{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-112", "linux-headers-5.15.0-112-generic", "linux-image-5.15.0-112-generic", "linux-modules-5.15.0-112-generic" ], "removed": [ "linux-headers-5.15.0-107", "linux-headers-5.15.0-107-generic", "linux-image-5.15.0-107-generic", "linux-modules-5.15.0-107-generic" ], "diff": [ "bind9-dnsutils", "bind9-host", "bind9-libs", "cloud-init", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual" ] } }, "diff": { "deb": [ { "name": "bind9-dnsutils", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.18-0ubuntu0.22.04.2", "version": "1:9.18.18-0ubuntu0.22.04.2" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.24-0ubuntu0.22.04.1", "version": "1:9.18.24-0ubuntu0.22.04.1" }, "cves": [ { "cve": "CVE-2023-3341", "url": "https://ubuntu.com/security/CVE-2023-3341", "cve_description": "The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. 
This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4236", "url": "https://ubuntu.com/security/CVE-2023-4236", "cve_description": "A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4408", "url": "https://ubuntu.com/security/CVE-2023-4408", "cve_description": "The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5517", "url": "https://ubuntu.com/security/CVE-2023-5517", "cve_description": "A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. 
This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5679", "url": "https://ubuntu.com/security/CVE-2023-5679", "cve_description": "A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-50387", "url": "https://ubuntu.com/security/CVE-2023-50387", "cve_description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" }, { "cve": "CVE-2023-50868", "url": "https://ubuntu.com/security/CVE-2023-50868", "cve_description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. 
The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2040459 ], "changes": [ { "cves": [ { "cve": "CVE-2023-3341", "url": "https://ubuntu.com/security/CVE-2023-3341", "cve_description": "The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4236", "url": "https://ubuntu.com/security/CVE-2023-4236", "cve_description": "A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4408", "url": "https://ubuntu.com/security/CVE-2023-4408", "cve_description": "The DNS message parsing code in `named` includes a section whose computational complexity is overly high. 
It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5517", "url": "https://ubuntu.com/security/CVE-2023-5517", "cve_description": "A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5679", "url": "https://ubuntu.com/security/CVE-2023-5679", "cve_description": "A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-50387", "url": "https://ubuntu.com/security/CVE-2023-50387", "cve_description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. 
One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" }, { "cve": "CVE-2023-50868", "url": "https://ubuntu.com/security/CVE-2023-50868", "cve_description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" } ], "log": [ "", " * New upstream version 9.18.24 (LP: #2040459)", " - Updates:", " + Mark use of AES as the DNS COOKIE algorithm as depricated.", " + Mark resolver-nonbackoff-tries and resolver-retry-interval statements", " as depricated.", " + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and", " 2801:1b8:10::b.", " + Mark dnssec-must-be-secure option as deprecated.", " + Honor nsupdate -v option for SOA queries by sending both the UPDATE", " request and the initial query over TCP.", " + Reduce memory consumption through dedicated jemalloc memory arenas.", " - Bug fixes:", " + Fix accidental truncation to 32 bit of statistics channel counters.", " + Do not schedule unsigned versions of inline-signed zones containing", " DNSSEC records for resigning.", " + Take local authoritive data into account when looking up stale data", " from the cache.", " + Fix assertion failure when lock-file used at the same time as named -X.", " + Fix lockfile removal issue when starting named 3+ times.", " + Fix validation of If-Modified-Since header in statistics channel for", " its length.", " + Add Content-Length header bounds check 
to avoid integer overflow.", " + Fix memory leaks from OpenSSL error stack.", " + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs", " and ms-subdomain-self-rhs UPDATE policies.", " + Fix accidental disable of stale-refresh-time feature on rndc flush.", " + Fix possible DNS message corruption from partial writes in TLS DNS.", " - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional", " information.", " * Remove CVE patches fixed upstream:", " - CVE-2023-3341.patch", " - CVE-2023-4236.patch", " [ Fixed in 9.18.19 ]", " - 0001-CVE-2023-4408.patch", " - 0002-CVE-2023-5517.patch", " - 0003-CVE-2023-5679.patch", " - 0004-CVE-2023-50387-CVE-2023-50868.patch", " [ Fixed in 9.18.24 ]", " * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the", " standard library stdatomic.h.", "" ], "package": "bind9", "version": "1:9.18.24-0ubuntu0.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2040459 ], "author": "Lena Voytek ", "date": "Thu, 11 Apr 2024 14:11:18 -0700" } ], "notes": null }, { "name": "bind9-host", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.18-0ubuntu0.22.04.2", "version": "1:9.18.18-0ubuntu0.22.04.2" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.24-0ubuntu0.22.04.1", "version": "1:9.18.24-0ubuntu0.22.04.1" }, "cves": [ { "cve": "CVE-2023-3341", "url": "https://ubuntu.com/security/CVE-2023-3341", "cve_description": "The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. 
Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4236", "url": "https://ubuntu.com/security/CVE-2023-4236", "cve_description": "A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4408", "url": "https://ubuntu.com/security/CVE-2023-4408", "cve_description": "The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. 
This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5517", "url": "https://ubuntu.com/security/CVE-2023-5517", "cve_description": "A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5679", "url": "https://ubuntu.com/security/CVE-2023-5679", "cve_description": "A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-50387", "url": "https://ubuntu.com/security/CVE-2023-50387", "cve_description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. 
One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" }, { "cve": "CVE-2023-50868", "url": "https://ubuntu.com/security/CVE-2023-50868", "cve_description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2040459 ], "changes": [ { "cves": [ { "cve": "CVE-2023-3341", "url": "https://ubuntu.com/security/CVE-2023-3341", "cve_description": "The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. 
This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4236", "url": "https://ubuntu.com/security/CVE-2023-4236", "cve_description": "A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4408", "url": "https://ubuntu.com/security/CVE-2023-4408", "cve_description": "The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5517", "url": "https://ubuntu.com/security/CVE-2023-5517", "cve_description": "A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. 
This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5679", "url": "https://ubuntu.com/security/CVE-2023-5679", "cve_description": "A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-50387", "url": "https://ubuntu.com/security/CVE-2023-50387", "cve_description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" }, { "cve": "CVE-2023-50868", "url": "https://ubuntu.com/security/CVE-2023-50868", "cve_description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. 
The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" } ], "log": [ "", " * New upstream version 9.18.24 (LP: #2040459)", " - Updates:", " + Mark use of AES as the DNS COOKIE algorithm as depricated.", " + Mark resolver-nonbackoff-tries and resolver-retry-interval statements", " as depricated.", " + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and", " 2801:1b8:10::b.", " + Mark dnssec-must-be-secure option as deprecated.", " + Honor nsupdate -v option for SOA queries by sending both the UPDATE", " request and the initial query over TCP.", " + Reduce memory consumption through dedicated jemalloc memory arenas.", " - Bug fixes:", " + Fix accidental truncation to 32 bit of statistics channel counters.", " + Do not schedule unsigned versions of inline-signed zones containing", " DNSSEC records for resigning.", " + Take local authoritive data into account when looking up stale data", " from the cache.", " + Fix assertion failure when lock-file used at the same time as named -X.", " + Fix lockfile removal issue when starting named 3+ times.", " + Fix validation of If-Modified-Since header in statistics channel for", " its length.", " + Add Content-Length header bounds check to avoid integer overflow.", " + Fix memory leaks from OpenSSL error stack.", " + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs", " and ms-subdomain-self-rhs UPDATE policies.", " + Fix accidental disable of stale-refresh-time feature on rndc flush.", " + Fix possible DNS message corruption from partial writes in TLS DNS.", " - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional", " information.", " * Remove CVE patches fixed upstream:", " - CVE-2023-3341.patch", " - CVE-2023-4236.patch", " [ Fixed in 9.18.19 ]", " - 0001-CVE-2023-4408.patch", " - 0002-CVE-2023-5517.patch", " - 
0003-CVE-2023-5679.patch", " - 0004-CVE-2023-50387-CVE-2023-50868.patch", " [ Fixed in 9.18.24 ]", " * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the", " standard library stdatomic.h.", "" ], "package": "bind9", "version": "1:9.18.24-0ubuntu0.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2040459 ], "author": "Lena Voytek ", "date": "Thu, 11 Apr 2024 14:11:18 -0700" } ], "notes": null }, { "name": "bind9-libs", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.18-0ubuntu0.22.04.2", "version": "1:9.18.18-0ubuntu0.22.04.2" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.24-0ubuntu0.22.04.1", "version": "1:9.18.24-0ubuntu0.22.04.1" }, "cves": [ { "cve": "CVE-2023-3341", "url": "https://ubuntu.com/security/CVE-2023-3341", "cve_description": "The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4236", "url": "https://ubuntu.com/security/CVE-2023-4236", "cve_description": "A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. 
This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4408", "url": "https://ubuntu.com/security/CVE-2023-4408", "cve_description": "The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5517", "url": "https://ubuntu.com/security/CVE-2023-5517", "cve_description": "A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5679", "url": "https://ubuntu.com/security/CVE-2023-5679", "cve_description": "A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. 
This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-50387", "url": "https://ubuntu.com/security/CVE-2023-50387", "cve_description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" }, { "cve": "CVE-2023-50868", "url": "https://ubuntu.com/security/CVE-2023-50868", "cve_description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2040459 ], "changes": [ { "cves": [ { "cve": "CVE-2023-3341", "url": "https://ubuntu.com/security/CVE-2023-3341", "cve_description": "The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. 
Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4236", "url": "https://ubuntu.com/security/CVE-2023-4236", "cve_description": "A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.", "cve_priority": "medium", "cve_public_date": "2023-09-20 13:15:00 UTC" }, { "cve": "CVE-2023-4408", "url": "https://ubuntu.com/security/CVE-2023-4408", "cve_description": "The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. 
This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5517", "url": "https://ubuntu.com/security/CVE-2023-5517", "cve_description": "A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-5679", "url": "https://ubuntu.com/security/CVE-2023-5679", "cve_description": "A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.", "cve_priority": "medium", "cve_public_date": "2024-02-13 14:15:00 UTC" }, { "cve": "CVE-2023-50387", "url": "https://ubuntu.com/security/CVE-2023-50387", "cve_description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. 
One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" }, { "cve": "CVE-2023-50868", "url": "https://ubuntu.com/security/CVE-2023-50868", "cve_description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", "cve_priority": "medium", "cve_public_date": "2024-02-14 16:15:00 UTC" } ], "log": [ "", " * New upstream version 9.18.24 (LP: #2040459)", " - Updates:", " + Mark use of AES as the DNS COOKIE algorithm as deprecated.", " + Mark resolver-nonbackoff-tries and resolver-retry-interval statements", " as deprecated.", " + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and", " 2801:1b8:10::b.", " + Mark dnssec-must-be-secure option as deprecated.", " + Honor nsupdate -v option for SOA queries by sending both the UPDATE", " request and the initial query over TCP.", " + Reduce memory consumption through dedicated jemalloc memory arenas.", " - Bug fixes:", " + Fix accidental truncation to 32 bit of statistics channel counters.", " + Do not schedule unsigned versions of inline-signed zones containing", " DNSSEC records for resigning.", " + Take local authoritative data into account when looking up stale data", " from the cache.", " + Fix assertion failure when lock-file used at the same time as named -X.", " + Fix lockfile removal issue when starting named 3+ times.", " + Fix validation of If-Modified-Since header in statistics channel for", " its length.", " + Add Content-Length header bounds check 
to avoid integer overflow.", " + Fix memory leaks from OpenSSL error stack.", " + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs", " and ms-subdomain-self-rhs UPDATE policies.", " + Fix accidental disable of stale-refresh-time feature on rndc flush.", " + Fix possible DNS message corruption from partial writes in TLS DNS.", " - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional", " information.", " * Remove CVE patches fixed upstream:", " - CVE-2023-3341.patch", " - CVE-2023-4236.patch", " [ Fixed in 9.18.19 ]", " - 0001-CVE-2023-4408.patch", " - 0002-CVE-2023-5517.patch", " - 0003-CVE-2023-5679.patch", " - 0004-CVE-2023-50387-CVE-2023-50868.patch", " [ Fixed in 9.18.24 ]", " * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the", " standard library stdatomic.h.", "" ], "package": "bind9", "version": "1:9.18.24-0ubuntu0.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2040459 ], "author": "Lena Voytek ", "date": "Thu, 11 Apr 2024 14:11:18 -0700" } ], "notes": null }, { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "24.1.3-0ubuntu1~22.04.1", "version": "24.1.3-0ubuntu1~22.04.1" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "24.1.3-0ubuntu1~22.04.4", "version": "24.1.3-0ubuntu1~22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2064132, 2064300, 2064132 ], "changes": [ { "cves": [], "log": [ "", " * cherry-pick 51c6569f: fix(snapd): ubuntu do not snap refresh when", " snap absent (LP: #2064132)", " - fix in 24.1.3-0ubuntu1~20.04.2 did not handle package_upgrade case", "" ], "package": "cloud-init", "version": "24.1.3-0ubuntu1~22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2064132 ], "author": "Chad Smith ", "date": "Fri, 03 May 2024 20:20:35 -0600" }, { "cves": [], "log": [ "", " * d/p/cli-retain-file-argument-as-main-cmd-arg.patch: retain ability 
to", " provide -f or --file on the command line before cloud-init subcommands", " init, modules or single (LP: #2064300)", "" ], "package": "cloud-init", "version": "24.1.3-0ubuntu1~22.04.3", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2064300 ], "author": "Chad Smith ", "date": "Wed, 01 May 2024 09:54:16 -0600" }, { "cves": [], "log": [ "", " * cherry-pick a6f7577d: bug(package_update): avoid snap refresh in", " images without (LP: #2064132)", "" ], "package": "cloud-init", "version": "24.1.3-0ubuntu1~22.04.2", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2064132 ], "author": "Chad Smith ", "date": "Mon, 29 Apr 2024 10:01:25 -0600" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.107.107", "version": "5.15.0.107.107" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.112.112", "version": "5.15.0.112.112" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-112", "" ], "package": "linux-meta", "version": "5.15.0.112.112", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Thu, 23 May 2024 09:21:08 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-111", "" ], "package": "linux-meta", "version": "5.15.0.111.111", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 26 Apr 2024 13:30:46 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.107.107", "version": "5.15.0.107.107" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.112.112", "version": "5.15.0.112.112" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 
5.15.0-112", "" ], "package": "linux-meta", "version": "5.15.0.112.112", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Thu, 23 May 2024 09:21:08 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-111", "" ], "package": "linux-meta", "version": "5.15.0.111.111", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 26 Apr 2024 13:30:46 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.107.107", "version": "5.15.0.107.107" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.112.112", "version": "5.15.0.112.112" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-112", "" ], "package": "linux-meta", "version": "5.15.0.112.112", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Thu, 23 May 2024 09:21:08 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-111", "" ], "package": "linux-meta", "version": "5.15.0.111.111", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 26 Apr 2024 13:30:46 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.107.107", "version": "5.15.0.107.107" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.112.112", "version": "5.15.0.112.112" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-112", "" ], "package": "linux-meta", "version": "5.15.0.112.112", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Thu, 23 May 2024 09:21:08 +0200" }, 
{ "cves": [], "log": [ "", " * Bump ABI 5.15.0-111", "" ], "package": "linux-meta", "version": "5.15.0.111.111", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 26 Apr 2024 13:30:46 +0200" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-112", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-107.117", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-112.122", "version": "5.15.0-112.122" }, "cves": [ { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. 
WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) 
RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52447", "url": "https://ubuntu.com/security/CVE-2023-52447", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. 
However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.", "cve_priority": "high", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. 
However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 
__x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). 
[0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 
0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. 
So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. 
For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). 
This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. 
Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2065898, 2063763, 2063096, 2061986, 2040948, 2063290, 2063276, 2060422, 2058477, 2060209, 2060209, 2060209, 2063067, 2060142, 2060142, 2060142, 2060142, 2060142 ], "changes": [ { "cves": [ { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-112.122 -proposed tracker (LP: #2065898)", "", " * CVE-2024-21823", " - dmanegine: idxd: reformat opcap output to match bitmap_parse() input", " - dmaengine: idxd: add WQ operation cap restriction support", " - dmaengine: idxd: add knob for enqcmds retries", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux", "version": "5.15.0-112.122", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2065898 ], "author": "Roxana Nicolescu ", "date": "Thu, 23 May 2024 09:20:33 +0200" }, { "cves": [ { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. 
WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) 
RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52447", "url": "https://ubuntu.com/security/CVE-2023-52447", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. 
However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.", "cve_priority": "high", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. 
However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 
__x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). 
[0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 
0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. 
So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. 
For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). 
This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. 
Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-111.121 -proposed tracker (LP: #2063763)", "", " * RTL8852BE fw security fail then lost WIFI function during suspend/resume", " cycle (LP: #2063096)", " - wifi: rtw89: download firmware with five times retry", "", " * Mount CIFS fails with Permission denied (LP: #2061986)", " - cifs: fix ntlmssp auth when there is no key exchange", "", " * USB stick can't be detected (LP: #2040948)", " - usb: Disable USB3 LPM at shutdown", "", " * Jammy update: v5.15.153 upstream stable release (LP: #2063290)", " - io_uring/unix: drop usage of io_uring socket", " - io_uring: drop any code related to SCM_RIGHTS", " - selftests: tls: use exact comparison in recv_partial", " - ASoC: rt5645: Make LattePanda board DMI match more precise", " - x86/xen: Add some null pointer checking to smp.c", " - MIPS: Clear Cause.BD in instruction_pointer_set", " - HID: multitouch: Add required quirk for Synaptics 0xcddc device", " - gen_compile_commands: fix invalid escape sequence warning", " - RDMA/mlx5: Fix fortify source warning while accessing Eth segment", " - RDMA/mlx5: Relax DEVX access upon modify commands", " - riscv: dts: sifive: add missing #interrupt-cells to pmic", " - x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h", " - x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()", " - net/iucv: fix the allocation size of iucv_path_table array", " - parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check", " - block: sed-opal: handle empty atoms when parsing response", " - dm-verity, dm-crypt: align \"struct bvec_iter\" correctly", " - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready", " - ALSA: hda/realtek - ALC285 reduce pop noise from Headphone port", " - drm/amdgpu: Enable gpu reset for S3 abort cases on Raven series", " - Bluetooth: rfcomm: 
Fix null-ptr-deref in rfcomm_check_security", " - firewire: core: use long bus reset on gap count error", " - ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet", " - Input: gpio_keys_polled - suppress deferred probe error for gpio", " - ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC", " - ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode", " - ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll", " - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak", " - s390/dasd: put block allocation in separate function", " - s390/dasd: add query PPRC function", " - s390/dasd: add copy pair setup", " - s390/dasd: add autoquiesce feature", " - s390/dasd: Use dev_*() for device log messages", " - s390/dasd: fix double module refcount decrement", " - fs/select: rework stack allocation hack for clang", " - md: Don't clear MD_CLOSING when the raid is about to stop", " - lib/cmdline: Fix an invalid format specifier in an assertion msg", " - time: test: Fix incorrect format specifier", " - rtc: test: Fix invalid format specifier.", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", " - timekeeping: Fix cross-timestamp interpolation on counter wrap", " - timekeeping: Fix cross-timestamp interpolation corner case decision", " - timekeeping: Fix cross-timestamp interpolation for non-x86", " - sched/fair: Take the scheduling domain into account in select_idle_core()", " - wifi: ath10k: fix NULL pointer dereference in", " ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()", " - wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled", " - wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled", " - wifi: b43: Stop correct queue in DMA worker when QoS is disabled", " - wifi: b43: Disable QoS for bcm4331", " - wifi: wilc1000: fix declarations ordering", " - wifi: wilc1000: fix RCU usage in connect path", " - wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work", " - wifi: 
wilc1000: fix multi-vif management when deleting a vif", " - wifi: mwifiex: debugfs: Drop unnecessary error check for", " debugfs_create_dir()", " - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value", " - cpufreq: Explicitly include correct DT includes", " - cpufreq: mediatek-hw: Wait for CPU supplies before probing", " - sock_diag: annotate data-races around sock_diag_handlers[family]", " - inet_diag: annotate data-races around inet_diag_table[]", " - bpftool: Silence build warning about calloc()", " - af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().", " - cpufreq: mediatek-hw: Don't error out if supply is not found", " - arm64: dts: imx8mm-kontron: Disable pullups for I2C signals on SL/BL i.MX8MM", " - arm64: dts: imx8mm-kontron: Disable pullups for onboard UART signals on BL", " board", " - arm64: dts: imx8mm-kontron: Add support for ultra high speed modes on SD", " card", " - arm64: dts: imx8mm-kontron: Use the VSELECT signal to switch SD card IO", " voltage", " - arm64: dts: imx8mm-kontron: Disable pull resistors for SD card signals on BL", " board", " - wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete", " - wifi: iwlwifi: mvm: report beacon protection failures", " - wifi: iwlwifi: dbg-tlv: ensure NUL termination", " - wifi: iwlwifi: fix EWRD table validity check", " - arm64: dts: imx8mm-venice-gw71xx: fix USB OTG VBUS", " - pwm: atmel-hlcdc: Convert to platform remove callback returning void", " - pwm: atmel-hlcdc: Use consistent variable naming", " - pwm: atmel-hlcdc: Fix clock imbalance related to suspend support", " - net: blackhole_dev: fix build warning for ethh set but not used", " - wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()", " - pwm: sti: Implement .apply() callback", " - pwm: sti: Fix capture for st,pwm-num-chan < st,capture-num-chan", " - wifi: iwlwifi: mvm: don't set replay counters to 0xff", " - s390/vdso: drop '-fPIC' from LDFLAGS", " - ipv6: mcast: remove 
one synchronize_net() barrier in ipv6_mc_down()", " - arm64: dts: mt8183: kukui: Add Type C node", " - arm64: dts: mt8183: kukui: Split out keyboard node and describe detachables", " - arm64: dts: mt8183: Move CrosEC base detection node to kukui-based DTs", " - arm64: dts: mediatek: mt7622: add missing \"device_type\" to memory nodes", " - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly", " - wireless: Remove redundant 'flush_workqueue()' calls", " - wifi: wilc1000: prevent use-after-free on vif when cleaning up all", " interfaces", " - ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()", " - bus: tegra-aconnect: Update dependency to ARCH_TEGRA", " - [Config]: update CONFIG_TEGRA_ACONNECT", " - iommu/amd: Mark interrupt as managed", " - wifi: brcmsmac: avoid function pointer casts", " - net: ena: Remove ena_select_queue", " - ARM: dts: arm: realview: Fix development chip ROM compatible value", " - arm64: dts: renesas: r8a779a0: Update to R-Car Gen4 compatible values", " - arm64: dts: renesas: r8a779a0: Correct avb[01] reg sizes", " - ARM: dts: imx6dl-yapp4: Move phy reset into switch node", " - ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address", " - ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node", " - arm64: dts: marvell: reorder crypto interrupts on Armada SoCs", " - ACPI: resource: Add Infinity laptops to irq1_edge_low_force_override", " - ACPI: resource: Do IRQ override on Lunnen Ground laptops", " - ACPI: resource: Add MAIBENBEN X577 to irq1_edge_low_force_override", " - ACPI: scan: Fix device check notification handling", " - x86, relocs: Ignore relocations in .notes section", " - SUNRPC: fix some memleaks in gssx_dec_option_array", " - mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove", " function", " - wifi: rtw88: 8821c: Fix false alarm count", " - PCI: Make pci_dev_is_disconnected() helper public for other drivers", " - iommu/vt-d: Don't issue ATS 
Invalidation request when device is disconnected", " - igb: move PEROUT and EXTTS isr logic to separate functions", " - igb: Fix missing time sync events", " - Bluetooth: Remove superfluous call to hci_conn_check_pending()", " - Bluetooth: hci_qca: Add support for QTI Bluetooth chip wcn6855", " - Bluetooth: hci_qca: don't use IS_ERR_OR_NULL() with gpiod_get_optional()", " - Bluetooth: hci_core: Fix possible buffer overflow", " - sr9800: Add check for usbnet_get_endpoints", " - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches", " - bpf: Fix hashtab overflow check on 32-bit arches", " - bpf: Fix stackmap overflow check on 32-bit arches", " - ipv6: fib6_rules: flush route cache when rule is changed", " - net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()", " - net: phy: fix phy_get_internal_delay accessing an empty array", " - net: hns3: fix kernel crash when 1588 is received on HIP08 devices", " - net: hns3: fix port duplex configure error in IMP reset", " - net: phy: DP83822: enable rgmii mode if phy_interface_is_rgmii", " - net: phy: dp83822: Fix RGMII TX delay configuration", " - OPP: debugfs: Fix warning around icc_get_name()", " - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function", " - net: Change sock_getsockopt() to take the sk ptr instead of the sock ptr", " - bpf: net: Change sk_getsockopt() to take the sockptr_t argument", " - bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument", " - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt()", " function", " - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt()", " function", " - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function", " - net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function", " - net/x25: fix incorrect parameter validation in the x25_getsockopt() function", " - nfp: flower: handle acti_netdevs allocation failure", " - dm raid: fix false positive for 
requeue needed during reshape", " - dm: call the resume method on internal suspend", " - drm/tegra: dsi: Add missing check for of_find_device_by_node", " - drm/tegra: dpaux: Populate AUX bus", " - drm/tegra: dpaux: Fix PM disable depth imbalance in tegra_dpaux_probe", " - drm/tegra: dsi: Make use of the helper function dev_err_probe()", " - drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()", " - drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path", " of tegra_dsi_probe()", " - drm/tegra: dc: rgb: Allow changing PLLD rate on Tegra30+", " - drm/tegra: rgb: Fix some error handling paths in tegra_dc_rgb_probe()", " - drm/tegra: rgb: Fix missing clk_put() in the error handling paths of", " tegra_dc_rgb_probe()", " - drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths", " of tegra_output_probe()", " - drm/rockchip: inno_hdmi: Fix video timing", " - drm: Don't treat 0 as -1 in drm_fixp2int_ceil", " - drm/ttm: add ttm_resource_fini v2", " - drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node", " - drm/rockchip: lvds: do not overwrite error code", " - drm/rockchip: lvds: do not print scary message when probing defer", " - drm/lima: fix a memleak in lima_heap_alloc", " - dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA", " - [Config]: update CONFIG_TEGRA210_ADMA", " - media: tc358743: register v4l2 async device only after successful setup", " - PCI/DPC: Print all TLP Prefixes, not just the first", " - perf record: Fix possible incorrect free in record__switch_output()", " - HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd", " - drm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'", " - drm/amd/display: Fix potential NULL pointer dereferences in", " 'dcn10_set_output_transfer_func()'", " - perf evsel: Fix duplicate initialization of data->id in", " evsel__parse_sample()", " - clk: meson: Add missing clocks to axg_clk_regmaps", " - media: em28xx: annotate unchecked 
call to media_device_register()", " - media: v4l2-tpg: fix some memleaks in tpg_alloc", " - media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity", " - media: edia: dvbdev: fix a use-after-free", " - pinctrl: mediatek: Drop bogus slew rate register range for MT8192", " - clk: qcom: reset: Commonize the de/assert functions", " - clk: qcom: reset: Ensure write completion on reset de/assertion", " - quota: simplify drop_dquot_ref()", " - quota: Fix potential NULL pointer dereference", " - quota: Fix rcu annotations of inode dquot pointers", " - PCI/P2PDMA: Fix a sleeping issue in a RCU read section", " - PCI: switchtec: Fix an error handling path in switchtec_pci_probe()", " - crypto: xilinx - call finalize with bh disabled", " - perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()", " - drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()", " - ALSA: seq: fix function cast warnings", " - perf stat: Avoid metric-only segv", " - ASoC: meson: Use dev_err_probe() helper", " - ASoC: meson: aiu: fix function pointer type mismatch", " - ASoC: meson: t9015: fix function pointer type mismatch", " - powerpc: Force inlining of arch_vmap_p{u/m}d_supported()", " - PCI: endpoint: Support NTB transfer between RC and EP", " - [Config]: update CONFIG_PCI_EPF_VNTB", " - NTB: EPF: fix possible memory leak in pci_vntb_probe()", " - NTB: fix possible name leak in ntb_register_device()", " - media: sun8i-di: Fix coefficient writes", " - media: sun8i-di: Fix power on/off sequences", " - media: sun8i-di: Fix chroma difference threshold", " - media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak", " - media: go7007: add check of return value of go7007_read_addr()", " - media: pvrusb2: remove redundant NULL check", " - media: pvrusb2: fix pvr2_stream_callback casts", " - clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times", " - drm/mediatek: dsi: Fix DSI RGB666 formats and definitions", " - PCI: Mark 3ware-9650SE Root Port Extended 
Tags as broken", " - clk: hisilicon: hi3519: Release the correct number of gates in", " hi3519_clk_unregister()", " - clk: hisilicon: hi3559a: Fix an erroneous devm_kfree()", " - drm/tegra: put drm_gem_object ref on error in tegra_fb_create", " - mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref", " - mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a", " ref", " - crypto: arm/sha - fix function cast warnings", " - drm/tidss: Fix initial plane zpos values", " - mtd: maps: physmap-core: fix flash size larger than 32-bit", " - mtd: rawnand: lpc32xx_mlc: fix irq handler prototype", " - ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs", " - ASoC: meson: axg-tdm-interface: add frame rate constraint", " - HID: amd_sfh: Update HPD sensor structure elements", " - drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()", " - media: pvrusb2: fix uaf in pvr2_context_set_notify", " - media: dvb-frontends: avoid stack overflow warnings with clang", " - media: go7007: fix a memleak in go7007_load_encoder", " - media: ttpci: fix two memleaks in budget_av_attach", " - media: mediatek: vcodec: avoid -Wcast-function-type-strict warning", " - drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip", " - powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks", " - drm/msm/dpu: add division of drm_display_mode's hskew parameter", " - module: Add support for default value for module async_probe", " - modules: wait do_free_init correctly", " - powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.", " - leds: aw2013: Unlock mutex before destroying it", " - leds: sgm3140: Add missing timer cleanup and flash gpio control", " - backlight: lm3630a: Initialize backlight_properties on init", " - backlight: lm3630a: Don't set bl->props.brightness in get_brightness", " - backlight: da9052: Fully initialize backlight_properties during probe", " - backlight: lm3639: 
Fully initialize backlight_properties during probe", " - backlight: lp8788: Fully initialize backlight_properties during probe", " - sparc32: Fix section mismatch in leon_pci_grpci", " - clk: Fix clk_core_get NULL dereference", " - clk: zynq: Prevent null pointer dereference caused by kmalloc failure", " - ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops", " - ALSA: usb-audio: Stop parsing channels bits when all channels are found.", " - RDMA/srpt: Do not register event handler until srpt device is fully setup", " - f2fs: multidevice: support direct IO", " - f2fs: invalidate META_MAPPING before IPU/DIO write", " - f2fs: replace congestion_wait() calls with io_schedule_timeout()", " - f2fs: fix to invalidate META_MAPPING before DIO write", " - f2fs: invalidate meta pages only for post_read required inode", " - f2fs: reduce stack memory cost by using bitfield in struct f2fs_io_info", " - f2fs: compress: fix to cover normal cluster write with cp_rwsem", " - f2fs: compress: fix to check unreleased compressed cluster", " - scsi: csiostor: Avoid function pointer casts", " - RDMA/device: Fix a race between mad_client and cm_client init", " - RDMA/rtrs-clt: Check strnlen return len in sysfs mpath_policy_store()", " - scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn", " - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()", " - NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102", " - NFSv4.2: fix listxattr maximum XDR buffer size", " - watchdog: stm32_iwdg: initialize default timeout", " - NFS: Fix an off by one in root_nfs_cat()", " - f2fs: compress: fix reserve_cblocks counting error when out of space", " - afs: Revert \"afs: Hide silly-rename files from userspace\"", " - comedi: comedi_test: Prevent timers rescheduling during deletion", " - remoteproc: stm32: use correct format strings on 64-bit", " - remoteproc: stm32: Fix incorrect type in assignment for va", " - remoteproc: stm32: Fix incorrect type assignment returned by", " 
stm32_rproc_get_loaded_rsc_tablef", " - tty: vt: fix 20 vs 0x20 typo in EScsiignore", " - serial: max310x: fix syntax error in IRQ error message", " - tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT", " - arm64: dts: broadcom: bcmbca: bcm4908: drop invalid switch cells", " - kconfig: fix infinite loop when expanding a macro at the end of file", " - rtc: mt6397: select IRQ_DOMAIN instead of depending on it", " - serial: 8250_exar: Don't remove GPIO device on suspend", " - staging: greybus: fix get_channel_from_mode() failure path", " - usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin", " - io_uring: don't save/restore iowait state", " - nouveau: reset the bo resource bus info after an eviction", " - octeontx2-af: Use matching wake_up API variant in CGX command interface", " - s390/vtime: fix average steal time calculation", " - soc: fsl: dpio: fix kcalloc() argument order", " - hsr: Fix uninit-value access in hsr_get_node()", " - net: mtk_eth_soc: move MAC_MCR setting to mac_finish()", " - net: mediatek: mtk_eth_soc: clear MAC_MCR_FORCE_LINK only when MAC is up", " - net: ethernet: mtk_eth_soc: fix PPE hanging issue", " - packet: annotate data-races around ignore_outgoing", " - net: veth: do not manipulate GRO when using XDP", " - net: dsa: mt7530: prevent possible incorrect XTAL frequency selection", " - vdpa/mlx5: Allow CVQ size changes", " - wireguard: receive: annotate data-race around receiving_counter.counter", " - rds: introduce acquire/release ordering in acquire/release_in_xmit()", " - hsr: Handle failures in module init", " - net: phy: fix phy_read_poll_timeout argument type in genphy_loopback", " - net/bnx2x: Prevent access to a freed page in page_pool", " - octeontx2-af: Use separate handlers for interrupts", " - netfilter: nf_tables: do not compare internal table flags on updates", " - rcu: add a helper to report consolidated flavor QS", " - net: report RCU QS on threaded NAPI repolling", " - bpf: report RCU QS in cpumap 
kthread", " - net: dsa: mt7530: fix handling of LLDP frames", " - net: dsa: mt7530: fix handling of 802.1X PAE frames", " - net: dsa: mt7530: fix link-local frames that ingress vlan filtering ports", " - net: dsa: mt7530: fix handling of all link-local frames", " - spi: spi-mt65xx: Fix NULL pointer access in interrupt handler", " - regmap: Add missing map->bus check", " - remoteproc: stm32: fix incorrect optional pointers", "", " * Jammy update: v5.15.152 upstream stable release (LP: #2063276)", " - mmc: mmci: stm32: use a buffer for unaligned DMA requests", " - mmc: mmci: stm32: fix DMA API overlapping mappings warning", " - net: lan78xx: fix runtime PM count underflow on link stop", " - ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able", " - i40e: disable NAPI right after disabling irqs when handling xsk_pool", " - tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string", " - geneve: make sure to pull inner header in geneve_rx()", " - net: sparx5: Fix use after free inside sparx5_del_mact_entry", " - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", " - net/ipv6: avoid possible UAF in ip6_route_mpath_notify()", " - cpumap: Zero-initialise xdp_rxq_info struct before running XDP program", " - net/rds: fix WARNING in rds_conn_connect_if_down", " - netfilter: nft_ct: fix l3num expectations with inet pseudo family", " - netfilter: nf_conntrack_h323: Add protection for bmp length out of range", " - erofs: apply proper VMA alignment for memory mapped files on THP", " - netrom: Fix a data-race around sysctl_netrom_default_path_quality", " - netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser", " - netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser", " - netrom: Fix a data-race around sysctl_netrom_transport_timeout", " - netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries", " - netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay", " - netrom: Fix 
a data-race around sysctl_netrom_transport_busy_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size", " - netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout", " - netrom: Fix a data-race around sysctl_netrom_routing_control", " - netrom: Fix a data-race around sysctl_netrom_link_fails_count", " - netrom: Fix data-races around sysctl_net_busy_read", " - ALSA: usb-audio: Refcount multiple accesses on the single clock", " - ALSA: usb-audio: Clear fixed clock rate at closing EP", " - ALSA: usb-audio: Split endpoint setups for hw_params and prepare (take#2)", " - ALSA: usb-audio: Properly refcounting clock rate", " - ALSA: usb-audio: Apply mutex around snd_usb_endpoint_set_params()", " - ALSA: usb-audio: Correct the return code from snd_usb_endpoint_set_params()", " - ALSA: usb-audio: Avoid superfluous endpoint setup", " - ALSA: usb-audio: Add quirk for Tascam Model 12", " - ALSA: usb-audio: Add new quirk FIXED_RATE for JBL Quantum810 Wireless", " - ALSA: usb-audio: Fix microphone sound on Nexigo webcam.", " - ALSA: usb-audio: add quirk for RODE NT-USB+", " - drm/amd/display: Fix uninitialized variable usage in core_link_ 'read_dpcd()", " & write_dpcd()' functions", " - nfp: flower: add goto_chain_index for ct entry", " - nfp: flower: add hardware offload check for post ct entry", " - selftests/mm: switch to bash from sh", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - xhci: process isoc TD properly when there was a transaction error mid TD.", " - xhci: handle isoc Babble and Buffer Overrun events properly", " - serial: max310x: use regmap methods for SPI batch operations", " - serial: max310x: use a separate regmap for each port", " - serial: max310x: prevent infinite while() loop in port startup", " - drm/amd/pm: do not expose the API used internally only in kv_dpm.c", " - drm/amdgpu: Reset IH OVERFLOW_CLEAR bit", " - selftests: mptcp: decrease BW in simult flows", " - hv_netvsc: 
use netif_is_bond_master() instead of open code", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - drm/amd/display: Re-arrange FPU code structure for dcn2x", " - drm/amd/display: move calcs folder into DML", " - drm/amd/display: remove DML Makefile duplicate lines", " - drm/amd/display: Increase frame-larger-than for all display_mode_vba files", " - getrusage: add the \"signal_struct *sig\" local variable", " - getrusage: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - getrusage: use __for_each_thread()", " - getrusage: use sig->stats_lock rather than lock_task_sighand()", " - proc: Use task_is_running() for wchan in /proc/$pid/stat", " - fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - ALSA: usb-audio: Fix wrong kfree issue in snd_usb_endpoint_free_all", " - ALSA: usb-audio: Always initialize fixed_rate in", " snd_usb_find_implicit_fb_sync_format()", " - ALSA: usb-audio: Add FIXED_RATE quirk for JBL Quantum610 Wireless", " - ALSA: usb-audio: Sort quirk table entries", " - regmap: allow to define reg_update_bits for no bus configuration", " - regmap: Add bulk read/write callbacks into regmap_config", " - serial: max310x: make accessing revision id interface-agnostic", " - serial: max310x: fix IO data corruption in batched operations", " - Linux 5.15.152", "", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", "", " * CVE-2024-26792", " - btrfs: fix double free of anonymous device after snapshot creation failure", "", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", "", " * CVE-2023-52447", " - bpf: Defer the free of inner map when necessary", " - rcu-tasks: Provide rcu_trace_implies_rcu_gp()", "", " * Avoid creating non-working backlight sysfs knob from ASUS board", " (LP: #2060422)", " - platform/x86: asus-wmi: Consider device is absent when the read is ~0", "", " * [Ubuntu 
22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. (LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209)", " - netfilter: nf_tables: disallow timeout for anonymous sets", " - mtd: spinand: gigadevice: Fix the get ecc status issue", " - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter", " - net: ip_tunnel: prevent perpetual headroom growth", " - tun: Fix xdp_rxq_info's queue_index when detaching", " - cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call", " back", " - net: veth: clear GRO when clearing XDP even when down", " - ipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()", " - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is", " detected", " - net: enable memcg accounting for veth queues", " - veth: try harder when allocating queue memory", " - net: usb: dm9601: fix wrong return value in dm9601_mdio_read", " - uapi: in6: replace temporary label with rfc9486", " - stmmac: Clear variable when destroying workqueue", " - Bluetooth: Avoid potential use-after-free in hci_error_reset", " - Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR", " - netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()", " - netfilter: nfnetlink_queue: silence bogus compiler warning", " - netfilter: core: move ip_ct_attach indirection to struct nf_ct_hook", " - netfilter: make function op structures const", " - netfilter: let reset rules clean out conntrack entries", " - netfilter: bridge: confirm multicast packets before passing them up the", " stack", " - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back", " - igb: extend PTP timestamp adjustments to i211", " - efi/capsule-loader: fix incorrect 
allocation size", " - power: supply: bq27xxx-i2c: Do not free non existing IRQ", " - ALSA: Drop leftover snd-rtctimer stuff from Makefile", " - fbcon: always restore the old font data in fbcon_do_set_font()", " - afs: Fix endless loop in directory parsing", " - riscv: Sparse-Memory/vmemmap out-of-bounds fix", " - ALSA: firewire-lib: fix to check cycle continuity", " - gtp: fix use-after-free and null-ptr-deref in gtp_newlink()", " - wifi: nl80211: reject iftype change with mesh ID change", " - btrfs: dev-replace: properly validate device names", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " - dmaengine: ptdma: use consistent DMA masks", " - dmaengine: fsl-qdma: init irq after reg initialization", " - mmc: core: Fix eMMC initialization with 1-bit bus connection", " - mmc: sdhci-xenon: add timeout for PHY init complete", " - mmc: sdhci-xenon: fix PHY init clock stability", " - pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation", " - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers", " - mptcp: move __mptcp_error_report in protocol.c", " - mptcp: process pending subflow error on close", " - mptcp: rename timer related helper to less confusing names", " - selftests: mptcp: add missing kconfig for NF Filter", " - selftests: mptcp: add missing kconfig for NF Filter in v6", " - mptcp: clean up harmless false expressions", " - mptcp: add needs_id for netlink appending addr", " - mptcp: push at DSS boundaries", " - mptcp: fix possible deadlock in subflow diag", " - cachefiles: fix memory leak in cachefiles_add_cache()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - Revert \"drm/bridge: lt8912b: Register and attach our DSI device at probe\"", " - af_unix: Drop oob_skb ref before purging queue in GC.", " - gpio: 74x164: Enable output pins after registers are reset", " - gpiolib: Fix the error path order in gpiochip_add_data_with_key()", " - gpio: fix resource unwinding order in error path", " - 
Revert \"interconnect: Fix locking for runpm vs reclaim\"", " - Revert \"interconnect: Teach lockdep about icc_bw_lock order\"", " - bpf: Add BPF_FIB_LOOKUP_SKIP_NEIGH for bpf_fib_lookup", " - bpf: Add table ID to bpf_fib_lookup BPF helper", " - bpf: Derive source IP addr via bpf_*_fib_lookup()", " - Linux 5.15.151", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209) //", " CVE-2024-26782", " - mptcp: fix double-free on socket dismantle", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209) // Fix", " bluetooth connections with 3.0 device (LP: #2063067)", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142)", " - net/sched: Retire CBQ qdisc", " - [Config] updateconfigs for NET_SCH_CBQ", " - net/sched: Retire ATM qdisc", " - [Config] updateconfigs for NET_SCH_ATM", " - net/sched: Retire dsmark qdisc", " - [Config] updateconfigs for NET_SCH_DSMARK", " - smb: client: fix potential OOBs in smb2_parse_contexts()", " - smb: client: fix parsing of SMB3.1.1 POSIX create context", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()", " - bpf: Merge printk and seq_printf VARARG max macros", " - bpf: Add struct for bin_args arg in bpf_bprintf_prepare", " - bpf: Do cleanup in bpf_bprintf_cleanup only when needed", " - bpf: Remove trace_printk_lock", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - zonefs: Improve error handling", " - x86/fpu: Stop relying on userspace for info to fault in xsave buffer", " - sched/rt: Fix sysctl_sched_rr_timeslice intial value", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " - scsi: target: core: Add TMF to tmr_list handling", " - dmaengine: shdma: increase size of 'dev_id'", " - dmaengine: fsl-qdma: increase size of 'irq_name'", " - wifi: cfg80211: fix missing interfaces when dumping", " - 
wifi: mac80211: fix race condition on enabling fast-xmit", " - fbdev: savage: Error out if pixclock equals zero", " - fbdev: sis: Error out if pixclock equals zero", " - spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected", " - ahci: asm1166: correct count of reported ports", " - ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers", " - MIPS: reserve exception vector space ONLY ONCE", " - platform/x86: touchscreen_dmi: Add info for the TECLAST X16 Plus tablet", " - ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap", " corrupt", " - ext4: avoid allocating blocks from corrupted group in", " ext4_mb_try_best_found()", " - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()", " - dmaengine: ti: edma: Add some null pointer checks to the edma_probe", " - regulator: pwm-regulator: Add validity checks in continuous .get_voltage", " - nvmet-tcp: fix nvme tcp ida memory leak", " - ALSA: usb-audio: Check presence of valid altsetting control", " - ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616", " - spi: sh-msiof: avoid integer overflow in constants", " - Input: xpad - add Lenovo Legion Go controllers", " - netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in", " sctp_new", " - ALSA: usb-audio: Ignore clock selector errors for single connection", " - nvme-fc: do not wait in vain when unloading module", " - nvmet-fcloop: swap the list_add_tail arguments", " - nvmet-fc: release reference on target port", " - nvmet-fc: defer cleanup using RCU properly", " - nvmet-fc: hold reference on hostport match", " - nvmet-fc: abort command when there is no binding", " - nvmet-fc: avoid deadlock on delete association path", " - nvmet-fc: take ref count on tgtport before delete assoc", " - ext4: correct the hole length returned by ext4_map_blocks()", " - Input: i8042 - add Fujitsu Lifebook U728 to i8042 quirk table", " - fs/ntfs3: Modified fix directory element type detection", " - 
fs/ntfs3: Improve ntfs_dir_count", " - fs/ntfs3: Correct hard links updating when dealing with DOS names", " - fs/ntfs3: Print warning while fixing hard links count", " - fs/ntfs3: Fix detected field-spanning write (size 8) of single field", " \"le->name\"", " - fs/ntfs3: Add NULL ptr dereference checking at the end of", " attr_allocate_frame()", " - fs/ntfs3: Disable ATTR_LIST_ENTRY size check", " - fs/ntfs3: use non-movable memory for ntfs3 MFT buffer cache", " - fs/ntfs3: Prevent generic message \"attempt to access beyond end of device\"", " - fs/ntfs3: Correct function is_rst_area_valid", " - fs/ntfs3: Update inode->i_size after success write into compressed file", " - fs/ntfs3: Fix oob in ntfs_listxattr", " - wifi: mac80211: adding missing drv_mgd_complete_tx() call", " - efi: runtime: Fix potential overflow of soft-reserved region size", " - efi: Don't add memblocks for soft-reserved memory", " - hwmon: (coretemp) Enlarge per package core count limit", " - scsi: lpfc: Use unsigned type for num_sge", " - firewire: core: send bus reset promptly on gap count error", " - drm/amdgpu: skip to program GFXDEC registers for suspend abort", " - drm/amdgpu: reset gpu for s3 suspend abort case", " - virtio-blk: Ensure no requests in virtqueues before deleting vqs.", " - pmdomain: mediatek: fix race conditions with genpd", " - ksmbd: free aux buffer if ksmbd_iov_pin_rsp_read fails", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - erofs: fix lz4 inplace decompression", " - IB/hfi1: Fix sdma.h tx->num_descs off-by-one error", " - drm/ttm: Fix an invalid freeing on already freed page in error path", " - dm-crypt: don't modify the data when using authenticated encryption", " - platform/x86: intel-vbtn: Stop calling \"VBDL\" from notify_handler", " - platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names", " - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler", " - KVM: arm64: vgic-its: Test for valid IRQ in 
its_sync_lpi_pending_table()", " - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()", " - PCI/MSI: Prevent MSI hardware interrupt number truncation", " - l2tp: pass correct message length to ip6_append_data", " - ARM: ep93xx: Add terminator to gpiod_lookup_table", " - Revert \"x86/ftrace: Use alternative RET encoding\"", " - x86/text-patching: Make text_gen_insn() play nice with ANNOTATE_NOENDBR", " - x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch()", " - x86/ftrace: Use alternative RET encoding", " - x86/returnthunk: Allow different return thunks", " - Revert \"x86/alternative: Make custom return thunk unconditional\"", " - x86/alternative: Make custom return thunk unconditional", " - serial: amba-pl011: Fix DMA transmission in RS485 mode", " - usb: dwc3: gadget: Don't disconnect if not started", " - usb: cdnsp: blocked some cdns3 specific code", " - usb: cdnsp: fixed issue with incorrect detecting CDNSP family controllers", " - usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()", " - usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs", " - usb: roles: fix NULL pointer issue when put module's reference", " - usb: roles: don't get/set_role() when usb_role_switch is unregistered", " - mptcp: fix lockless access in subflow ULP diag", " - clk: imx: imx8mp: add shared clk gate for usb suspend clk", " - clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents", " - clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents", " - mtd: rawnand: sunxi: Fix the size of the last OOB region", " - RISC-V: fix funct4 definition for c.jalr in parse_asm.h", " - Input: iqs269a - drop unused device node references", " - Input: iqs269a - configure device with a single block write", " - Input: iqs269a - increase interrupt handler return delay", " - clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() failed", " - Input: ads7846 - don't report pressure for ads7845", " - clk: renesas: cpg-mssr: Remove 
superfluous check in resume code", " - clk: imx: avoid memory leak", " - Input: ads7846 - always set last command to PWRDOWN", " - Input: ads7846 - don't check penirq immediately for 7845", " - powerpc/powernv/ioda: Skip unallocated resources when mapping to PE", " - clk: qcom: gpucc-sc7180: fix clk_dis_wait being programmed for CX GDSC", " - clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX GDSC", " - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()", " - powerpc/pseries/lparcfg: add missing RTAS retry status handling", " - powerpc/perf/hv-24x7: add missing RTAS retry status handling", " - powerpc/pseries/lpar: add missing RTAS retry status handling", " - MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set", " - MIPS: vpe-mt: drop physical_memsize", " - vdpa/mlx5: Don't clear mr struct on destroy MR", " - ARM: dts: BCM53573: Drop nonexistent #usb-cells", " - RDMA/siw: Balance the reference of cep->kref in the error path", " - RDMA/siw: Correct wrong debug message", " - clk: linux/clk-provider.h: fix kernel-doc warnings and typos", " - platform/x86: asus-wmi: Document the dgpu_disable sysfs attribute", " - acpi: property: Let args be NULL in __acpi_node_get_property_reference", " - ARM: dts: BCM53573: Drop nonexistent \"default-off\" LED trigger", " - tools headers UAPI: Sync linux/fscrypt.h with the kernel sources", " - perf beauty: Update copy of linux/socket.h with the kernel sources", " - tools/virtio: fix build", " - drm/amdgpu: init iommu after amdkfd device init", " - f2fs: don't set GC_FAILURE_PIN for background GC", " - f2fs: write checkpoint during FG_GC", " - drm/i915/dg1: Update DMC_DEBUG3 register", " - kernel/sched: Remove dl_boosted flag comment", " - cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl()", " - serial: 8250: Remove serial_rs485 sanitization from em485", " - clk: imx8mp: Add DISP2 pixel clock", " - clk: imx8mp: add clkout1/2 support", " - dt-bindings: clocks: imx8mp: Add ID for usb suspend clock", " - 
net: ethernet: ti: add missing of_node_put before return", " - powerpc/rtas: make all exports GPL", " - powerpc/rtas: ensure 4KB alignment for rtas_data_buf", " - powerpc/eeh: Small refactor of eeh_handle_normal_event()", " - powerpc/eeh: Set channel state after notifying the drivers", " - PM: core: Redefine pm_ptr() macro", " - PM: core: Add new *_PM_OPS macros, deprecate old ones", " - mmc: jz4740: Use the new PM macros", " - mmc: mxc: Use the new PM macros", " - PM: core: Remove static qualifier in DEFINE_SIMPLE_DEV_PM_OPS macro", " - Input: iqs269a - switch to DEFINE_SIMPLE_DEV_PM_OPS() and pm_sleep_ptr()", " - Input: iqs269a - do not poll during suspend or resume", " - Input: iqs269a - do not poll during ATI", " - net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs", " - netfilter: nf_tables: add rescheduling points during loop detection walks", " - debugobjects: Recheck debug_objects_enabled before reporting", " - nbd: Add the maximum limit of allocated index in nbd_dev_add", " - md: fix data corruption for raid456 when reshape restart while grow up", " - md/raid10: prevent soft lockup while flush writes", " - posix-timers: Ensure timer ID search-loop limit is valid", " - btrfs: add xxhash to fast checksum implementations", " - ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A", " - ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3", " - ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e (3371", " AMD version)", " - arm64: set __exception_irq_entry with __irq_entry as a default", " - arm64: mm: fix VA-range sanity check", " - sched/fair: Don't balance task to its current running CPU", " - wifi: ath11k: fix registration of 6Ghz-only phy without the full channel", " range", " - bpf: Address KCSAN report on bpf_lru_list", " - devlink: report devlink_port_type_warn source device", " - wifi: wext-core: Fix -Wstringop-overflow warning in", " ioctl_standard_iw_point()", " - wifi: iwlwifi: mvm: avoid baid size 
integer overflow", " - exfat: support dynamic allocate bh for exfat_entry_set_cache", " - arm64: dts: rockchip: fix regulator name on rk3399-rock-4", " - arm64: dts: rockchip: add ES8316 codec for ROCK Pi 4", " - arm64: dts: rockchip: add SPDIF node for ROCK Pi 4", " - ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch", " - ACPI: video: Add backlight=native DMI quirk for Apple iMac12,1 and iMac12,2", " - ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA", " - ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks", " - ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA", " - ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA", " - xhci: cleanup xhci_hub_control port references", " - xhci: move port specific items such as state completions to port structure", " - xhci: rename resume_done to resume_timestamp", " - xhci: clear usb2 resume related variables in one place.", " - xhci: decouple usb2 port resume and get_port_status request handling", " - xhci: track port suspend state correctly in unsuccessful resume cases", " - cifs: add a warning when the in-flight count goes negative", " - IB/hfi1: Fix a memleak in init_credit_return", " - RDMA/bnxt_re: Return error for SRQ resize", " - RDMA/irdma: Fix KASAN issue with tasklet", " - RDMA/irdma: Validate max_send_wr and max_recv_wr", " - RDMA/irdma: Set the CQ read threshold for GEN 1", " - RDMA/irdma: Add AE for too many RNRS", " - RDMA/srpt: Support specifying the srpt_service_guid parameter", " - RDMA/qedr: Fix qedr_create_user_qp error flow", " - arm64: dts: rockchip: set num-cs property for spi on px30", " - RDMA/srpt: fix function pointer cast warnings", " - bpf, scripts: Correct GPL license name", " - scsi: jazz_esp: Only build if SCSI core is builtin", " - nouveau: fix function cast warnings", " - net: stmmac: Fix incorrect dereference in interrupt handlers", " - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid", " - ipv6: properly combine dev_base_seq and 
ipv6.dev_addr_genid", " - ata: libahci_platform: Convert to using devm bulk clocks API", " - ata: libahci_platform: Introduce reset assertion/deassertion methods", " - ata: ahci_ceva: fix error handling for Xilinx GT PHY support", " - bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel", " - drm/nouveau/instmem: fix uninitialized_var.cocci warning", " - octeontx2-af: Consider the action set by PF", " - s390: use the correct count for __iowrite64_copy()", " - netfilter: nf_tables: set dormant flag on hook register failure", " - netfilter: flowtable: simplify route logic", " - netfilter: nft_flow_offload: reset dst in route object after setting up flow", " - netfilter: nft_flow_offload: release dst in case direct xmit path is used", " - drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set", " - drm/amd/display: Fix memory leak in dm_sw_fini()", " - i2c: imx: Add timer for handling the stop condition", " - i2c: imx: when being a target, mark the last read as processed", " - fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio", " - netfilter: nf_tables: fix scheduling-while-atomic splat", " - ext4: regenerate buddy after block freeing failed if under fc replay", " - ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()", " - netfilter: nf_tables: can't schedule in nft_chain_validate", " - r8169: use new PM macros", " - Linux 5.15.150", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26733", " - packet: move from strlcpy with unused retval to strscpy", " - net: dev: Convert sa_data to flexible array in struct sockaddr", " - arp: Prevent overflow in arp_req_get().", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26735", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26736", " - afs: Increase buffer size in 
afs_update_volume_status()", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26748", " - usb: cdns3: fix memory double free when handle zero packet", "", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "", " * CVE-2024-26584", " - net: tls: handle backlogging of crypto requests", "", " * CVE-2024-26585", " - tls: fix race between tx work scheduling and socket close", "", " * CVE-2024-26583", " - tls: rx: jump to a more appropriate label", " - tls: rx: drop pointless else after goto", " - tls: stop recv() if initial process_rx_list gave us non-DATA", " - tls: rx: don't store the record type in socket context", " - tls: rx: don't store the decryption status in socket context", " - tls: rx: don't issue wake ups when data is decrypted", " - tls: rx: refactor decrypt_skb_update()", " - tls: hw: rx: use return value of tls_device_decrypted() to carry status", " - tls: rx: drop unnecessary arguments from tls_setup_from_iter()", " - tls: rx: don't report text length from the bowels of decrypt", " - tls: rx: wrap decryption arguments in a structure", " - tls: rx: factor out writing ContentType to cmsg", " - tls: rx: don't track the async count", " - tls: rx: move counting TlsDecryptErrors for sync", " - tls: rx: assume crypto always calls our callback", " - tls: rx: use async as an in-out argument", " - tls: decrement decrypt_pending if no async completion will be called", " - net: tls: fix async vs NIC crypto offload", " - Revert \"tls: rx: move counting TlsDecryptErrors for sync\"", " - tls: rx: simplify async wait", " - tls: rx: return the already-copied data on crypto error", " - tls: rx: allow only one reader at a time", " - tls: rx: release the sock lock on locking timeout", " - tls: extract context alloc/initialization out of tls_set_sw_offload", " - net: tls: factor out tls_*crypt_async_wait()", " - tls: fix race between async notify and socket close", "", " * CVE-2024-26622", " - 
tomoyo: fix UAF write bug in tomoyo_write_control()", "" ], "package": "linux", "version": "5.15.0-111.121", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2063763, 2063096, 2061986, 2040948, 2063290, 2063276, 2060422, 2058477, 2060209, 2060209, 2060209, 2063067, 2060142, 2060142, 2060142, 2060142, 2060142 ], "author": "Roxana Nicolescu ", "date": "Fri, 26 Apr 2024 13:29:50 +0200" } ], "notes": "linux-headers-5.15.0-112 version '5.15.0-112.122' (source package linux version '5.15.0-112.122') was added. linux-headers-5.15.0-112 version '5.15.0-112.122' has the same source package name, linux, as removed package linux-headers-5.15.0-107. As such we can use the source package version of the removed package, '5.15.0-107.117', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
}, { "name": "linux-headers-5.15.0-112-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-107.117", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-112.122", "version": "5.15.0-112.122" }, "cves": [ { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could be some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free the same anonymous device number again, which in the meantime may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52447", "url": "https://ubuntu.com/security/CVE-2023-52447", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. 
Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.", "cve_priority": "high", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 
0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 
0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an out-of-bounds write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up a neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes overflow into the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. 
[0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 
<48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. 
[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); The driver appends an additional zero-length packet request when queueing a packet whose length mod max packet size is 0. When the transfer completes and execution reaches line 831, usb_gadget_giveback_request() frees this request. The condition at line 836 is then true, so cdns3_gadget_ep_free_request() frees the same request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add a check at line 829 to skip the usb_gadget_giveback_request() call if the request is the additional zero-length packet request. There is no need to call usb_gadget_giveback_request() for it because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. 
For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). 
This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. 
Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2065898, 2063763, 2063096, 2061986, 2040948, 2063290, 2063276, 2060422, 2058477, 2060209, 2060209, 2060209, 2063067, 2060142, 2060142, 2060142, 2060142, 2060142 ], "changes": [ { "cves": [ { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-112.122 -proposed tracker (LP: #2065898)", "", " * CVE-2024-21823", " - dmanegine: idxd: reformat opcap output to match bitmap_parse() input", " - dmaengine: idxd: add WQ operation cap restriction support", " - dmaengine: idxd: add knob for enqcmds retries", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux", "version": "5.15.0-112.122", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2065898 ], "author": "Roxana Nicolescu ", "date": "Thu, 23 May 2024 09:20:33 +0200" }, { "cves": [ { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. 
WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) 
RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52447", "url": "https://ubuntu.com/security/CVE-2023-52447", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. 
However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.", "cve_priority": "high", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. 
However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 
__x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). 
[0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 
0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. 
So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. 
For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). 
This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. 
Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-111.121 -proposed tracker (LP: #2063763)", "", " * RTL8852BE fw security fail then lost WIFI function during suspend/resume", " cycle (LP: #2063096)", " - wifi: rtw89: download firmware with five times retry", "", " * Mount CIFS fails with Permission denied (LP: #2061986)", " - cifs: fix ntlmssp auth when there is no key exchange", "", " * USB stick can't be detected (LP: #2040948)", " - usb: Disable USB3 LPM at shutdown", "", " * Jammy update: v5.15.153 upstream stable release (LP: #2063290)", " - io_uring/unix: drop usage of io_uring socket", " - io_uring: drop any code related to SCM_RIGHTS", " - selftests: tls: use exact comparison in recv_partial", " - ASoC: rt5645: Make LattePanda board DMI match more precise", " - x86/xen: Add some null pointer checking to smp.c", " - MIPS: Clear Cause.BD in instruction_pointer_set", " - HID: multitouch: Add required quirk for Synaptics 0xcddc device", " - gen_compile_commands: fix invalid escape sequence warning", " - RDMA/mlx5: Fix fortify source warning while accessing Eth segment", " - RDMA/mlx5: Relax DEVX access upon modify commands", " - riscv: dts: sifive: add missing #interrupt-cells to pmic", " - x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h", " - x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()", " - net/iucv: fix the allocation size of iucv_path_table array", " - parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check", " - block: sed-opal: handle empty atoms when parsing response", " - dm-verity, dm-crypt: align \"struct bvec_iter\" correctly", " - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready", " - ALSA: hda/realtek - ALC285 reduce pop noise from Headphone port", " - drm/amdgpu: Enable gpu reset for S3 abort cases on Raven series", " - Bluetooth: rfcomm: 
Fix null-ptr-deref in rfcomm_check_security", " - firewire: core: use long bus reset on gap count error", " - ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet", " - Input: gpio_keys_polled - suppress deferred probe error for gpio", " - ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC", " - ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode", " - ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll", " - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak", " - s390/dasd: put block allocation in separate function", " - s390/dasd: add query PPRC function", " - s390/dasd: add copy pair setup", " - s390/dasd: add autoquiesce feature", " - s390/dasd: Use dev_*() for device log messages", " - s390/dasd: fix double module refcount decrement", " - fs/select: rework stack allocation hack for clang", " - md: Don't clear MD_CLOSING when the raid is about to stop", " - lib/cmdline: Fix an invalid format specifier in an assertion msg", " - time: test: Fix incorrect format specifier", " - rtc: test: Fix invalid format specifier.", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", " - timekeeping: Fix cross-timestamp interpolation on counter wrap", " - timekeeping: Fix cross-timestamp interpolation corner case decision", " - timekeeping: Fix cross-timestamp interpolation for non-x86", " - sched/fair: Take the scheduling domain into account in select_idle_core()", " - wifi: ath10k: fix NULL pointer dereference in", " ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()", " - wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled", " - wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled", " - wifi: b43: Stop correct queue in DMA worker when QoS is disabled", " - wifi: b43: Disable QoS for bcm4331", " - wifi: wilc1000: fix declarations ordering", " - wifi: wilc1000: fix RCU usage in connect path", " - wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work", " - wifi: 
wilc1000: fix multi-vif management when deleting a vif", " - wifi: mwifiex: debugfs: Drop unnecessary error check for", " debugfs_create_dir()", " - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value", " - cpufreq: Explicitly include correct DT includes", " - cpufreq: mediatek-hw: Wait for CPU supplies before probing", " - sock_diag: annotate data-races around sock_diag_handlers[family]", " - inet_diag: annotate data-races around inet_diag_table[]", " - bpftool: Silence build warning about calloc()", " - af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().", " - cpufreq: mediatek-hw: Don't error out if supply is not found", " - arm64: dts: imx8mm-kontron: Disable pullups for I2C signals on SL/BL i.MX8MM", " - arm64: dts: imx8mm-kontron: Disable pullups for onboard UART signals on BL", " board", " - arm64: dts: imx8mm-kontron: Add support for ultra high speed modes on SD", " card", " - arm64: dts: imx8mm-kontron: Use the VSELECT signal to switch SD card IO", " voltage", " - arm64: dts: imx8mm-kontron: Disable pull resistors for SD card signals on BL", " board", " - wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete", " - wifi: iwlwifi: mvm: report beacon protection failures", " - wifi: iwlwifi: dbg-tlv: ensure NUL termination", " - wifi: iwlwifi: fix EWRD table validity check", " - arm64: dts: imx8mm-venice-gw71xx: fix USB OTG VBUS", " - pwm: atmel-hlcdc: Convert to platform remove callback returning void", " - pwm: atmel-hlcdc: Use consistent variable naming", " - pwm: atmel-hlcdc: Fix clock imbalance related to suspend support", " - net: blackhole_dev: fix build warning for ethh set but not used", " - wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()", " - pwm: sti: Implement .apply() callback", " - pwm: sti: Fix capture for st,pwm-num-chan < st,capture-num-chan", " - wifi: iwlwifi: mvm: don't set replay counters to 0xff", " - s390/vdso: drop '-fPIC' from LDFLAGS", " - ipv6: mcast: remove 
one synchronize_net() barrier in ipv6_mc_down()", " - arm64: dts: mt8183: kukui: Add Type C node", " - arm64: dts: mt8183: kukui: Split out keyboard node and describe detachables", " - arm64: dts: mt8183: Move CrosEC base detection node to kukui-based DTs", " - arm64: dts: mediatek: mt7622: add missing \"device_type\" to memory nodes", " - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly", " - wireless: Remove redundant 'flush_workqueue()' calls", " - wifi: wilc1000: prevent use-after-free on vif when cleaning up all", " interfaces", " - ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()", " - bus: tegra-aconnect: Update dependency to ARCH_TEGRA", " - [Config]: update CONFIG_TEGRA_ACONNECT", " - iommu/amd: Mark interrupt as managed", " - wifi: brcmsmac: avoid function pointer casts", " - net: ena: Remove ena_select_queue", " - ARM: dts: arm: realview: Fix development chip ROM compatible value", " - arm64: dts: renesas: r8a779a0: Update to R-Car Gen4 compatible values", " - arm64: dts: renesas: r8a779a0: Correct avb[01] reg sizes", " - ARM: dts: imx6dl-yapp4: Move phy reset into switch node", " - ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address", " - ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node", " - arm64: dts: marvell: reorder crypto interrupts on Armada SoCs", " - ACPI: resource: Add Infinity laptops to irq1_edge_low_force_override", " - ACPI: resource: Do IRQ override on Lunnen Ground laptops", " - ACPI: resource: Add MAIBENBEN X577 to irq1_edge_low_force_override", " - ACPI: scan: Fix device check notification handling", " - x86, relocs: Ignore relocations in .notes section", " - SUNRPC: fix some memleaks in gssx_dec_option_array", " - mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove", " function", " - wifi: rtw88: 8821c: Fix false alarm count", " - PCI: Make pci_dev_is_disconnected() helper public for other drivers", " - iommu/vt-d: Don't issue ATS 
Invalidation request when device is disconnected", " - igb: move PEROUT and EXTTS isr logic to separate functions", " - igb: Fix missing time sync events", " - Bluetooth: Remove superfluous call to hci_conn_check_pending()", " - Bluetooth: hci_qca: Add support for QTI Bluetooth chip wcn6855", " - Bluetooth: hci_qca: don't use IS_ERR_OR_NULL() with gpiod_get_optional()", " - Bluetooth: hci_core: Fix possible buffer overflow", " - sr9800: Add check for usbnet_get_endpoints", " - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches", " - bpf: Fix hashtab overflow check on 32-bit arches", " - bpf: Fix stackmap overflow check on 32-bit arches", " - ipv6: fib6_rules: flush route cache when rule is changed", " - net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()", " - net: phy: fix phy_get_internal_delay accessing an empty array", " - net: hns3: fix kernel crash when 1588 is received on HIP08 devices", " - net: hns3: fix port duplex configure error in IMP reset", " - net: phy: DP83822: enable rgmii mode if phy_interface_is_rgmii", " - net: phy: dp83822: Fix RGMII TX delay configuration", " - OPP: debugfs: Fix warning around icc_get_name()", " - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function", " - net: Change sock_getsockopt() to take the sk ptr instead of the sock ptr", " - bpf: net: Change sk_getsockopt() to take the sockptr_t argument", " - bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument", " - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt()", " function", " - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt()", " function", " - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function", " - net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function", " - net/x25: fix incorrect parameter validation in the x25_getsockopt() function", " - nfp: flower: handle acti_netdevs allocation failure", " - dm raid: fix false positive for 
requeue needed during reshape", " - dm: call the resume method on internal suspend", " - drm/tegra: dsi: Add missing check for of_find_device_by_node", " - drm/tegra: dpaux: Populate AUX bus", " - drm/tegra: dpaux: Fix PM disable depth imbalance in tegra_dpaux_probe", " - drm/tegra: dsi: Make use of the helper function dev_err_probe()", " - drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()", " - drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path", " of tegra_dsi_probe()", " - drm/tegra: dc: rgb: Allow changing PLLD rate on Tegra30+", " - drm/tegra: rgb: Fix some error handling paths in tegra_dc_rgb_probe()", " - drm/tegra: rgb: Fix missing clk_put() in the error handling paths of", " tegra_dc_rgb_probe()", " - drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths", " of tegra_output_probe()", " - drm/rockchip: inno_hdmi: Fix video timing", " - drm: Don't treat 0 as -1 in drm_fixp2int_ceil", " - drm/ttm: add ttm_resource_fini v2", " - drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node", " - drm/rockchip: lvds: do not overwrite error code", " - drm/rockchip: lvds: do not print scary message when probing defer", " - drm/lima: fix a memleak in lima_heap_alloc", " - dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA", " - [Config]: update CONFIG_TEGRA210_ADMA", " - media: tc358743: register v4l2 async device only after successful setup", " - PCI/DPC: Print all TLP Prefixes, not just the first", " - perf record: Fix possible incorrect free in record__switch_output()", " - HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd", " - drm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'", " - drm/amd/display: Fix potential NULL pointer dereferences in", " 'dcn10_set_output_transfer_func()'", " - perf evsel: Fix duplicate initialization of data->id in", " evsel__parse_sample()", " - clk: meson: Add missing clocks to axg_clk_regmaps", " - media: em28xx: annotate unchecked 
call to media_device_register()", " - media: v4l2-tpg: fix some memleaks in tpg_alloc", " - media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity", " - media: edia: dvbdev: fix a use-after-free", " - pinctrl: mediatek: Drop bogus slew rate register range for MT8192", " - clk: qcom: reset: Commonize the de/assert functions", " - clk: qcom: reset: Ensure write completion on reset de/assertion", " - quota: simplify drop_dquot_ref()", " - quota: Fix potential NULL pointer dereference", " - quota: Fix rcu annotations of inode dquot pointers", " - PCI/P2PDMA: Fix a sleeping issue in a RCU read section", " - PCI: switchtec: Fix an error handling path in switchtec_pci_probe()", " - crypto: xilinx - call finalize with bh disabled", " - perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()", " - drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()", " - ALSA: seq: fix function cast warnings", " - perf stat: Avoid metric-only segv", " - ASoC: meson: Use dev_err_probe() helper", " - ASoC: meson: aiu: fix function pointer type mismatch", " - ASoC: meson: t9015: fix function pointer type mismatch", " - powerpc: Force inlining of arch_vmap_p{u/m}d_supported()", " - PCI: endpoint: Support NTB transfer between RC and EP", " - [Config]: update CONFIG_PCI_EPF_VNTB", " - NTB: EPF: fix possible memory leak in pci_vntb_probe()", " - NTB: fix possible name leak in ntb_register_device()", " - media: sun8i-di: Fix coefficient writes", " - media: sun8i-di: Fix power on/off sequences", " - media: sun8i-di: Fix chroma difference threshold", " - media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak", " - media: go7007: add check of return value of go7007_read_addr()", " - media: pvrusb2: remove redundant NULL check", " - media: pvrusb2: fix pvr2_stream_callback casts", " - clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times", " - drm/mediatek: dsi: Fix DSI RGB666 formats and definitions", " - PCI: Mark 3ware-9650SE Root Port Extended 
Tags as broken", " - clk: hisilicon: hi3519: Release the correct number of gates in", " hi3519_clk_unregister()", " - clk: hisilicon: hi3559a: Fix an erroneous devm_kfree()", " - drm/tegra: put drm_gem_object ref on error in tegra_fb_create", " - mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref", " - mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a", " ref", " - crypto: arm/sha - fix function cast warnings", " - drm/tidss: Fix initial plane zpos values", " - mtd: maps: physmap-core: fix flash size larger than 32-bit", " - mtd: rawnand: lpc32xx_mlc: fix irq handler prototype", " - ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs", " - ASoC: meson: axg-tdm-interface: add frame rate constraint", " - HID: amd_sfh: Update HPD sensor structure elements", " - drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()", " - media: pvrusb2: fix uaf in pvr2_context_set_notify", " - media: dvb-frontends: avoid stack overflow warnings with clang", " - media: go7007: fix a memleak in go7007_load_encoder", " - media: ttpci: fix two memleaks in budget_av_attach", " - media: mediatek: vcodec: avoid -Wcast-function-type-strict warning", " - drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip", " - powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks", " - drm/msm/dpu: add division of drm_display_mode's hskew parameter", " - module: Add support for default value for module async_probe", " - modules: wait do_free_init correctly", " - powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.", " - leds: aw2013: Unlock mutex before destroying it", " - leds: sgm3140: Add missing timer cleanup and flash gpio control", " - backlight: lm3630a: Initialize backlight_properties on init", " - backlight: lm3630a: Don't set bl->props.brightness in get_brightness", " - backlight: da9052: Fully initialize backlight_properties during probe", " - backlight: lm3639: 
Fully initialize backlight_properties during probe", " - backlight: lp8788: Fully initialize backlight_properties during probe", " - sparc32: Fix section mismatch in leon_pci_grpci", " - clk: Fix clk_core_get NULL dereference", " - clk: zynq: Prevent null pointer dereference caused by kmalloc failure", " - ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops", " - ALSA: usb-audio: Stop parsing channels bits when all channels are found.", " - RDMA/srpt: Do not register event handler until srpt device is fully setup", " - f2fs: multidevice: support direct IO", " - f2fs: invalidate META_MAPPING before IPU/DIO write", " - f2fs: replace congestion_wait() calls with io_schedule_timeout()", " - f2fs: fix to invalidate META_MAPPING before DIO write", " - f2fs: invalidate meta pages only for post_read required inode", " - f2fs: reduce stack memory cost by using bitfield in struct f2fs_io_info", " - f2fs: compress: fix to cover normal cluster write with cp_rwsem", " - f2fs: compress: fix to check unreleased compressed cluster", " - scsi: csiostor: Avoid function pointer casts", " - RDMA/device: Fix a race between mad_client and cm_client init", " - RDMA/rtrs-clt: Check strnlen return len in sysfs mpath_policy_store()", " - scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn", " - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()", " - NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102", " - NFSv4.2: fix listxattr maximum XDR buffer size", " - watchdog: stm32_iwdg: initialize default timeout", " - NFS: Fix an off by one in root_nfs_cat()", " - f2fs: compress: fix reserve_cblocks counting error when out of space", " - afs: Revert \"afs: Hide silly-rename files from userspace\"", " - comedi: comedi_test: Prevent timers rescheduling during deletion", " - remoteproc: stm32: use correct format strings on 64-bit", " - remoteproc: stm32: Fix incorrect type in assignment for va", " - remoteproc: stm32: Fix incorrect type assignment returned by", " 
stm32_rproc_get_loaded_rsc_tablef", " - tty: vt: fix 20 vs 0x20 typo in EScsiignore", " - serial: max310x: fix syntax error in IRQ error message", " - tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT", " - arm64: dts: broadcom: bcmbca: bcm4908: drop invalid switch cells", " - kconfig: fix infinite loop when expanding a macro at the end of file", " - rtc: mt6397: select IRQ_DOMAIN instead of depending on it", " - serial: 8250_exar: Don't remove GPIO device on suspend", " - staging: greybus: fix get_channel_from_mode() failure path", " - usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin", " - io_uring: don't save/restore iowait state", " - nouveau: reset the bo resource bus info after an eviction", " - octeontx2-af: Use matching wake_up API variant in CGX command interface", " - s390/vtime: fix average steal time calculation", " - soc: fsl: dpio: fix kcalloc() argument order", " - hsr: Fix uninit-value access in hsr_get_node()", " - net: mtk_eth_soc: move MAC_MCR setting to mac_finish()", " - net: mediatek: mtk_eth_soc: clear MAC_MCR_FORCE_LINK only when MAC is up", " - net: ethernet: mtk_eth_soc: fix PPE hanging issue", " - packet: annotate data-races around ignore_outgoing", " - net: veth: do not manipulate GRO when using XDP", " - net: dsa: mt7530: prevent possible incorrect XTAL frequency selection", " - vdpa/mlx5: Allow CVQ size changes", " - wireguard: receive: annotate data-race around receiving_counter.counter", " - rds: introduce acquire/release ordering in acquire/release_in_xmit()", " - hsr: Handle failures in module init", " - net: phy: fix phy_read_poll_timeout argument type in genphy_loopback", " - net/bnx2x: Prevent access to a freed page in page_pool", " - octeontx2-af: Use separate handlers for interrupts", " - netfilter: nf_tables: do not compare internal table flags on updates", " - rcu: add a helper to report consolidated flavor QS", " - net: report RCU QS on threaded NAPI repolling", " - bpf: report RCU QS in cpumap 
kthread", " - net: dsa: mt7530: fix handling of LLDP frames", " - net: dsa: mt7530: fix handling of 802.1X PAE frames", " - net: dsa: mt7530: fix link-local frames that ingress vlan filtering ports", " - net: dsa: mt7530: fix handling of all link-local frames", " - spi: spi-mt65xx: Fix NULL pointer access in interrupt handler", " - regmap: Add missing map->bus check", " - remoteproc: stm32: fix incorrect optional pointers", "", " * Jammy update: v5.15.152 upstream stable release (LP: #2063276)", " - mmc: mmci: stm32: use a buffer for unaligned DMA requests", " - mmc: mmci: stm32: fix DMA API overlapping mappings warning", " - net: lan78xx: fix runtime PM count underflow on link stop", " - ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able", " - i40e: disable NAPI right after disabling irqs when handling xsk_pool", " - tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string", " - geneve: make sure to pull inner header in geneve_rx()", " - net: sparx5: Fix use after free inside sparx5_del_mact_entry", " - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", " - net/ipv6: avoid possible UAF in ip6_route_mpath_notify()", " - cpumap: Zero-initialise xdp_rxq_info struct before running XDP program", " - net/rds: fix WARNING in rds_conn_connect_if_down", " - netfilter: nft_ct: fix l3num expectations with inet pseudo family", " - netfilter: nf_conntrack_h323: Add protection for bmp length out of range", " - erofs: apply proper VMA alignment for memory mapped files on THP", " - netrom: Fix a data-race around sysctl_netrom_default_path_quality", " - netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser", " - netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser", " - netrom: Fix a data-race around sysctl_netrom_transport_timeout", " - netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries", " - netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay", " - netrom: Fix 
a data-race around sysctl_netrom_transport_busy_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size", " - netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout", " - netrom: Fix a data-race around sysctl_netrom_routing_control", " - netrom: Fix a data-race around sysctl_netrom_link_fails_count", " - netrom: Fix data-races around sysctl_net_busy_read", " - ALSA: usb-audio: Refcount multiple accesses on the single clock", " - ALSA: usb-audio: Clear fixed clock rate at closing EP", " - ALSA: usb-audio: Split endpoint setups for hw_params and prepare (take#2)", " - ALSA: usb-audio: Properly refcounting clock rate", " - ALSA: usb-audio: Apply mutex around snd_usb_endpoint_set_params()", " - ALSA: usb-audio: Correct the return code from snd_usb_endpoint_set_params()", " - ALSA: usb-audio: Avoid superfluous endpoint setup", " - ALSA: usb-audio: Add quirk for Tascam Model 12", " - ALSA: usb-audio: Add new quirk FIXED_RATE for JBL Quantum810 Wireless", " - ALSA: usb-audio: Fix microphone sound on Nexigo webcam.", " - ALSA: usb-audio: add quirk for RODE NT-USB+", " - drm/amd/display: Fix uninitialized variable usage in core_link_ 'read_dpcd()", " & write_dpcd()' functions", " - nfp: flower: add goto_chain_index for ct entry", " - nfp: flower: add hardware offload check for post ct entry", " - selftests/mm: switch to bash from sh", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - xhci: process isoc TD properly when there was a transaction error mid TD.", " - xhci: handle isoc Babble and Buffer Overrun events properly", " - serial: max310x: use regmap methods for SPI batch operations", " - serial: max310x: use a separate regmap for each port", " - serial: max310x: prevent infinite while() loop in port startup", " - drm/amd/pm: do not expose the API used internally only in kv_dpm.c", " - drm/amdgpu: Reset IH OVERFLOW_CLEAR bit", " - selftests: mptcp: decrease BW in simult flows", " - hv_netvsc: 
use netif_is_bond_master() instead of open code", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - drm/amd/display: Re-arrange FPU code structure for dcn2x", " - drm/amd/display: move calcs folder into DML", " - drm/amd/display: remove DML Makefile duplicate lines", " - drm/amd/display: Increase frame-larger-than for all display_mode_vba files", " - getrusage: add the \"signal_struct *sig\" local variable", " - getrusage: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - getrusage: use __for_each_thread()", " - getrusage: use sig->stats_lock rather than lock_task_sighand()", " - proc: Use task_is_running() for wchan in /proc/$pid/stat", " - fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - ALSA: usb-audio: Fix wrong kfree issue in snd_usb_endpoint_free_all", " - ALSA: usb-audio: Always initialize fixed_rate in", " snd_usb_find_implicit_fb_sync_format()", " - ALSA: usb-audio: Add FIXED_RATE quirk for JBL Quantum610 Wireless", " - ALSA: usb-audio: Sort quirk table entries", " - regmap: allow to define reg_update_bits for no bus configuration", " - regmap: Add bulk read/write callbacks into regmap_config", " - serial: max310x: make accessing revision id interface-agnostic", " - serial: max310x: fix IO data corruption in batched operations", " - Linux 5.15.152", "", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", "", " * CVE-2024-26792", " - btrfs: fix double free of anonymous device after snapshot creation failure", "", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", "", " * CVE-2023-52447", " - bpf: Defer the free of inner map when necessary", " - rcu-tasks: Provide rcu_trace_implies_rcu_gp()", "", " * Avoid creating non-working backlight sysfs knob from ASUS board", " (LP: #2060422)", " - platform/x86: asus-wmi: Consider device is absent when the read is ~0", "", " * [Ubuntu 
22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. (LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209)", " - netfilter: nf_tables: disallow timeout for anonymous sets", " - mtd: spinand: gigadevice: Fix the get ecc status issue", " - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter", " - net: ip_tunnel: prevent perpetual headroom growth", " - tun: Fix xdp_rxq_info's queue_index when detaching", " - cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call", " back", " - net: veth: clear GRO when clearing XDP even when down", " - ipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()", " - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is", " detected", " - net: enable memcg accounting for veth queues", " - veth: try harder when allocating queue memory", " - net: usb: dm9601: fix wrong return value in dm9601_mdio_read", " - uapi: in6: replace temporary label with rfc9486", " - stmmac: Clear variable when destroying workqueue", " - Bluetooth: Avoid potential use-after-free in hci_error_reset", " - Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR", " - netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()", " - netfilter: nfnetlink_queue: silence bogus compiler warning", " - netfilter: core: move ip_ct_attach indirection to struct nf_ct_hook", " - netfilter: make function op structures const", " - netfilter: let reset rules clean out conntrack entries", " - netfilter: bridge: confirm multicast packets before passing them up the", " stack", " - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back", " - igb: extend PTP timestamp adjustments to i211", " - efi/capsule-loader: fix incorrect 
allocation size", " - power: supply: bq27xxx-i2c: Do not free non existing IRQ", " - ALSA: Drop leftover snd-rtctimer stuff from Makefile", " - fbcon: always restore the old font data in fbcon_do_set_font()", " - afs: Fix endless loop in directory parsing", " - riscv: Sparse-Memory/vmemmap out-of-bounds fix", " - ALSA: firewire-lib: fix to check cycle continuity", " - gtp: fix use-after-free and null-ptr-deref in gtp_newlink()", " - wifi: nl80211: reject iftype change with mesh ID change", " - btrfs: dev-replace: properly validate device names", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " - dmaengine: ptdma: use consistent DMA masks", " - dmaengine: fsl-qdma: init irq after reg initialization", " - mmc: core: Fix eMMC initialization with 1-bit bus connection", " - mmc: sdhci-xenon: add timeout for PHY init complete", " - mmc: sdhci-xenon: fix PHY init clock stability", " - pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation", " - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers", " - mptcp: move __mptcp_error_report in protocol.c", " - mptcp: process pending subflow error on close", " - mptcp: rename timer related helper to less confusing names", " - selftests: mptcp: add missing kconfig for NF Filter", " - selftests: mptcp: add missing kconfig for NF Filter in v6", " - mptcp: clean up harmless false expressions", " - mptcp: add needs_id for netlink appending addr", " - mptcp: push at DSS boundaries", " - mptcp: fix possible deadlock in subflow diag", " - cachefiles: fix memory leak in cachefiles_add_cache()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - Revert \"drm/bridge: lt8912b: Register and attach our DSI device at probe\"", " - af_unix: Drop oob_skb ref before purging queue in GC.", " - gpio: 74x164: Enable output pins after registers are reset", " - gpiolib: Fix the error path order in gpiochip_add_data_with_key()", " - gpio: fix resource unwinding order in error path", " - 
Revert \"interconnect: Fix locking for runpm vs reclaim\"", " - Revert \"interconnect: Teach lockdep about icc_bw_lock order\"", " - bpf: Add BPF_FIB_LOOKUP_SKIP_NEIGH for bpf_fib_lookup", " - bpf: Add table ID to bpf_fib_lookup BPF helper", " - bpf: Derive source IP addr via bpf_*_fib_lookup()", " - Linux 5.15.151", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209) //", " CVE-2024-26782", " - mptcp: fix double-free on socket dismantle", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209) // Fix", " bluetooth connections with 3.0 device (LP: #2063067)", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142)", " - net/sched: Retire CBQ qdisc", " - [Config] updateconfigs for NET_SCH_CBQ", " - net/sched: Retire ATM qdisc", " - [Config] updateconfigs for NET_SCH_ATM", " - net/sched: Retire dsmark qdisc", " - [Config] updateconfigs for NET_SCH_DSMARK", " - smb: client: fix potential OOBs in smb2_parse_contexts()", " - smb: client: fix parsing of SMB3.1.1 POSIX create context", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()", " - bpf: Merge printk and seq_printf VARARG max macros", " - bpf: Add struct for bin_args arg in bpf_bprintf_prepare", " - bpf: Do cleanup in bpf_bprintf_cleanup only when needed", " - bpf: Remove trace_printk_lock", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - zonefs: Improve error handling", " - x86/fpu: Stop relying on userspace for info to fault in xsave buffer", " - sched/rt: Fix sysctl_sched_rr_timeslice intial value", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " - scsi: target: core: Add TMF to tmr_list handling", " - dmaengine: shdma: increase size of 'dev_id'", " - dmaengine: fsl-qdma: increase size of 'irq_name'", " - wifi: cfg80211: fix missing interfaces when dumping", " - 
wifi: mac80211: fix race condition on enabling fast-xmit", " - fbdev: savage: Error out if pixclock equals zero", " - fbdev: sis: Error out if pixclock equals zero", " - spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected", " - ahci: asm1166: correct count of reported ports", " - ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers", " - MIPS: reserve exception vector space ONLY ONCE", " - platform/x86: touchscreen_dmi: Add info for the TECLAST X16 Plus tablet", " - ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap", " corrupt", " - ext4: avoid allocating blocks from corrupted group in", " ext4_mb_try_best_found()", " - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()", " - dmaengine: ti: edma: Add some null pointer checks to the edma_probe", " - regulator: pwm-regulator: Add validity checks in continuous .get_voltage", " - nvmet-tcp: fix nvme tcp ida memory leak", " - ALSA: usb-audio: Check presence of valid altsetting control", " - ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616", " - spi: sh-msiof: avoid integer overflow in constants", " - Input: xpad - add Lenovo Legion Go controllers", " - netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in", " sctp_new", " - ALSA: usb-audio: Ignore clock selector errors for single connection", " - nvme-fc: do not wait in vain when unloading module", " - nvmet-fcloop: swap the list_add_tail arguments", " - nvmet-fc: release reference on target port", " - nvmet-fc: defer cleanup using RCU properly", " - nvmet-fc: hold reference on hostport match", " - nvmet-fc: abort command when there is no binding", " - nvmet-fc: avoid deadlock on delete association path", " - nvmet-fc: take ref count on tgtport before delete assoc", " - ext4: correct the hole length returned by ext4_map_blocks()", " - Input: i8042 - add Fujitsu Lifebook U728 to i8042 quirk table", " - fs/ntfs3: Modified fix directory element type detection", " - 
fs/ntfs3: Improve ntfs_dir_count", " - fs/ntfs3: Correct hard links updating when dealing with DOS names", " - fs/ntfs3: Print warning while fixing hard links count", " - fs/ntfs3: Fix detected field-spanning write (size 8) of single field", " \"le->name\"", " - fs/ntfs3: Add NULL ptr dereference checking at the end of", " attr_allocate_frame()", " - fs/ntfs3: Disable ATTR_LIST_ENTRY size check", " - fs/ntfs3: use non-movable memory for ntfs3 MFT buffer cache", " - fs/ntfs3: Prevent generic message \"attempt to access beyond end of device\"", " - fs/ntfs3: Correct function is_rst_area_valid", " - fs/ntfs3: Update inode->i_size after success write into compressed file", " - fs/ntfs3: Fix oob in ntfs_listxattr", " - wifi: mac80211: adding missing drv_mgd_complete_tx() call", " - efi: runtime: Fix potential overflow of soft-reserved region size", " - efi: Don't add memblocks for soft-reserved memory", " - hwmon: (coretemp) Enlarge per package core count limit", " - scsi: lpfc: Use unsigned type for num_sge", " - firewire: core: send bus reset promptly on gap count error", " - drm/amdgpu: skip to program GFXDEC registers for suspend abort", " - drm/amdgpu: reset gpu for s3 suspend abort case", " - virtio-blk: Ensure no requests in virtqueues before deleting vqs.", " - pmdomain: mediatek: fix race conditions with genpd", " - ksmbd: free aux buffer if ksmbd_iov_pin_rsp_read fails", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - erofs: fix lz4 inplace decompression", " - IB/hfi1: Fix sdma.h tx->num_descs off-by-one error", " - drm/ttm: Fix an invalid freeing on already freed page in error path", " - dm-crypt: don't modify the data when using authenticated encryption", " - platform/x86: intel-vbtn: Stop calling \"VBDL\" from notify_handler", " - platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names", " - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler", " - KVM: arm64: vgic-its: Test for valid IRQ in 
its_sync_lpi_pending_table()", " - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()", " - PCI/MSI: Prevent MSI hardware interrupt number truncation", " - l2tp: pass correct message length to ip6_append_data", " - ARM: ep93xx: Add terminator to gpiod_lookup_table", " - Revert \"x86/ftrace: Use alternative RET encoding\"", " - x86/text-patching: Make text_gen_insn() play nice with ANNOTATE_NOENDBR", " - x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch()", " - x86/ftrace: Use alternative RET encoding", " - x86/returnthunk: Allow different return thunks", " - Revert \"x86/alternative: Make custom return thunk unconditional\"", " - x86/alternative: Make custom return thunk unconditional", " - serial: amba-pl011: Fix DMA transmission in RS485 mode", " - usb: dwc3: gadget: Don't disconnect if not started", " - usb: cdnsp: blocked some cdns3 specific code", " - usb: cdnsp: fixed issue with incorrect detecting CDNSP family controllers", " - usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()", " - usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs", " - usb: roles: fix NULL pointer issue when put module's reference", " - usb: roles: don't get/set_role() when usb_role_switch is unregistered", " - mptcp: fix lockless access in subflow ULP diag", " - clk: imx: imx8mp: add shared clk gate for usb suspend clk", " - clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents", " - clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents", " - mtd: rawnand: sunxi: Fix the size of the last OOB region", " - RISC-V: fix funct4 definition for c.jalr in parse_asm.h", " - Input: iqs269a - drop unused device node references", " - Input: iqs269a - configure device with a single block write", " - Input: iqs269a - increase interrupt handler return delay", " - clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() failed", " - Input: ads7846 - don't report pressure for ads7845", " - clk: renesas: cpg-mssr: Remove 
superfluous check in resume code", " - clk: imx: avoid memory leak", " - Input: ads7846 - always set last command to PWRDOWN", " - Input: ads7846 - don't check penirq immediately for 7845", " - powerpc/powernv/ioda: Skip unallocated resources when mapping to PE", " - clk: qcom: gpucc-sc7180: fix clk_dis_wait being programmed for CX GDSC", " - clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX GDSC", " - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()", " - powerpc/pseries/lparcfg: add missing RTAS retry status handling", " - powerpc/perf/hv-24x7: add missing RTAS retry status handling", " - powerpc/pseries/lpar: add missing RTAS retry status handling", " - MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set", " - MIPS: vpe-mt: drop physical_memsize", " - vdpa/mlx5: Don't clear mr struct on destroy MR", " - ARM: dts: BCM53573: Drop nonexistent #usb-cells", " - RDMA/siw: Balance the reference of cep->kref in the error path", " - RDMA/siw: Correct wrong debug message", " - clk: linux/clk-provider.h: fix kernel-doc warnings and typos", " - platform/x86: asus-wmi: Document the dgpu_disable sysfs attribute", " - acpi: property: Let args be NULL in __acpi_node_get_property_reference", " - ARM: dts: BCM53573: Drop nonexistent \"default-off\" LED trigger", " - tools headers UAPI: Sync linux/fscrypt.h with the kernel sources", " - perf beauty: Update copy of linux/socket.h with the kernel sources", " - tools/virtio: fix build", " - drm/amdgpu: init iommu after amdkfd device init", " - f2fs: don't set GC_FAILURE_PIN for background GC", " - f2fs: write checkpoint during FG_GC", " - drm/i915/dg1: Update DMC_DEBUG3 register", " - kernel/sched: Remove dl_boosted flag comment", " - cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl()", " - serial: 8250: Remove serial_rs485 sanitization from em485", " - clk: imx8mp: Add DISP2 pixel clock", " - clk: imx8mp: add clkout1/2 support", " - dt-bindings: clocks: imx8mp: Add ID for usb suspend clock", " - 
net: ethernet: ti: add missing of_node_put before return", " - powerpc/rtas: make all exports GPL", " - powerpc/rtas: ensure 4KB alignment for rtas_data_buf", " - powerpc/eeh: Small refactor of eeh_handle_normal_event()", " - powerpc/eeh: Set channel state after notifying the drivers", " - PM: core: Redefine pm_ptr() macro", " - PM: core: Add new *_PM_OPS macros, deprecate old ones", " - mmc: jz4740: Use the new PM macros", " - mmc: mxc: Use the new PM macros", " - PM: core: Remove static qualifier in DEFINE_SIMPLE_DEV_PM_OPS macro", " - Input: iqs269a - switch to DEFINE_SIMPLE_DEV_PM_OPS() and pm_sleep_ptr()", " - Input: iqs269a - do not poll during suspend or resume", " - Input: iqs269a - do not poll during ATI", " - net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs", " - netfilter: nf_tables: add rescheduling points during loop detection walks", " - debugobjects: Recheck debug_objects_enabled before reporting", " - nbd: Add the maximum limit of allocated index in nbd_dev_add", " - md: fix data corruption for raid456 when reshape restart while grow up", " - md/raid10: prevent soft lockup while flush writes", " - posix-timers: Ensure timer ID search-loop limit is valid", " - btrfs: add xxhash to fast checksum implementations", " - ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A", " - ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3", " - ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e (3371", " AMD version)", " - arm64: set __exception_irq_entry with __irq_entry as a default", " - arm64: mm: fix VA-range sanity check", " - sched/fair: Don't balance task to its current running CPU", " - wifi: ath11k: fix registration of 6Ghz-only phy without the full channel", " range", " - bpf: Address KCSAN report on bpf_lru_list", " - devlink: report devlink_port_type_warn source device", " - wifi: wext-core: Fix -Wstringop-overflow warning in", " ioctl_standard_iw_point()", " - wifi: iwlwifi: mvm: avoid baid size 
integer overflow", " - exfat: support dynamic allocate bh for exfat_entry_set_cache", " - arm64: dts: rockchip: fix regulator name on rk3399-rock-4", " - arm64: dts: rockchip: add ES8316 codec for ROCK Pi 4", " - arm64: dts: rockchip: add SPDIF node for ROCK Pi 4", " - ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch", " - ACPI: video: Add backlight=native DMI quirk for Apple iMac12,1 and iMac12,2", " - ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA", " - ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks", " - ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA", " - ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA", " - xhci: cleanup xhci_hub_control port references", " - xhci: move port specific items such as state completions to port structure", " - xhci: rename resume_done to resume_timestamp", " - xhci: clear usb2 resume related variables in one place.", " - xhci: decouple usb2 port resume and get_port_status request handling", " - xhci: track port suspend state correctly in unsuccessful resume cases", " - cifs: add a warning when the in-flight count goes negative", " - IB/hfi1: Fix a memleak in init_credit_return", " - RDMA/bnxt_re: Return error for SRQ resize", " - RDMA/irdma: Fix KASAN issue with tasklet", " - RDMA/irdma: Validate max_send_wr and max_recv_wr", " - RDMA/irdma: Set the CQ read threshold for GEN 1", " - RDMA/irdma: Add AE for too many RNRS", " - RDMA/srpt: Support specifying the srpt_service_guid parameter", " - RDMA/qedr: Fix qedr_create_user_qp error flow", " - arm64: dts: rockchip: set num-cs property for spi on px30", " - RDMA/srpt: fix function pointer cast warnings", " - bpf, scripts: Correct GPL license name", " - scsi: jazz_esp: Only build if SCSI core is builtin", " - nouveau: fix function cast warnings", " - net: stmmac: Fix incorrect dereference in interrupt handlers", " - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid", " - ipv6: properly combine dev_base_seq and 
ipv6.dev_addr_genid", " - ata: libahci_platform: Convert to using devm bulk clocks API", " - ata: libahci_platform: Introduce reset assertion/deassertion methods", " - ata: ahci_ceva: fix error handling for Xilinx GT PHY support", " - bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel", " - drm/nouveau/instmem: fix uninitialized_var.cocci warning", " - octeontx2-af: Consider the action set by PF", " - s390: use the correct count for __iowrite64_copy()", " - netfilter: nf_tables: set dormant flag on hook register failure", " - netfilter: flowtable: simplify route logic", " - netfilter: nft_flow_offload: reset dst in route object after setting up flow", " - netfilter: nft_flow_offload: release dst in case direct xmit path is used", " - drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set", " - drm/amd/display: Fix memory leak in dm_sw_fini()", " - i2c: imx: Add timer for handling the stop condition", " - i2c: imx: when being a target, mark the last read as processed", " - fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio", " - netfilter: nf_tables: fix scheduling-while-atomic splat", " - ext4: regenerate buddy after block freeing failed if under fc replay", " - ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()", " - netfilter: nf_tables: can't schedule in nft_chain_validate", " - r8169: use new PM macros", " - Linux 5.15.150", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26733", " - packet: move from strlcpy with unused retval to strscpy", " - net: dev: Convert sa_data to flexible array in struct sockaddr", " - arp: Prevent overflow in arp_req_get().", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26735", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26736", " - afs: Increase buffer size in 
afs_update_volume_status()", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26748", " - usb: cdns3: fix memory double free when handle zero packet", "", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "", " * CVE-2024-26584", " - net: tls: handle backlogging of crypto requests", "", " * CVE-2024-26585", " - tls: fix race between tx work scheduling and socket close", "", " * CVE-2024-26583", " - tls: rx: jump to a more appropriate label", " - tls: rx: drop pointless else after goto", " - tls: stop recv() if initial process_rx_list gave us non-DATA", " - tls: rx: don't store the record type in socket context", " - tls: rx: don't store the decryption status in socket context", " - tls: rx: don't issue wake ups when data is decrypted", " - tls: rx: refactor decrypt_skb_update()", " - tls: hw: rx: use return value of tls_device_decrypted() to carry status", " - tls: rx: drop unnecessary arguments from tls_setup_from_iter()", " - tls: rx: don't report text length from the bowels of decrypt", " - tls: rx: wrap decryption arguments in a structure", " - tls: rx: factor out writing ContentType to cmsg", " - tls: rx: don't track the async count", " - tls: rx: move counting TlsDecryptErrors for sync", " - tls: rx: assume crypto always calls our callback", " - tls: rx: use async as an in-out argument", " - tls: decrement decrypt_pending if no async completion will be called", " - net: tls: fix async vs NIC crypto offload", " - Revert \"tls: rx: move counting TlsDecryptErrors for sync\"", " - tls: rx: simplify async wait", " - tls: rx: return the already-copied data on crypto error", " - tls: rx: allow only one reader at a time", " - tls: rx: release the sock lock on locking timeout", " - tls: extract context alloc/initialization out of tls_set_sw_offload", " - net: tls: factor out tls_*crypt_async_wait()", " - tls: fix race between async notify and socket close", "", " * CVE-2024-26622", " - 
tomoyo: fix UAF write bug in tomoyo_write_control()", "" ], "package": "linux", "version": "5.15.0-111.121", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2063763, 2063096, 2061986, 2040948, 2063290, 2063276, 2060422, 2058477, 2060209, 2060209, 2060209, 2063067, 2060142, 2060142, 2060142, 2060142, 2060142 ], "author": "Roxana Nicolescu ", "date": "Fri, 26 Apr 2024 13:29:50 +0200" } ], "notes": "linux-headers-5.15.0-112-generic version '5.15.0-112.122' (source package linux version '5.15.0-112.122') was added. linux-headers-5.15.0-112-generic version '5.15.0-112.122' has the same source package name, linux, as removed package linux-headers-5.15.0-107. As such we can use the source package version of the removed package, '5.15.0-107.117', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
}, { "name": "linux-image-5.15.0-112-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-107.117", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-112.122", "version": "5.15.0-112.122" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-112.122", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-112.122", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Thu, 23 May 2024 09:21:20 +0200" }, { "cves": [], "log": [ "", " * Main version: 5.15.0-111.121", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-111.121", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Fri, 26 Apr 2024 13:30:57 +0200" } ], "notes": "linux-image-5.15.0-112-generic version '5.15.0-112.122' (source package linux-signed version '5.15.0-112.122') was added. linux-image-5.15.0-112-generic version '5.15.0-112.122' has the same source package name, linux-signed, as removed package linux-image-5.15.0-107-generic. As such we can use the source package version of the removed package, '5.15.0-107.117', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
}, { "name": "linux-modules-5.15.0-112-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-107.117", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-112.122", "version": "5.15.0-112.122" }, "cves": [ { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52447", "url": "https://ubuntu.com/security/CVE-2023-52447", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. 
Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.", "cve_priority": "high", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 
0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 
0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. 
[0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 
<48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. 
[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); The driver appends an additional zero-length packet request when queuing a packet whose length mod max packet size is 0. When the transfer completes and execution reaches line 831, usb_gadget_giveback_request() frees this request. The condition at line 836 is then true, so cdns3_gadget_ep_free_request() frees this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add a check at line 829 to skip the call to usb_gadget_giveback_request() if it is the additional zero-length packet request. There is no need to call usb_gadget_giveback_request() because that request is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. 
For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). 
This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. 
Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2065898, 2063763, 2063096, 2061986, 2040948, 2063290, 2063276, 2060422, 2058477, 2060209, 2060209, 2060209, 2063067, 2060142, 2060142, 2060142, 2060142, 2060142 ], "changes": [ { "cves": [ { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-112.122 -proposed tracker (LP: #2065898)", "", " * CVE-2024-21823", " - dmanegine: idxd: reformat opcap output to match bitmap_parse() input", " - dmaengine: idxd: add WQ operation cap restriction support", " - dmaengine: idxd: add knob for enqcmds retries", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux", "version": "5.15.0-112.122", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2065898 ], "author": "Roxana Nicolescu ", "date": "Thu, 23 May 2024 09:20:33 +0200" }, { "cves": [ { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. 
WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) 
RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2023-52530", "url": "https://ubuntu.com/security/CVE-2023-52530", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().", "cve_priority": "medium", "cve_public_date": "2024-03-02 22:15:00 UTC" }, { "cve": "CVE-2023-52447", "url": "https://ubuntu.com/security/CVE-2023-52447", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. 
However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.", "cve_priority": "high", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. 
However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 
__x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). 
[0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 
0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. 
So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2023-47233", "url": "https://ubuntu.com/security/CVE-2023-47233", "cve_description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. 
For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "cve_priority": "low", "cve_public_date": "2023-11-03 21:15:00 UTC" }, { "cve": "CVE-2024-26584", "url": "https://ubuntu.com/security/CVE-2024-26584", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26585", "url": "https://ubuntu.com/security/CVE-2024-26585", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). 
This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26583", "url": "https://ubuntu.com/security/CVE-2024-26583", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.", "cve_priority": "high", "cve_public_date": "2024-02-21 15:15:00 UTC" }, { "cve": "CVE-2024-26622", "url": "https://ubuntu.com/security/CVE-2024-26622", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. 
Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.", "cve_priority": "medium", "cve_public_date": "2024-03-04 07:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-111.121 -proposed tracker (LP: #2063763)", "", " * RTL8852BE fw security fail then lost WIFI function during suspend/resume", " cycle (LP: #2063096)", " - wifi: rtw89: download firmware with five times retry", "", " * Mount CIFS fails with Permission denied (LP: #2061986)", " - cifs: fix ntlmssp auth when there is no key exchange", "", " * USB stick can't be detected (LP: #2040948)", " - usb: Disable USB3 LPM at shutdown", "", " * Jammy update: v5.15.153 upstream stable release (LP: #2063290)", " - io_uring/unix: drop usage of io_uring socket", " - io_uring: drop any code related to SCM_RIGHTS", " - selftests: tls: use exact comparison in recv_partial", " - ASoC: rt5645: Make LattePanda board DMI match more precise", " - x86/xen: Add some null pointer checking to smp.c", " - MIPS: Clear Cause.BD in instruction_pointer_set", " - HID: multitouch: Add required quirk for Synaptics 0xcddc device", " - gen_compile_commands: fix invalid escape sequence warning", " - RDMA/mlx5: Fix fortify source warning while accessing Eth segment", " - RDMA/mlx5: Relax DEVX access upon modify commands", " - riscv: dts: sifive: add missing #interrupt-cells to pmic", " - x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h", " - x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()", " - net/iucv: fix the allocation size of iucv_path_table array", " - parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check", " - block: sed-opal: handle empty atoms when parsing response", " - dm-verity, dm-crypt: align \"struct bvec_iter\" correctly", " - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready", " - ALSA: hda/realtek - ALC285 reduce pop noise from Headphone port", " - drm/amdgpu: Enable gpu reset for S3 abort cases on Raven series", " - Bluetooth: rfcomm: 
Fix null-ptr-deref in rfcomm_check_security", " - firewire: core: use long bus reset on gap count error", " - ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet", " - Input: gpio_keys_polled - suppress deferred probe error for gpio", " - ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC", " - ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode", " - ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll", " - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak", " - s390/dasd: put block allocation in separate function", " - s390/dasd: add query PPRC function", " - s390/dasd: add copy pair setup", " - s390/dasd: add autoquiesce feature", " - s390/dasd: Use dev_*() for device log messages", " - s390/dasd: fix double module refcount decrement", " - fs/select: rework stack allocation hack for clang", " - md: Don't clear MD_CLOSING when the raid is about to stop", " - lib/cmdline: Fix an invalid format specifier in an assertion msg", " - time: test: Fix incorrect format specifier", " - rtc: test: Fix invalid format specifier.", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", " - timekeeping: Fix cross-timestamp interpolation on counter wrap", " - timekeeping: Fix cross-timestamp interpolation corner case decision", " - timekeeping: Fix cross-timestamp interpolation for non-x86", " - sched/fair: Take the scheduling domain into account in select_idle_core()", " - wifi: ath10k: fix NULL pointer dereference in", " ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()", " - wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled", " - wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled", " - wifi: b43: Stop correct queue in DMA worker when QoS is disabled", " - wifi: b43: Disable QoS for bcm4331", " - wifi: wilc1000: fix declarations ordering", " - wifi: wilc1000: fix RCU usage in connect path", " - wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work", " - wifi: 
wilc1000: fix multi-vif management when deleting a vif", " - wifi: mwifiex: debugfs: Drop unnecessary error check for", " debugfs_create_dir()", " - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value", " - cpufreq: Explicitly include correct DT includes", " - cpufreq: mediatek-hw: Wait for CPU supplies before probing", " - sock_diag: annotate data-races around sock_diag_handlers[family]", " - inet_diag: annotate data-races around inet_diag_table[]", " - bpftool: Silence build warning about calloc()", " - af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().", " - cpufreq: mediatek-hw: Don't error out if supply is not found", " - arm64: dts: imx8mm-kontron: Disable pullups for I2C signals on SL/BL i.MX8MM", " - arm64: dts: imx8mm-kontron: Disable pullups for onboard UART signals on BL", " board", " - arm64: dts: imx8mm-kontron: Add support for ultra high speed modes on SD", " card", " - arm64: dts: imx8mm-kontron: Use the VSELECT signal to switch SD card IO", " voltage", " - arm64: dts: imx8mm-kontron: Disable pull resistors for SD card signals on BL", " board", " - wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete", " - wifi: iwlwifi: mvm: report beacon protection failures", " - wifi: iwlwifi: dbg-tlv: ensure NUL termination", " - wifi: iwlwifi: fix EWRD table validity check", " - arm64: dts: imx8mm-venice-gw71xx: fix USB OTG VBUS", " - pwm: atmel-hlcdc: Convert to platform remove callback returning void", " - pwm: atmel-hlcdc: Use consistent variable naming", " - pwm: atmel-hlcdc: Fix clock imbalance related to suspend support", " - net: blackhole_dev: fix build warning for ethh set but not used", " - wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()", " - pwm: sti: Implement .apply() callback", " - pwm: sti: Fix capture for st,pwm-num-chan < st,capture-num-chan", " - wifi: iwlwifi: mvm: don't set replay counters to 0xff", " - s390/vdso: drop '-fPIC' from LDFLAGS", " - ipv6: mcast: remove 
one synchronize_net() barrier in ipv6_mc_down()", " - arm64: dts: mt8183: kukui: Add Type C node", " - arm64: dts: mt8183: kukui: Split out keyboard node and describe detachables", " - arm64: dts: mt8183: Move CrosEC base detection node to kukui-based DTs", " - arm64: dts: mediatek: mt7622: add missing \"device_type\" to memory nodes", " - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly", " - wireless: Remove redundant 'flush_workqueue()' calls", " - wifi: wilc1000: prevent use-after-free on vif when cleaning up all", " interfaces", " - ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()", " - bus: tegra-aconnect: Update dependency to ARCH_TEGRA", " - [Config]: update CONFIG_TEGRA_ACONNECT", " - iommu/amd: Mark interrupt as managed", " - wifi: brcmsmac: avoid function pointer casts", " - net: ena: Remove ena_select_queue", " - ARM: dts: arm: realview: Fix development chip ROM compatible value", " - arm64: dts: renesas: r8a779a0: Update to R-Car Gen4 compatible values", " - arm64: dts: renesas: r8a779a0: Correct avb[01] reg sizes", " - ARM: dts: imx6dl-yapp4: Move phy reset into switch node", " - ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address", " - ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node", " - arm64: dts: marvell: reorder crypto interrupts on Armada SoCs", " - ACPI: resource: Add Infinity laptops to irq1_edge_low_force_override", " - ACPI: resource: Do IRQ override on Lunnen Ground laptops", " - ACPI: resource: Add MAIBENBEN X577 to irq1_edge_low_force_override", " - ACPI: scan: Fix device check notification handling", " - x86, relocs: Ignore relocations in .notes section", " - SUNRPC: fix some memleaks in gssx_dec_option_array", " - mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove", " function", " - wifi: rtw88: 8821c: Fix false alarm count", " - PCI: Make pci_dev_is_disconnected() helper public for other drivers", " - iommu/vt-d: Don't issue ATS 
Invalidation request when device is disconnected", " - igb: move PEROUT and EXTTS isr logic to separate functions", " - igb: Fix missing time sync events", " - Bluetooth: Remove superfluous call to hci_conn_check_pending()", " - Bluetooth: hci_qca: Add support for QTI Bluetooth chip wcn6855", " - Bluetooth: hci_qca: don't use IS_ERR_OR_NULL() with gpiod_get_optional()", " - Bluetooth: hci_core: Fix possible buffer overflow", " - sr9800: Add check for usbnet_get_endpoints", " - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches", " - bpf: Fix hashtab overflow check on 32-bit arches", " - bpf: Fix stackmap overflow check on 32-bit arches", " - ipv6: fib6_rules: flush route cache when rule is changed", " - net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()", " - net: phy: fix phy_get_internal_delay accessing an empty array", " - net: hns3: fix kernel crash when 1588 is received on HIP08 devices", " - net: hns3: fix port duplex configure error in IMP reset", " - net: phy: DP83822: enable rgmii mode if phy_interface_is_rgmii", " - net: phy: dp83822: Fix RGMII TX delay configuration", " - OPP: debugfs: Fix warning around icc_get_name()", " - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function", " - net: Change sock_getsockopt() to take the sk ptr instead of the sock ptr", " - bpf: net: Change sk_getsockopt() to take the sockptr_t argument", " - bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument", " - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt()", " function", " - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt()", " function", " - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function", " - net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function", " - net/x25: fix incorrect parameter validation in the x25_getsockopt() function", " - nfp: flower: handle acti_netdevs allocation failure", " - dm raid: fix false positive for 
requeue needed during reshape", " - dm: call the resume method on internal suspend", " - drm/tegra: dsi: Add missing check for of_find_device_by_node", " - drm/tegra: dpaux: Populate AUX bus", " - drm/tegra: dpaux: Fix PM disable depth imbalance in tegra_dpaux_probe", " - drm/tegra: dsi: Make use of the helper function dev_err_probe()", " - drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()", " - drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path", " of tegra_dsi_probe()", " - drm/tegra: dc: rgb: Allow changing PLLD rate on Tegra30+", " - drm/tegra: rgb: Fix some error handling paths in tegra_dc_rgb_probe()", " - drm/tegra: rgb: Fix missing clk_put() in the error handling paths of", " tegra_dc_rgb_probe()", " - drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths", " of tegra_output_probe()", " - drm/rockchip: inno_hdmi: Fix video timing", " - drm: Don't treat 0 as -1 in drm_fixp2int_ceil", " - drm/ttm: add ttm_resource_fini v2", " - drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node", " - drm/rockchip: lvds: do not overwrite error code", " - drm/rockchip: lvds: do not print scary message when probing defer", " - drm/lima: fix a memleak in lima_heap_alloc", " - dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA", " - [Config]: update CONFIG_TEGRA210_ADMA", " - media: tc358743: register v4l2 async device only after successful setup", " - PCI/DPC: Print all TLP Prefixes, not just the first", " - perf record: Fix possible incorrect free in record__switch_output()", " - HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd", " - drm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'", " - drm/amd/display: Fix potential NULL pointer dereferences in", " 'dcn10_set_output_transfer_func()'", " - perf evsel: Fix duplicate initialization of data->id in", " evsel__parse_sample()", " - clk: meson: Add missing clocks to axg_clk_regmaps", " - media: em28xx: annotate unchecked 
call to media_device_register()", " - media: v4l2-tpg: fix some memleaks in tpg_alloc", " - media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity", " - media: edia: dvbdev: fix a use-after-free", " - pinctrl: mediatek: Drop bogus slew rate register range for MT8192", " - clk: qcom: reset: Commonize the de/assert functions", " - clk: qcom: reset: Ensure write completion on reset de/assertion", " - quota: simplify drop_dquot_ref()", " - quota: Fix potential NULL pointer dereference", " - quota: Fix rcu annotations of inode dquot pointers", " - PCI/P2PDMA: Fix a sleeping issue in a RCU read section", " - PCI: switchtec: Fix an error handling path in switchtec_pci_probe()", " - crypto: xilinx - call finalize with bh disabled", " - perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()", " - drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()", " - ALSA: seq: fix function cast warnings", " - perf stat: Avoid metric-only segv", " - ASoC: meson: Use dev_err_probe() helper", " - ASoC: meson: aiu: fix function pointer type mismatch", " - ASoC: meson: t9015: fix function pointer type mismatch", " - powerpc: Force inlining of arch_vmap_p{u/m}d_supported()", " - PCI: endpoint: Support NTB transfer between RC and EP", " - [Config]: update CONFIG_PCI_EPF_VNTB", " - NTB: EPF: fix possible memory leak in pci_vntb_probe()", " - NTB: fix possible name leak in ntb_register_device()", " - media: sun8i-di: Fix coefficient writes", " - media: sun8i-di: Fix power on/off sequences", " - media: sun8i-di: Fix chroma difference threshold", " - media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak", " - media: go7007: add check of return value of go7007_read_addr()", " - media: pvrusb2: remove redundant NULL check", " - media: pvrusb2: fix pvr2_stream_callback casts", " - clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times", " - drm/mediatek: dsi: Fix DSI RGB666 formats and definitions", " - PCI: Mark 3ware-9650SE Root Port Extended 
Tags as broken", " - clk: hisilicon: hi3519: Release the correct number of gates in", " hi3519_clk_unregister()", " - clk: hisilicon: hi3559a: Fix an erroneous devm_kfree()", " - drm/tegra: put drm_gem_object ref on error in tegra_fb_create", " - mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref", " - mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a", " ref", " - crypto: arm/sha - fix function cast warnings", " - drm/tidss: Fix initial plane zpos values", " - mtd: maps: physmap-core: fix flash size larger than 32-bit", " - mtd: rawnand: lpc32xx_mlc: fix irq handler prototype", " - ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs", " - ASoC: meson: axg-tdm-interface: add frame rate constraint", " - HID: amd_sfh: Update HPD sensor structure elements", " - drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()", " - media: pvrusb2: fix uaf in pvr2_context_set_notify", " - media: dvb-frontends: avoid stack overflow warnings with clang", " - media: go7007: fix a memleak in go7007_load_encoder", " - media: ttpci: fix two memleaks in budget_av_attach", " - media: mediatek: vcodec: avoid -Wcast-function-type-strict warning", " - drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip", " - powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks", " - drm/msm/dpu: add division of drm_display_mode's hskew parameter", " - module: Add support for default value for module async_probe", " - modules: wait do_free_init correctly", " - powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.", " - leds: aw2013: Unlock mutex before destroying it", " - leds: sgm3140: Add missing timer cleanup and flash gpio control", " - backlight: lm3630a: Initialize backlight_properties on init", " - backlight: lm3630a: Don't set bl->props.brightness in get_brightness", " - backlight: da9052: Fully initialize backlight_properties during probe", " - backlight: lm3639: 
Fully initialize backlight_properties during probe", " - backlight: lp8788: Fully initialize backlight_properties during probe", " - sparc32: Fix section mismatch in leon_pci_grpci", " - clk: Fix clk_core_get NULL dereference", " - clk: zynq: Prevent null pointer dereference caused by kmalloc failure", " - ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops", " - ALSA: usb-audio: Stop parsing channels bits when all channels are found.", " - RDMA/srpt: Do not register event handler until srpt device is fully setup", " - f2fs: multidevice: support direct IO", " - f2fs: invalidate META_MAPPING before IPU/DIO write", " - f2fs: replace congestion_wait() calls with io_schedule_timeout()", " - f2fs: fix to invalidate META_MAPPING before DIO write", " - f2fs: invalidate meta pages only for post_read required inode", " - f2fs: reduce stack memory cost by using bitfield in struct f2fs_io_info", " - f2fs: compress: fix to cover normal cluster write with cp_rwsem", " - f2fs: compress: fix to check unreleased compressed cluster", " - scsi: csiostor: Avoid function pointer casts", " - RDMA/device: Fix a race between mad_client and cm_client init", " - RDMA/rtrs-clt: Check strnlen return len in sysfs mpath_policy_store()", " - scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn", " - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()", " - NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102", " - NFSv4.2: fix listxattr maximum XDR buffer size", " - watchdog: stm32_iwdg: initialize default timeout", " - NFS: Fix an off by one in root_nfs_cat()", " - f2fs: compress: fix reserve_cblocks counting error when out of space", " - afs: Revert \"afs: Hide silly-rename files from userspace\"", " - comedi: comedi_test: Prevent timers rescheduling during deletion", " - remoteproc: stm32: use correct format strings on 64-bit", " - remoteproc: stm32: Fix incorrect type in assignment for va", " - remoteproc: stm32: Fix incorrect type assignment returned by", " 
stm32_rproc_get_loaded_rsc_tablef", " - tty: vt: fix 20 vs 0x20 typo in EScsiignore", " - serial: max310x: fix syntax error in IRQ error message", " - tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT", " - arm64: dts: broadcom: bcmbca: bcm4908: drop invalid switch cells", " - kconfig: fix infinite loop when expanding a macro at the end of file", " - rtc: mt6397: select IRQ_DOMAIN instead of depending on it", " - serial: 8250_exar: Don't remove GPIO device on suspend", " - staging: greybus: fix get_channel_from_mode() failure path", " - usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin", " - io_uring: don't save/restore iowait state", " - nouveau: reset the bo resource bus info after an eviction", " - octeontx2-af: Use matching wake_up API variant in CGX command interface", " - s390/vtime: fix average steal time calculation", " - soc: fsl: dpio: fix kcalloc() argument order", " - hsr: Fix uninit-value access in hsr_get_node()", " - net: mtk_eth_soc: move MAC_MCR setting to mac_finish()", " - net: mediatek: mtk_eth_soc: clear MAC_MCR_FORCE_LINK only when MAC is up", " - net: ethernet: mtk_eth_soc: fix PPE hanging issue", " - packet: annotate data-races around ignore_outgoing", " - net: veth: do not manipulate GRO when using XDP", " - net: dsa: mt7530: prevent possible incorrect XTAL frequency selection", " - vdpa/mlx5: Allow CVQ size changes", " - wireguard: receive: annotate data-race around receiving_counter.counter", " - rds: introduce acquire/release ordering in acquire/release_in_xmit()", " - hsr: Handle failures in module init", " - net: phy: fix phy_read_poll_timeout argument type in genphy_loopback", " - net/bnx2x: Prevent access to a freed page in page_pool", " - octeontx2-af: Use separate handlers for interrupts", " - netfilter: nf_tables: do not compare internal table flags on updates", " - rcu: add a helper to report consolidated flavor QS", " - net: report RCU QS on threaded NAPI repolling", " - bpf: report RCU QS in cpumap 
kthread", " - net: dsa: mt7530: fix handling of LLDP frames", " - net: dsa: mt7530: fix handling of 802.1X PAE frames", " - net: dsa: mt7530: fix link-local frames that ingress vlan filtering ports", " - net: dsa: mt7530: fix handling of all link-local frames", " - spi: spi-mt65xx: Fix NULL pointer access in interrupt handler", " - regmap: Add missing map->bus check", " - remoteproc: stm32: fix incorrect optional pointers", "", " * Jammy update: v5.15.152 upstream stable release (LP: #2063276)", " - mmc: mmci: stm32: use a buffer for unaligned DMA requests", " - mmc: mmci: stm32: fix DMA API overlapping mappings warning", " - net: lan78xx: fix runtime PM count underflow on link stop", " - ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able", " - i40e: disable NAPI right after disabling irqs when handling xsk_pool", " - tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string", " - geneve: make sure to pull inner header in geneve_rx()", " - net: sparx5: Fix use after free inside sparx5_del_mact_entry", " - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", " - net/ipv6: avoid possible UAF in ip6_route_mpath_notify()", " - cpumap: Zero-initialise xdp_rxq_info struct before running XDP program", " - net/rds: fix WARNING in rds_conn_connect_if_down", " - netfilter: nft_ct: fix l3num expectations with inet pseudo family", " - netfilter: nf_conntrack_h323: Add protection for bmp length out of range", " - erofs: apply proper VMA alignment for memory mapped files on THP", " - netrom: Fix a data-race around sysctl_netrom_default_path_quality", " - netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser", " - netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser", " - netrom: Fix a data-race around sysctl_netrom_transport_timeout", " - netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries", " - netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay", " - netrom: Fix 
a data-race around sysctl_netrom_transport_busy_delay", " - netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size", " - netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout", " - netrom: Fix a data-race around sysctl_netrom_routing_control", " - netrom: Fix a data-race around sysctl_netrom_link_fails_count", " - netrom: Fix data-races around sysctl_net_busy_read", " - ALSA: usb-audio: Refcount multiple accesses on the single clock", " - ALSA: usb-audio: Clear fixed clock rate at closing EP", " - ALSA: usb-audio: Split endpoint setups for hw_params and prepare (take#2)", " - ALSA: usb-audio: Properly refcounting clock rate", " - ALSA: usb-audio: Apply mutex around snd_usb_endpoint_set_params()", " - ALSA: usb-audio: Correct the return code from snd_usb_endpoint_set_params()", " - ALSA: usb-audio: Avoid superfluous endpoint setup", " - ALSA: usb-audio: Add quirk for Tascam Model 12", " - ALSA: usb-audio: Add new quirk FIXED_RATE for JBL Quantum810 Wireless", " - ALSA: usb-audio: Fix microphone sound on Nexigo webcam.", " - ALSA: usb-audio: add quirk for RODE NT-USB+", " - drm/amd/display: Fix uninitialized variable usage in core_link_ 'read_dpcd()", " & write_dpcd()' functions", " - nfp: flower: add goto_chain_index for ct entry", " - nfp: flower: add hardware offload check for post ct entry", " - selftests/mm: switch to bash from sh", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - xhci: process isoc TD properly when there was a transaction error mid TD.", " - xhci: handle isoc Babble and Buffer Overrun events properly", " - serial: max310x: use regmap methods for SPI batch operations", " - serial: max310x: use a separate regmap for each port", " - serial: max310x: prevent infinite while() loop in port startup", " - drm/amd/pm: do not expose the API used internally only in kv_dpm.c", " - drm/amdgpu: Reset IH OVERFLOW_CLEAR bit", " - selftests: mptcp: decrease BW in simult flows", " - hv_netvsc: 
use netif_is_bond_master() instead of open code", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - drm/amd/display: Re-arrange FPU code structure for dcn2x", " - drm/amd/display: move calcs folder into DML", " - drm/amd/display: remove DML Makefile duplicate lines", " - drm/amd/display: Increase frame-larger-than for all display_mode_vba files", " - getrusage: add the \"signal_struct *sig\" local variable", " - getrusage: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - getrusage: use __for_each_thread()", " - getrusage: use sig->stats_lock rather than lock_task_sighand()", " - proc: Use task_is_running() for wchan in /proc/$pid/stat", " - fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - ALSA: usb-audio: Fix wrong kfree issue in snd_usb_endpoint_free_all", " - ALSA: usb-audio: Always initialize fixed_rate in", " snd_usb_find_implicit_fb_sync_format()", " - ALSA: usb-audio: Add FIXED_RATE quirk for JBL Quantum610 Wireless", " - ALSA: usb-audio: Sort quirk table entries", " - regmap: allow to define reg_update_bits for no bus configuration", " - regmap: Add bulk read/write callbacks into regmap_config", " - serial: max310x: make accessing revision id interface-agnostic", " - serial: max310x: fix IO data corruption in batched operations", " - Linux 5.15.152", "", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", "", " * CVE-2024-26792", " - btrfs: fix double free of anonymous device after snapshot creation failure", "", " * CVE-2023-52530", " - wifi: mac80211: fix potential key use-after-free", "", " * CVE-2023-52447", " - bpf: Defer the free of inner map when necessary", " - rcu-tasks: Provide rcu_trace_implies_rcu_gp()", "", " * Avoid creating non-working backlight sysfs knob from ASUS board", " (LP: #2060422)", " - platform/x86: asus-wmi: Consider device is absent when the read is ~0", "", " * [Ubuntu 
22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. (LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209)", " - netfilter: nf_tables: disallow timeout for anonymous sets", " - mtd: spinand: gigadevice: Fix the get ecc status issue", " - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter", " - net: ip_tunnel: prevent perpetual headroom growth", " - tun: Fix xdp_rxq_info's queue_index when detaching", " - cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call", " back", " - net: veth: clear GRO when clearing XDP even when down", " - ipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()", " - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is", " detected", " - net: enable memcg accounting for veth queues", " - veth: try harder when allocating queue memory", " - net: usb: dm9601: fix wrong return value in dm9601_mdio_read", " - uapi: in6: replace temporary label with rfc9486", " - stmmac: Clear variable when destroying workqueue", " - Bluetooth: Avoid potential use-after-free in hci_error_reset", " - Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR", " - netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()", " - netfilter: nfnetlink_queue: silence bogus compiler warning", " - netfilter: core: move ip_ct_attach indirection to struct nf_ct_hook", " - netfilter: make function op structures const", " - netfilter: let reset rules clean out conntrack entries", " - netfilter: bridge: confirm multicast packets before passing them up the", " stack", " - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back", " - igb: extend PTP timestamp adjustments to i211", " - efi/capsule-loader: fix incorrect 
allocation size", " - power: supply: bq27xxx-i2c: Do not free non existing IRQ", " - ALSA: Drop leftover snd-rtctimer stuff from Makefile", " - fbcon: always restore the old font data in fbcon_do_set_font()", " - afs: Fix endless loop in directory parsing", " - riscv: Sparse-Memory/vmemmap out-of-bounds fix", " - ALSA: firewire-lib: fix to check cycle continuity", " - gtp: fix use-after-free and null-ptr-deref in gtp_newlink()", " - wifi: nl80211: reject iftype change with mesh ID change", " - btrfs: dev-replace: properly validate device names", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " - dmaengine: ptdma: use consistent DMA masks", " - dmaengine: fsl-qdma: init irq after reg initialization", " - mmc: core: Fix eMMC initialization with 1-bit bus connection", " - mmc: sdhci-xenon: add timeout for PHY init complete", " - mmc: sdhci-xenon: fix PHY init clock stability", " - pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation", " - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers", " - mptcp: move __mptcp_error_report in protocol.c", " - mptcp: process pending subflow error on close", " - mptcp: rename timer related helper to less confusing names", " - selftests: mptcp: add missing kconfig for NF Filter", " - selftests: mptcp: add missing kconfig for NF Filter in v6", " - mptcp: clean up harmless false expressions", " - mptcp: add needs_id for netlink appending addr", " - mptcp: push at DSS boundaries", " - mptcp: fix possible deadlock in subflow diag", " - cachefiles: fix memory leak in cachefiles_add_cache()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - Revert \"drm/bridge: lt8912b: Register and attach our DSI device at probe\"", " - af_unix: Drop oob_skb ref before purging queue in GC.", " - gpio: 74x164: Enable output pins after registers are reset", " - gpiolib: Fix the error path order in gpiochip_add_data_with_key()", " - gpio: fix resource unwinding order in error path", " - 
Revert \"interconnect: Fix locking for runpm vs reclaim\"", " - Revert \"interconnect: Teach lockdep about icc_bw_lock order\"", " - bpf: Add BPF_FIB_LOOKUP_SKIP_NEIGH for bpf_fib_lookup", " - bpf: Add table ID to bpf_fib_lookup BPF helper", " - bpf: Derive source IP addr via bpf_*_fib_lookup()", " - Linux 5.15.151", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209) //", " CVE-2024-26782", " - mptcp: fix double-free on socket dismantle", "", " * Jammy update: v5.15.151 upstream stable release (LP: #2060209) // Fix", " bluetooth connections with 3.0 device (LP: #2063067)", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142)", " - net/sched: Retire CBQ qdisc", " - [Config] updateconfigs for NET_SCH_CBQ", " - net/sched: Retire ATM qdisc", " - [Config] updateconfigs for NET_SCH_ATM", " - net/sched: Retire dsmark qdisc", " - [Config] updateconfigs for NET_SCH_DSMARK", " - smb: client: fix potential OOBs in smb2_parse_contexts()", " - smb: client: fix parsing of SMB3.1.1 POSIX create context", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()", " - bpf: Merge printk and seq_printf VARARG max macros", " - bpf: Add struct for bin_args arg in bpf_bprintf_prepare", " - bpf: Do cleanup in bpf_bprintf_cleanup only when needed", " - bpf: Remove trace_printk_lock", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - zonefs: Improve error handling", " - x86/fpu: Stop relying on userspace for info to fault in xsave buffer", " - sched/rt: Fix sysctl_sched_rr_timeslice intial value", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " - scsi: target: core: Add TMF to tmr_list handling", " - dmaengine: shdma: increase size of 'dev_id'", " - dmaengine: fsl-qdma: increase size of 'irq_name'", " - wifi: cfg80211: fix missing interfaces when dumping", " - 
wifi: mac80211: fix race condition on enabling fast-xmit", " - fbdev: savage: Error out if pixclock equals zero", " - fbdev: sis: Error out if pixclock equals zero", " - spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected", " - ahci: asm1166: correct count of reported ports", " - ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers", " - MIPS: reserve exception vector space ONLY ONCE", " - platform/x86: touchscreen_dmi: Add info for the TECLAST X16 Plus tablet", " - ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap", " corrupt", " - ext4: avoid allocating blocks from corrupted group in", " ext4_mb_try_best_found()", " - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()", " - dmaengine: ti: edma: Add some null pointer checks to the edma_probe", " - regulator: pwm-regulator: Add validity checks in continuous .get_voltage", " - nvmet-tcp: fix nvme tcp ida memory leak", " - ALSA: usb-audio: Check presence of valid altsetting control", " - ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616", " - spi: sh-msiof: avoid integer overflow in constants", " - Input: xpad - add Lenovo Legion Go controllers", " - netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in", " sctp_new", " - ALSA: usb-audio: Ignore clock selector errors for single connection", " - nvme-fc: do not wait in vain when unloading module", " - nvmet-fcloop: swap the list_add_tail arguments", " - nvmet-fc: release reference on target port", " - nvmet-fc: defer cleanup using RCU properly", " - nvmet-fc: hold reference on hostport match", " - nvmet-fc: abort command when there is no binding", " - nvmet-fc: avoid deadlock on delete association path", " - nvmet-fc: take ref count on tgtport before delete assoc", " - ext4: correct the hole length returned by ext4_map_blocks()", " - Input: i8042 - add Fujitsu Lifebook U728 to i8042 quirk table", " - fs/ntfs3: Modified fix directory element type detection", " - 
fs/ntfs3: Improve ntfs_dir_count", " - fs/ntfs3: Correct hard links updating when dealing with DOS names", " - fs/ntfs3: Print warning while fixing hard links count", " - fs/ntfs3: Fix detected field-spanning write (size 8) of single field", " \"le->name\"", " - fs/ntfs3: Add NULL ptr dereference checking at the end of", " attr_allocate_frame()", " - fs/ntfs3: Disable ATTR_LIST_ENTRY size check", " - fs/ntfs3: use non-movable memory for ntfs3 MFT buffer cache", " - fs/ntfs3: Prevent generic message \"attempt to access beyond end of device\"", " - fs/ntfs3: Correct function is_rst_area_valid", " - fs/ntfs3: Update inode->i_size after success write into compressed file", " - fs/ntfs3: Fix oob in ntfs_listxattr", " - wifi: mac80211: adding missing drv_mgd_complete_tx() call", " - efi: runtime: Fix potential overflow of soft-reserved region size", " - efi: Don't add memblocks for soft-reserved memory", " - hwmon: (coretemp) Enlarge per package core count limit", " - scsi: lpfc: Use unsigned type for num_sge", " - firewire: core: send bus reset promptly on gap count error", " - drm/amdgpu: skip to program GFXDEC registers for suspend abort", " - drm/amdgpu: reset gpu for s3 suspend abort case", " - virtio-blk: Ensure no requests in virtqueues before deleting vqs.", " - pmdomain: mediatek: fix race conditions with genpd", " - ksmbd: free aux buffer if ksmbd_iov_pin_rsp_read fails", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - erofs: fix lz4 inplace decompression", " - IB/hfi1: Fix sdma.h tx->num_descs off-by-one error", " - drm/ttm: Fix an invalid freeing on already freed page in error path", " - dm-crypt: don't modify the data when using authenticated encryption", " - platform/x86: intel-vbtn: Stop calling \"VBDL\" from notify_handler", " - platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names", " - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler", " - KVM: arm64: vgic-its: Test for valid IRQ in 
its_sync_lpi_pending_table()", " - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()", " - PCI/MSI: Prevent MSI hardware interrupt number truncation", " - l2tp: pass correct message length to ip6_append_data", " - ARM: ep93xx: Add terminator to gpiod_lookup_table", " - Revert \"x86/ftrace: Use alternative RET encoding\"", " - x86/text-patching: Make text_gen_insn() play nice with ANNOTATE_NOENDBR", " - x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch()", " - x86/ftrace: Use alternative RET encoding", " - x86/returnthunk: Allow different return thunks", " - Revert \"x86/alternative: Make custom return thunk unconditional\"", " - x86/alternative: Make custom return thunk unconditional", " - serial: amba-pl011: Fix DMA transmission in RS485 mode", " - usb: dwc3: gadget: Don't disconnect if not started", " - usb: cdnsp: blocked some cdns3 specific code", " - usb: cdnsp: fixed issue with incorrect detecting CDNSP family controllers", " - usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()", " - usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs", " - usb: roles: fix NULL pointer issue when put module's reference", " - usb: roles: don't get/set_role() when usb_role_switch is unregistered", " - mptcp: fix lockless access in subflow ULP diag", " - clk: imx: imx8mp: add shared clk gate for usb suspend clk", " - clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents", " - clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents", " - mtd: rawnand: sunxi: Fix the size of the last OOB region", " - RISC-V: fix funct4 definition for c.jalr in parse_asm.h", " - Input: iqs269a - drop unused device node references", " - Input: iqs269a - configure device with a single block write", " - Input: iqs269a - increase interrupt handler return delay", " - clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() failed", " - Input: ads7846 - don't report pressure for ads7845", " - clk: renesas: cpg-mssr: Remove 
superfluous check in resume code", " - clk: imx: avoid memory leak", " - Input: ads7846 - always set last command to PWRDOWN", " - Input: ads7846 - don't check penirq immediately for 7845", " - powerpc/powernv/ioda: Skip unallocated resources when mapping to PE", " - clk: qcom: gpucc-sc7180: fix clk_dis_wait being programmed for CX GDSC", " - clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX GDSC", " - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()", " - powerpc/pseries/lparcfg: add missing RTAS retry status handling", " - powerpc/perf/hv-24x7: add missing RTAS retry status handling", " - powerpc/pseries/lpar: add missing RTAS retry status handling", " - MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set", " - MIPS: vpe-mt: drop physical_memsize", " - vdpa/mlx5: Don't clear mr struct on destroy MR", " - ARM: dts: BCM53573: Drop nonexistent #usb-cells", " - RDMA/siw: Balance the reference of cep->kref in the error path", " - RDMA/siw: Correct wrong debug message", " - clk: linux/clk-provider.h: fix kernel-doc warnings and typos", " - platform/x86: asus-wmi: Document the dgpu_disable sysfs attribute", " - acpi: property: Let args be NULL in __acpi_node_get_property_reference", " - ARM: dts: BCM53573: Drop nonexistent \"default-off\" LED trigger", " - tools headers UAPI: Sync linux/fscrypt.h with the kernel sources", " - perf beauty: Update copy of linux/socket.h with the kernel sources", " - tools/virtio: fix build", " - drm/amdgpu: init iommu after amdkfd device init", " - f2fs: don't set GC_FAILURE_PIN for background GC", " - f2fs: write checkpoint during FG_GC", " - drm/i915/dg1: Update DMC_DEBUG3 register", " - kernel/sched: Remove dl_boosted flag comment", " - cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl()", " - serial: 8250: Remove serial_rs485 sanitization from em485", " - clk: imx8mp: Add DISP2 pixel clock", " - clk: imx8mp: add clkout1/2 support", " - dt-bindings: clocks: imx8mp: Add ID for usb suspend clock", " - 
net: ethernet: ti: add missing of_node_put before return", " - powerpc/rtas: make all exports GPL", " - powerpc/rtas: ensure 4KB alignment for rtas_data_buf", " - powerpc/eeh: Small refactor of eeh_handle_normal_event()", " - powerpc/eeh: Set channel state after notifying the drivers", " - PM: core: Redefine pm_ptr() macro", " - PM: core: Add new *_PM_OPS macros, deprecate old ones", " - mmc: jz4740: Use the new PM macros", " - mmc: mxc: Use the new PM macros", " - PM: core: Remove static qualifier in DEFINE_SIMPLE_DEV_PM_OPS macro", " - Input: iqs269a - switch to DEFINE_SIMPLE_DEV_PM_OPS() and pm_sleep_ptr()", " - Input: iqs269a - do not poll during suspend or resume", " - Input: iqs269a - do not poll during ATI", " - net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs", " - netfilter: nf_tables: add rescheduling points during loop detection walks", " - debugobjects: Recheck debug_objects_enabled before reporting", " - nbd: Add the maximum limit of allocated index in nbd_dev_add", " - md: fix data corruption for raid456 when reshape restart while grow up", " - md/raid10: prevent soft lockup while flush writes", " - posix-timers: Ensure timer ID search-loop limit is valid", " - btrfs: add xxhash to fast checksum implementations", " - ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A", " - ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3", " - ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e (3371", " AMD version)", " - arm64: set __exception_irq_entry with __irq_entry as a default", " - arm64: mm: fix VA-range sanity check", " - sched/fair: Don't balance task to its current running CPU", " - wifi: ath11k: fix registration of 6Ghz-only phy without the full channel", " range", " - bpf: Address KCSAN report on bpf_lru_list", " - devlink: report devlink_port_type_warn source device", " - wifi: wext-core: Fix -Wstringop-overflow warning in", " ioctl_standard_iw_point()", " - wifi: iwlwifi: mvm: avoid baid size 
integer overflow", " - exfat: support dynamic allocate bh for exfat_entry_set_cache", " - arm64: dts: rockchip: fix regulator name on rk3399-rock-4", " - arm64: dts: rockchip: add ES8316 codec for ROCK Pi 4", " - arm64: dts: rockchip: add SPDIF node for ROCK Pi 4", " - ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch", " - ACPI: video: Add backlight=native DMI quirk for Apple iMac12,1 and iMac12,2", " - ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA", " - ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks", " - ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA", " - ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA", " - xhci: cleanup xhci_hub_control port references", " - xhci: move port specific items such as state completions to port structure", " - xhci: rename resume_done to resume_timestamp", " - xhci: clear usb2 resume related variables in one place.", " - xhci: decouple usb2 port resume and get_port_status request handling", " - xhci: track port suspend state correctly in unsuccessful resume cases", " - cifs: add a warning when the in-flight count goes negative", " - IB/hfi1: Fix a memleak in init_credit_return", " - RDMA/bnxt_re: Return error for SRQ resize", " - RDMA/irdma: Fix KASAN issue with tasklet", " - RDMA/irdma: Validate max_send_wr and max_recv_wr", " - RDMA/irdma: Set the CQ read threshold for GEN 1", " - RDMA/irdma: Add AE for too many RNRS", " - RDMA/srpt: Support specifying the srpt_service_guid parameter", " - RDMA/qedr: Fix qedr_create_user_qp error flow", " - arm64: dts: rockchip: set num-cs property for spi on px30", " - RDMA/srpt: fix function pointer cast warnings", " - bpf, scripts: Correct GPL license name", " - scsi: jazz_esp: Only build if SCSI core is builtin", " - nouveau: fix function cast warnings", " - net: stmmac: Fix incorrect dereference in interrupt handlers", " - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid", " - ipv6: properly combine dev_base_seq and 
ipv6.dev_addr_genid", " - ata: libahci_platform: Convert to using devm bulk clocks API", " - ata: libahci_platform: Introduce reset assertion/deassertion methods", " - ata: ahci_ceva: fix error handling for Xilinx GT PHY support", " - bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel", " - drm/nouveau/instmem: fix uninitialized_var.cocci warning", " - octeontx2-af: Consider the action set by PF", " - s390: use the correct count for __iowrite64_copy()", " - netfilter: nf_tables: set dormant flag on hook register failure", " - netfilter: flowtable: simplify route logic", " - netfilter: nft_flow_offload: reset dst in route object after setting up flow", " - netfilter: nft_flow_offload: release dst in case direct xmit path is used", " - drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set", " - drm/amd/display: Fix memory leak in dm_sw_fini()", " - i2c: imx: Add timer for handling the stop condition", " - i2c: imx: when being a target, mark the last read as processed", " - fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio", " - netfilter: nf_tables: fix scheduling-while-atomic splat", " - ext4: regenerate buddy after block freeing failed if under fc replay", " - ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()", " - netfilter: nf_tables: can't schedule in nft_chain_validate", " - r8169: use new PM macros", " - Linux 5.15.150", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26733", " - packet: move from strlcpy with unused retval to strscpy", " - net: dev: Convert sa_data to flexible array in struct sockaddr", " - arp: Prevent overflow in arp_req_get().", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26735", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26736", " - afs: Increase buffer size in 
afs_update_volume_status()", "", " * Jammy update: v5.15.150 upstream stable release (LP: #2060142) //", " CVE-2024-26748", " - usb: cdns3: fix memory double free when handle zero packet", "", " * CVE-2023-47233", " - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "", " * CVE-2024-26584", " - net: tls: handle backlogging of crypto requests", "", " * CVE-2024-26585", " - tls: fix race between tx work scheduling and socket close", "", " * CVE-2024-26583", " - tls: rx: jump to a more appropriate label", " - tls: rx: drop pointless else after goto", " - tls: stop recv() if initial process_rx_list gave us non-DATA", " - tls: rx: don't store the record type in socket context", " - tls: rx: don't store the decryption status in socket context", " - tls: rx: don't issue wake ups when data is decrypted", " - tls: rx: refactor decrypt_skb_update()", " - tls: hw: rx: use return value of tls_device_decrypted() to carry status", " - tls: rx: drop unnecessary arguments from tls_setup_from_iter()", " - tls: rx: don't report text length from the bowels of decrypt", " - tls: rx: wrap decryption arguments in a structure", " - tls: rx: factor out writing ContentType to cmsg", " - tls: rx: don't track the async count", " - tls: rx: move counting TlsDecryptErrors for sync", " - tls: rx: assume crypto always calls our callback", " - tls: rx: use async as an in-out argument", " - tls: decrement decrypt_pending if no async completion will be called", " - net: tls: fix async vs NIC crypto offload", " - Revert \"tls: rx: move counting TlsDecryptErrors for sync\"", " - tls: rx: simplify async wait", " - tls: rx: return the already-copied data on crypto error", " - tls: rx: allow only one reader at a time", " - tls: rx: release the sock lock on locking timeout", " - tls: extract context alloc/initialization out of tls_set_sw_offload", " - net: tls: factor out tls_*crypt_async_wait()", " - tls: fix race between async notify and socket close", "", " * CVE-2024-26622", " - 
tomoyo: fix UAF write bug in tomoyo_write_control()", "" ], "package": "linux", "version": "5.15.0-111.121", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2063763, 2063096, 2061986, 2040948, 2063290, 2063276, 2060422, 2058477, 2060209, 2060209, 2060209, 2063067, 2060142, 2060142, 2060142, 2060142, 2060142 ], "author": "Roxana Nicolescu ", "date": "Fri, 26 Apr 2024 13:29:50 +0200" } ], "notes": "linux-modules-5.15.0-112-generic version '5.15.0-112.122' (source package linux version '5.15.0-112.122') was added. linux-modules-5.15.0-112-generic version '5.15.0-112.122' has the same source package name, linux, as removed package linux-headers-5.15.0-107. As such we can use the source package version of the removed package, '5.15.0-107.117', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
} ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-107", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-107.117", "version": "5.15.0-107.117" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.15.0-107-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-107.117", "version": "5.15.0-107.117" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.15.0-107-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-107.117", "version": "5.15.0-107.117" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.15.0-107-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-107.117", "version": "5.15.0-107.117" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20240605.1 to 20240612", "from_series": "jammy", "to_series": "jammy", "from_serial": "20240605.1", "to_serial": "20240612", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }