-2024-26668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26640", "url": "https://ubuntu.com/security/CVE-2024-26640", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. 
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2023-52614", "url": "https://ubuntu.com/security/CVE-2023-52614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. 
Also document in the ABI that this function can return -EFBIG error.", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2023-52531", "url": "https://ubuntu.com/security/CVE-2023-52531", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2022-36402", "url": "https://ubuntu.com/security/CVE-2022-36402", "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "cve_priority": "high", "cve_public_date": "2022-09-16 17:15:00 UTC" }, { "cve": "CVE-2024-27051", "url": "https://ubuntu.com/security/CVE-2024-27051", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-05-01 13:15:00 UTC" }, { "cve": "CVE-2024-26891", "url": "https://ubuntu.com/security/CVE-2024-26891", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. 
That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] 
blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26885", "url": "https://ubuntu.com/security/CVE-2024-26885", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. 
However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" }, { "cve": "CVE-2024-26960", "url": "https://ubuntu.com/security/CVE-2024-26960", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). 
-> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----", "cve_priority": "high", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. 
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2022-48791", "url": "https://ubuntu.com/security/CVE-2022-48791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", "cve_priority": "medium", "cve_public_date": "2024-07-16 12:15:00 UTC" }, { "cve": "CVE-2024-26787", "url": "https://ubuntu.com/security/CVE-2024-26787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 
mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2022-48863", "url": "https://ubuntu.com/security/CVE-2022-48863", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-07-16 13:15:00 UTC" }, { "cve": "CVE-2021-47188", "url": "https://ubuntu.com/security/CVE-2021-47188", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": 
"2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. 
This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. 
Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. 
syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] 
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": 
"https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... 
| switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2082937, 1786013, 2081085, 2081278, 2080595, 2078388, 2076097, 2080595, 2078205, 2075954, 2075175, 2074215, 2075175, 2073621 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26641", "url": "https://ubuntu.com/security/CVE-2024-26641", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2021-47212", "url": "https://ubuntu.com/security/CVE-2021-47212", "cve_description": "In the Linux 
kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 
000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-42244", "url": "https://ubuntu.com/security/CVE-2024-42244", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 (\"USB: serial: use generic method if no alternative is provided in usb serial layer\"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", "cve_priority": "medium", "cve_public_date": "2024-08-07 16:15:00 UTC" }, { "cve": "CVE-2024-40929", "url": "https://ubuntu.com/security/CVE-2024-40929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. 
Fix this by checking n_ssids first.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-41073", "url": "https://ubuntu.com/security/CVE-2024-41073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-42229", "url": "https://ubuntu.com/security/CVE-2024-42229", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. 
Accomplish this by using kfree_sensitive for buffers that previously held the private key.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. 
As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-35848", "url": "https://ubuntu.com/security/CVE-2024-35848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.", "cve_priority": "medium", "cve_public_date": "2024-05-17 15:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. 
Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26668", "url": "https://ubuntu.com/security/CVE-2024-26668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26640", "url": "https://ubuntu.com/security/CVE-2024-26640", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. 
r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00', 0x181e42, 0x0)", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2023-52614", "url": "https://ubuntu.com/security/CVE-2023-52614", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. 
Also document in the ABI that this function can return -EFBIG error.", "cve_priority": "medium", "cve_public_date": "2024-03-18 11:15:00 UTC" }, { "cve": "CVE-2023-52531", "url": "https://ubuntu.com/security/CVE-2023-52531", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the \"(u8 *)\" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected.", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2022-36402", "url": "https://ubuntu.com/security/CVE-2022-36402", "cve_description": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "cve_priority": "high", "cve_public_date": "2022-09-16 17:15:00 UTC" }, { "cve": "CVE-2024-27051", "url": "https://ubuntu.com/security/CVE-2024-27051", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-05-01 13:15:00 UTC" }, { "cve": "CVE-2024-26891", "url": "https://ubuntu.com/security/CVE-2024-26891", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. 
That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] 
blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26885", "url": "https://ubuntu.com/security/CVE-2024-26885", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. 
However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" }, { "cve": "CVE-2024-26960", "url": "https://ubuntu.com/security/CVE-2024-26960", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). 
-> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----", "cve_priority": "high", "cve_public_date": "2024-05-01 06:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.09.30)", "", " * CVE-2024-26800", " - tls: rx: coalesce exit paths in tls_decrypt_sg()", " - tls: separate no-async decryption request handling from async", " - tls: fix use-after-free on failed backlog decryption", "", " * CVE-2024-26641", " - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()", "", " * CVE-2021-47212", " - net/mlx5: Update error handler for UCTX and UMEM", "", " * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks", " (LP: #2081085)", " - bdi: use bdi_dev_name() to get device name", "", " * Focal update: v5.4.284 upstream stable release (LP: #2081278)", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - i2c: Fix conditional for substituting empty ACPI functions", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - 
drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amdgpu: fix ucode out-of-bounds read warning", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - ionic: fix potential irq name truncation", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - smack: tcp: ipv4, fix incorrect labeling", " - wifi: cfg80211: make hash table duplicates more survivable", " - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - block: initialize integrity buffer to zero before writing it to media", " - net: set SOCK_RCU_FREE before inserting socket into hashtable", " - virtio_net: Fix napi_skb_cache_put warning", " - udf: Limit file size to 4TB", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - sch/netem: fix use after free in netem_dequeue", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - reset: hi6220: Add support for AO reset controller", " - clk: hi6220: use CLK_OF_DECLARE_DRIVER", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - ila: call nf_unregister_net_hooks() sooner", " - sched: 
sch_cake: fix bulk flow accounting logic for host fairness", " - nilfs2: fix missing cleanup on rollforward recovery error", " - nilfs2: fix state management in error path of log writing function", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - smack: unix sockets: fix accept()ed socket label", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - netfilter: nf_conncount: fix wrong variable type", " - udf: Avoid excessive partition lengths", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - can: bcm: Remove proc entry when dev is unregistered.", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " - cx82310_eth: re-enable ethernet mode after router reboot", " - drivers/net/usb: Remove all strcpy() uses", " - net: usb: don't write directly to netdev->dev_addr", " - usbnet: modern method to get random MAC", " - net: bridge: fdb: convert is_local to bitops", " - net: bridge: fdb: convert is_static to bitops", " - net: bridge: fdb: convert is_sticky to bitops", " - net: bridge: fdb: convert added_by_user to bitops", " - net: bridge: fdb: convert added_by_external_learn to use bitops", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - um: line: always fill *error_out 
in setup_one_line()", " - devres: Initialize an uninitialized struct member", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " - PCI: Add missing bridge lock to pci_bus_lock()", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " - Input: uinput - reject requests with unreasonable number of slots", " - usbnet: ipheth: race between ipheth_close and error handling", " - Squashfs: sanity check symbolic link size", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - binder: fix UAF caused by offsets overwrite", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", " - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - VMCI: Fix use-after-free when removing resource in 
vmci_resource_remove()", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - nilfs2: replace snprintf in show functions with sysfs_emit", " - nilfs2: protect references to superblock parameters exposed in sysfs", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " - nvmet-tcp: fix kernel crash if commands allocation fails", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - cx82310_eth: fix error return code in cx82310_bind()", " - Linux 5.4.284", "", " * CVE-2024-42244", " - USB: serial: mos7840: fix crash on resume", "", " * CVE-2024-40929", " - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids", "", " * CVE-2024-41073", " - nvme: avoid double free special payload", "", " * CVE-2024-41071", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", "", " * CVE-2024-42229", " - crypto: aead, cipher - zeroize key buffer after use", "", " * CVE-2024-38611", " - media: i2c: et8ek8: Don't strip remove function when driver is builtin", "", " * CVE-2024-38602", " - ax25: Fix reference count leak issues of ax25_dev", "", " * CVE-2024-35848", " - misc: eeprom: at24: fix regulator underflow", " - 
misc: eeprom: at24: register nvmem only after eeprom is ready to use", " - eeprom: at24: fix memory corruption race condition", "", " * CVE-2024-26669", " - net/sched: flower: Fix chain template offload", "", " * CVE-2024-26668", " - netfilter: nft_limit: rename stateful structure", " - netfilter: nft_limit: reject configurations that cause integer overflow", "", " * CVE-2024-26640", " - net-zerocopy: Refactor frag-is-remappable test.", " - tcp: add sanity checks to rx zerocopy", "", " * CVE-2024-26607", " - drm/bridge: sii902x: Fix probing race issue", "", " * CVE-2023-52614", " - PM / devfreq: Fix buffer overflow in trans_stat_show", "", " * CVE-2023-52531", " - wifi: iwlwifi: mvm: Fix a memory corruption issue", "", " * CVE-2022-36402", " - drm/vmwgfx: Use enum to represent graphics context capabilities", " - drm/vmwgfx: Fix shader stage validation", "", " * Focal update: v5.4.283 upstream stable release (LP: #2080595)", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - ALSA: usb-audio: Support Yamaha P-125 quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - vfs: Don't evict inode under the inode lru traversing context", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - drm/amdgpu: Actually check flags for all context ops.", " - memcg_write_event_control(): fix a user-triggerable oops", " - overflow.h: Add flex_array_size() helper", " - overflow: Implement size_t saturating arithmetic helpers", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename 
bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - s390/uv: Panic for set and remove shared access UVC errors", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - atm: idt77252: prevent use after free in dequeue_rx()", " - net: axienet: Fix DMA descriptor cleanup path", " - net: axienet: Improve DMA error handling", " - net: axienet: Factor out TX descriptor chain cleanup", " - net: axienet: Check for DMA mapping errors", " - net: axienet: Drop MDIO interrupt registers from ethtools dump", " - net: axienet: Wrap DMA pointer writes to prepare for 64 bit", " - net: axienet: Upgrade descriptors to hold 64-bit addresses", " - net: axienet: Autodetect 64-bit DMA capability", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: hns3: fix a deadlock problem when config TC during resetting", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - ssb: Fix division by zero issue in ssb_calc_clock_rate", " - wifi: cw1200: Avoid processing an invalid TIM IE", " - i2c: riic: avoid potential division by zero", " - media: radio-isa: use dev_name to fill in bus_info", " - staging: ks7010: disable bh on tx_dev_lock", " - binfmt_misc: cleanup on filesystem umount", " - scsi: spi: Fix sshdr use", " - gfs2: setattr_chown: Add missing initialization", " - wifi: iwlwifi: abort scan when rfkill on but device enabled", " - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock", " - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu", " - nvmet-trace: avoid dereferencing pointer too early", " - ext4: do not trim the group with corrupted block bitmap", " - quota: Remove BUG_ON from dqget()", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - net/sun3_82586: Avoid reading past 
buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - virtiofs: forbid newlines in tags", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", " - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - nvme: clear caller pointer on identify failure", " - Bluetooth: bnep: Fix out-of-bound access", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - hrtimer: Prevent queuing of hrtimer without a function callback", " - gtp: pull network headers in gtp_dev_xmit()", " - block: use \"unsigned long\" for blk_validate_block_size().", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - dm mpath: pass IO start time to path selector", " - dm: do not use waitqueue for request-based DM", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - Bluetooth: Make use of __check_timeout on hci_sched_le", " - Bluetooth: hci_core: Fix not handling link timeouts propertly", " - Bluetooth: hci_core: Fix LE quote 
calculation", " - tc-testing: don't access non-existent variable on exception", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - net: dsa: mv88e6xxx: global2: Expose ATU stats register", " - net: dsa: mv88e6xxx: global1_atu: Add helper for get next", " - net: dsa: mv88e6xxx: read FID when handling ATU violations", " - net: dsa: mv88e6xxx: replace ATU violation prints with trace points", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - ipv6: prevent UAF in ip6_send_skb()", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", " - drm/msm: use drm_debug_enabled() to check for debug categories", " - drm/msm/dpu: don't play tricks with debug macros", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - HID: microsoft: Add rumble support to latest xbox controllers", " - cxgb4: add forgotten u64 ivlan cast before shift", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - ALSA: timer: Relax start tick time check for slave timer elements", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: mwifiex: duplicate static structs used in driver instances", " - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages", " - filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - ata: libata-core: Fix null pointer dereference on error", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - net:rds: Fix possible deadlock in rds_message_put", " - soundwire: stream: fix programming slave ports for non-continous port maps", " - r8152: Factor out OOB link 
list waits", " - ethtool: check device is present when getting link settings", " - gtp: fix a potential NULL pointer dereference", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add dev_up/dev_down hooks to phy_ops", " - nfc: pn533: Add autopoll capability", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - USB: serial: option: add MeiG Smart SRM825L", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - net: dsa: mv8e6xxx: Fix stub function parameters", " - scsi: aacraid: Fix double-free on probe failure", " - Linux 5.4.283", "", " * CVE-2024-27051", " - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value", " - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations", "", " * CVE-2024-26891", " - PCI: Make pci_dev_is_disconnected() helper public for other drivers", " - iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected", "", " * Focal update: v5.4.282 upstream stable release (LP: #2078388)", " - EDAC, skx_common: Refactor so that we initialize \"dev\" in result of adxl", " decode.", " - EDAC, skx: Retrieve and print retry_rd_err_log registers", " - EDAC/skx_common: Add new ADXL components for 2-level memory", " - EDAC, i10nm: make skx_common.o a separate module", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code 
handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - pwm: stm32: Always do lazy disabling", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - x86/xen: Convert comma to semicolon", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - net/smc: Allow SMC-D 1MB DMB allocations", " - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: 
rise cap on SELinux secmark context", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - qed: Improve the stack space of filter_config()", " - wifi: virt_wifi: avoid reporting connection success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()", " - media: imon: Fix race getting ictx->lock", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: uvcvideo: Allow entity-defined get_info and get_cur", " - media: uvcvideo: Override default flags", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - PCI: Fix resource double counting on remove & rescan", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: max98088: Check for clk_prepare_enable() 
error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - MIPS: Octeron: remove source file executable bit", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: Drop if block with always false condition", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/nilfs2: remove some unused macros to tame gcc", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - ipv6: take care of scope when choosing the src addr", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - drm/amd/display: Check for NULL pointer", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - wifi: mwifiex: Fix interface type change", " - leds: ss4200: Convert PCIBIOS_* return 
codes to errnos", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - binder: fix hang of unregistered readers", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - f2fs: fix to don't dirty inode for readonly filesystem", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - decompress_bunzip2: fix rare decompression failure", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - rtc: isl1208: Fix return value of nvmem callbacks", " - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - nilfs2: handle inconsistent state in nilfs_btnode_create_block()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - jfs: Fix array-index-out-of-bounds in diFree", " 
- um: time-travel: fix time-travel-start option", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - dma: fix call order in dmam_free_coherent", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - tipc: Return non-zero value from tipc_udp_addr2str() on error", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - mISDN: Fix a use after free in hfcmulti_tx()", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - ASoC: Intel: Convert to new X86 CPU match macros", " - ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - nvme-pci: add missing condition check for existence of mapped data", " - mm: avoid overflows in dirty throttling logic", " - PCI: rockchip: Make 'ep-gpios' DT property optional", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - parport: Convert printk(KERN_ to pr_(", " - parport: Standardize use of printmode", " - dev/parport: fix the array out-of-bounds risk", " - driver core: Cast to (void *) with __force for __percpu pointer", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - genirq: Allow the PM device to originate from irq domain", " - irqchip/imx-irqsteer: Constify irq_chip struct", " - irqchip/imx-irqsteer: Add runtime PM support", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - remoteproc: imx_rproc: ignore mapping vdev regions", " - remoteproc: imx_rproc: Fix ignoring mapping vdev regions", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - net/iucv: fix use after free in 
iucv_sock_close()", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - HID: wacom: Modify pen IDs", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read", " - netfilter: ipset: Add list flush to cancel_gc", " - genirq: Allow irq_chip registration functions to take a const irq_chip", " - irqchip/mbigen: Fix mbigen node address layout", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - sctp: move hlist_node and hashent out of sctp_ep_common", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: linkwatch: use system_unbound_wq", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - net: fec: Stop PPS on driver remove", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on USB 3.x", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - ext4: fix wrong unit use in ext4_mb_find_by_goal", " - arm64: cpufeature: Force HWCAP to be based on the sysreg 
visible to user-", " space", " - arm64: Add Neoverse-V2 part", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Don't filter out duplicate alerts", " - i2c: smbus: Improve handling of stuck alerts", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - spi: fsl-lpspi: remove unneeded array", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - ntp: Clamp maxerror and esterror to operating range", " - driver core: Fix uevent_show() vs driver detach race", " - ntp: Safeguard against time_constant overflow", " - scsi: mpt3sas: Remove scsi_dma_map() error messages", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - serial: core: check uartclk for zero to avoid divide by zero", " - 
genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/mgag200: Set DDC timeout in milliseconds", " - Fix gcc 4.9 build issue in 5.4.y", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - netfilter: nf_tables: set element extended ACK reporting support", " - netfilter: nf_tables: prefer nft_chain_validate", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - arm64: cpufeature: Fix the visibility of compat hwcaps", " - media: uvcvideo: Use entity get_cur in uvc_ctrl_set", " - exec: Fix ToCToU between perm check and set-uid/gid usage", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()\"", " - Linux 5.4.282", "", " * CVE-2024-26885", " - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches", "", " * Focal update: v5.4.281 upstream stable release (LP: #2076097)", " - gcc-plugins: Rename last_stmt() for GCC 14+", " - filelock: Remove locks reliably when fcntl/close race is detected", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - Input: silead - Always support 10 fingers", " - ila: block BH in ila_output()", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - fs/file: fix the check in 
find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - s390/sclp: Fix sclp_init() cleanup on failure", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()", " - fs: better handle deep ancestor chains in is_subdir()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - ARM: 9324/1: fix get_user() broken with veneer", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " - net: relax socket state check at accept time.", " - ocfs2: add bounds checking to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - filelock: Fix fcntl/close race recovery compat path", " - tun: add missing verification for short frame", " 
- tap: add missing verification for short frame", " - Linux 5.4.281", "", " * Focal update: v5.4.283 upstream stable release (LP: #2080595) //", " CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "", " * CVE-2024-38630", " - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger", "", " * CVE-2024-27397", " - netfilter: nf_tables: use timestamp to check for set element timeout", "", " * CVE-2024-26960", " - mm: swap: fix race between free_swap_and_cache() and swapoff()", "" ], "package": "linux", "version": "5.4.0-200.220", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2082937, 1786013, 2081085, 2081278, 2080595, 2078388, 2076097, 2080595 ], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:40:47 +0200" }, { "cves": [ { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. 
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2022-48791", "url": "https://ubuntu.com/security/CVE-2022-48791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", "cve_priority": "medium", "cve_public_date": "2024-07-16 12:15:00 UTC" }, { "cve": "CVE-2024-26787", "url": "https://ubuntu.com/security/CVE-2024-26787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 
mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2022-48863", "url": "https://ubuntu.com/security/CVE-2022-48863", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-07-16 13:15:00 UTC" }, { "cve": "CVE-2021-47188", "url": "https://ubuntu.com/security/CVE-2021-47188", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.", "cve_priority": "medium", "cve_public_date": "2024-04-10 19:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": 
"2024-04-02 07:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-196.216 -proposed tracker (LP: #2078205)", "", " * CVE-2024-39494", " - ima: Fix use-after-free on a dentry's dname.name", "", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", "", " * CVE-2024-38570", " - gfs2: Rename sd_{ glock => kill }_wait", " - gfs2: Fix potential glock use-after-free on unmount", "", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", "", " * CVE-2022-48791", " - scsi: pm80xx: Fix TMF task completion race condition", " - scsi: pm8001: Fix use-after-free for aborted TMF sas_task", "", " * CVE-2024-26787", " - mmc: mmci_sdmmc: Rename sdmmc_priv struct to sdmmc_idma", " - mmc: mmci: stm32: use a buffer for unaligned DMA requests", " - mmc: mmci: stm32: fix DMA API overlapping mappings warning", "", " * CVE-2024-27012", " - netfilter: nf_tables: restore set elements when delete set fails", "", " * CVE-2022-48863", " - mISDN: Fix memory leak in dsp_pipeline_build()", "", " * CVE-2021-47188", " - scsi: ufs: core: Improve SCSI abort handling", "", " * CVE-2024-26677", " - rxrpc: Fix delayed ACKs to not set the reference serial number", "" ], "package": "linux", "version": "5.4.0-196.216", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2078205 ], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:06:16 +0200" }, { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. 
openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. 
In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-26929", "url": "https://ubuntu.com/security/CVE-2024-26929", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport The server was crashing after LOGO because fcport was getting freed twice. -----------[ cut here ]----------- kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx] ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx] qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx] ? kernfs_fop_write+0x11e/0x1a0 Remove one of the free calls and add check for valid fcport. 
Also use function qla2x00_free_fcport() instead of kfree().", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. 
syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] 
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-24860", "url": 
"https://ubuntu.com/security/CVE-2024-24860", "cve_description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... 
| switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" }, { "cve": "CVE-2021-46926", "url": "https://ubuntu.com/security/CVE-2021-46926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.", "cve_priority": "medium", "cve_public_date": "2024-02-27 10:15:00 UTC" } ], "log": [ "", " * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)", "", " * Focal update: v5.4.280 upstream stable release (LP: #2075175)", " - Compiler Attributes: Add __uninitialized macro", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t 
instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tcp: tcp_mark_head_lost is only valid for sack-tcp", " - tcp: add ece_ack flag to reno sack functions", " - net: tcp better handling of reordering then loss cases", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - wifi: wilc1000: fix ies_len type in connect path", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - media: dw2102: fix a potential buffer overflow", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - filelock: fix potential 
use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: add TCP_INFO status for failed client TFO", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - ppp: reject claimed-as-LCP but actually malformed packets", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: fix detection of IP layer", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries", " - tcp: refactor tcp_retransmit_timer()", " - net: tcp: fix unexcepted socket die when snd_wnd is 0", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", 
" - Linux 5.4.280", "", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:", " v5.4.280 upstream stable release (LP: #2075175)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", "", " * Focal update: v5.4.279 upstream stable release (LP: #2073621)", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/mlx5: Stop waiting for PCI if pci channel is offline", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret", " - ASoC: ti: davinci-mcasp: remove always 
zero of davinci_mcasp_get_dt_params", " - ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional", " - ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing", " - ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling", " - ASoC: ti: davinci-mcasp: Handle missing required DT properties", " - ASoC: ti: davinci-mcasp: Fix race condition during probe", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - Input: try trimming too long modalias strings", " - SUNRPC: return proper error from gss_wrap_req_priv", " - gpio: tqmx86: fix typo in Kconfig label", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix 
runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - hv_utils: drain the timesync packets on onchannelcallback", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " 
- batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - virtio_net: checksum offloading handling fix", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. 
Your kernel is", " fine.\"", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - i2c: ocores: set IACK bit after core is enabled", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock", " - iio: dac: ad5592r: un-indent code-block for scale read", " - iio: dac: ad5592r: fix temperature channel scaling value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - netfilter: nf_tables: validate family when identifying table via handle", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - net: phy: mchp: Add support for LAN8814 QUAD PHY", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - sparc: fix old compat_sys_select()", " - parisc: use correct compat recv/recvfrom syscalls", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - net/iucv: Avoid explicit 
cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - nvme: fixup comment for nvme RDMA Provider Type", " - gpio: davinci: Validate the obtained number of IRQs", " - x86: stop playing stack games in profile_pc()", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: adc: ad7266: Fix variable checking bug", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - mtd: spinand: macronix: Add support for serial NAND flash", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if 
readpage failed", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - Linux 5.4.279", "", " * CVE-2024-26921", " - skbuff: introduce skb_expand_head()", " - skb_expand_head() adjust skb->truesize incorrectly", " - inet: inet_defrag: prevent sk release while still in use", "", " * CVE-2024-26929", " - scsi: qla2xxx: Fix double free of fcport", "", " * CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", "", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", "", " * CVE-2024-26830", " - i40e: Refactoring VF MAC filters counting to make more reliable", " - i40e: Fix MAC address setting for a VF via Host/VM", " - i40e: Do not allow untrusted VF to remove administratively set MAC", "", " * CVE-2024-24860", " - Bluetooth: Fix atomicity violation in {min, max}_key_size_set", "", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "", " * CVE-2024-2201", " - [Config] Set SPECTRE_BHI_ON=y", "", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", "", " * CVE-2021-46926", " - ALSA: hda: intel-sdw-acpi: harden detection of controller", "" ], "package": "linux", "version": "5.4.0-195.215", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2075954, 2075175, 2074215, 2075175, 2073621 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:11:01 +0200" } ], "notes": "linux-modules-5.4.0-200-generic-lpae version '5.4.0-200.220' (source package linux version '5.4.0-200.220') was added. linux-modules-5.4.0-200-generic-lpae version '5.4.0-200.220' has the same source package name, linux, as removed package linux-headers-5.4.0-193. As such we can use the source package version of the removed package, '5.4.0-193.213', as the starting point in our changelog diff. 
Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "python3-packaging", "from_version": { "source_package_name": null, "source_package_version": null, "version": null }, "to_version": { "source_package_name": "python-packaging", "source_package_version": "20.3-1", "version": "20.3-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * New upstream version.", "" ], "package": "python-packaging", "version": "20.3-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 23 Mar 2020 09:44:10 +0100" }, { "cves": [], "log": [ "", " * New upstream version.", " * Bump standards version.", "" ], "package": "python-packaging", "version": "20.1-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 18 Feb 2020 17:29:16 +0100" }, { "cves": [], "log": [ "", " * New upstream version.", "" ], "package": "python-packaging", "version": "20.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 07 Jan 2020 15:20:18 +0100" } ], "notes": "For a newly added package only the three most recent changelog entries are shown." 
}, { "name": "python3-pyparsing", "from_version": { "source_package_name": null, "source_package_version": null, "version": null }, "to_version": { "source_package_name": "pyparsing", "source_package_version": "2.4.6-1", "version": "2.4.6-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Team upload.", "", " [ Drew Parsons ]", " * add unitTests to debian/tests", "", " [ Debian Janitor ]", " * Set upstream metadata fields: Repository, Repository-Browse.", "", " [ Håvard Flaget Aasen ]", " * New upstream version 2.4.6", " * Set upstream metadata fields: Bug-Database, Bug-Submit", " and append .git to Repository", " * Update Standards-Version to 4.5.0", " * Add sphinxdoc:Depends to doc package", " * Remove obsolete files d/README.source, d/new-upstream and", " cleaned d/watch since source no longer gets repacked", " * Add Rules-Requires-Root: no", "" ], "package": "pyparsing", "version": "2.4.6-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Håvard Flaget Aasen ", "date": "Fri, 24 Jan 2020 23:07:06 +0100" }, { "cves": [], "log": [ "", " * Team upload.", "", " [ Ondřej Nový ]", " * Convert git repository from git-dpm to gbp layout", " * Use debhelper-compat instead of debian/compat.", "", " [ Drew Parsons ]", " * New upstream release.", " * Standards-Version: 4.4.0", " * Build-Depends: debhelper-compat (= 12)", " - doc-base: places docs under python-pyparsing doc dir", " * update Homepage to https://github.com/pyparsing/pyparsing/", " * mark python-pyparsing-doc as Multi-Arch: foreign", " * exclude bytecode (pyc,__pycache__) from examples", " * add debian/tests (autopkgtest)", " * remove Kevin Coyner from Uploaders. Thanks", " for your great work in the past! 
Closes: #929551.", "" ], "package": "pyparsing", "version": "2.4.2-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Drew Parsons ", "date": "Tue, 03 Sep 2019 05:08:36 +0800" }, { "cves": [], "log": [ "", " * Uploading to unstable.", "" ], "package": "pyparsing", "version": "2.2.0+dfsg1-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Thomas Goirand ", "date": "Sun, 25 Feb 2018 20:32:31 +0000" } ], "notes": "For a newly added package only the three most recent changelog entries are shown." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.4.0-193", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-193.213", "version": "5.4.0-193.213" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.4.0-193-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-193.213", "version": "5.4.0-193.213" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.4.0-193-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-193.213", "version": "5.4.0-193.213" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.4.0-193-generic-lpae", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-193.213", "version": "5.4.0-193.213" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": 
"Changelog diff for Ubuntu 20.04 focal image from release image serial 20240821 to 20241112", "from_series": "focal", "to_series": "focal", "from_serial": "20240821", "to_serial": "20241112", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }