{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-6.5.0-45-generic", "linux-image-6.5.0-45-generic", "linux-modules-6.5.0-45-generic", "linux-riscv-6.5-headers-6.5.0-45" ], "removed": [ "linux-headers-6.5.0-42-generic", "linux-image-6.5.0-42-generic", "linux-modules-6.5.0-42-generic", "linux-riscv-6.5-headers-6.5.0-42" ], "diff": [ "libpython3.10:riscv64", "libpython3.10-minimal:riscv64", "libpython3.10-stdlib:riscv64", "libssl3:riscv64", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "openssl", "python3.10", "python3.10-minimal" ] } }, "diff": { "deb": [ { "name": "libpython3.10:riscv64", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.4", "version": "3.10.12-1~22.04.4" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. 
This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. 
CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: race condition in ssl.SSLContext methods", " - debian/patches/CVE-2024-0397.patch: fix locking in cert_store_stats", " and get_ca_certs in Modules/_ssl.c.", " - CVE-2024-0397", " * SECURITY UPDATE: is_private and is_global mismatch", " - debian/patches/CVE-2024-4032.patch: fix \"private\" (non-global) IP", " address ranges in Doc/library/ipaddress.rst, Lib/ipaddress.py,", " Lib/test/test_ipaddress.py.", " - CVE-2024-4032", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 29 Jul 2024 12:56:48 -0400" } ], "notes": null }, { "name": "libpython3.10-minimal:riscv64", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.4", "version": "3.10.12-1~22.04.4" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. 
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. 
This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: race condition in ssl.SSLContext methods", " - debian/patches/CVE-2024-0397.patch: fix locking in cert_store_stats", " and get_ca_certs in Modules/_ssl.c.", " - CVE-2024-0397", " * SECURITY UPDATE: is_private and is_global mismatch", " - debian/patches/CVE-2024-4032.patch: fix \"private\" (non-global) IP", " address ranges in Doc/library/ipaddress.rst, Lib/ipaddress.py,", " Lib/test/test_ipaddress.py.", " - CVE-2024-4032", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 29 Jul 2024 12:56:48 -0400" } ], "notes": null }, { "name": "libpython3.10-stdlib:riscv64", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.4", "version": "3.10.12-1~22.04.4" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. 
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. 
This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: race condition in ssl.SSLContext methods", " - debian/patches/CVE-2024-0397.patch: fix locking in cert_store_stats", " and get_ca_certs in Modules/_ssl.c.", " - CVE-2024-0397", " * SECURITY UPDATE: is_private and is_global mismatch", " - debian/patches/CVE-2024-4032.patch: fix \"private\" (non-global) IP", " address ranges in Doc/library/ipaddress.rst, Lib/ipaddress.py,", " Lib/test/test_ipaddress.py.", " - CVE-2024-4032", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 29 Jul 2024 12:56:48 -0400" } ], "notes": null }, { "name": "libssl3:riscv64", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.16", "version": "3.0.2-0ubuntu1.16" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.17", "version": "3.0.2-0ubuntu1.17" }, "cves": [ { "cve": "CVE-2024-2511", "url": "https://ubuntu.com/security/CVE-2024-2511", "cve_description": "Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and 
the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.", "cve_priority": "low", "cve_public_date": "2024-04-08 14:15:00 UTC" }, { "cve": "CVE-2024-4603", "url": "https://ubuntu.com/security/CVE-2024-4603", "cve_description": "Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. 
Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "cve_priority": "low", "cve_public_date": "2024-05-16 16:15:00 UTC" }, { "cve": "CVE-2024-4741", "url": "https://ubuntu.com/security/CVE-2024-4741", "cve_description": "Use After Free with SSL_free_buffers", "cve_priority": "low", "cve_public_date": "2024-05-28" }, { "cve": "CVE-2024-5535", "url": "https://ubuntu.com/security/CVE-2024-5535", "cve_description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. 
In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a \"no overlap\" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. 
This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.", "cve_priority": "low", "cve_public_date": "2024-06-27 11:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-2511", "url": "https://ubuntu.com/security/CVE-2024-2511", "cve_description": "Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL 1.0.2 is also not affected by this issue.", "cve_priority": "low", "cve_public_date": "2024-04-08 14:15:00 UTC" }, { "cve": "CVE-2024-4603", "url": "https://ubuntu.com/security/CVE-2024-4603", "cve_description": "Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. 
The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "cve_priority": "low", "cve_public_date": "2024-05-16 16:15:00 UTC" }, { "cve": "CVE-2024-4741", "url": "https://ubuntu.com/security/CVE-2024-4741", "cve_description": "Use After Free with SSL_free_buffers", "cve_priority": "low", "cve_public_date": "2024-05-28" }, { "cve": "CVE-2024-5535", "url": "https://ubuntu.com/security/CVE-2024-5535", "cve_description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. 
In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a \"no overlap\" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. 
Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.", "cve_priority": "low", "cve_public_date": "2024-06-27 11:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: unbounded mem growth when processing TLSv1.3 sessions", " - debian/patches/CVE-2024-2511.patch: fix unconstrained session cache", " growth in TLSv1.3 in ssl/ssl_lib.c, ssl/ssl_sess.c,", " ssl/statem/statem_srvr.c.", " - CVE-2024-2511", " * SECURITY UPDATE: checking excessively long DSA keys or params very slow", " - debian/patches/CVE-2024-4603.patch: check DSA parameters for", " excessive sizes before validating in crypto/dsa/dsa_check.c,", " test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem.", " - CVE-2024-4603", " * SECURITY UPDATE: use after free with SSL_free_buffers", " - debian/patches/CVE-2024-4741.patch: only free the read buffers if", " we're not using them in ssl/record/rec_layer_s3.c,", " ssl/record/record.h, ssl/ssl_lib.c.", " - CVE-2024-4741", " * SECURITY UPDATE: crash or memory disclosure via SSL_select_next_proto", " - debian/patches/CVE-2024-5535.patch: validate provided client list in", " ssl/ssl_lib.c.", " - CVE-2024-5535", "" ], "package": "openssl", "version": "3.0.2-0ubuntu1.17", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 30 Jul 2024 11:18:05 -0400" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.42.42.1~22.04.1", "version": "6.5.0.42.42.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.45.45.1~22.04.1", "version": 
"6.5.0.45.45.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-45.45.1~22.04", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-riscv-6.5", "version": "6.5.0.45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Hannah Peuckmann ", "date": "Fri, 19 Jul 2024 13:19:53 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.42.42.1~22.04.1", "version": "6.5.0.42.42.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.45.45.1~22.04.1", "version": "6.5.0.45.45.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-45.45.1~22.04", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-riscv-6.5", "version": "6.5.0.45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Hannah Peuckmann ", "date": "Fri, 19 Jul 2024 13:19:53 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.42.42.1~22.04.1", "version": "6.5.0.42.42.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.45.45.1~22.04.1", "version": "6.5.0.45.45.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-45.45.1~22.04", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-riscv-6.5", "version": "6.5.0.45.45.1~22.04.1", 
"urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Hannah Peuckmann ", "date": "Fri, 19 Jul 2024 13:19:53 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.42.42.1~22.04.1", "version": "6.5.0.42.42.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.45.45.1~22.04.1", "version": "6.5.0.45.45.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-45.45.1~22.04", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-riscv-6.5", "version": "6.5.0.45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Hannah Peuckmann ", "date": "Fri, 19 Jul 2024 13:19:53 +0200" } ], "notes": null }, { "name": "openssl", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.16", "version": "3.0.2-0ubuntu1.16" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.17", "version": "3.0.2-0ubuntu1.17" }, "cves": [ { "cve": "CVE-2024-2511", "url": "https://ubuntu.com/security/CVE-2024-2511", "cve_description": "Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. 
The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.", "cve_priority": "low", "cve_public_date": "2024-04-08 14:15:00 UTC" }, { "cve": "CVE-2024-4603", "url": "https://ubuntu.com/security/CVE-2024-4603", "cve_description": "Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. 
The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "cve_priority": "low", "cve_public_date": "2024-05-16 16:15:00 UTC" }, { "cve": "CVE-2024-4741", "url": "https://ubuntu.com/security/CVE-2024-4741", "cve_description": "Use After Free with SSL_free_buffers", "cve_priority": "low", "cve_public_date": "2024-05-28" }, { "cve": "CVE-2024-5535", "url": "https://ubuntu.com/security/CVE-2024-5535", "cve_description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. 
In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a \"no overlap\" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. 
Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.", "cve_priority": "low", "cve_public_date": "2024-06-27 11:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-2511", "url": "https://ubuntu.com/security/CVE-2024-2511", "cve_description": "Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.", "cve_priority": "low", "cve_public_date": "2024-04-08 14:15:00 UTC" }, { "cve": "CVE-2024-4603", "url": "https://ubuntu.com/security/CVE-2024-4603", "cve_description": "Issue summary: Checking excessively long DSA keys or parameters may be very slow. 
Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "cve_priority": "low", "cve_public_date": "2024-05-16 16:15:00 UTC" }, { "cve": "CVE-2024-4741", "url": "https://ubuntu.com/security/CVE-2024-4741", "cve_description": "Use After Free with SSL_free_buffers", "cve_priority": "low", "cve_public_date": "2024-05-28" }, { "cve": "CVE-2024-5535", "url": "https://ubuntu.com/security/CVE-2024-5535", "cve_description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. 
Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. 
In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a \"no overlap\" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. 
The fix will be included in the next releases when they become available.", "cve_priority": "low", "cve_public_date": "2024-06-27 11:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: unbounded mem growth when processing TLSv1.3 sessions", " - debian/patches/CVE-2024-2511.patch: fix unconstrained session cache", " growth in TLSv1.3 in ssl/ssl_lib.c, ssl/ssl_sess.c,", " ssl/statem/statem_srvr.c.", " - CVE-2024-2511", " * SECURITY UPDATE: checking excessively long DSA keys or params very slow", " - debian/patches/CVE-2024-4603.patch: check DSA parameters for", " excessive sizes before validating in crypto/dsa/dsa_check.c,", " test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem.", " - CVE-2024-4603", " * SECURITY UPDATE: use after free with SSL_free_buffers", " - debian/patches/CVE-2024-4741.patch: only free the read buffers if", " we're not using them in ssl/record/rec_layer_s3.c,", " ssl/record/record.h, ssl/ssl_lib.c.", " - CVE-2024-4741", " * SECURITY UPDATE: crash or memory disclosure via SSL_select_next_proto", " - debian/patches/CVE-2024-5535.patch: validate provided client list in", " ssl/ssl_lib.c.", " - CVE-2024-5535", "" ], "package": "openssl", "version": "3.0.2-0ubuntu1.17", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 30 Jul 2024 11:18:05 -0400" } ], "notes": null }, { "name": "python3.10", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.4", "version": "3.10.12-1~22.04.4" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. 
The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. 
This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: race condition in ssl.SSLContext methods", " - debian/patches/CVE-2024-0397.patch: fix locking in cert_store_stats", " and get_ca_certs in Modules/_ssl.c.", " - CVE-2024-0397", " * SECURITY UPDATE: is_private and is_global mismatch", " - debian/patches/CVE-2024-4032.patch: fix \"private\" (non-global) IP", " address ranges in Doc/library/ipaddress.rst, Lib/ipaddress.py,", " Lib/test/test_ipaddress.py.", " - CVE-2024-4032", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 29 Jul 2024 12:56:48 -0400" } ], "notes": null }, { "name": "python3.10-minimal", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.4", "version": "3.10.12-1~22.04.4" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. 
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-0397", "url": "https://ubuntu.com/security/CVE-2024-0397", "cve_description": "A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "cve_priority": "medium", "cve_public_date": "2024-06-17 16:15:00 UTC" }, { "cve": "CVE-2024-4032", "url": "https://ubuntu.com/security/CVE-2024-4032", "cve_description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. 
This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", "cve_priority": "low", "cve_public_date": "2024-06-17 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: race condition in ssl.SSLContext methods", " - debian/patches/CVE-2024-0397.patch: fix locking in cert_store_stats", " and get_ca_certs in Modules/_ssl.c.", " - CVE-2024-0397", " * SECURITY UPDATE: is_private and is_global mismatch", " - debian/patches/CVE-2024-4032.patch: fix \"private\" (non-global) IP", " address ranges in Doc/library/ipaddress.rst, Lib/ipaddress.py,", " Lib/test/test_ipaddress.py.", " - CVE-2024-4032", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 29 Jul 2024 12:56:48 -0400" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-6.5.0-45-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-45.45.1~22.04.1", "version": "6.5.0-45.45.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-25739", "url": "https://ubuntu.com/security/CVE-2024-25739", "cve_description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "cve_priority": "medium", "cve_public_date": "2024-02-12 03:15:00 UTC" }, { "cve": "CVE-2024-24857", "url": "https://ubuntu.com/security/CVE-2024-24857", "cve_description": "A 
race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2024-24858", "url": "https://ubuntu.com/security/CVE-2024-24858", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52880", "url": "https://ubuntu.com/security/CVE-2023-52880", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.", "cve_priority": "high", "cve_public_date": "2024-05-24 16:15:00 UTC" }, { "cve": "CVE-2024-26838", "url": "https://ubuntu.com/security/CVE-2024-26838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet KASAN testing revealed the following issue assocated with freeing an IRQ. [50006.466686] Call Trace: [50006.466691] [50006.489538] dump_stack+0x5c/0x80 [50006.493475] print_address_description.constprop.6+0x1a/0x150 [50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644] kasan_report.cold.11+0x7f/0x118 [50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601] ? 
irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096] __do_softirq+0x1d0/0xaf8 [50006.555396] irq_exit_rcu+0x219/0x260 [50006.559670] irq_exit+0xa/0x20 [50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645] apic_timer_interrupt+0xf/0x20 [50006.573341] The issue is that a tasklet could be pending on another core racing the delete of the irq. Fix by insuring any scheduled tasklet is killed after deleting the irq.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. 
sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. 
Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. 
It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26803", "url": "https://ubuntu.com/security/CVE-2024-26803", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. 
If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26790", "url": "https://ubuntu.com/security/CVE-2024-26790", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26890", "url": "https://ubuntu.com/security/CVE-2024-26890", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. 
================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 
kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 ==================================================================", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26802", "url": "https://ubuntu.com/security/CVE-2024-26802", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. 
Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26798", "url": "https://ubuntu.com/security/CVE-2024-26798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the \"system\"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. 
if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). 
To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 
entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 
cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy 
address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. 
Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26789", "url": "https://ubuntu.com/security/CVE-2024-26789", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26734", "url": "https://ubuntu.com/security/CVE-2024-26734", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. 
Make an unregister in case of unsuccessful registration.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26694", "url": "https://ubuntu.com/security/CVE-2024-26694", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26710", "url": "https://ubuntu.com/security/CVE-2024-26710", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with KASAN\"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. 
So only increase the stack for KASAN if the stack size is < 32KB.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26593", "url": "https://ubuntu.com/security/CVE-2024-26593", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. 
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.", "cve_priority": "medium", "cve_public_date": "2024-02-23 10:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. 
This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. 
According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2071997, 1786013, 2071998, 2072006, 2068333, 1786013, 2068341, 1786013, 2061940, 2067883, 2049358, 2045560, 2063399, 2063529, 2046722, 2060904, 2063096, 2063067, 2040948, 2060727, 2057734, 2060422, 2058477, 2059263, 2042546, 2061814, 2061814, 2054487, 2061814, 2061814, 2061814, 2059991, 2059991, 2060727, 2059068, 2059991 ], "changes": [ { "cves": [ { "cve": "CVE-2024-25739", "url": "https://ubuntu.com/security/CVE-2024-25739", "cve_description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "cve_priority": "medium", "cve_public_date": "2024-02-12 03:15:00 UTC" }, { "cve": "CVE-2024-24857", "url": "https://ubuntu.com/security/CVE-2024-24857", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2024-24858", "url": "https://ubuntu.com/security/CVE-2024-24858", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. 
This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52880", "url": "https://ubuntu.com/security/CVE-2023-52880", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.", "cve_priority": "high", "cve_public_date": "2024-05-24 16:15:00 UTC" }, { "cve": "CVE-2024-26838", "url": "https://ubuntu.com/security/CVE-2024-26838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet KASAN testing revealed the following issue assocated with freeing an IRQ. [50006.466686] Call Trace: [50006.466691] [50006.489538] dump_stack+0x5c/0x80 [50006.493475] print_address_description.constprop.6+0x1a/0x150 [50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644] kasan_report.cold.11+0x7f/0x118 [50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096] __do_softirq+0x1d0/0xaf8 [50006.555396] irq_exit_rcu+0x219/0x260 [50006.559670] irq_exit+0xa/0x20 [50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645] apic_timer_interrupt+0xf/0x20 [50006.573341] The issue is that a tasklet could be pending on another core racing the delete of the irq. 
Fix by insuring any scheduled tasklet is killed after deleting the irq.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. 
And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. 
It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26803", "url": "https://ubuntu.com/security/CVE-2024-26803", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. 
If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26790", "url": "https://ubuntu.com/security/CVE-2024-26790", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26890", "url": "https://ubuntu.com/security/CVE-2024-26890", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. 
================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 
kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 ==================================================================", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26802", "url": "https://ubuntu.com/security/CVE-2024-26802", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. 
Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26798", "url": "https://ubuntu.com/security/CVE-2024-26798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the \"system\"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. 
if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). 
To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 
entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 
cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy 
address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. 
Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26789", "url": "https://ubuntu.com/security/CVE-2024-26789", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26734", "url": "https://ubuntu.com/security/CVE-2024-26734", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. 
Make an unregister in case of unsuccessful registration.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26694", "url": "https://ubuntu.com/security/CVE-2024-26694", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26710", "url": "https://ubuntu.com/security/CVE-2024-26710", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with KASAN\"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. 
So only increase the stack for KASAN if the stack size is < 32KB.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26593", "url": "https://ubuntu.com/security/CVE-2024-26593", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. 
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.", "cve_priority": "medium", "cve_public_date": "2024-02-23 10:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. 
This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. 
According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.5: 6.5.0-45.45.1~22.04.1 -proposed tracker", " (LP: #2071997)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.riscv-6.5/dkms-versions -- update from kernel-versions", " (main/s2024.06.10)", "", " [ Ubuntu: 6.5.0-45.45.1 ]", "", " * mantic/linux-riscv: 6.5.0-45.45.1 -proposed tracker (LP: #2071998)", " * mantic/linux: 6.5.0-45.45 -proposed tracker (LP: #2072006)", " * CVE-2024-25739", " - ubi: Check for too small LEB size in VTBL code", " * CVE-2024-24857 // CVE-2024-24858", " - Bluetooth: Fix TOCTOU in HCI debugfs implementation", "", " [ Ubuntu: 6.5.0-44.44.1 ]", "", " * mantic/linux-riscv: 6.5.0-44.44.1 -proposed tracker (LP: #2068333)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions", " (main/2024.06.10)", " * Miscellaneous Ubuntu changes", " - Revert \"riscv: Fix set_huge_pte_at() for NAPOT mapping\"", " * mantic/linux: 6.5.0-44.44 -proposed tracker (LP: #2068341)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.06.10)", " * Some DUTs can't boot up after installing the proposed kernel on Mantic", " (LP: #2061940)", " - SAUCE: Revert \"x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat", " section\"", " - SAUCE: Revert \"x86/boot: Increase section and file alignment to 4k/512\"", " - SAUCE: Revert \"x86/boot: Split off PE/COFF .data section\"", " - SAUCE: Revert \"x86/boot: Drop PE/COFF .reloc section\"", " - SAUCE: Revert \"x86/boot: Construct PE/COFF .text section from assembler\"", " - SAUCE: Revert \"x86/boot: Derive file size from _edata symbol\"", " 
- SAUCE: Revert \"x86/boot: Define setup size in linker script\"", " - SAUCE: Revert \"x86/boot: Set EFI handover offset directly in header asm\"", " - SAUCE: Revert \"x86/boot: Grab kernel_info offset from zoffset header", " directly\"", " - SAUCE: Revert \"x86/boot: Drop redundant code setting the root device\"", " - SAUCE: Revert \"x86/boot: Drop references to startup_64\"", " - SAUCE: Revert \"x86/boot: Omit compression buffer from PE/COFF image memory", " footprint\"", " - SAUCE: Revert \"x86/boot: Remove the 'bugger off' message\"", " - SAUCE: Revert \"x86/efi: Drop alignment flags from PE section headers\"", " - SAUCE: Revert \"x86/efi: Drop EFI stub .bss from .data section\"", " * CVE-2023-52880", " - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc", " * i915 cannot probe successfully on HP ZBook Power 16 G11 (LP: #2067883)", " - drm/i915/mtl: Remove the 'force_probe' requirement for Meteor Lake", " * CVE-2024-26838", " - RDMA/irdma: Fix KASAN issue with tasklet", " * mtk_t7xx WWAN module fails to probe with: Invalid device status 0x1", " (LP: #2049358)", " - Revert \"UBUNTU: SAUCE: net: wwan: t7xx: PCIe reset rescan\"", " - Revert \"UBUNTU: SAUCE: net: wwan: t7xx: Add AP CLDMA\"", " - net: wwan: t7xx: Add AP CLDMA", " - wwan: core: Add WWAN fastboot port type", " - net: wwan: t7xx: Add sysfs attribute for device state machine", " - net: wwan: t7xx: Infrastructure for early port configuration", " - net: wwan: t7xx: Add fastboot WWAN port", " * TCP memory leak, slow network (arm64) (LP: #2045560)", " - net: make SK_MEMORY_PCPU_RESERV tunable", " - net: fix sk_memory_allocated_{add|sub} vs softirqs", " * CVE-2024-26923", " - af_unix: Do not use atomic ops for unix_sk(sk)->inflight.", " - af_unix: Fix garbage collector racing against connect()", " * Add support for Quectel EM160R-GL modem [1eac:100d] (LP: #2063399)", " - Add support for Quectel EM160R-GL modem", " * Add support for Quectel RM520N-GL modem [1eac:1007] (LP: #2063529)", " - Add 
support for Quectel RM520N-GL modem", " - Add support for Quectel RM520N-GL modem", " * [SRU][22.04.4]: megaraid_sas: Critical Bug Fixes (LP: #2046722)", " - scsi: megaraid_sas: Log message when controller reset is requested but not", " issued", " - scsi: megaraid_sas: Driver version update to 07.727.03.00-rc1", " * Fix the RTL8852CE BT FW Crash based on SER false alarm (LP: #2060904)", " - wifi: rtw89: disable txptctrl IMR to avoid flase alarm", " - wifi: rtw89: pci: correct TX resource checking for PCI DMA channel of", " firmware command", " * CVE-2024-23307", " - md/raid5: fix atomicity violation in raid5_cache_count", " * CVE-2024-26889", " - Bluetooth: hci_core: Fix possible buffer overflow", " * CVE-2024-24861", " - media: xc4000: Fix atomicity violation in xc4000_get_frequency", " * CVE-2023-6270", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", " * CVE-2024-26642", " - netfilter: nf_tables: disallow anonymous set with timeout flag", " * CVE-2024-26926", " - binder: check offset alignment in binder_get_object()", " * CVE-2024-26922", " - drm/amdgpu: validate the parameters of bo mapping operations more clearly", " * CVE-2024-26803", " - net: veth: clear GRO when clearing XDP even when down", " * CVE-2024-26790", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " * CVE-2024-26890", " - Bluetooth: hci_h5: Add ability to allocate memory for private data", " - Bluetooth: btrtl: fix out of bounds memory access", " * CVE-2024-26802", " - stmmac: Clear variable when destroying workqueue", " * CVE-2024-26798", " - fbcon: always restore the old font data in fbcon_do_set_font()", " * RTL8852BE fw security fail then lost WIFI function during suspend/resume", " cycle (LP: #2063096)", " - wifi: rtw89: download firmware with five times retry", " * Fix bluetooth connections with 3.0 device (LP: #2063067)", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", " * USB stick can't be detected (LP: #2040948)", " - usb: 
Disable USB3 LPM at shutdown", " * CVE-2024-26733", " - arp: Prevent overflow in arp_req_get().", " * CVE-2024-26736", " - afs: Increase buffer size in afs_update_volume_status()", " * CVE-2024-26792", " - btrfs: fix double free of anonymous device after snapshot creation failure", " * CVE-2024-26782", " - mptcp: fix double-free on socket dismantle", " * CVE-2024-26748", " - usb: cdns3: fix memory double free when handle zero packet", " * CVE-2024-26735", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", " * CVE-2024-26789", " - crypto: arm64/neonbs - fix out-of-bounds access on short input", " * CVE-2024-26734", " - devlink: fix possible use-after-free and memory leaks in devlink_init()", " * The keyboard does not work after latest kernel update (LP: #2060727)", " - Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID", " * proc_sched_rt01 from ubuntu_ltp failed (LP: #2057734)", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " * Avoid creating non-working backlight sysfs knob from ASUS board", " (LP: #2060422)", " - platform/x86: asus-wmi: Consider device is absent when the read is ~0", " * [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. 
(LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", " * Fix acpi_power_meter accessing IPMI region before it's ready (LP: #2059263)", " - ACPI: IPMI: Add helper to wait for when SMI is selected", " - hwmon: (acpi_power_meter) Ensure IPMI space handler is ready on Dell systems", " * Include cifs.ko in linux-modules package (LP: #2042546)", " - [Packaging] Replace fs/cifs with fs/smb/client in inclusion list", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814)", " - btrfs: add and use helper to check if block group is used", " - btrfs: do not delete unused block group if it may be used soon", " - btrfs: forbid creating subvol qgroups", " - btrfs: forbid deleting live subvol qgroup", " - btrfs: send: return EOPNOTSUPP on unknown flags", " - btrfs: don't reserve space for checksums when writing to nocow files", " - btrfs: reject encoded write if inode has nodatasum flag set", " - btrfs: don't drop extent_map for free space inode on write error", " - driver core: Fix device_link_flag_is_sync_state_only()", " - of: unittest: Fix compile in the non-dynamic case", " - KVM: selftests: Fix a semaphore imbalance in the dirty ring logging test", " - wifi: iwlwifi: Fix some error codes", " - wifi: iwlwifi: uninitialized variable in iwl_acpi_get_ppag_table()", " - of: property: Improve finding the supplier of a remote-endpoint property", " - net: openvswitch: limit the number of recursions from action sets", " - lan966x: Fix crash when adding interface under a lag", " - spi: ppc4xx: Drop write-only variable", " - ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", " - net: sysfs: Fix /sys/class/net/ path for statistics", " - nouveau/svm: fix kvcalloc() argument order", " - MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler", " - i40e: Do not allow untrusted VF to remove administratively set MAC", " - i40e: Fix waiting for queues of all VSIs to be disabled", " - scs: add CONFIG_MMU dependency for 
vfree_atomic()", " - tracing/trigger: Fix to return error if failed to alloc snapshot", " - mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", " - scsi: storvsc: Fix ring buffer size calculation", " - dm-crypt, dm-verity: disable tasklets", " - ASoC: amd: yc: Add DMI quirk for MSI Bravo 15 C7VF", " - parisc: Prevent hung tasks when printing inventory on serial console", " - ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift", " 1 SF114-32", " - ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx", " - HID: i2c-hid-of: fix NULL-deref on failed power up", " - HID: wacom: generic: Avoid reporting a serial of '0' to userspace", " - HID: wacom: Do not register input devices until after hid_hw_start", " - iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP", " - usb: ucsi: Add missing ppm_lock", " - usb: ulpi: Fix debugfs directory leak", " - usb: ucsi_acpi: Fix command completion handling", " - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT", " - usb: f_mass_storage: forbid async queue when shutdown happen", " - usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend", " - interconnect: qcom: sc8180x: Mark CO0 BCM keepalive", " - media: ir_toy: fix a memleak in irtoy_tx", " - driver core: fw_devlink: Improve detection of overlapping cycles", " - cifs: fix underflow in parse_server_interfaces()", " - i2c: qcom-geni: Correct I2C TRE sequence", " - irqchip/loongson-eiointc: Use correct struct type in eiointc_domain_alloc()", " - i2c: pasemi: split driver into two separate modules", " - modpost: trim leading spaces when processing source files list", " - mptcp: get rid of msk->subflow", " - mptcp: fix data re-injection from stale subflow", " - selftests: mptcp: add missing kconfig for NF Filter", " - selftests: mptcp: add missing kconfig for NF Filter in v6", " - selftests: mptcp: add missing kconfig for NF Mangle", " - selftests: mptcp: increase timeout to 30 min", " - 
mptcp: drop the push_pending field", " - mptcp: check addrs list in userspace_pm_get_local_id", " - scsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"", " - Revert \"drm/amd: flush any delayed gfxoff on suspend entry\"", " - drm/virtio: Set segment size for virtio_gpu device", " - lsm: fix the logic in security_inode_getsecctx()", " - firewire: core: correct documentation of fw_csr_string() kernel API", " - ALSA: hda/realtek: Apply headset jack quirk for non-bass alc287 thinkpads", " - kbuild: Fix changing ELF file type for output of gen_btf for big endian", " - nfc: nci: free rx_data_reassembly skb on NCI device cleanup", " - net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()", " - net: stmmac: do not clear TBS enable bit on link up/down", " - xen-netback: properly sync TX responses", " - modpost: Don't let \"driver\"s reference .exit.*", " - linux/init: remove __memexit* annotations", " - um: Fix adding '-no-pie' for clang", " - modpost: Add '.ltext' and '.ltext.*' to TEXT_SECTIONS", " - ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL", " - ASoC: codecs: wcd938x: handle deferred probe", " - ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power", " - binder: signal epoll threads of self-work", " - misc: fastrpc: Mark all sessions as invalid in cb_remove", " - ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()", " - tracing: Fix wasted memory in saved_cmdlines logic", " - staging: iio: ad5933: fix type mismatch regression", " - iio: magnetometer: rm3100: add boundary check for the value read from", " RM3100_REG_TMRC", " - iio: core: fix memleak in iio_device_register_sysfs", " - iio: commom: st_sensors: ensure proper DMA alignment", " - iio: accel: bma400: Fix a compilation problem", " - iio: adc: ad_sigma_delta: ensure proper DMA alignment", " - iio: imu: adis: ensure proper DMA alignment", " - iio: imu: bno055: serdev requires REGMAP", " - media: rc: bpf attach/detach requires write permission", " - 
ksmbd: free aux buffer if ksmbd_iov_pin_rsp_read fails", " - drm/msm: Wire up tlb ops", " - drm/prime: Support page array >= 4GB", " - drm/amd/display: Increase frame-larger-than for all display_mode_vba files", " - drm/amd/display: Preserve original aspect ratio in create stream", " - hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove", " - ring-buffer: Clean ring_buffer_poll_wait() error return", " - nfp: flower: fix hardware offload for the transfer layer port", " - serial: max310x: set default value when reading clock ready bit", " - serial: max310x: improve crystal stable clock detection", " - serial: max310x: fail probe if clock crystal is unstable", " - serial: max310x: prevent infinite while() loop in port startup", " - powerpc/64: Set task pt_regs->link to the LR value on scv entry", " - powerpc/cputable: Add missing PPC_FEATURE_BOOKE on PPC64 Book-E", " - powerpc/pseries: fix accuracy of stolen time", " - x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6", " - x86/fpu: Stop relying on userspace for info to fault in xsave buffer", " - KVM: x86/pmu: Fix type length error when reading pmu->fixed_ctr_ctrl", " - x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", " - io_uring/net: fix multishot accept overflow handling", " - mmc: slot-gpio: Allow non-sleeping GPIO ro", " - ALSA: hda/realtek: fix mute/micmute LED For HP mt645", " - ALSA: hda/conexant: Add quirk for SWS JS201D", " - nilfs2: fix data corruption in dsync block recovery for small block sizes", " - nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", " - crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked", " - nfp: use correct macro for LengthSelect in BAR config", " - nfp: flower: prevent re-adding mac index for bonded port", " - wifi: cfg80211: fix wiphy delayed work queueing", " - wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()", " - irqchip/irq-brcmstb-l2: Add write memory barrier before exit", " - 
irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update", " - zonefs: Improve error handling", " - mmc: sdhci-pci-o2micro: Fix a warm reboot issue that disk can't be detected", " by BIOS", " - ASoC: amd: yc: Add DMI quirk for Lenovo Ideapad Pro 5 16ARP8", " - tools/rtla: Remove unused sched_getattr() function", " - tools/rtla: Replace setting prio with nice for SCHED_OTHER", " - tools/rtla: Exit with EXIT_SUCCESS when help is invoked", " - tools/rtla: Fix uninitialized bucket/data->bucket_size warning", " - tools/rtla: Fix Makefile compiler options for clang", " - fs: relax mount_setattr() permission checks", " - net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio", " - s390/qeth: Fix potential loss of L3-IP@ in case of network issues", " - net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - ceph: prevent use-after-free in encode_cap_msg()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE", " - of: property: fix typo in io-channels", " - can: netlink: Fix TDCO calculation using the old data bittiming", " - can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock", " - can: j1939: Fix UAF in j1939_sk_match_filter during", " setsockopt(SO_J1939_FILTER)", " - pmdomain: core: Move the unused cleanup to a _sync initcall", " - fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - tracing: Inform kmemleak of saved_cmdlines allocation", " - selftests/mm: ksm_tests should only MADV_HUGEPAGE valid memory", " - selftests/mm: Update va_high_addr_switch.sh to check CPU for la57 flag", " - md: bypass block throttle for superblock update", " - block: fix partial zone append completion handling in req_bio_endio()", " - netfilter: ipset: Missing gc cancellations fixed", " - parisc: Fix random data corruption from exception handler", " - 
nfsd: don't take fi_lock in nfsd_break_deleg_cb()", " - sched/membarrier: reduce the ability to hammer on sys_membarrier", " - of: property: Add in-ports/out-ports support to of_graph_get_port_parent()", " - nilfs2: fix potential bug in end_buffer_async_write", " - arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata", " - work around gcc bugs with 'asm goto' with outputs", " - [Config] updateconfigs for GCC_ASM_GOTO_OUTPUT_WORKAROUND", " - update workarounds for gcc \"asm goto\" issue", " - selftests/landlock: Fix fs_test build with old libc", " - KVM: selftests: Delete superfluous, unused \"stage\" variable in AMX test", " - KVM: selftests: Avoid infinite loop in hyperv_features when invtsc is", " missing", " - drm/msm/gem: Fix double resv lock aquire", " - ASoC: SOF: ipc3-topology: Fix pipeline tear down logic", " - net/handshake: Fix handshake_req_destroy_test1", " - bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY", " - devlink: Fix command annotation documentation", " - of: property: Improve finding the consumer of a remote-endpoint property", " - perf: CXL: fix mismatched cpmu event opcode", " - selftests: forwarding: Fix layer 2 miss test flakiness", " - selftests: forwarding: Fix bridge MDB test flakiness", " - selftests: bridge_mdb: Use MDB get instead of dump", " - selftests: forwarding: Suppress grep warnings", " - ptrace: Introduce exception_ip arch hook", " - mm/memory: Use exception ip to search exception tables", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - selftests/mm: switch to bash from sh", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - nouveau: offload fence uevents work to workqueue", " - HID: bpf: remove double fdget()", " - HID: bpf: actually free hdev memory after attaching a HID-BPF program", " - usb: chipidea: core: handle power lost in workqueue", " - usb: core: Prevent null pointer dereference in update_port_device_state", " - interconnect: qcom: sm8550: Enable 
sync_state", " - powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add", " - powerpc/6xx: set High BAT Enable flag on G2_LE cores", " - iio: adc: ad4130: zero-initialize clock init data", " - iio: adc: ad4130: only set GPIO_CTRL if pin is unused", " - irqchip/gic-v3-its: Handle non-coherent GICv4 redistributors", " - kallsyms: ignore ARMv4 thunks along with others", " - selftests: mptcp: add mptcp_lib_kill_wait", " - mptcp: fix rcv space initialization", " - mptcp: really cope with fastopen race", " - Revert \"powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add\"", " - drm/amd: Don't init MEC2 firmware when it fails to load", " - usb: typec: tpcm: Fix issues with power being removed during reset", " - tracing/timerlat: Move hrtimer_init to timerlat_fd open()", " - tracing/synthetic: Fix trace_string() return value", " - tracing/probes: Fix to show a parse error for bad type for $comm", " - tracing/probes: Fix to set arg size and fmt after setting type from BTF", " - Revert \"workqueue: Override implicit ordered attribute in", " workqueue_apply_unbound_cpumask()\"", " - iio: pressure: bmp280: Add missing bmp085 to SPI id table", " - pmdomain: mediatek: fix race conditions with genpd", " - drm/amd/display: Add align done check", " - drm/amdgpu/soc21: update VCN 4 max HEVC encoding resolution", " - drm/amd/display: Fix MST Null Ptr for RV", " - net: dsa: mv88e6xxx: Fix failed probe due to unsupported C45 reads", " - nfp: flower: add hardware offload check for post ct entry", " - ftrace: Fix DIRECT_CALLS to use SAVE_REGS by default", " - serial: core: introduce uart_port_tx_flags()", " - serial: mxs-auart: fix tx", " - KVM: x86: make KVM_REQ_NMI request iff NMI pending for vcpu", " - crypto: algif_hash - Remove bogus SGL free on zero-length error path", " - nfp: enable NETDEV_XDP_ACT_REDIRECT feature flag", " - wifi: iwlwifi: mvm: fix a crash when we run out of stations", " - thunderbolt: Fix setting the CNS bit in ROUTER_CS_5", " - smb: client: 
set correct id, uid and cruid for multiuser automounts", " - KVM: arm64: Fix circular locking dependency", " - arm64/signal: Don't assume that TIF_SVE means we saved SVE state", " - ASoC: SOF: IPC3: fix message bounds on ipc ops", " - tools/rv: Fix curr_reactor uninitialized variable", " - tools/rv: Fix Makefile compiler options for clang", " - tools/rtla: Fix clang warning about mount_point var size", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - blk-wbt: Fix detection of dirty-throttled tasks", " - docs: kernel_feat.py: fix build error for missing files", " - tracing: Fix HAVE_DYNAMIC_FTRACE_WITH_REGS ifdef", " - netfilter: ipset: fix performance regression in swap operation", " - tracefs: Check for dentry->d_inode exists in set_gid()", " - x86/efi: Drop EFI stub .bss from .data section", " - x86/efi: Drop alignment flags from PE section headers", " - x86/boot: Remove the 'bugger off' message", " - x86/boot: Omit compression buffer from PE/COFF image memory footprint", " - x86/boot: Drop redundant code setting the root device", " - x86/boot: Drop references to startup_64", " - x86/boot: Grab kernel_info offset from zoffset header directly", " - x86/boot: Set EFI handover offset directly in header asm", " - x86/boot: Define setup size in linker script", " - x86/boot: Derive file size from _edata symbol", " - x86/boot: Construct PE/COFF .text section from assembler", " - x86/boot: Drop PE/COFF .reloc section", " - x86/boot: Split off PE/COFF .data section", " - x86/boot: Increase section and file alignment to 4k/512", " - x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section", " - x86/barrier: Do not serialize MSR accesses on AMD", " - Documentation/arch/ia64/features.rst: fix kernel-feat directive", " - Upstream stable to v6.1.79, v6.6.18", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26694", " - wifi: iwlwifi: fix double-free bug", " * There is sound from the speakers and headphones at 
the same time on Oasis 14", " and 16 platforms (LP: #2054487) // Mantic update: upstream stable patchset", " 2024-04-16 (LP: #2061814)", " - ALSA: hda/realtek - Add speaker pin verbtable for Dell dual speaker platform", " - ALSA: hda/realtek: add IDs for Dell dual spk platform", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26710", " - powerpc/kasan: Limit KASAN thread size increase to 32KB", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26712", " - powerpc/kasan: Fix addr error caused by page alignment", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991)", " - ext4: regenerate buddy after block freeing failed if under fc replay", " - dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools", " - dmaengine: ti: k3-udma: Report short packet errors", " - dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA", " - dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA", " - phy: renesas: rcar-gen3-usb2: Fix returning wrong error code", " - dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV", " - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", " - cifs: failure to add channel on iface should bump up weight", " - drm/msms/dp: fixed link clock divider bits be over written in BPC unknown", " case", " - drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case", " - drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup", " - net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", " - wifi: mac80211: fix waiting for beacons logic", " - netdevsim: avoid potential loop in nsim_dev_trap_report_work()", " - net: atlantic: Fix DMA mapping for PTP hwts ring", " - selftests: net: cut more slack for gro fwd tests.", " - selftests: net: avoid just another constant wait", " - tunnels: fix out of bounds access when building IPv6 PMTU error", " - atm: idt77252: fix a memleak in 
open_card_ubr0", " - octeontx2-pf: Fix a memleak otx2_sq_init", " - hwmon: (aspeed-pwm-tacho) mutex for tach reading", " - hwmon: (coretemp) Fix out-of-bounds memory access", " - hwmon: (coretemp) Fix bogus core_id to attr name mapping", " - inet: read sk->sk_family once in inet_recv_error()", " - drm/i915/gvt: Fix uninitialized variable in handle_mmio()", " - rxrpc: Fix response to PING RESPONSE ACKs to a dead call", " - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", " - af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.", " - ppp_async: limit MRU to 64K", " - selftests: cmsg_ipv6: repeat the exact packet", " - netfilter: nft_compat: narrow down revision to unsigned 8-bits", " - netfilter: nft_compat: reject unused compat flag", " - netfilter: nft_compat: restrict match/target protocol to u16", " - drm/amd/display: Implement bounds check for stream encoder creation in", " DCN301", " - netfilter: nft_ct: reject direction for ct id", " - fs/ntfs3: Fix an NULL dereference bug", " - scsi: core: Move scsi_host_busy() out of host lock if it is for per-command", " - blk-iocost: Fix an UBSAN shift-out-of-bounds warning", " - ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision", " - ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter", " - ALSA: usb-audio: add quirk for RODE NT-USB+", " - USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e", " - USB: serial: option: add Fibocom FM101-GL variant", " - USB: serial: cp210x: add ID for IMST iM871A-USB", " - usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK", " - usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK", " - hrtimer: Report offline hrtimer enqueue", " - Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU", " - io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers", " - net: stmmac: xgmac: use #define for string constants", " - ALSA: usb-audio: Sort quirk table entries", " - net: stmmac: xgmac: fix a typo 
of register name in DPP safety handling", " - perf evlist: Fix evlist__new_default() for > 1 core PMU", " - cifs: avoid redundant calls to disable multichannel", " - rust: arc: add explicit `drop()` around `Box::from_raw()`", " - rust: task: remove redundant explicit link", " - rust: print: use explicit link in documentation", " - MAINTAINERS: add Catherine as xfs maintainer for 6.6.y", " - xfs: bump max fsgeom struct version", " - xfs: hoist freeing of rt data fork extent mappings", " - xfs: prevent rt growfs when quota is enabled", " - xfs: rt stubs should return negative errnos when rt disabled", " - xfs: fix units conversion error in xfs_bmap_del_extent_delay", " - xfs: make sure maxlen is still congruent with prod when rounding down", " - xfs: introduce protection for drop nlink", " - xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space", " - xfs: allow read IO and FICLONE to run concurrently", " - xfs: factor out xfs_defer_pending_abort", " - xfs: abort intent items when recovery intents fail", " - xfs: only remap the written blocks in xfs_reflink_end_cow_extent", " - xfs: up(ic_sema) if flushing data device fails", " - xfs: fix internal error from AGFL exhaustion", " - xfs: inode recovery does not validate the recovered inode", " - xfs: clean up dqblk extraction", " - xfs: dquot recovery does not validate the recovered dquot", " - xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags", " - xfs: respect the stable writes flag on the RT device", " - wifi: mac80211: fix RCU use in TDLS fast-xmit", " - wifi: iwlwifi: exit eSR only after the FW does", " - wifi: brcmfmac: Adjust n_channels usage for __counted_by", " - selftests/net: convert unicast_extensions.sh to run it in unique namespace", " - selftests/net: convert pmtu.sh to run it in unique namespace", " - selftests/net: change shebang to bash to support \"source\"", " - selftests: net: fix tcp listener handling in pmtu.sh", " - tsnep: Fix mapping for zero copy XDP_TX action", " 
- rxrpc: Fix generation of serial numbers to skip zero", " - rxrpc: Fix delayed ACKs to not set the reference serial number", " - rxrpc: Fix counting of new acks and nacks", " - selftests: net: let big_tcp test cope with slow env", " - drm/amd/display: Fix 'panel_cntl' could be null in", " 'dcn21_set_backlight_level()'", " - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'", " - riscv: Improve tlb_flush()", " - riscv: Make __flush_tlb_range() loop over pte instead of flushing the whole", " tlb", " - riscv: Improve flush_tlb_kernel_range()", " - mm: Introduce flush_cache_vmap_early()", " - riscv: mm: execute local TLB flush after populating vmemmap", " - riscv: Fix set_huge_pte_at() for NAPOT mapping", " - riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled", " - riscv: Flush the tlb when a page directory is freed", " - libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*()", " - libceph: just wait for more data to be available on the socket", " - riscv: Fix arch_hugetlb_migration_supported() for NAPOT", " - riscv: declare overflow_stack as exported from traps.c", " - Revert \"usb: typec: tcpm: fix cc role at port reset\"", " - x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups", " - xhci: process isoc TD properly when there was a transaction error mid TD.", " - xhci: handle isoc Babble and Buffer Overrun events properly", " - usb: dwc3: pci: add support for the Intel Arrow Lake-H", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - io_uring/poll: move poll execution helpers higher up", " - io_uring/net: un-indent mshot retry path in io_recv_finish()", " - io_uring/poll: add requeue return code from poll multishot handling", " - io_uring/net: limit inline multishot retries", " - Upstream stable to v6.1.78, v6.6.17", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) // The", " keyboard does not work after latest kernel update (LP: #2060727)", " - Input: atkbd - skip 
ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID", " * CVE-2024-26593", " - i2c: i801: Fix block process call transactions", " * Mantic update: upstream stable patchset 2024-03-26 (LP: #2059068)", " - selftests/bpf: tests for iterating callbacks", " * CVE-2024-26925", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) //", " CVE-2024-26809", " - netfilter: nft_set_pipapo: store index in scratch maps", " - netfilter: nft_set_pipapo: add helper to release pcpu scratch area", " - netfilter: nft_set_pipapo: remove scratch_aligned pointer", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "" ], "package": "linux-riscv-6.5", "version": "6.5.0-45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2071997, 1786013, 2071998, 2072006, 2068333, 1786013, 2068341, 1786013, 2061940, 2067883, 2049358, 2045560, 2063399, 2063529, 2046722, 2060904, 2063096, 2063067, 2040948, 2060727, 2057734, 2060422, 2058477, 2059263, 2042546, 2061814, 2061814, 2054487, 2061814, 2061814, 2061814, 2059991, 2059991, 2060727, 2059068, 2059991 ], "author": "Hannah Peuckmann ", "date": "Fri, 19 Jul 2024 13:18:49 +0200" } ], "notes": "linux-headers-6.5.0-45-generic version '6.5.0-45.45.1~22.04.1' (source package linux-riscv-6.5 version '6.5.0-45.45.1~22.04.1') was added. linux-headers-6.5.0-45-generic version '6.5.0-45.45.1~22.04.1' has the same source package name, linux-riscv-6.5, as removed package linux-headers-6.5.0-42-generic. 
As such we can use the source package version of the removed package, '6.5.0-42.42.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-6.5.0-45-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-45.45.1~22.04.1", "version": "6.5.0-45.45.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-25739", "url": "https://ubuntu.com/security/CVE-2024-25739", "cve_description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "cve_priority": "medium", "cve_public_date": "2024-02-12 03:15:00 UTC" }, { "cve": "CVE-2024-24857", "url": "https://ubuntu.com/security/CVE-2024-24857", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2024-24858", "url": "https://ubuntu.com/security/CVE-2024-24858", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. 
This can result in l2cap connection or broadcast abnormality issue, possibly leading to denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52880", "url": "https://ubuntu.com/security/CVE-2023-52880", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.", "cve_priority": "high", "cve_public_date": "2024-05-24 16:15:00 UTC" }, { "cve": "CVE-2024-26838", "url": "https://ubuntu.com/security/CVE-2024-26838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet KASAN testing revealed the following issue associated with freeing an IRQ. [50006.466686] Call Trace: [50006.466691] [50006.489538] dump_stack+0x5c/0x80 [50006.493475] print_address_description.constprop.6+0x1a/0x150 [50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644] kasan_report.cold.11+0x7f/0x118 [50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096] __do_softirq+0x1d0/0xaf8 [50006.555396] irq_exit_rcu+0x219/0x260 [50006.559670] irq_exit+0xa/0x20 [50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645] apic_timer_interrupt+0xf/0x20 [50006.573341] The issue is that a tasklet could be pending on another core racing the delete of the irq. 
Fix by insuring any scheduled tasklet is killed after deleting the irq.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. 
And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in the Linux kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. 
It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26803", "url": "https://ubuntu.com/security/CVE-2024-26803", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. 
If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26790", "url": "https://ubuntu.com/security/CVE-2024-26790", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26890", "url": "https://ubuntu.com/security/CVE-2024-26890", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. 
================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 
kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 ==================================================================", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26802", "url": "https://ubuntu.com/security/CVE-2024-26802", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. 
Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26798", "url": "https://ubuntu.com/security/CVE-2024-26798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the \"system\"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. 
if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). 
To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 
entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could be some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 
cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy 
address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); The driver appends an additional zero packet request when queuing a packet whose length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this request. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. 
Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26789", "url": "https://ubuntu.com/security/CVE-2024-26789", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26734", "url": "https://ubuntu.com/security/CVE-2024-26734", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. 
Make an unregister in case of unsuccessful registration.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26694", "url": "https://ubuntu.com/security/CVE-2024-26694", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26710", "url": "https://ubuntu.com/security/CVE-2024-26710", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with KASAN\"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. 
So only increase the stack for KASAN if the stack size is < 32KB.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26593", "url": "https://ubuntu.com/security/CVE-2024-26593", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. 
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.", "cve_priority": "medium", "cve_public_date": "2024-02-23 10:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. 
This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case it's possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid unneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. 
According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2071997, 1786013, 2071998, 2072006, 2068333, 1786013, 2068341, 1786013, 2061940, 2067883, 2049358, 2045560, 2063399, 2063529, 2046722, 2060904, 2063096, 2063067, 2040948, 2060727, 2057734, 2060422, 2058477, 2059263, 2042546, 2061814, 2061814, 2054487, 2061814, 2061814, 2061814, 2059991, 2059991, 2060727, 2059068, 2059991 ], "changes": [ { "cves": [ { "cve": "CVE-2024-25739", "url": "https://ubuntu.com/security/CVE-2024-25739", "cve_description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "cve_priority": "medium", "cve_public_date": "2024-02-12 03:15:00 UTC" }, { "cve": "CVE-2024-24857", "url": "https://ubuntu.com/security/CVE-2024-24857", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2024-24858", "url": "https://ubuntu.com/security/CVE-2024-24858", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. 
This can result in L2CAP connection or broadcast abnormality issue, possibly leading to denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52880", "url": "https://ubuntu.com/security/CVE-2023-52880", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.", "cve_priority": "high", "cve_public_date": "2024-05-24 16:15:00 UTC" }, { "cve": "CVE-2024-26838", "url": "https://ubuntu.com/security/CVE-2024-26838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet KASAN testing revealed the following issue associated with freeing an IRQ. [50006.466686] Call Trace: [50006.466691] [50006.489538] dump_stack+0x5c/0x80 [50006.493475] print_address_description.constprop.6+0x1a/0x150 [50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644] kasan_report.cold.11+0x7f/0x118 [50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096] __do_softirq+0x1d0/0xaf8 [50006.555396] irq_exit_rcu+0x219/0x260 [50006.559670] irq_exit+0xa/0x20 [50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645] apic_timer_interrupt+0xf/0x20 [50006.573341] The issue is that a tasklet could be pending on another core racing the delete of the irq. 
Fix by insuring any scheduled tasklet is killed after deleting the irq.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. 
And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. 
It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26803", "url": "https://ubuntu.com/security/CVE-2024-26803", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. 
If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26790", "url": "https://ubuntu.com/security/CVE-2024-26790", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26890", "url": "https://ubuntu.com/security/CVE-2024-26890", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. 
================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 
kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 ==================================================================", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26802", "url": "https://ubuntu.com/security/CVE-2024-26802", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. 
Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26798", "url": "https://ubuntu.com/security/CVE-2024-26798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the \"system\"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. 
if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). 
To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 
entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could be some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free the same anonymous device number again, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 
cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy 
address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); The driver appends an additional zero-length packet request when queuing a packet whose length mod max packet size is 0. When the transfer completes, execution reaches line 831 and usb_gadget_giveback_request() frees this request. The condition at line 836 is then true, so cdns3_gadget_ep_free_request() frees this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add a check at line 829 to skip calling usb_gadget_giveback_request() if it is the additional zero-length packet request. 
Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26789", "url": "https://ubuntu.com/security/CVE-2024-26789", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26734", "url": "https://ubuntu.com/security/CVE-2024-26734", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. 
Make an unregister in case of unsuccessful registration.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26694", "url": "https://ubuntu.com/security/CVE-2024-26694", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26710", "url": "https://ubuntu.com/security/CVE-2024-26710", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with KASAN\"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. 
So only increase the stack for KASAN if the stack size is < 32KB.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26593", "url": "https://ubuntu.com/security/CVE-2024-26593", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. 
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.", "cve_priority": "medium", "cve_public_date": "2024-02-23 10:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. 
This can happen if we insert an element into a set when the set already holds an element with the same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such a case it's possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid unneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. 
According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.5: 6.5.0-45.45.1~22.04.1 -proposed tracker", " (LP: #2071997)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.riscv-6.5/dkms-versions -- update from kernel-versions", " (main/s2024.06.10)", "", " [ Ubuntu: 6.5.0-45.45.1 ]", "", " * mantic/linux-riscv: 6.5.0-45.45.1 -proposed tracker (LP: #2071998)", " * mantic/linux: 6.5.0-45.45 -proposed tracker (LP: #2072006)", " * CVE-2024-25739", " - ubi: Check for too small LEB size in VTBL code", " * CVE-2024-24857 // CVE-2024-24858", " - Bluetooth: Fix TOCTOU in HCI debugfs implementation", "", " [ Ubuntu: 6.5.0-44.44.1 ]", "", " * mantic/linux-riscv: 6.5.0-44.44.1 -proposed tracker (LP: #2068333)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions", " (main/2024.06.10)", " * Miscellaneous Ubuntu changes", " - Revert \"riscv: Fix set_huge_pte_at() for NAPOT mapping\"", " * mantic/linux: 6.5.0-44.44 -proposed tracker (LP: #2068341)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.06.10)", " * Some DUTs can't boot up after installing the proposed kernel on Mantic", " (LP: #2061940)", " - SAUCE: Revert \"x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat", " section\"", " - SAUCE: Revert \"x86/boot: Increase section and file alignment to 4k/512\"", " - SAUCE: Revert \"x86/boot: Split off PE/COFF .data section\"", " - SAUCE: Revert \"x86/boot: Drop PE/COFF .reloc section\"", " - SAUCE: Revert \"x86/boot: Construct PE/COFF .text section from assembler\"", " - SAUCE: Revert \"x86/boot: Derive file size from _edata symbol\"", " 
- SAUCE: Revert \"x86/boot: Define setup size in linker script\"", " - SAUCE: Revert \"x86/boot: Set EFI handover offset directly in header asm\"", " - SAUCE: Revert \"x86/boot: Grab kernel_info offset from zoffset header", " directly\"", " - SAUCE: Revert \"x86/boot: Drop redundant code setting the root device\"", " - SAUCE: Revert \"x86/boot: Drop references to startup_64\"", " - SAUCE: Revert \"x86/boot: Omit compression buffer from PE/COFF image memory", " footprint\"", " - SAUCE: Revert \"x86/boot: Remove the 'bugger off' message\"", " - SAUCE: Revert \"x86/efi: Drop alignment flags from PE section headers\"", " - SAUCE: Revert \"x86/efi: Drop EFI stub .bss from .data section\"", " * CVE-2023-52880", " - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc", " * i915 cannot probe successfully on HP ZBook Power 16 G11 (LP: #2067883)", " - drm/i915/mtl: Remove the 'force_probe' requirement for Meteor Lake", " * CVE-2024-26838", " - RDMA/irdma: Fix KASAN issue with tasklet", " * mtk_t7xx WWAN module fails to probe with: Invalid device status 0x1", " (LP: #2049358)", " - Revert \"UBUNTU: SAUCE: net: wwan: t7xx: PCIe reset rescan\"", " - Revert \"UBUNTU: SAUCE: net: wwan: t7xx: Add AP CLDMA\"", " - net: wwan: t7xx: Add AP CLDMA", " - wwan: core: Add WWAN fastboot port type", " - net: wwan: t7xx: Add sysfs attribute for device state machine", " - net: wwan: t7xx: Infrastructure for early port configuration", " - net: wwan: t7xx: Add fastboot WWAN port", " * TCP memory leak, slow network (arm64) (LP: #2045560)", " - net: make SK_MEMORY_PCPU_RESERV tunable", " - net: fix sk_memory_allocated_{add|sub} vs softirqs", " * CVE-2024-26923", " - af_unix: Do not use atomic ops for unix_sk(sk)->inflight.", " - af_unix: Fix garbage collector racing against connect()", " * Add support for Quectel EM160R-GL modem [1eac:100d] (LP: #2063399)", " - Add support for Quectel EM160R-GL modem", " * Add support for Quectel RM520N-GL modem [1eac:1007] (LP: #2063529)", " - Add 
support for Quectel RM520N-GL modem", " - Add support for Quectel RM520N-GL modem", " * [SRU][22.04.4]: megaraid_sas: Critical Bug Fixes (LP: #2046722)", " - scsi: megaraid_sas: Log message when controller reset is requested but not", " issued", " - scsi: megaraid_sas: Driver version update to 07.727.03.00-rc1", " * Fix the RTL8852CE BT FW Crash based on SER false alarm (LP: #2060904)", " - wifi: rtw89: disable txptctrl IMR to avoid flase alarm", " - wifi: rtw89: pci: correct TX resource checking for PCI DMA channel of", " firmware command", " * CVE-2024-23307", " - md/raid5: fix atomicity violation in raid5_cache_count", " * CVE-2024-26889", " - Bluetooth: hci_core: Fix possible buffer overflow", " * CVE-2024-24861", " - media: xc4000: Fix atomicity violation in xc4000_get_frequency", " * CVE-2023-6270", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", " * CVE-2024-26642", " - netfilter: nf_tables: disallow anonymous set with timeout flag", " * CVE-2024-26926", " - binder: check offset alignment in binder_get_object()", " * CVE-2024-26922", " - drm/amdgpu: validate the parameters of bo mapping operations more clearly", " * CVE-2024-26803", " - net: veth: clear GRO when clearing XDP even when down", " * CVE-2024-26790", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " * CVE-2024-26890", " - Bluetooth: hci_h5: Add ability to allocate memory for private data", " - Bluetooth: btrtl: fix out of bounds memory access", " * CVE-2024-26802", " - stmmac: Clear variable when destroying workqueue", " * CVE-2024-26798", " - fbcon: always restore the old font data in fbcon_do_set_font()", " * RTL8852BE fw security fail then lost WIFI function during suspend/resume", " cycle (LP: #2063096)", " - wifi: rtw89: download firmware with five times retry", " * Fix bluetooth connections with 3.0 device (LP: #2063067)", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", " * USB stick can't be detected (LP: #2040948)", " - usb: 
Disable USB3 LPM at shutdown", " * CVE-2024-26733", " - arp: Prevent overflow in arp_req_get().", " * CVE-2024-26736", " - afs: Increase buffer size in afs_update_volume_status()", " * CVE-2024-26792", " - btrfs: fix double free of anonymous device after snapshot creation failure", " * CVE-2024-26782", " - mptcp: fix double-free on socket dismantle", " * CVE-2024-26748", " - usb: cdns3: fix memory double free when handle zero packet", " * CVE-2024-26735", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", " * CVE-2024-26789", " - crypto: arm64/neonbs - fix out-of-bounds access on short input", " * CVE-2024-26734", " - devlink: fix possible use-after-free and memory leaks in devlink_init()", " * The keyboard does not work after latest kernel update (LP: #2060727)", " - Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID", " * proc_sched_rt01 from ubuntu_ltp failed (LP: #2057734)", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " * Avoid creating non-working backlight sysfs knob from ASUS board", " (LP: #2060422)", " - platform/x86: asus-wmi: Consider device is absent when the read is ~0", " * [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. 
(LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", " * Fix acpi_power_meter accessing IPMI region before it's ready (LP: #2059263)", " - ACPI: IPMI: Add helper to wait for when SMI is selected", " - hwmon: (acpi_power_meter) Ensure IPMI space handler is ready on Dell systems", " * Include cifs.ko in linux-modules package (LP: #2042546)", " - [Packaging] Replace fs/cifs with fs/smb/client in inclusion list", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814)", " - btrfs: add and use helper to check if block group is used", " - btrfs: do not delete unused block group if it may be used soon", " - btrfs: forbid creating subvol qgroups", " - btrfs: forbid deleting live subvol qgroup", " - btrfs: send: return EOPNOTSUPP on unknown flags", " - btrfs: don't reserve space for checksums when writing to nocow files", " - btrfs: reject encoded write if inode has nodatasum flag set", " - btrfs: don't drop extent_map for free space inode on write error", " - driver core: Fix device_link_flag_is_sync_state_only()", " - of: unittest: Fix compile in the non-dynamic case", " - KVM: selftests: Fix a semaphore imbalance in the dirty ring logging test", " - wifi: iwlwifi: Fix some error codes", " - wifi: iwlwifi: uninitialized variable in iwl_acpi_get_ppag_table()", " - of: property: Improve finding the supplier of a remote-endpoint property", " - net: openvswitch: limit the number of recursions from action sets", " - lan966x: Fix crash when adding interface under a lag", " - spi: ppc4xx: Drop write-only variable", " - ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", " - net: sysfs: Fix /sys/class/net/ path for statistics", " - nouveau/svm: fix kvcalloc() argument order", " - MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler", " - i40e: Do not allow untrusted VF to remove administratively set MAC", " - i40e: Fix waiting for queues of all VSIs to be disabled", " - scs: add CONFIG_MMU dependency for 
vfree_atomic()", " - tracing/trigger: Fix to return error if failed to alloc snapshot", " - mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", " - scsi: storvsc: Fix ring buffer size calculation", " - dm-crypt, dm-verity: disable tasklets", " - ASoC: amd: yc: Add DMI quirk for MSI Bravo 15 C7VF", " - parisc: Prevent hung tasks when printing inventory on serial console", " - ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift", " 1 SF114-32", " - ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx", " - HID: i2c-hid-of: fix NULL-deref on failed power up", " - HID: wacom: generic: Avoid reporting a serial of '0' to userspace", " - HID: wacom: Do not register input devices until after hid_hw_start", " - iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP", " - usb: ucsi: Add missing ppm_lock", " - usb: ulpi: Fix debugfs directory leak", " - usb: ucsi_acpi: Fix command completion handling", " - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT", " - usb: f_mass_storage: forbid async queue when shutdown happen", " - usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend", " - interconnect: qcom: sc8180x: Mark CO0 BCM keepalive", " - media: ir_toy: fix a memleak in irtoy_tx", " - driver core: fw_devlink: Improve detection of overlapping cycles", " - cifs: fix underflow in parse_server_interfaces()", " - i2c: qcom-geni: Correct I2C TRE sequence", " - irqchip/loongson-eiointc: Use correct struct type in eiointc_domain_alloc()", " - i2c: pasemi: split driver into two separate modules", " - modpost: trim leading spaces when processing source files list", " - mptcp: get rid of msk->subflow", " - mptcp: fix data re-injection from stale subflow", " - selftests: mptcp: add missing kconfig for NF Filter", " - selftests: mptcp: add missing kconfig for NF Filter in v6", " - selftests: mptcp: add missing kconfig for NF Mangle", " - selftests: mptcp: increase timeout to 30 min", " - 
mptcp: drop the push_pending field", " - mptcp: check addrs list in userspace_pm_get_local_id", " - scsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"", " - Revert \"drm/amd: flush any delayed gfxoff on suspend entry\"", " - drm/virtio: Set segment size for virtio_gpu device", " - lsm: fix the logic in security_inode_getsecctx()", " - firewire: core: correct documentation of fw_csr_string() kernel API", " - ALSA: hda/realtek: Apply headset jack quirk for non-bass alc287 thinkpads", " - kbuild: Fix changing ELF file type for output of gen_btf for big endian", " - nfc: nci: free rx_data_reassembly skb on NCI device cleanup", " - net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()", " - net: stmmac: do not clear TBS enable bit on link up/down", " - xen-netback: properly sync TX responses", " - modpost: Don't let \"driver\"s reference .exit.*", " - linux/init: remove __memexit* annotations", " - um: Fix adding '-no-pie' for clang", " - modpost: Add '.ltext' and '.ltext.*' to TEXT_SECTIONS", " - ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL", " - ASoC: codecs: wcd938x: handle deferred probe", " - ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power", " - binder: signal epoll threads of self-work", " - misc: fastrpc: Mark all sessions as invalid in cb_remove", " - ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()", " - tracing: Fix wasted memory in saved_cmdlines logic", " - staging: iio: ad5933: fix type mismatch regression", " - iio: magnetometer: rm3100: add boundary check for the value read from", " RM3100_REG_TMRC", " - iio: core: fix memleak in iio_device_register_sysfs", " - iio: commom: st_sensors: ensure proper DMA alignment", " - iio: accel: bma400: Fix a compilation problem", " - iio: adc: ad_sigma_delta: ensure proper DMA alignment", " - iio: imu: adis: ensure proper DMA alignment", " - iio: imu: bno055: serdev requires REGMAP", " - media: rc: bpf attach/detach requires write permission", " - 
ksmbd: free aux buffer if ksmbd_iov_pin_rsp_read fails", " - drm/msm: Wire up tlb ops", " - drm/prime: Support page array >= 4GB", " - drm/amd/display: Increase frame-larger-than for all display_mode_vba files", " - drm/amd/display: Preserve original aspect ratio in create stream", " - hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove", " - ring-buffer: Clean ring_buffer_poll_wait() error return", " - nfp: flower: fix hardware offload for the transfer layer port", " - serial: max310x: set default value when reading clock ready bit", " - serial: max310x: improve crystal stable clock detection", " - serial: max310x: fail probe if clock crystal is unstable", " - serial: max310x: prevent infinite while() loop in port startup", " - powerpc/64: Set task pt_regs->link to the LR value on scv entry", " - powerpc/cputable: Add missing PPC_FEATURE_BOOKE on PPC64 Book-E", " - powerpc/pseries: fix accuracy of stolen time", " - x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6", " - x86/fpu: Stop relying on userspace for info to fault in xsave buffer", " - KVM: x86/pmu: Fix type length error when reading pmu->fixed_ctr_ctrl", " - x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", " - io_uring/net: fix multishot accept overflow handling", " - mmc: slot-gpio: Allow non-sleeping GPIO ro", " - ALSA: hda/realtek: fix mute/micmute LED For HP mt645", " - ALSA: hda/conexant: Add quirk for SWS JS201D", " - nilfs2: fix data corruption in dsync block recovery for small block sizes", " - nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", " - crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked", " - nfp: use correct macro for LengthSelect in BAR config", " - nfp: flower: prevent re-adding mac index for bonded port", " - wifi: cfg80211: fix wiphy delayed work queueing", " - wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()", " - irqchip/irq-brcmstb-l2: Add write memory barrier before exit", " - 
irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update", " - zonefs: Improve error handling", " - mmc: sdhci-pci-o2micro: Fix a warm reboot issue that disk can't be detected", " by BIOS", " - ASoC: amd: yc: Add DMI quirk for Lenovo Ideapad Pro 5 16ARP8", " - tools/rtla: Remove unused sched_getattr() function", " - tools/rtla: Replace setting prio with nice for SCHED_OTHER", " - tools/rtla: Exit with EXIT_SUCCESS when help is invoked", " - tools/rtla: Fix uninitialized bucket/data->bucket_size warning", " - tools/rtla: Fix Makefile compiler options for clang", " - fs: relax mount_setattr() permission checks", " - net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio", " - s390/qeth: Fix potential loss of L3-IP@ in case of network issues", " - net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - ceph: prevent use-after-free in encode_cap_msg()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE", " - of: property: fix typo in io-channels", " - can: netlink: Fix TDCO calculation using the old data bittiming", " - can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock", " - can: j1939: Fix UAF in j1939_sk_match_filter during", " setsockopt(SO_J1939_FILTER)", " - pmdomain: core: Move the unused cleanup to a _sync initcall", " - fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - tracing: Inform kmemleak of saved_cmdlines allocation", " - selftests/mm: ksm_tests should only MADV_HUGEPAGE valid memory", " - selftests/mm: Update va_high_addr_switch.sh to check CPU for la57 flag", " - md: bypass block throttle for superblock update", " - block: fix partial zone append completion handling in req_bio_endio()", " - netfilter: ipset: Missing gc cancellations fixed", " - parisc: Fix random data corruption from exception handler", " - 
nfsd: don't take fi_lock in nfsd_break_deleg_cb()", " - sched/membarrier: reduce the ability to hammer on sys_membarrier", " - of: property: Add in-ports/out-ports support to of_graph_get_port_parent()", " - nilfs2: fix potential bug in end_buffer_async_write", " - arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata", " - work around gcc bugs with 'asm goto' with outputs", " - [Config] updateconfigs for GCC_ASM_GOTO_OUTPUT_WORKAROUND", " - update workarounds for gcc \"asm goto\" issue", " - selftests/landlock: Fix fs_test build with old libc", " - KVM: selftests: Delete superfluous, unused \"stage\" variable in AMX test", " - KVM: selftests: Avoid infinite loop in hyperv_features when invtsc is", " missing", " - drm/msm/gem: Fix double resv lock aquire", " - ASoC: SOF: ipc3-topology: Fix pipeline tear down logic", " - net/handshake: Fix handshake_req_destroy_test1", " - bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY", " - devlink: Fix command annotation documentation", " - of: property: Improve finding the consumer of a remote-endpoint property", " - perf: CXL: fix mismatched cpmu event opcode", " - selftests: forwarding: Fix layer 2 miss test flakiness", " - selftests: forwarding: Fix bridge MDB test flakiness", " - selftests: bridge_mdb: Use MDB get instead of dump", " - selftests: forwarding: Suppress grep warnings", " - ptrace: Introduce exception_ip arch hook", " - mm/memory: Use exception ip to search exception tables", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - selftests/mm: switch to bash from sh", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - nouveau: offload fence uevents work to workqueue", " - HID: bpf: remove double fdget()", " - HID: bpf: actually free hdev memory after attaching a HID-BPF program", " - usb: chipidea: core: handle power lost in workqueue", " - usb: core: Prevent null pointer dereference in update_port_device_state", " - interconnect: qcom: sm8550: Enable 
sync_state", " - powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add", " - powerpc/6xx: set High BAT Enable flag on G2_LE cores", " - iio: adc: ad4130: zero-initialize clock init data", " - iio: adc: ad4130: only set GPIO_CTRL if pin is unused", " - irqchip/gic-v3-its: Handle non-coherent GICv4 redistributors", " - kallsyms: ignore ARMv4 thunks along with others", " - selftests: mptcp: add mptcp_lib_kill_wait", " - mptcp: fix rcv space initialization", " - mptcp: really cope with fastopen race", " - Revert \"powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add\"", " - drm/amd: Don't init MEC2 firmware when it fails to load", " - usb: typec: tpcm: Fix issues with power being removed during reset", " - tracing/timerlat: Move hrtimer_init to timerlat_fd open()", " - tracing/synthetic: Fix trace_string() return value", " - tracing/probes: Fix to show a parse error for bad type for $comm", " - tracing/probes: Fix to set arg size and fmt after setting type from BTF", " - Revert \"workqueue: Override implicit ordered attribute in", " workqueue_apply_unbound_cpumask()\"", " - iio: pressure: bmp280: Add missing bmp085 to SPI id table", " - pmdomain: mediatek: fix race conditions with genpd", " - drm/amd/display: Add align done check", " - drm/amdgpu/soc21: update VCN 4 max HEVC encoding resolution", " - drm/amd/display: Fix MST Null Ptr for RV", " - net: dsa: mv88e6xxx: Fix failed probe due to unsupported C45 reads", " - nfp: flower: add hardware offload check for post ct entry", " - ftrace: Fix DIRECT_CALLS to use SAVE_REGS by default", " - serial: core: introduce uart_port_tx_flags()", " - serial: mxs-auart: fix tx", " - KVM: x86: make KVM_REQ_NMI request iff NMI pending for vcpu", " - crypto: algif_hash - Remove bogus SGL free on zero-length error path", " - nfp: enable NETDEV_XDP_ACT_REDIRECT feature flag", " - wifi: iwlwifi: mvm: fix a crash when we run out of stations", " - thunderbolt: Fix setting the CNS bit in ROUTER_CS_5", " - smb: client: 
set correct id, uid and cruid for multiuser automounts", " - KVM: arm64: Fix circular locking dependency", " - arm64/signal: Don't assume that TIF_SVE means we saved SVE state", " - ASoC: SOF: IPC3: fix message bounds on ipc ops", " - tools/rv: Fix curr_reactor uninitialized variable", " - tools/rv: Fix Makefile compiler options for clang", " - tools/rtla: Fix clang warning about mount_point var size", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - blk-wbt: Fix detection of dirty-throttled tasks", " - docs: kernel_feat.py: fix build error for missing files", " - tracing: Fix HAVE_DYNAMIC_FTRACE_WITH_REGS ifdef", " - netfilter: ipset: fix performance regression in swap operation", " - tracefs: Check for dentry->d_inode exists in set_gid()", " - x86/efi: Drop EFI stub .bss from .data section", " - x86/efi: Drop alignment flags from PE section headers", " - x86/boot: Remove the 'bugger off' message", " - x86/boot: Omit compression buffer from PE/COFF image memory footprint", " - x86/boot: Drop redundant code setting the root device", " - x86/boot: Drop references to startup_64", " - x86/boot: Grab kernel_info offset from zoffset header directly", " - x86/boot: Set EFI handover offset directly in header asm", " - x86/boot: Define setup size in linker script", " - x86/boot: Derive file size from _edata symbol", " - x86/boot: Construct PE/COFF .text section from assembler", " - x86/boot: Drop PE/COFF .reloc section", " - x86/boot: Split off PE/COFF .data section", " - x86/boot: Increase section and file alignment to 4k/512", " - x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section", " - x86/barrier: Do not serialize MSR accesses on AMD", " - Documentation/arch/ia64/features.rst: fix kernel-feat directive", " - Upstream stable to v6.1.79, v6.6.18", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26694", " - wifi: iwlwifi: fix double-free bug", " * There is sound from the speakers and headphones at 
the same time on Oasis 14", " and 16 platforms (LP: #2054487) // Mantic update: upstream stable patchset", " 2024-04-16 (LP: #2061814)", " - ALSA: hda/realtek - Add speaker pin verbtable for Dell dual speaker platform", " - ALSA: hda/realtek: add IDs for Dell dual spk platform", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26710", " - powerpc/kasan: Limit KASAN thread size increase to 32KB", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26712", " - powerpc/kasan: Fix addr error caused by page alignment", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991)", " - ext4: regenerate buddy after block freeing failed if under fc replay", " - dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools", " - dmaengine: ti: k3-udma: Report short packet errors", " - dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA", " - dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA", " - phy: renesas: rcar-gen3-usb2: Fix returning wrong error code", " - dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV", " - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", " - cifs: failure to add channel on iface should bump up weight", " - drm/msms/dp: fixed link clock divider bits be over written in BPC unknown", " case", " - drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case", " - drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup", " - net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", " - wifi: mac80211: fix waiting for beacons logic", " - netdevsim: avoid potential loop in nsim_dev_trap_report_work()", " - net: atlantic: Fix DMA mapping for PTP hwts ring", " - selftests: net: cut more slack for gro fwd tests.", " - selftests: net: avoid just another constant wait", " - tunnels: fix out of bounds access when building IPv6 PMTU error", " - atm: idt77252: fix a memleak in 
open_card_ubr0", " - octeontx2-pf: Fix a memleak otx2_sq_init", " - hwmon: (aspeed-pwm-tacho) mutex for tach reading", " - hwmon: (coretemp) Fix out-of-bounds memory access", " - hwmon: (coretemp) Fix bogus core_id to attr name mapping", " - inet: read sk->sk_family once in inet_recv_error()", " - drm/i915/gvt: Fix uninitialized variable in handle_mmio()", " - rxrpc: Fix response to PING RESPONSE ACKs to a dead call", " - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", " - af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.", " - ppp_async: limit MRU to 64K", " - selftests: cmsg_ipv6: repeat the exact packet", " - netfilter: nft_compat: narrow down revision to unsigned 8-bits", " - netfilter: nft_compat: reject unused compat flag", " - netfilter: nft_compat: restrict match/target protocol to u16", " - drm/amd/display: Implement bounds check for stream encoder creation in", " DCN301", " - netfilter: nft_ct: reject direction for ct id", " - fs/ntfs3: Fix an NULL dereference bug", " - scsi: core: Move scsi_host_busy() out of host lock if it is for per-command", " - blk-iocost: Fix an UBSAN shift-out-of-bounds warning", " - ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision", " - ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter", " - ALSA: usb-audio: add quirk for RODE NT-USB+", " - USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e", " - USB: serial: option: add Fibocom FM101-GL variant", " - USB: serial: cp210x: add ID for IMST iM871A-USB", " - usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK", " - usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK", " - hrtimer: Report offline hrtimer enqueue", " - Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU", " - io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers", " - net: stmmac: xgmac: use #define for string constants", " - ALSA: usb-audio: Sort quirk table entries", " - net: stmmac: xgmac: fix a typo 
of register name in DPP safety handling", " - perf evlist: Fix evlist__new_default() for > 1 core PMU", " - cifs: avoid redundant calls to disable multichannel", " - rust: arc: add explicit `drop()` around `Box::from_raw()`", " - rust: task: remove redundant explicit link", " - rust: print: use explicit link in documentation", " - MAINTAINERS: add Catherine as xfs maintainer for 6.6.y", " - xfs: bump max fsgeom struct version", " - xfs: hoist freeing of rt data fork extent mappings", " - xfs: prevent rt growfs when quota is enabled", " - xfs: rt stubs should return negative errnos when rt disabled", " - xfs: fix units conversion error in xfs_bmap_del_extent_delay", " - xfs: make sure maxlen is still congruent with prod when rounding down", " - xfs: introduce protection for drop nlink", " - xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space", " - xfs: allow read IO and FICLONE to run concurrently", " - xfs: factor out xfs_defer_pending_abort", " - xfs: abort intent items when recovery intents fail", " - xfs: only remap the written blocks in xfs_reflink_end_cow_extent", " - xfs: up(ic_sema) if flushing data device fails", " - xfs: fix internal error from AGFL exhaustion", " - xfs: inode recovery does not validate the recovered inode", " - xfs: clean up dqblk extraction", " - xfs: dquot recovery does not validate the recovered dquot", " - xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags", " - xfs: respect the stable writes flag on the RT device", " - wifi: mac80211: fix RCU use in TDLS fast-xmit", " - wifi: iwlwifi: exit eSR only after the FW does", " - wifi: brcmfmac: Adjust n_channels usage for __counted_by", " - selftests/net: convert unicast_extensions.sh to run it in unique namespace", " - selftests/net: convert pmtu.sh to run it in unique namespace", " - selftests/net: change shebang to bash to support \"source\"", " - selftests: net: fix tcp listener handling in pmtu.sh", " - tsnep: Fix mapping for zero copy XDP_TX action", " 
- rxrpc: Fix generation of serial numbers to skip zero", " - rxrpc: Fix delayed ACKs to not set the reference serial number", " - rxrpc: Fix counting of new acks and nacks", " - selftests: net: let big_tcp test cope with slow env", " - drm/amd/display: Fix 'panel_cntl' could be null in", " 'dcn21_set_backlight_level()'", " - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'", " - riscv: Improve tlb_flush()", " - riscv: Make __flush_tlb_range() loop over pte instead of flushing the whole", " tlb", " - riscv: Improve flush_tlb_kernel_range()", " - mm: Introduce flush_cache_vmap_early()", " - riscv: mm: execute local TLB flush after populating vmemmap", " - riscv: Fix set_huge_pte_at() for NAPOT mapping", " - riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled", " - riscv: Flush the tlb when a page directory is freed", " - libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*()", " - libceph: just wait for more data to be available on the socket", " - riscv: Fix arch_hugetlb_migration_supported() for NAPOT", " - riscv: declare overflow_stack as exported from traps.c", " - Revert \"usb: typec: tcpm: fix cc role at port reset\"", " - x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups", " - xhci: process isoc TD properly when there was a transaction error mid TD.", " - xhci: handle isoc Babble and Buffer Overrun events properly", " - usb: dwc3: pci: add support for the Intel Arrow Lake-H", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - io_uring/poll: move poll execution helpers higher up", " - io_uring/net: un-indent mshot retry path in io_recv_finish()", " - io_uring/poll: add requeue return code from poll multishot handling", " - io_uring/net: limit inline multishot retries", " - Upstream stable to v6.1.78, v6.6.17", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) // The", " keyboard does not work after latest kernel update (LP: #2060727)", " - Input: atkbd - skip 
ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID", " * CVE-2024-26593", " - i2c: i801: Fix block process call transactions", " * Mantic update: upstream stable patchset 2024-03-26 (LP: #2059068)", " - selftests/bpf: tests for iterating callbacks", " * CVE-2024-26925", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) //", " CVE-2024-26809", " - netfilter: nft_set_pipapo: store index in scratch maps", " - netfilter: nft_set_pipapo: add helper to release pcpu scratch area", " - netfilter: nft_set_pipapo: remove scratch_aligned pointer", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "" ], "package": "linux-riscv-6.5", "version": "6.5.0-45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2071997, 1786013, 2071998, 2072006, 2068333, 1786013, 2068341, 1786013, 2061940, 2067883, 2049358, 2045560, 2063399, 2063529, 2046722, 2060904, 2063096, 2063067, 2040948, 2060727, 2057734, 2060422, 2058477, 2059263, 2042546, 2061814, 2061814, 2054487, 2061814, 2061814, 2061814, 2059991, 2059991, 2060727, 2059068, 2059991 ], "author": "Hannah Peuckmann ", "date": "Fri, 19 Jul 2024 13:18:49 +0200" } ], "notes": "linux-image-6.5.0-45-generic version '6.5.0-45.45.1~22.04.1' (source package linux-riscv-6.5 version '6.5.0-45.45.1~22.04.1') was added. linux-image-6.5.0-45-generic version '6.5.0-45.45.1~22.04.1' has the same source package name, linux-riscv-6.5, as removed package linux-headers-6.5.0-42-generic. 
As such we can use the source package version of the removed package, '6.5.0-42.42.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-6.5.0-45-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-45.45.1~22.04.1", "version": "6.5.0-45.45.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-25739", "url": "https://ubuntu.com/security/CVE-2024-25739", "cve_description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "cve_priority": "medium", "cve_public_date": "2024-02-12 03:15:00 UTC" }, { "cve": "CVE-2024-24857", "url": "https://ubuntu.com/security/CVE-2024-24857", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2024-24858", "url": "https://ubuntu.com/security/CVE-2024-24858", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. 
This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52880", "url": "https://ubuntu.com/security/CVE-2023-52880", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.", "cve_priority": "high", "cve_public_date": "2024-05-24 16:15:00 UTC" }, { "cve": "CVE-2024-26838", "url": "https://ubuntu.com/security/CVE-2024-26838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet KASAN testing revealed the following issue assocated with freeing an IRQ. [50006.466686] Call Trace: [50006.466691] [50006.489538] dump_stack+0x5c/0x80 [50006.493475] print_address_description.constprop.6+0x1a/0x150 [50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644] kasan_report.cold.11+0x7f/0x118 [50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096] __do_softirq+0x1d0/0xaf8 [50006.555396] irq_exit_rcu+0x219/0x260 [50006.559670] irq_exit+0xa/0x20 [50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645] apic_timer_interrupt+0xf/0x20 [50006.573341] The issue is that a tasklet could be pending on another core racing the delete of the irq. 
Fix by insuring any scheduled tasklet is killed after deleting the irq.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. 
And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. 
It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26803", "url": "https://ubuntu.com/security/CVE-2024-26803", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. 
If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26790", "url": "https://ubuntu.com/security/CVE-2024-26790", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26890", "url": "https://ubuntu.com/security/CVE-2024-26890", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. 
================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 
kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 ==================================================================", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26802", "url": "https://ubuntu.com/security/CVE-2024-26802", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. 
Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26798", "url": "https://ubuntu.com/security/CVE-2024-26798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the \"system\"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. 
if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). 
To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 
entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 
cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy 
address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. 
Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26789", "url": "https://ubuntu.com/security/CVE-2024-26789", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26734", "url": "https://ubuntu.com/security/CVE-2024-26734", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. 
Make an unregister in case of unsuccessful registration.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26694", "url": "https://ubuntu.com/security/CVE-2024-26694", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26710", "url": "https://ubuntu.com/security/CVE-2024-26710", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with KASAN\"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. 
So only increase the stack for KASAN if the stack size is < 32KB.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26593", "url": "https://ubuntu.com/security/CVE-2024-26593", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. 
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.", "cve_priority": "medium", "cve_public_date": "2024-02-23 10:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. 
This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. 
According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2071997, 1786013, 2071998, 2072006, 2068333, 1786013, 2068341, 1786013, 2061940, 2067883, 2049358, 2045560, 2063399, 2063529, 2046722, 2060904, 2063096, 2063067, 2040948, 2060727, 2057734, 2060422, 2058477, 2059263, 2042546, 2061814, 2061814, 2054487, 2061814, 2061814, 2061814, 2059991, 2059991, 2060727, 2059068, 2059991 ], "changes": [ { "cves": [ { "cve": "CVE-2024-25739", "url": "https://ubuntu.com/security/CVE-2024-25739", "cve_description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "cve_priority": "medium", "cve_public_date": "2024-02-12 03:15:00 UTC" }, { "cve": "CVE-2024-24857", "url": "https://ubuntu.com/security/CVE-2024-24857", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2024-24858", "url": "https://ubuntu.com/security/CVE-2024-24858", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. 
This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52880", "url": "https://ubuntu.com/security/CVE-2023-52880", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.", "cve_priority": "high", "cve_public_date": "2024-05-24 16:15:00 UTC" }, { "cve": "CVE-2024-26838", "url": "https://ubuntu.com/security/CVE-2024-26838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet KASAN testing revealed the following issue assocated with freeing an IRQ. [50006.466686] Call Trace: [50006.466691] [50006.489538] dump_stack+0x5c/0x80 [50006.493475] print_address_description.constprop.6+0x1a/0x150 [50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644] kasan_report.cold.11+0x7f/0x118 [50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096] __do_softirq+0x1d0/0xaf8 [50006.555396] irq_exit_rcu+0x219/0x260 [50006.559670] irq_exit+0xa/0x20 [50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645] apic_timer_interrupt+0xf/0x20 [50006.573341] The issue is that a tasklet could be pending on another core racing the delete of the irq. 
Fix by insuring any scheduled tasklet is killed after deleting the irq.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. 
And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. 
It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26803", "url": "https://ubuntu.com/security/CVE-2024-26803", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. 
If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26790", "url": "https://ubuntu.com/security/CVE-2024-26790", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26890", "url": "https://ubuntu.com/security/CVE-2024-26890", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. 
================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 
kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 ==================================================================", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26802", "url": "https://ubuntu.com/security/CVE-2024-26802", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. 
Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26798", "url": "https://ubuntu.com/security/CVE-2024-26798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the \"system\"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. 
if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). 
To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 
entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 
cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy 
address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); The driver appends an additional zero-length packet request when queueing a packet whose length mod max packet size is 0. When the transfer completes, execution reaches line 831 and usb_gadget_giveback_request() frees this request. The condition at line 836 is then true, so cdns3_gadget_ep_free_request() frees this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add a check at line 829 to skip the call to usb_gadget_giveback_request() if it is the additional zero-length packet request. 
Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26789", "url": "https://ubuntu.com/security/CVE-2024-26789", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26734", "url": "https://ubuntu.com/security/CVE-2024-26734", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. 
Make an unregister in case of unsuccessful registration.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26694", "url": "https://ubuntu.com/security/CVE-2024-26694", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26710", "url": "https://ubuntu.com/security/CVE-2024-26710", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with KASAN\"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. 
So only increase the stack for KASAN if the stack size is < 32KB.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the beginning of the for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block. The address va is invalid, because the memory address space from va to block is not allocated by memblock_alloc and will not be reserved by memblock_reserve later; it will be used by other places. As a result, memory overwriting occurs. For example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26593", "url": "https://ubuntu.com/security/CVE-2024-26593", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. 
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.", "cve_priority": "medium", "cve_public_date": "2024-02-23 10:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. 
This can happen if we insert an element into a set when the set already holds an element with the same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such a case it's possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element; it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure; this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well: the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid unneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. 
According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.5: 6.5.0-45.45.1~22.04.1 -proposed tracker", " (LP: #2071997)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.riscv-6.5/dkms-versions -- update from kernel-versions", " (main/s2024.06.10)", "", " [ Ubuntu: 6.5.0-45.45.1 ]", "", " * mantic/linux-riscv: 6.5.0-45.45.1 -proposed tracker (LP: #2071998)", " * mantic/linux: 6.5.0-45.45 -proposed tracker (LP: #2072006)", " * CVE-2024-25739", " - ubi: Check for too small LEB size in VTBL code", " * CVE-2024-24857 // CVE-2024-24858", " - Bluetooth: Fix TOCTOU in HCI debugfs implementation", "", " [ Ubuntu: 6.5.0-44.44.1 ]", "", " * mantic/linux-riscv: 6.5.0-44.44.1 -proposed tracker (LP: #2068333)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions", " (main/2024.06.10)", " * Miscellaneous Ubuntu changes", " - Revert \"riscv: Fix set_huge_pte_at() for NAPOT mapping\"", " * mantic/linux: 6.5.0-44.44 -proposed tracker (LP: #2068341)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.06.10)", " * Some DUTs can't boot up after installing the proposed kernel on Mantic", " (LP: #2061940)", " - SAUCE: Revert \"x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat", " section\"", " - SAUCE: Revert \"x86/boot: Increase section and file alignment to 4k/512\"", " - SAUCE: Revert \"x86/boot: Split off PE/COFF .data section\"", " - SAUCE: Revert \"x86/boot: Drop PE/COFF .reloc section\"", " - SAUCE: Revert \"x86/boot: Construct PE/COFF .text section from assembler\"", " - SAUCE: Revert \"x86/boot: Derive file size from _edata symbol\"", " 
- SAUCE: Revert \"x86/boot: Define setup size in linker script\"", " - SAUCE: Revert \"x86/boot: Set EFI handover offset directly in header asm\"", " - SAUCE: Revert \"x86/boot: Grab kernel_info offset from zoffset header", " directly\"", " - SAUCE: Revert \"x86/boot: Drop redundant code setting the root device\"", " - SAUCE: Revert \"x86/boot: Drop references to startup_64\"", " - SAUCE: Revert \"x86/boot: Omit compression buffer from PE/COFF image memory", " footprint\"", " - SAUCE: Revert \"x86/boot: Remove the 'bugger off' message\"", " - SAUCE: Revert \"x86/efi: Drop alignment flags from PE section headers\"", " - SAUCE: Revert \"x86/efi: Drop EFI stub .bss from .data section\"", " * CVE-2023-52880", " - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc", " * i915 cannot probe successfully on HP ZBook Power 16 G11 (LP: #2067883)", " - drm/i915/mtl: Remove the 'force_probe' requirement for Meteor Lake", " * CVE-2024-26838", " - RDMA/irdma: Fix KASAN issue with tasklet", " * mtk_t7xx WWAN module fails to probe with: Invalid device status 0x1", " (LP: #2049358)", " - Revert \"UBUNTU: SAUCE: net: wwan: t7xx: PCIe reset rescan\"", " - Revert \"UBUNTU: SAUCE: net: wwan: t7xx: Add AP CLDMA\"", " - net: wwan: t7xx: Add AP CLDMA", " - wwan: core: Add WWAN fastboot port type", " - net: wwan: t7xx: Add sysfs attribute for device state machine", " - net: wwan: t7xx: Infrastructure for early port configuration", " - net: wwan: t7xx: Add fastboot WWAN port", " * TCP memory leak, slow network (arm64) (LP: #2045560)", " - net: make SK_MEMORY_PCPU_RESERV tunable", " - net: fix sk_memory_allocated_{add|sub} vs softirqs", " * CVE-2024-26923", " - af_unix: Do not use atomic ops for unix_sk(sk)->inflight.", " - af_unix: Fix garbage collector racing against connect()", " * Add support for Quectel EM160R-GL modem [1eac:100d] (LP: #2063399)", " - Add support for Quectel EM160R-GL modem", " * Add support for Quectel RM520N-GL modem [1eac:1007] (LP: #2063529)", " - Add 
support for Quectel RM520N-GL modem", " - Add support for Quectel RM520N-GL modem", " * [SRU][22.04.4]: megaraid_sas: Critical Bug Fixes (LP: #2046722)", " - scsi: megaraid_sas: Log message when controller reset is requested but not", " issued", " - scsi: megaraid_sas: Driver version update to 07.727.03.00-rc1", " * Fix the RTL8852CE BT FW Crash based on SER false alarm (LP: #2060904)", " - wifi: rtw89: disable txptctrl IMR to avoid flase alarm", " - wifi: rtw89: pci: correct TX resource checking for PCI DMA channel of", " firmware command", " * CVE-2024-23307", " - md/raid5: fix atomicity violation in raid5_cache_count", " * CVE-2024-26889", " - Bluetooth: hci_core: Fix possible buffer overflow", " * CVE-2024-24861", " - media: xc4000: Fix atomicity violation in xc4000_get_frequency", " * CVE-2023-6270", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", " * CVE-2024-26642", " - netfilter: nf_tables: disallow anonymous set with timeout flag", " * CVE-2024-26926", " - binder: check offset alignment in binder_get_object()", " * CVE-2024-26922", " - drm/amdgpu: validate the parameters of bo mapping operations more clearly", " * CVE-2024-26803", " - net: veth: clear GRO when clearing XDP even when down", " * CVE-2024-26790", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " * CVE-2024-26890", " - Bluetooth: hci_h5: Add ability to allocate memory for private data", " - Bluetooth: btrtl: fix out of bounds memory access", " * CVE-2024-26802", " - stmmac: Clear variable when destroying workqueue", " * CVE-2024-26798", " - fbcon: always restore the old font data in fbcon_do_set_font()", " * RTL8852BE fw security fail then lost WIFI function during suspend/resume", " cycle (LP: #2063096)", " - wifi: rtw89: download firmware with five times retry", " * Fix bluetooth connections with 3.0 device (LP: #2063067)", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", " * USB stick can't be detected (LP: #2040948)", " - usb: 
Disable USB3 LPM at shutdown", " * CVE-2024-26733", " - arp: Prevent overflow in arp_req_get().", " * CVE-2024-26736", " - afs: Increase buffer size in afs_update_volume_status()", " * CVE-2024-26792", " - btrfs: fix double free of anonymous device after snapshot creation failure", " * CVE-2024-26782", " - mptcp: fix double-free on socket dismantle", " * CVE-2024-26748", " - usb: cdns3: fix memory double free when handle zero packet", " * CVE-2024-26735", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", " * CVE-2024-26789", " - crypto: arm64/neonbs - fix out-of-bounds access on short input", " * CVE-2024-26734", " - devlink: fix possible use-after-free and memory leaks in devlink_init()", " * The keyboard does not work after latest kernel update (LP: #2060727)", " - Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID", " * proc_sched_rt01 from ubuntu_ltp failed (LP: #2057734)", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " * Avoid creating non-working backlight sysfs knob from ASUS board", " (LP: #2060422)", " - platform/x86: asus-wmi: Consider device is absent when the read is ~0", " * [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. 
(LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", " * Fix acpi_power_meter accessing IPMI region before it's ready (LP: #2059263)", " - ACPI: IPMI: Add helper to wait for when SMI is selected", " - hwmon: (acpi_power_meter) Ensure IPMI space handler is ready on Dell systems", " * Include cifs.ko in linux-modules package (LP: #2042546)", " - [Packaging] Replace fs/cifs with fs/smb/client in inclusion list", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814)", " - btrfs: add and use helper to check if block group is used", " - btrfs: do not delete unused block group if it may be used soon", " - btrfs: forbid creating subvol qgroups", " - btrfs: forbid deleting live subvol qgroup", " - btrfs: send: return EOPNOTSUPP on unknown flags", " - btrfs: don't reserve space for checksums when writing to nocow files", " - btrfs: reject encoded write if inode has nodatasum flag set", " - btrfs: don't drop extent_map for free space inode on write error", " - driver core: Fix device_link_flag_is_sync_state_only()", " - of: unittest: Fix compile in the non-dynamic case", " - KVM: selftests: Fix a semaphore imbalance in the dirty ring logging test", " - wifi: iwlwifi: Fix some error codes", " - wifi: iwlwifi: uninitialized variable in iwl_acpi_get_ppag_table()", " - of: property: Improve finding the supplier of a remote-endpoint property", " - net: openvswitch: limit the number of recursions from action sets", " - lan966x: Fix crash when adding interface under a lag", " - spi: ppc4xx: Drop write-only variable", " - ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", " - net: sysfs: Fix /sys/class/net/ path for statistics", " - nouveau/svm: fix kvcalloc() argument order", " - MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler", " - i40e: Do not allow untrusted VF to remove administratively set MAC", " - i40e: Fix waiting for queues of all VSIs to be disabled", " - scs: add CONFIG_MMU dependency for 
vfree_atomic()", " - tracing/trigger: Fix to return error if failed to alloc snapshot", " - mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", " - scsi: storvsc: Fix ring buffer size calculation", " - dm-crypt, dm-verity: disable tasklets", " - ASoC: amd: yc: Add DMI quirk for MSI Bravo 15 C7VF", " - parisc: Prevent hung tasks when printing inventory on serial console", " - ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift", " 1 SF114-32", " - ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx", " - HID: i2c-hid-of: fix NULL-deref on failed power up", " - HID: wacom: generic: Avoid reporting a serial of '0' to userspace", " - HID: wacom: Do not register input devices until after hid_hw_start", " - iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP", " - usb: ucsi: Add missing ppm_lock", " - usb: ulpi: Fix debugfs directory leak", " - usb: ucsi_acpi: Fix command completion handling", " - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT", " - usb: f_mass_storage: forbid async queue when shutdown happen", " - usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend", " - interconnect: qcom: sc8180x: Mark CO0 BCM keepalive", " - media: ir_toy: fix a memleak in irtoy_tx", " - driver core: fw_devlink: Improve detection of overlapping cycles", " - cifs: fix underflow in parse_server_interfaces()", " - i2c: qcom-geni: Correct I2C TRE sequence", " - irqchip/loongson-eiointc: Use correct struct type in eiointc_domain_alloc()", " - i2c: pasemi: split driver into two separate modules", " - modpost: trim leading spaces when processing source files list", " - mptcp: get rid of msk->subflow", " - mptcp: fix data re-injection from stale subflow", " - selftests: mptcp: add missing kconfig for NF Filter", " - selftests: mptcp: add missing kconfig for NF Filter in v6", " - selftests: mptcp: add missing kconfig for NF Mangle", " - selftests: mptcp: increase timeout to 30 min", " - 
mptcp: drop the push_pending field", " - mptcp: check addrs list in userspace_pm_get_local_id", " - scsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"", " - Revert \"drm/amd: flush any delayed gfxoff on suspend entry\"", " - drm/virtio: Set segment size for virtio_gpu device", " - lsm: fix the logic in security_inode_getsecctx()", " - firewire: core: correct documentation of fw_csr_string() kernel API", " - ALSA: hda/realtek: Apply headset jack quirk for non-bass alc287 thinkpads", " - kbuild: Fix changing ELF file type for output of gen_btf for big endian", " - nfc: nci: free rx_data_reassembly skb on NCI device cleanup", " - net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()", " - net: stmmac: do not clear TBS enable bit on link up/down", " - xen-netback: properly sync TX responses", " - modpost: Don't let \"driver\"s reference .exit.*", " - linux/init: remove __memexit* annotations", " - um: Fix adding '-no-pie' for clang", " - modpost: Add '.ltext' and '.ltext.*' to TEXT_SECTIONS", " - ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL", " - ASoC: codecs: wcd938x: handle deferred probe", " - ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power", " - binder: signal epoll threads of self-work", " - misc: fastrpc: Mark all sessions as invalid in cb_remove", " - ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()", " - tracing: Fix wasted memory in saved_cmdlines logic", " - staging: iio: ad5933: fix type mismatch regression", " - iio: magnetometer: rm3100: add boundary check for the value read from", " RM3100_REG_TMRC", " - iio: core: fix memleak in iio_device_register_sysfs", " - iio: commom: st_sensors: ensure proper DMA alignment", " - iio: accel: bma400: Fix a compilation problem", " - iio: adc: ad_sigma_delta: ensure proper DMA alignment", " - iio: imu: adis: ensure proper DMA alignment", " - iio: imu: bno055: serdev requires REGMAP", " - media: rc: bpf attach/detach requires write permission", " - 
ksmbd: free aux buffer if ksmbd_iov_pin_rsp_read fails", " - drm/msm: Wire up tlb ops", " - drm/prime: Support page array >= 4GB", " - drm/amd/display: Increase frame-larger-than for all display_mode_vba files", " - drm/amd/display: Preserve original aspect ratio in create stream", " - hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove", " - ring-buffer: Clean ring_buffer_poll_wait() error return", " - nfp: flower: fix hardware offload for the transfer layer port", " - serial: max310x: set default value when reading clock ready bit", " - serial: max310x: improve crystal stable clock detection", " - serial: max310x: fail probe if clock crystal is unstable", " - serial: max310x: prevent infinite while() loop in port startup", " - powerpc/64: Set task pt_regs->link to the LR value on scv entry", " - powerpc/cputable: Add missing PPC_FEATURE_BOOKE on PPC64 Book-E", " - powerpc/pseries: fix accuracy of stolen time", " - x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6", " - x86/fpu: Stop relying on userspace for info to fault in xsave buffer", " - KVM: x86/pmu: Fix type length error when reading pmu->fixed_ctr_ctrl", " - x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", " - io_uring/net: fix multishot accept overflow handling", " - mmc: slot-gpio: Allow non-sleeping GPIO ro", " - ALSA: hda/realtek: fix mute/micmute LED For HP mt645", " - ALSA: hda/conexant: Add quirk for SWS JS201D", " - nilfs2: fix data corruption in dsync block recovery for small block sizes", " - nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", " - crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked", " - nfp: use correct macro for LengthSelect in BAR config", " - nfp: flower: prevent re-adding mac index for bonded port", " - wifi: cfg80211: fix wiphy delayed work queueing", " - wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()", " - irqchip/irq-brcmstb-l2: Add write memory barrier before exit", " - 
irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update", " - zonefs: Improve error handling", " - mmc: sdhci-pci-o2micro: Fix a warm reboot issue that disk can't be detected", " by BIOS", " - ASoC: amd: yc: Add DMI quirk for Lenovo Ideapad Pro 5 16ARP8", " - tools/rtla: Remove unused sched_getattr() function", " - tools/rtla: Replace setting prio with nice for SCHED_OTHER", " - tools/rtla: Exit with EXIT_SUCCESS when help is invoked", " - tools/rtla: Fix uninitialized bucket/data->bucket_size warning", " - tools/rtla: Fix Makefile compiler options for clang", " - fs: relax mount_setattr() permission checks", " - net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio", " - s390/qeth: Fix potential loss of L3-IP@ in case of network issues", " - net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - ceph: prevent use-after-free in encode_cap_msg()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE", " - of: property: fix typo in io-channels", " - can: netlink: Fix TDCO calculation using the old data bittiming", " - can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock", " - can: j1939: Fix UAF in j1939_sk_match_filter during", " setsockopt(SO_J1939_FILTER)", " - pmdomain: core: Move the unused cleanup to a _sync initcall", " - fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - tracing: Inform kmemleak of saved_cmdlines allocation", " - selftests/mm: ksm_tests should only MADV_HUGEPAGE valid memory", " - selftests/mm: Update va_high_addr_switch.sh to check CPU for la57 flag", " - md: bypass block throttle for superblock update", " - block: fix partial zone append completion handling in req_bio_endio()", " - netfilter: ipset: Missing gc cancellations fixed", " - parisc: Fix random data corruption from exception handler", " - 
nfsd: don't take fi_lock in nfsd_break_deleg_cb()", " - sched/membarrier: reduce the ability to hammer on sys_membarrier", " - of: property: Add in-ports/out-ports support to of_graph_get_port_parent()", " - nilfs2: fix potential bug in end_buffer_async_write", " - arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata", " - work around gcc bugs with 'asm goto' with outputs", " - [Config] updateconfigs for GCC_ASM_GOTO_OUTPUT_WORKAROUND", " - update workarounds for gcc \"asm goto\" issue", " - selftests/landlock: Fix fs_test build with old libc", " - KVM: selftests: Delete superfluous, unused \"stage\" variable in AMX test", " - KVM: selftests: Avoid infinite loop in hyperv_features when invtsc is", " missing", " - drm/msm/gem: Fix double resv lock aquire", " - ASoC: SOF: ipc3-topology: Fix pipeline tear down logic", " - net/handshake: Fix handshake_req_destroy_test1", " - bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY", " - devlink: Fix command annotation documentation", " - of: property: Improve finding the consumer of a remote-endpoint property", " - perf: CXL: fix mismatched cpmu event opcode", " - selftests: forwarding: Fix layer 2 miss test flakiness", " - selftests: forwarding: Fix bridge MDB test flakiness", " - selftests: bridge_mdb: Use MDB get instead of dump", " - selftests: forwarding: Suppress grep warnings", " - ptrace: Introduce exception_ip arch hook", " - mm/memory: Use exception ip to search exception tables", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - selftests/mm: switch to bash from sh", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - nouveau: offload fence uevents work to workqueue", " - HID: bpf: remove double fdget()", " - HID: bpf: actually free hdev memory after attaching a HID-BPF program", " - usb: chipidea: core: handle power lost in workqueue", " - usb: core: Prevent null pointer dereference in update_port_device_state", " - interconnect: qcom: sm8550: Enable 
sync_state", " - powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add", " - powerpc/6xx: set High BAT Enable flag on G2_LE cores", " - iio: adc: ad4130: zero-initialize clock init data", " - iio: adc: ad4130: only set GPIO_CTRL if pin is unused", " - irqchip/gic-v3-its: Handle non-coherent GICv4 redistributors", " - kallsyms: ignore ARMv4 thunks along with others", " - selftests: mptcp: add mptcp_lib_kill_wait", " - mptcp: fix rcv space initialization", " - mptcp: really cope with fastopen race", " - Revert \"powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add\"", " - drm/amd: Don't init MEC2 firmware when it fails to load", " - usb: typec: tpcm: Fix issues with power being removed during reset", " - tracing/timerlat: Move hrtimer_init to timerlat_fd open()", " - tracing/synthetic: Fix trace_string() return value", " - tracing/probes: Fix to show a parse error for bad type for $comm", " - tracing/probes: Fix to set arg size and fmt after setting type from BTF", " - Revert \"workqueue: Override implicit ordered attribute in", " workqueue_apply_unbound_cpumask()\"", " - iio: pressure: bmp280: Add missing bmp085 to SPI id table", " - pmdomain: mediatek: fix race conditions with genpd", " - drm/amd/display: Add align done check", " - drm/amdgpu/soc21: update VCN 4 max HEVC encoding resolution", " - drm/amd/display: Fix MST Null Ptr for RV", " - net: dsa: mv88e6xxx: Fix failed probe due to unsupported C45 reads", " - nfp: flower: add hardware offload check for post ct entry", " - ftrace: Fix DIRECT_CALLS to use SAVE_REGS by default", " - serial: core: introduce uart_port_tx_flags()", " - serial: mxs-auart: fix tx", " - KVM: x86: make KVM_REQ_NMI request iff NMI pending for vcpu", " - crypto: algif_hash - Remove bogus SGL free on zero-length error path", " - nfp: enable NETDEV_XDP_ACT_REDIRECT feature flag", " - wifi: iwlwifi: mvm: fix a crash when we run out of stations", " - thunderbolt: Fix setting the CNS bit in ROUTER_CS_5", " - smb: client: 
set correct id, uid and cruid for multiuser automounts", " - KVM: arm64: Fix circular locking dependency", " - arm64/signal: Don't assume that TIF_SVE means we saved SVE state", " - ASoC: SOF: IPC3: fix message bounds on ipc ops", " - tools/rv: Fix curr_reactor uninitialized variable", " - tools/rv: Fix Makefile compiler options for clang", " - tools/rtla: Fix clang warning about mount_point var size", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - blk-wbt: Fix detection of dirty-throttled tasks", " - docs: kernel_feat.py: fix build error for missing files", " - tracing: Fix HAVE_DYNAMIC_FTRACE_WITH_REGS ifdef", " - netfilter: ipset: fix performance regression in swap operation", " - tracefs: Check for dentry->d_inode exists in set_gid()", " - x86/efi: Drop EFI stub .bss from .data section", " - x86/efi: Drop alignment flags from PE section headers", " - x86/boot: Remove the 'bugger off' message", " - x86/boot: Omit compression buffer from PE/COFF image memory footprint", " - x86/boot: Drop redundant code setting the root device", " - x86/boot: Drop references to startup_64", " - x86/boot: Grab kernel_info offset from zoffset header directly", " - x86/boot: Set EFI handover offset directly in header asm", " - x86/boot: Define setup size in linker script", " - x86/boot: Derive file size from _edata symbol", " - x86/boot: Construct PE/COFF .text section from assembler", " - x86/boot: Drop PE/COFF .reloc section", " - x86/boot: Split off PE/COFF .data section", " - x86/boot: Increase section and file alignment to 4k/512", " - x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section", " - x86/barrier: Do not serialize MSR accesses on AMD", " - Documentation/arch/ia64/features.rst: fix kernel-feat directive", " - Upstream stable to v6.1.79, v6.6.18", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26694", " - wifi: iwlwifi: fix double-free bug", " * There is sound from the speakers and headphones at 
the same time on Oasis 14", " and 16 platforms (LP: #2054487) // Mantic update: upstream stable patchset", " 2024-04-16 (LP: #2061814)", " - ALSA: hda/realtek - Add speaker pin verbtable for Dell dual speaker platform", " - ALSA: hda/realtek: add IDs for Dell dual spk platform", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26710", " - powerpc/kasan: Limit KASAN thread size increase to 32KB", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26712", " - powerpc/kasan: Fix addr error caused by page alignment", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991)", " - ext4: regenerate buddy after block freeing failed if under fc replay", " - dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools", " - dmaengine: ti: k3-udma: Report short packet errors", " - dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA", " - dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA", " - phy: renesas: rcar-gen3-usb2: Fix returning wrong error code", " - dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV", " - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", " - cifs: failure to add channel on iface should bump up weight", " - drm/msms/dp: fixed link clock divider bits be over written in BPC unknown", " case", " - drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case", " - drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup", " - net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", " - wifi: mac80211: fix waiting for beacons logic", " - netdevsim: avoid potential loop in nsim_dev_trap_report_work()", " - net: atlantic: Fix DMA mapping for PTP hwts ring", " - selftests: net: cut more slack for gro fwd tests.", " - selftests: net: avoid just another constant wait", " - tunnels: fix out of bounds access when building IPv6 PMTU error", " - atm: idt77252: fix a memleak in 
open_card_ubr0", " - octeontx2-pf: Fix a memleak otx2_sq_init", " - hwmon: (aspeed-pwm-tacho) mutex for tach reading", " - hwmon: (coretemp) Fix out-of-bounds memory access", " - hwmon: (coretemp) Fix bogus core_id to attr name mapping", " - inet: read sk->sk_family once in inet_recv_error()", " - drm/i915/gvt: Fix uninitialized variable in handle_mmio()", " - rxrpc: Fix response to PING RESPONSE ACKs to a dead call", " - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", " - af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.", " - ppp_async: limit MRU to 64K", " - selftests: cmsg_ipv6: repeat the exact packet", " - netfilter: nft_compat: narrow down revision to unsigned 8-bits", " - netfilter: nft_compat: reject unused compat flag", " - netfilter: nft_compat: restrict match/target protocol to u16", " - drm/amd/display: Implement bounds check for stream encoder creation in", " DCN301", " - netfilter: nft_ct: reject direction for ct id", " - fs/ntfs3: Fix an NULL dereference bug", " - scsi: core: Move scsi_host_busy() out of host lock if it is for per-command", " - blk-iocost: Fix an UBSAN shift-out-of-bounds warning", " - ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision", " - ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter", " - ALSA: usb-audio: add quirk for RODE NT-USB+", " - USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e", " - USB: serial: option: add Fibocom FM101-GL variant", " - USB: serial: cp210x: add ID for IMST iM871A-USB", " - usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK", " - usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK", " - hrtimer: Report offline hrtimer enqueue", " - Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU", " - io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers", " - net: stmmac: xgmac: use #define for string constants", " - ALSA: usb-audio: Sort quirk table entries", " - net: stmmac: xgmac: fix a typo 
of register name in DPP safety handling", " - perf evlist: Fix evlist__new_default() for > 1 core PMU", " - cifs: avoid redundant calls to disable multichannel", " - rust: arc: add explicit `drop()` around `Box::from_raw()`", " - rust: task: remove redundant explicit link", " - rust: print: use explicit link in documentation", " - MAINTAINERS: add Catherine as xfs maintainer for 6.6.y", " - xfs: bump max fsgeom struct version", " - xfs: hoist freeing of rt data fork extent mappings", " - xfs: prevent rt growfs when quota is enabled", " - xfs: rt stubs should return negative errnos when rt disabled", " - xfs: fix units conversion error in xfs_bmap_del_extent_delay", " - xfs: make sure maxlen is still congruent with prod when rounding down", " - xfs: introduce protection for drop nlink", " - xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space", " - xfs: allow read IO and FICLONE to run concurrently", " - xfs: factor out xfs_defer_pending_abort", " - xfs: abort intent items when recovery intents fail", " - xfs: only remap the written blocks in xfs_reflink_end_cow_extent", " - xfs: up(ic_sema) if flushing data device fails", " - xfs: fix internal error from AGFL exhaustion", " - xfs: inode recovery does not validate the recovered inode", " - xfs: clean up dqblk extraction", " - xfs: dquot recovery does not validate the recovered dquot", " - xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags", " - xfs: respect the stable writes flag on the RT device", " - wifi: mac80211: fix RCU use in TDLS fast-xmit", " - wifi: iwlwifi: exit eSR only after the FW does", " - wifi: brcmfmac: Adjust n_channels usage for __counted_by", " - selftests/net: convert unicast_extensions.sh to run it in unique namespace", " - selftests/net: convert pmtu.sh to run it in unique namespace", " - selftests/net: change shebang to bash to support \"source\"", " - selftests: net: fix tcp listener handling in pmtu.sh", " - tsnep: Fix mapping for zero copy XDP_TX action", " 
- rxrpc: Fix generation of serial numbers to skip zero", " - rxrpc: Fix delayed ACKs to not set the reference serial number", " - rxrpc: Fix counting of new acks and nacks", " - selftests: net: let big_tcp test cope with slow env", " - drm/amd/display: Fix 'panel_cntl' could be null in", " 'dcn21_set_backlight_level()'", " - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'", " - riscv: Improve tlb_flush()", " - riscv: Make __flush_tlb_range() loop over pte instead of flushing the whole", " tlb", " - riscv: Improve flush_tlb_kernel_range()", " - mm: Introduce flush_cache_vmap_early()", " - riscv: mm: execute local TLB flush after populating vmemmap", " - riscv: Fix set_huge_pte_at() for NAPOT mapping", " - riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled", " - riscv: Flush the tlb when a page directory is freed", " - libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*()", " - libceph: just wait for more data to be available on the socket", " - riscv: Fix arch_hugetlb_migration_supported() for NAPOT", " - riscv: declare overflow_stack as exported from traps.c", " - Revert \"usb: typec: tcpm: fix cc role at port reset\"", " - x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups", " - xhci: process isoc TD properly when there was a transaction error mid TD.", " - xhci: handle isoc Babble and Buffer Overrun events properly", " - usb: dwc3: pci: add support for the Intel Arrow Lake-H", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - io_uring/poll: move poll execution helpers higher up", " - io_uring/net: un-indent mshot retry path in io_recv_finish()", " - io_uring/poll: add requeue return code from poll multishot handling", " - io_uring/net: limit inline multishot retries", " - Upstream stable to v6.1.78, v6.6.17", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) // The", " keyboard does not work after latest kernel update (LP: #2060727)", " - Input: atkbd - skip 
ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID", " * CVE-2024-26593", " - i2c: i801: Fix block process call transactions", " * Mantic update: upstream stable patchset 2024-03-26 (LP: #2059068)", " - selftests/bpf: tests for iterating callbacks", " * CVE-2024-26925", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) //", " CVE-2024-26809", " - netfilter: nft_set_pipapo: store index in scratch maps", " - netfilter: nft_set_pipapo: add helper to release pcpu scratch area", " - netfilter: nft_set_pipapo: remove scratch_aligned pointer", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "" ], "package": "linux-riscv-6.5", "version": "6.5.0-45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2071997, 1786013, 2071998, 2072006, 2068333, 1786013, 2068341, 1786013, 2061940, 2067883, 2049358, 2045560, 2063399, 2063529, 2046722, 2060904, 2063096, 2063067, 2040948, 2060727, 2057734, 2060422, 2058477, 2059263, 2042546, 2061814, 2061814, 2054487, 2061814, 2061814, 2061814, 2059991, 2059991, 2060727, 2059068, 2059991 ], "author": "Hannah Peuckmann ", "date": "Fri, 19 Jul 2024 13:18:49 +0200" } ], "notes": "linux-modules-6.5.0-45-generic version '6.5.0-45.45.1~22.04.1' (source package linux-riscv-6.5 version '6.5.0-45.45.1~22.04.1') was added. linux-modules-6.5.0-45-generic version '6.5.0-45.45.1~22.04.1' has the same source package name, linux-riscv-6.5, as removed package linux-headers-6.5.0-42-generic. 
As such we can use the source package version of the removed package, '6.5.0-42.42.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-riscv-6.5-headers-6.5.0-45", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-45.45.1~22.04.1", "version": "6.5.0-45.45.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-25739", "url": "https://ubuntu.com/security/CVE-2024-25739", "cve_description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "cve_priority": "medium", "cve_public_date": "2024-02-12 03:15:00 UTC" }, { "cve": "CVE-2024-24857", "url": "https://ubuntu.com/security/CVE-2024-24857", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2024-24858", "url": "https://ubuntu.com/security/CVE-2024-24858", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. 
This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52880", "url": "https://ubuntu.com/security/CVE-2023-52880", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.", "cve_priority": "high", "cve_public_date": "2024-05-24 16:15:00 UTC" }, { "cve": "CVE-2024-26838", "url": "https://ubuntu.com/security/CVE-2024-26838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet KASAN testing revealed the following issue assocated with freeing an IRQ. [50006.466686] Call Trace: [50006.466691] [50006.489538] dump_stack+0x5c/0x80 [50006.493475] print_address_description.constprop.6+0x1a/0x150 [50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644] kasan_report.cold.11+0x7f/0x118 [50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096] __do_softirq+0x1d0/0xaf8 [50006.555396] irq_exit_rcu+0x219/0x260 [50006.559670] irq_exit+0xa/0x20 [50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645] apic_timer_interrupt+0xf/0x20 [50006.573341] The issue is that a tasklet could be pending on another core racing the delete of the irq. 
Fix by insuring any scheduled tasklet is killed after deleting the irq.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. 
And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. 
It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26803", "url": "https://ubuntu.com/security/CVE-2024-26803", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. 
If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26790", "url": "https://ubuntu.com/security/CVE-2024-26790", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26890", "url": "https://ubuntu.com/security/CVE-2024-26890", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. 
================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 
kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 ==================================================================", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26802", "url": "https://ubuntu.com/security/CVE-2024-26802", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. 
Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26798", "url": "https://ubuntu.com/security/CVE-2024-26798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the \"system\"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. 
if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). 
To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 
entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could be some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 
cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy 
address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); The driver appends an additional zero-length packet request when queuing a packet whose length mod max packet size is 0. When the transfer completes and execution reaches line 831, usb_gadget_giveback_request() will free this request. The condition at line 836 is then true, so cdns3_gadget_ep_free_request() frees this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add a check at line 829 to skip the call to usb_gadget_giveback_request() if it is the additional zero-length packet request. 
Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26789", "url": "https://ubuntu.com/security/CVE-2024-26789", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26734", "url": "https://ubuntu.com/security/CVE-2024-26734", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. 
Make an unregister in case of unsuccessful registration.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26694", "url": "https://ubuntu.com/security/CVE-2024-26694", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26710", "url": "https://ubuntu.com/security/CVE-2024-26710", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with KASAN\"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. 
So only increase the stack for KASAN if the stack size is < 32KB.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26593", "url": "https://ubuntu.com/security/CVE-2024-26593", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. 
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.", "cve_priority": "medium", "cve_public_date": "2024-02-23 10:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. 
This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case it's possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid unneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. 
According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2071997, 1786013, 2071998, 2072006, 2068333, 1786013, 2068341, 1786013, 2061940, 2067883, 2049358, 2045560, 2063399, 2063529, 2046722, 2060904, 2063096, 2063067, 2040948, 2060727, 2057734, 2060422, 2058477, 2059263, 2042546, 2061814, 2061814, 2054487, 2061814, 2061814, 2061814, 2059991, 2059991, 2060727, 2059068, 2059991 ], "changes": [ { "cves": [ { "cve": "CVE-2024-25739", "url": "https://ubuntu.com/security/CVE-2024-25739", "cve_description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "cve_priority": "medium", "cve_public_date": "2024-02-12 03:15:00 UTC" }, { "cve": "CVE-2024-24857", "url": "https://ubuntu.com/security/CVE-2024-24857", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2024-24858", "url": "https://ubuntu.com/security/CVE-2024-24858", "cve_description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. 
This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.", "cve_priority": "low", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-52880", "url": "https://ubuntu.com/security/CVE-2023-52880", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that.", "cve_priority": "high", "cve_public_date": "2024-05-24 16:15:00 UTC" }, { "cve": "CVE-2024-26838", "url": "https://ubuntu.com/security/CVE-2024-26838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet KASAN testing revealed the following issue assocated with freeing an IRQ. [50006.466686] Call Trace: [50006.466691] [50006.489538] dump_stack+0x5c/0x80 [50006.493475] print_address_description.constprop.6+0x1a/0x150 [50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644] kasan_report.cold.11+0x7f/0x118 [50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232] irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306] tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096] __do_softirq+0x1d0/0xaf8 [50006.555396] irq_exit_rcu+0x219/0x260 [50006.559670] irq_exit+0xa/0x20 [50006.563320] smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645] apic_timer_interrupt+0xf/0x20 [50006.573341] The issue is that a tasklet could be pending on another core racing the delete of the irq. 
Fix by insuring any scheduled tasklet is killed after deleting the irq.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26923", "url": "https://ubuntu.com/security/CVE-2024-26923", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. 
And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-23307", "url": "https://ubuntu.com/security/CVE-2024-23307", "cve_description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "cve_priority": "low", "cve_public_date": "2024-01-25 07:15:00 UTC" }, { "cve": "CVE-2024-26889", "url": "https://ubuntu.com/security/CVE-2024-26889", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-24861", "url": "https://ubuntu.com/security/CVE-2024-24861", "cve_description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.", "cve_priority": "medium", "cve_public_date": "2024-02-05 08:15:00 UTC" }, { "cve": "CVE-2023-6270", "url": "https://ubuntu.com/security/CVE-2023-6270", "cve_description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "cve_priority": "high", "cve_public_date": "2024-01-04 17:15:00 UTC" }, { "cve": "CVE-2024-26642", "url": "https://ubuntu.com/security/CVE-2024-26642", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-26926", "url": "https://ubuntu.com/security/CVE-2024-26926", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 (\"binder: avoid potential data leakage when copying txn\") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. 
It is worth noting this check existed prior to commit 7a67a39320df (\"binder: add function to copy binder object from buffer\"), likely removed due to redundancy at the time.", "cve_priority": "medium", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26922", "url": "https://ubuntu.com/security/CVE-2024-26922", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", "cve_priority": "medium", "cve_public_date": "2024-04-23 13:15:00 UTC" }, { "cve": "CVE-2024-26803", "url": "https://ubuntu.com/security/CVE-2024-26803", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. 
If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26790", "url": "https://ubuntu.com/security/CVE-2024-26790", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26890", "url": "https://ubuntu.com/security/CVE-2024-26890", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN. btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5. This commit adds memory allocation for hci_h5 case. 
================================================================== BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl] Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76 Hardware name: Pine64 PinePhone (1.2) (DT) Workqueue: hci0 hci_power_on [bluetooth] Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_store8+0x9c/0xc0 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 53: kasan_save_stack+0x3c/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x68/0x78 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x1b4/0x3b0 hci_alloc_dev_priv+0x28/0xa58 [bluetooth] hci_uart_register_device+0x118/0x4f8 [hci_uart] h5_serdev_probe+0xf4/0x178 [hci_uart] serdev_drv_probe+0x54/0xa0 really_probe+0x254/0x588 __driver_probe_device+0xc4/0x210 driver_probe_device+0x64/0x160 __driver_attach_async_helper+0x88/0x158 async_run_entry_fn+0xd0/0x388 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x33c/0x960 queue_work_on+0x98/0xc0 hci_recv_frame+0xc8/0x1e8 [bluetooth] h5_complete_rx_pkt+0x2c8/0x800 [hci_uart] h5_rx_payload+0x98/0xb8 [hci_uart] h5_recv+0x158/0x3d8 [hci_uart] hci_uart_receive_buf+0xa0/0xe8 [hci_uart] ttyport_receive_buf+0xac/0x178 flush_to_ldisc+0x130/0x2c8 process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Second to last potentially related work creation: kasan_save_stack+0x3c/0x68 __kasan_record_aux_stack+0xb0/0x150 
kasan_record_aux_stack_noalloc+0x14/0x20 __queue_work+0x788/0x960 queue_work_on+0x98/0xc0 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth] __hci_cmd_sync+0x24/0x38 [bluetooth] btrtl_initialize+0x760/0x958 [btrtl] h5_btrtl_setup+0xd0/0x2f8 [hci_uart] h5_setup+0x50/0x80 [hci_uart] hci_uart_setup+0xd4/0x260 [hci_uart] hci_dev_open_sync+0x1cc/0xf68 [bluetooth] hci_dev_do_open+0x34/0x90 [bluetooth] hci_power_on+0xc4/0x3c8 [bluetooth] process_one_work+0x328/0x6f0 worker_thread+0x410/0x778 kthread+0x168/0x178 ret_from_fork+0x10/0x20 ==================================================================", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26802", "url": "https://ubuntu.com/security/CVE-2024-26802", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. 
Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26798", "url": "https://ubuntu.com/security/CVE-2024-26798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the \"system\"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. 
if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.)", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26733", "url": "https://ubuntu.com/security/CVE-2024-26733", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). 
To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible array in struct sockaddr\") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 
entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 ", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26736", "url": "https://ubuntu.com/security/CVE-2024-26736", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: afs: Increase buffer size in afs_update_volume_status() The max length of volume->vid value is 20 characters. So increase idbuf[] size up to 24 to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. [DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26792", "url": "https://ubuntu.com/security/CVE-2024-26792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. 
The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) 
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. 
It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26782", "url": "https://ubuntu.com/security/CVE-2024-26782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 
cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy 
address: ffff888485950780: fa fb fb ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26748", "url": "https://ubuntu.com/security/CVE-2024-26748", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix memory double free when handle zero packet 829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); The driver appends an additional zero-length packet request when queuing a packet whose length mod max packet size is 0. When the transfer completes, execution reaches line 831, where usb_gadget_giveback_request() frees this request. The condition at line 836 is then true, so cdns3_gadget_ep_free_request() frees this request again. Log: [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] Add a check at line 829 to skip the call to usb_gadget_giveback_request() if it is the additional zero-length packet request. 
Needn't call usb_gadget_giveback_request() because it is allocated in this driver.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26735", "url": "https://ubuntu.com/security/CVE-2024-26735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26789", "url": "https://ubuntu.com/security/CVE-2024-26789", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs.", "cve_priority": "medium", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-26734", "url": "https://ubuntu.com/security/CVE-2024-26734", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. 
Make an unregister in case of unsuccessful registration.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2024-26694", "url": "https://ubuntu.com/security/CVE-2024-26694", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26710", "url": "https://ubuntu.com/security/CVE-2024-26710", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with KASAN\"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. 
So only increase the stack for KASAN if the stack size is < 32KB.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26712", "url": "https://ubuntu.com/security/CVE-2024-26712", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix addr error caused by page alignment In kasan_init_region, when k_start is not page aligned, at the begin of for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then `va = block + k_cur - k_start` is less than block, the addr va is invalid, because the memory address space from va to block is not alloced by memblock_alloc, which will not be reserved by memblock_reserve later, it will be used by other places. As a result, memory overwriting occurs. for example: int __init __weak kasan_init_region(void *start, size_t size) { [...] /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */ block = memblock_alloc(k_end - k_start, PAGE_SIZE); [...] for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) { /* at the begin of for loop * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400) * va(dcd96c00) is less than block(dcd97000), va is invalid */ void *va = block + k_cur - k_start; [...] } [...] } Therefore, page alignment is performed on k_start before memblock_alloc() to ensure the validity of the VA address.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2024-26593", "url": "https://ubuntu.com/security/CVE-2024-26593", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. 
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.", "cve_priority": "medium", "cve_public_date": "2024-02-23 10:15:00 UTC" }, { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. 
This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case it's possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid unneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. 
This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. 
According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.5: 6.5.0-45.45.1~22.04.1 -proposed tracker", " (LP: #2071997)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.riscv-6.5/dkms-versions -- update from kernel-versions", " (main/s2024.06.10)", "", " [ Ubuntu: 6.5.0-45.45.1 ]", "", " * mantic/linux-riscv: 6.5.0-45.45.1 -proposed tracker (LP: #2071998)", " * mantic/linux: 6.5.0-45.45 -proposed tracker (LP: #2072006)", " * CVE-2024-25739", " - ubi: Check for too small LEB size in VTBL code", " * CVE-2024-24857 // CVE-2024-24858", " - Bluetooth: Fix TOCTOU in HCI debugfs implementation", "", " [ Ubuntu: 6.5.0-44.44.1 ]", "", " * mantic/linux-riscv: 6.5.0-44.44.1 -proposed tracker (LP: #2068333)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions", " (main/2024.06.10)", " * Miscellaneous Ubuntu changes", " - Revert \"riscv: Fix set_huge_pte_at() for NAPOT mapping\"", " * mantic/linux: 6.5.0-44.44 -proposed tracker (LP: #2068341)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.06.10)", " * Some DUTs can't boot up after installing the proposed kernel on Mantic", " (LP: #2061940)", " - SAUCE: Revert \"x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat", " section\"", " - SAUCE: Revert \"x86/boot: Increase section and file alignment to 4k/512\"", " - SAUCE: Revert \"x86/boot: Split off PE/COFF .data section\"", " - SAUCE: Revert \"x86/boot: Drop PE/COFF .reloc section\"", " - SAUCE: Revert \"x86/boot: Construct PE/COFF .text section from assembler\"", " - SAUCE: Revert \"x86/boot: Derive file size from _edata symbol\"", " 
- SAUCE: Revert \"x86/boot: Define setup size in linker script\"", " - SAUCE: Revert \"x86/boot: Set EFI handover offset directly in header asm\"", " - SAUCE: Revert \"x86/boot: Grab kernel_info offset from zoffset header", " directly\"", " - SAUCE: Revert \"x86/boot: Drop redundant code setting the root device\"", " - SAUCE: Revert \"x86/boot: Drop references to startup_64\"", " - SAUCE: Revert \"x86/boot: Omit compression buffer from PE/COFF image memory", " footprint\"", " - SAUCE: Revert \"x86/boot: Remove the 'bugger off' message\"", " - SAUCE: Revert \"x86/efi: Drop alignment flags from PE section headers\"", " - SAUCE: Revert \"x86/efi: Drop EFI stub .bss from .data section\"", " * CVE-2023-52880", " - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc", " * i915 cannot probe successfully on HP ZBook Power 16 G11 (LP: #2067883)", " - drm/i915/mtl: Remove the 'force_probe' requirement for Meteor Lake", " * CVE-2024-26838", " - RDMA/irdma: Fix KASAN issue with tasklet", " * mtk_t7xx WWAN module fails to probe with: Invalid device status 0x1", " (LP: #2049358)", " - Revert \"UBUNTU: SAUCE: net: wwan: t7xx: PCIe reset rescan\"", " - Revert \"UBUNTU: SAUCE: net: wwan: t7xx: Add AP CLDMA\"", " - net: wwan: t7xx: Add AP CLDMA", " - wwan: core: Add WWAN fastboot port type", " - net: wwan: t7xx: Add sysfs attribute for device state machine", " - net: wwan: t7xx: Infrastructure for early port configuration", " - net: wwan: t7xx: Add fastboot WWAN port", " * TCP memory leak, slow network (arm64) (LP: #2045560)", " - net: make SK_MEMORY_PCPU_RESERV tunable", " - net: fix sk_memory_allocated_{add|sub} vs softirqs", " * CVE-2024-26923", " - af_unix: Do not use atomic ops for unix_sk(sk)->inflight.", " - af_unix: Fix garbage collector racing against connect()", " * Add support for Quectel EM160R-GL modem [1eac:100d] (LP: #2063399)", " - Add support for Quectel EM160R-GL modem", " * Add support for Quectel RM520N-GL modem [1eac:1007] (LP: #2063529)", " - Add 
support for Quectel RM520N-GL modem", " - Add support for Quectel RM520N-GL modem", " * [SRU][22.04.4]: megaraid_sas: Critical Bug Fixes (LP: #2046722)", " - scsi: megaraid_sas: Log message when controller reset is requested but not", " issued", " - scsi: megaraid_sas: Driver version update to 07.727.03.00-rc1", " * Fix the RTL8852CE BT FW Crash based on SER false alarm (LP: #2060904)", " - wifi: rtw89: disable txptctrl IMR to avoid flase alarm", " - wifi: rtw89: pci: correct TX resource checking for PCI DMA channel of", " firmware command", " * CVE-2024-23307", " - md/raid5: fix atomicity violation in raid5_cache_count", " * CVE-2024-26889", " - Bluetooth: hci_core: Fix possible buffer overflow", " * CVE-2024-24861", " - media: xc4000: Fix atomicity violation in xc4000_get_frequency", " * CVE-2023-6270", " - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", " * CVE-2024-26642", " - netfilter: nf_tables: disallow anonymous set with timeout flag", " * CVE-2024-26926", " - binder: check offset alignment in binder_get_object()", " * CVE-2024-26922", " - drm/amdgpu: validate the parameters of bo mapping operations more clearly", " * CVE-2024-26803", " - net: veth: clear GRO when clearing XDP even when down", " * CVE-2024-26790", " - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", " * CVE-2024-26890", " - Bluetooth: hci_h5: Add ability to allocate memory for private data", " - Bluetooth: btrtl: fix out of bounds memory access", " * CVE-2024-26802", " - stmmac: Clear variable when destroying workqueue", " * CVE-2024-26798", " - fbcon: always restore the old font data in fbcon_do_set_font()", " * RTL8852BE fw security fail then lost WIFI function during suspend/resume", " cycle (LP: #2063096)", " - wifi: rtw89: download firmware with five times retry", " * Fix bluetooth connections with 3.0 device (LP: #2063067)", " - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST", " * USB stick can't be detected (LP: #2040948)", " - usb: 
Disable USB3 LPM at shutdown", " * CVE-2024-26733", " - arp: Prevent overflow in arp_req_get().", " * CVE-2024-26736", " - afs: Increase buffer size in afs_update_volume_status()", " * CVE-2024-26792", " - btrfs: fix double free of anonymous device after snapshot creation failure", " * CVE-2024-26782", " - mptcp: fix double-free on socket dismantle", " * CVE-2024-26748", " - usb: cdns3: fix memory double free when handle zero packet", " * CVE-2024-26735", " - ipv6: sr: fix possible use-after-free and null-ptr-deref", " * CVE-2024-26789", " - crypto: arm64/neonbs - fix out-of-bounds access on short input", " * CVE-2024-26734", " - devlink: fix possible use-after-free and memory leaks in devlink_init()", " * The keyboard does not work after latest kernel update (LP: #2060727)", " - Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID", " * proc_sched_rt01 from ubuntu_ltp failed (LP: #2057734)", " - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset", " - sched/rt: Disallow writing invalid values to sched_rt_period_us", " * Avoid creating non-working backlight sysfs knob from ASUS board", " (LP: #2060422)", " - platform/x86: asus-wmi: Consider device is absent when the read is ~0", " * [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output \"UBSAN: array-", " index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-", " hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41\" multiple times,", " especially during boot. 
(LP: #2058477)", " - hv: hyperv.h: Replace one-element array with flexible-array member", " * Fix acpi_power_meter accessing IPMI region before it's ready (LP: #2059263)", " - ACPI: IPMI: Add helper to wait for when SMI is selected", " - hwmon: (acpi_power_meter) Ensure IPMI space handler is ready on Dell systems", " * Include cifs.ko in linux-modules package (LP: #2042546)", " - [Packaging] Replace fs/cifs with fs/smb/client in inclusion list", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814)", " - btrfs: add and use helper to check if block group is used", " - btrfs: do not delete unused block group if it may be used soon", " - btrfs: forbid creating subvol qgroups", " - btrfs: forbid deleting live subvol qgroup", " - btrfs: send: return EOPNOTSUPP on unknown flags", " - btrfs: don't reserve space for checksums when writing to nocow files", " - btrfs: reject encoded write if inode has nodatasum flag set", " - btrfs: don't drop extent_map for free space inode on write error", " - driver core: Fix device_link_flag_is_sync_state_only()", " - of: unittest: Fix compile in the non-dynamic case", " - KVM: selftests: Fix a semaphore imbalance in the dirty ring logging test", " - wifi: iwlwifi: Fix some error codes", " - wifi: iwlwifi: uninitialized variable in iwl_acpi_get_ppag_table()", " - of: property: Improve finding the supplier of a remote-endpoint property", " - net: openvswitch: limit the number of recursions from action sets", " - lan966x: Fix crash when adding interface under a lag", " - spi: ppc4xx: Drop write-only variable", " - ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", " - net: sysfs: Fix /sys/class/net/ path for statistics", " - nouveau/svm: fix kvcalloc() argument order", " - MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler", " - i40e: Do not allow untrusted VF to remove administratively set MAC", " - i40e: Fix waiting for queues of all VSIs to be disabled", " - scs: add CONFIG_MMU dependency for 
vfree_atomic()", " - tracing/trigger: Fix to return error if failed to alloc snapshot", " - mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", " - scsi: storvsc: Fix ring buffer size calculation", " - dm-crypt, dm-verity: disable tasklets", " - ASoC: amd: yc: Add DMI quirk for MSI Bravo 15 C7VF", " - parisc: Prevent hung tasks when printing inventory on serial console", " - ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift", " 1 SF114-32", " - ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx", " - HID: i2c-hid-of: fix NULL-deref on failed power up", " - HID: wacom: generic: Avoid reporting a serial of '0' to userspace", " - HID: wacom: Do not register input devices until after hid_hw_start", " - iio: hid-sensor-als: Return 0 for HID_USAGE_SENSOR_TIME_TIMESTAMP", " - usb: ucsi: Add missing ppm_lock", " - usb: ulpi: Fix debugfs directory leak", " - usb: ucsi_acpi: Fix command completion handling", " - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT", " - usb: f_mass_storage: forbid async queue when shutdown happen", " - usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend", " - interconnect: qcom: sc8180x: Mark CO0 BCM keepalive", " - media: ir_toy: fix a memleak in irtoy_tx", " - driver core: fw_devlink: Improve detection of overlapping cycles", " - cifs: fix underflow in parse_server_interfaces()", " - i2c: qcom-geni: Correct I2C TRE sequence", " - irqchip/loongson-eiointc: Use correct struct type in eiointc_domain_alloc()", " - i2c: pasemi: split driver into two separate modules", " - modpost: trim leading spaces when processing source files list", " - mptcp: get rid of msk->subflow", " - mptcp: fix data re-injection from stale subflow", " - selftests: mptcp: add missing kconfig for NF Filter", " - selftests: mptcp: add missing kconfig for NF Filter in v6", " - selftests: mptcp: add missing kconfig for NF Mangle", " - selftests: mptcp: increase timeout to 30 min", " - 
mptcp: drop the push_pending field", " - mptcp: check addrs list in userspace_pm_get_local_id", " - scsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"", " - Revert \"drm/amd: flush any delayed gfxoff on suspend entry\"", " - drm/virtio: Set segment size for virtio_gpu device", " - lsm: fix the logic in security_inode_getsecctx()", " - firewire: core: correct documentation of fw_csr_string() kernel API", " - ALSA: hda/realtek: Apply headset jack quirk for non-bass alc287 thinkpads", " - kbuild: Fix changing ELF file type for output of gen_btf for big endian", " - nfc: nci: free rx_data_reassembly skb on NCI device cleanup", " - net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()", " - net: stmmac: do not clear TBS enable bit on link up/down", " - xen-netback: properly sync TX responses", " - modpost: Don't let \"driver\"s reference .exit.*", " - linux/init: remove __memexit* annotations", " - um: Fix adding '-no-pie' for clang", " - modpost: Add '.ltext' and '.ltext.*' to TEXT_SECTIONS", " - ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL", " - ASoC: codecs: wcd938x: handle deferred probe", " - ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power", " - binder: signal epoll threads of self-work", " - misc: fastrpc: Mark all sessions as invalid in cb_remove", " - ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()", " - tracing: Fix wasted memory in saved_cmdlines logic", " - staging: iio: ad5933: fix type mismatch regression", " - iio: magnetometer: rm3100: add boundary check for the value read from", " RM3100_REG_TMRC", " - iio: core: fix memleak in iio_device_register_sysfs", " - iio: commom: st_sensors: ensure proper DMA alignment", " - iio: accel: bma400: Fix a compilation problem", " - iio: adc: ad_sigma_delta: ensure proper DMA alignment", " - iio: imu: adis: ensure proper DMA alignment", " - iio: imu: bno055: serdev requires REGMAP", " - media: rc: bpf attach/detach requires write permission", " - 
ksmbd: free aux buffer if ksmbd_iov_pin_rsp_read fails", " - drm/msm: Wire up tlb ops", " - drm/prime: Support page array >= 4GB", " - drm/amd/display: Increase frame-larger-than for all display_mode_vba files", " - drm/amd/display: Preserve original aspect ratio in create stream", " - hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove", " - ring-buffer: Clean ring_buffer_poll_wait() error return", " - nfp: flower: fix hardware offload for the transfer layer port", " - serial: max310x: set default value when reading clock ready bit", " - serial: max310x: improve crystal stable clock detection", " - serial: max310x: fail probe if clock crystal is unstable", " - serial: max310x: prevent infinite while() loop in port startup", " - powerpc/64: Set task pt_regs->link to the LR value on scv entry", " - powerpc/cputable: Add missing PPC_FEATURE_BOOKE on PPC64 Book-E", " - powerpc/pseries: fix accuracy of stolen time", " - x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6", " - x86/fpu: Stop relying on userspace for info to fault in xsave buffer", " - KVM: x86/pmu: Fix type length error when reading pmu->fixed_ctr_ctrl", " - x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", " - io_uring/net: fix multishot accept overflow handling", " - mmc: slot-gpio: Allow non-sleeping GPIO ro", " - ALSA: hda/realtek: fix mute/micmute LED For HP mt645", " - ALSA: hda/conexant: Add quirk for SWS JS201D", " - nilfs2: fix data corruption in dsync block recovery for small block sizes", " - nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", " - crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked", " - nfp: use correct macro for LengthSelect in BAR config", " - nfp: flower: prevent re-adding mac index for bonded port", " - wifi: cfg80211: fix wiphy delayed work queueing", " - wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()", " - irqchip/irq-brcmstb-l2: Add write memory barrier before exit", " - 
irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update", " - zonefs: Improve error handling", " - mmc: sdhci-pci-o2micro: Fix a warm reboot issue that disk can't be detected", " by BIOS", " - ASoC: amd: yc: Add DMI quirk for Lenovo Ideapad Pro 5 16ARP8", " - tools/rtla: Remove unused sched_getattr() function", " - tools/rtla: Replace setting prio with nice for SCHED_OTHER", " - tools/rtla: Exit with EXIT_SUCCESS when help is invoked", " - tools/rtla: Fix uninitialized bucket/data->bucket_size warning", " - tools/rtla: Fix Makefile compiler options for clang", " - fs: relax mount_setattr() permission checks", " - net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio", " - s390/qeth: Fix potential loss of L3-IP@ in case of network issues", " - net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio", " - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed", " - ceph: prevent use-after-free in encode_cap_msg()", " - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", " - mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE", " - of: property: fix typo in io-channels", " - can: netlink: Fix TDCO calculation using the old data bittiming", " - can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock", " - can: j1939: Fix UAF in j1939_sk_match_filter during", " setsockopt(SO_J1939_FILTER)", " - pmdomain: core: Move the unused cleanup to a _sync initcall", " - fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of", " lock_task_sighand()", " - tracing: Inform kmemleak of saved_cmdlines allocation", " - selftests/mm: ksm_tests should only MADV_HUGEPAGE valid memory", " - selftests/mm: Update va_high_addr_switch.sh to check CPU for la57 flag", " - md: bypass block throttle for superblock update", " - block: fix partial zone append completion handling in req_bio_endio()", " - netfilter: ipset: Missing gc cancellations fixed", " - parisc: Fix random data corruption from exception handler", " - 
nfsd: don't take fi_lock in nfsd_break_deleg_cb()", " - sched/membarrier: reduce the ability to hammer on sys_membarrier", " - of: property: Add in-ports/out-ports support to of_graph_get_port_parent()", " - nilfs2: fix potential bug in end_buffer_async_write", " - arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata", " - work around gcc bugs with 'asm goto' with outputs", " - [Config] updateconfigs for GCC_ASM_GOTO_OUTPUT_WORKAROUND", " - update workarounds for gcc \"asm goto\" issue", " - selftests/landlock: Fix fs_test build with old libc", " - KVM: selftests: Delete superfluous, unused \"stage\" variable in AMX test", " - KVM: selftests: Avoid infinite loop in hyperv_features when invtsc is", " missing", " - drm/msm/gem: Fix double resv lock aquire", " - ASoC: SOF: ipc3-topology: Fix pipeline tear down logic", " - net/handshake: Fix handshake_req_destroy_test1", " - bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY", " - devlink: Fix command annotation documentation", " - of: property: Improve finding the consumer of a remote-endpoint property", " - perf: CXL: fix mismatched cpmu event opcode", " - selftests: forwarding: Fix layer 2 miss test flakiness", " - selftests: forwarding: Fix bridge MDB test flakiness", " - selftests: bridge_mdb: Use MDB get instead of dump", " - selftests: forwarding: Suppress grep warnings", " - ptrace: Introduce exception_ip arch hook", " - mm/memory: Use exception ip to search exception tables", " - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb", " - selftests/mm: switch to bash from sh", " - selftests: mm: fix map_hugetlb failure on 64K page size systems", " - nouveau: offload fence uevents work to workqueue", " - HID: bpf: remove double fdget()", " - HID: bpf: actually free hdev memory after attaching a HID-BPF program", " - usb: chipidea: core: handle power lost in workqueue", " - usb: core: Prevent null pointer dereference in update_port_device_state", " - interconnect: qcom: sm8550: Enable 
sync_state", " - powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add", " - powerpc/6xx: set High BAT Enable flag on G2_LE cores", " - iio: adc: ad4130: zero-initialize clock init data", " - iio: adc: ad4130: only set GPIO_CTRL if pin is unused", " - irqchip/gic-v3-its: Handle non-coherent GICv4 redistributors", " - kallsyms: ignore ARMv4 thunks along with others", " - selftests: mptcp: add mptcp_lib_kill_wait", " - mptcp: fix rcv space initialization", " - mptcp: really cope with fastopen race", " - Revert \"powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add\"", " - drm/amd: Don't init MEC2 firmware when it fails to load", " - usb: typec: tpcm: Fix issues with power being removed during reset", " - tracing/timerlat: Move hrtimer_init to timerlat_fd open()", " - tracing/synthetic: Fix trace_string() return value", " - tracing/probes: Fix to show a parse error for bad type for $comm", " - tracing/probes: Fix to set arg size and fmt after setting type from BTF", " - Revert \"workqueue: Override implicit ordered attribute in", " workqueue_apply_unbound_cpumask()\"", " - iio: pressure: bmp280: Add missing bmp085 to SPI id table", " - pmdomain: mediatek: fix race conditions with genpd", " - drm/amd/display: Add align done check", " - drm/amdgpu/soc21: update VCN 4 max HEVC encoding resolution", " - drm/amd/display: Fix MST Null Ptr for RV", " - net: dsa: mv88e6xxx: Fix failed probe due to unsupported C45 reads", " - nfp: flower: add hardware offload check for post ct entry", " - ftrace: Fix DIRECT_CALLS to use SAVE_REGS by default", " - serial: core: introduce uart_port_tx_flags()", " - serial: mxs-auart: fix tx", " - KVM: x86: make KVM_REQ_NMI request iff NMI pending for vcpu", " - crypto: algif_hash - Remove bogus SGL free on zero-length error path", " - nfp: enable NETDEV_XDP_ACT_REDIRECT feature flag", " - wifi: iwlwifi: mvm: fix a crash when we run out of stations", " - thunderbolt: Fix setting the CNS bit in ROUTER_CS_5", " - smb: client: 
set correct id, uid and cruid for multiuser automounts", " - KVM: arm64: Fix circular locking dependency", " - arm64/signal: Don't assume that TIF_SVE means we saved SVE state", " - ASoC: SOF: IPC3: fix message bounds on ipc ops", " - tools/rv: Fix curr_reactor uninitialized variable", " - tools/rv: Fix Makefile compiler options for clang", " - tools/rtla: Fix clang warning about mount_point var size", " - pmdomain: renesas: r8a77980-sysc: CR7 must be always on", " - blk-wbt: Fix detection of dirty-throttled tasks", " - docs: kernel_feat.py: fix build error for missing files", " - tracing: Fix HAVE_DYNAMIC_FTRACE_WITH_REGS ifdef", " - netfilter: ipset: fix performance regression in swap operation", " - tracefs: Check for dentry->d_inode exists in set_gid()", " - x86/efi: Drop EFI stub .bss from .data section", " - x86/efi: Drop alignment flags from PE section headers", " - x86/boot: Remove the 'bugger off' message", " - x86/boot: Omit compression buffer from PE/COFF image memory footprint", " - x86/boot: Drop redundant code setting the root device", " - x86/boot: Drop references to startup_64", " - x86/boot: Grab kernel_info offset from zoffset header directly", " - x86/boot: Set EFI handover offset directly in header asm", " - x86/boot: Define setup size in linker script", " - x86/boot: Derive file size from _edata symbol", " - x86/boot: Construct PE/COFF .text section from assembler", " - x86/boot: Drop PE/COFF .reloc section", " - x86/boot: Split off PE/COFF .data section", " - x86/boot: Increase section and file alignment to 4k/512", " - x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section", " - x86/barrier: Do not serialize MSR accesses on AMD", " - Documentation/arch/ia64/features.rst: fix kernel-feat directive", " - Upstream stable to v6.1.79, v6.6.18", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26694", " - wifi: iwlwifi: fix double-free bug", " * There is sound from the speakers and headphones at 
the same time on Oasis 14", " and 16 platforms (LP: #2054487) // Mantic update: upstream stable patchset", " 2024-04-16 (LP: #2061814)", " - ALSA: hda/realtek - Add speaker pin verbtable for Dell dual speaker platform", " - ALSA: hda/realtek: add IDs for Dell dual spk platform", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26710", " - powerpc/kasan: Limit KASAN thread size increase to 32KB", " * Mantic update: upstream stable patchset 2024-04-16 (LP: #2061814) //", " CVE-2024-26712", " - powerpc/kasan: Fix addr error caused by page alignment", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991)", " - ext4: regenerate buddy after block freeing failed if under fc replay", " - dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools", " - dmaengine: ti: k3-udma: Report short packet errors", " - dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA", " - dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA", " - phy: renesas: rcar-gen3-usb2: Fix returning wrong error code", " - dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV", " - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", " - cifs: failure to add channel on iface should bump up weight", " - drm/msms/dp: fixed link clock divider bits be over written in BPC unknown", " case", " - drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case", " - drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup", " - net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", " - wifi: mac80211: fix waiting for beacons logic", " - netdevsim: avoid potential loop in nsim_dev_trap_report_work()", " - net: atlantic: Fix DMA mapping for PTP hwts ring", " - selftests: net: cut more slack for gro fwd tests.", " - selftests: net: avoid just another constant wait", " - tunnels: fix out of bounds access when building IPv6 PMTU error", " - atm: idt77252: fix a memleak in 
open_card_ubr0", " - octeontx2-pf: Fix a memleak otx2_sq_init", " - hwmon: (aspeed-pwm-tacho) mutex for tach reading", " - hwmon: (coretemp) Fix out-of-bounds memory access", " - hwmon: (coretemp) Fix bogus core_id to attr name mapping", " - inet: read sk->sk_family once in inet_recv_error()", " - drm/i915/gvt: Fix uninitialized variable in handle_mmio()", " - rxrpc: Fix response to PING RESPONSE ACKs to a dead call", " - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", " - af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.", " - ppp_async: limit MRU to 64K", " - selftests: cmsg_ipv6: repeat the exact packet", " - netfilter: nft_compat: narrow down revision to unsigned 8-bits", " - netfilter: nft_compat: reject unused compat flag", " - netfilter: nft_compat: restrict match/target protocol to u16", " - drm/amd/display: Implement bounds check for stream encoder creation in", " DCN301", " - netfilter: nft_ct: reject direction for ct id", " - fs/ntfs3: Fix an NULL dereference bug", " - scsi: core: Move scsi_host_busy() out of host lock if it is for per-command", " - blk-iocost: Fix an UBSAN shift-out-of-bounds warning", " - ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision", " - ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter", " - ALSA: usb-audio: add quirk for RODE NT-USB+", " - USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e", " - USB: serial: option: add Fibocom FM101-GL variant", " - USB: serial: cp210x: add ID for IMST iM871A-USB", " - usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK", " - usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK", " - hrtimer: Report offline hrtimer enqueue", " - Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU", " - io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers", " - net: stmmac: xgmac: use #define for string constants", " - ALSA: usb-audio: Sort quirk table entries", " - net: stmmac: xgmac: fix a typo 
of register name in DPP safety handling", " - perf evlist: Fix evlist__new_default() for > 1 core PMU", " - cifs: avoid redundant calls to disable multichannel", " - rust: arc: add explicit `drop()` around `Box::from_raw()`", " - rust: task: remove redundant explicit link", " - rust: print: use explicit link in documentation", " - MAINTAINERS: add Catherine as xfs maintainer for 6.6.y", " - xfs: bump max fsgeom struct version", " - xfs: hoist freeing of rt data fork extent mappings", " - xfs: prevent rt growfs when quota is enabled", " - xfs: rt stubs should return negative errnos when rt disabled", " - xfs: fix units conversion error in xfs_bmap_del_extent_delay", " - xfs: make sure maxlen is still congruent with prod when rounding down", " - xfs: introduce protection for drop nlink", " - xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space", " - xfs: allow read IO and FICLONE to run concurrently", " - xfs: factor out xfs_defer_pending_abort", " - xfs: abort intent items when recovery intents fail", " - xfs: only remap the written blocks in xfs_reflink_end_cow_extent", " - xfs: up(ic_sema) if flushing data device fails", " - xfs: fix internal error from AGFL exhaustion", " - xfs: inode recovery does not validate the recovered inode", " - xfs: clean up dqblk extraction", " - xfs: dquot recovery does not validate the recovered dquot", " - xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags", " - xfs: respect the stable writes flag on the RT device", " - wifi: mac80211: fix RCU use in TDLS fast-xmit", " - wifi: iwlwifi: exit eSR only after the FW does", " - wifi: brcmfmac: Adjust n_channels usage for __counted_by", " - selftests/net: convert unicast_extensions.sh to run it in unique namespace", " - selftests/net: convert pmtu.sh to run it in unique namespace", " - selftests/net: change shebang to bash to support \"source\"", " - selftests: net: fix tcp listener handling in pmtu.sh", " - tsnep: Fix mapping for zero copy XDP_TX action", " 
- rxrpc: Fix generation of serial numbers to skip zero", " - rxrpc: Fix delayed ACKs to not set the reference serial number", " - rxrpc: Fix counting of new acks and nacks", " - selftests: net: let big_tcp test cope with slow env", " - drm/amd/display: Fix 'panel_cntl' could be null in", " 'dcn21_set_backlight_level()'", " - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'", " - riscv: Improve tlb_flush()", " - riscv: Make __flush_tlb_range() loop over pte instead of flushing the whole", " tlb", " - riscv: Improve flush_tlb_kernel_range()", " - mm: Introduce flush_cache_vmap_early()", " - riscv: mm: execute local TLB flush after populating vmemmap", " - riscv: Fix set_huge_pte_at() for NAPOT mapping", " - riscv: Fix hugetlb_mask_last_page() when NAPOT is enabled", " - riscv: Flush the tlb when a page directory is freed", " - libceph: rename read_sparse_msg_*() to read_partial_sparse_msg_*()", " - libceph: just wait for more data to be available on the socket", " - riscv: Fix arch_hugetlb_migration_supported() for NAPOT", " - riscv: declare overflow_stack as exported from traps.c", " - Revert \"usb: typec: tcpm: fix cc role at port reset\"", " - x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups", " - xhci: process isoc TD properly when there was a transaction error mid TD.", " - xhci: handle isoc Babble and Buffer Overrun events properly", " - usb: dwc3: pci: add support for the Intel Arrow Lake-H", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - io_uring/poll: move poll execution helpers higher up", " - io_uring/net: un-indent mshot retry path in io_recv_finish()", " - io_uring/poll: add requeue return code from poll multishot handling", " - io_uring/net: limit inline multishot retries", " - Upstream stable to v6.1.78, v6.6.17", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) // The", " keyboard does not work after latest kernel update (LP: #2060727)", " - Input: atkbd - skip 
ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID", " * CVE-2024-26593", " - i2c: i801: Fix block process call transactions", " * Mantic update: upstream stable patchset 2024-03-26 (LP: #2059068)", " - selftests/bpf: tests for iterating callbacks", " * CVE-2024-26925", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) //", " CVE-2024-26809", " - netfilter: nft_set_pipapo: store index in scratch maps", " - netfilter: nft_set_pipapo: add helper to release pcpu scratch area", " - netfilter: nft_set_pipapo: remove scratch_aligned pointer", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "" ], "package": "linux-riscv-6.5", "version": "6.5.0-45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2071997, 1786013, 2071998, 2072006, 2068333, 1786013, 2068341, 1786013, 2061940, 2067883, 2049358, 2045560, 2063399, 2063529, 2046722, 2060904, 2063096, 2063067, 2040948, 2060727, 2057734, 2060422, 2058477, 2059263, 2042546, 2061814, 2061814, 2054487, 2061814, 2061814, 2061814, 2059991, 2059991, 2060727, 2059068, 2059991 ], "author": "Hannah Peuckmann ", "date": "Fri, 19 Jul 2024 13:18:49 +0200" } ], "notes": "linux-riscv-6.5-headers-6.5.0-45 version '6.5.0-45.45.1~22.04.1' (source package linux-riscv-6.5 version '6.5.0-45.45.1~22.04.1') was added. linux-riscv-6.5-headers-6.5.0-45 version '6.5.0-45.45.1~22.04.1' has the same source package name, linux-riscv-6.5, as removed package linux-headers-6.5.0-42-generic. 
As such we can use the source package version of the removed package, '6.5.0-42.42.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.5.0-42-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": "6.5.0-42.42.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-6.5.0-42-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": "6.5.0-42.42.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-6.5.0-42-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": "6.5.0-42.42.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-riscv-6.5-headers-6.5.0-42", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": "6.5.0-42.42.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20240726 to 
20240801", "from_series": "jammy", "to_series": "jammy", "from_serial": "20240726", "to_serial": "20240801", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }