{ "summary": { "snap": { "added": [], "removed": [], "diff": [ "core20", "snapd", "lxd" ] }, "deb": { "added": [ "linux-headers-5.15.0-126", "linux-headers-5.15.0-126-generic", "linux-image-5.15.0-126-generic", "linux-modules-5.15.0-126-generic", "python3-packaging" ], "removed": [ "linux-headers-5.15.0-122", "linux-headers-5.15.0-122-generic", "linux-image-5.15.0-122-generic", "linux-modules-5.15.0-122-generic", "netplan-generator", "python3-netplan" ], "diff": [ "curl", "distro-info-data", "libarchive13", "libcurl3-gnutls", "libcurl4", "libglib2.0-0", "libglib2.0-bin", "libglib2.0-data", "libmodule-scandeps-perl", "libnetplan0", "libpython3.10", "libpython3.10-minimal", "libpython3.10-stdlib", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "nano", "needrestart", "netplan.io", "python3-twisted", "python3-urllib3", "python3.10", "python3.10-minimal", "snapd", "sosreport", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd" ] } }, "diff": { "deb": [ { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.19", "version": "7.81.0-1ubuntu1.19" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. 
(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. 
The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:54:59 -0330" } ], "notes": null }, { "name": "distro-info-data", "from_version": { "source_package_name": "distro-info-data", "source_package_version": "0.52ubuntu0.7", "version": "0.52ubuntu0.7" }, "to_version": { "source_package_name": "distro-info-data", "source_package_version": "0.52ubuntu0.8", "version": "0.52ubuntu0.8" }, "cves": [], "launchpad_bugs_fixed": [ 2084572 ], "changes": [ { "cves": [], "log": [ "", " * Add Ubuntu 25.04 \"Plucky Puffin\" (LP: #2084572)", "" ], "package": "distro-info-data", "version": "0.52ubuntu0.8", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084572 ], "author": "Benjamin Drung ", "date": "Thu, 17 Oct 2024 12:43:19 +0200" } ], "notes": null }, { "name": "libarchive13", "from_version": { "source_package_name": "libarchive", "source_package_version": "3.6.0-1ubuntu1.1", "version": "3.6.0-1ubuntu1.1" }, "to_version": { "source_package_name": "libarchive", "source_package_version": "3.6.0-1ubuntu1.3", "version": "3.6.0-1ubuntu1.3" }, "cves": [ { "cve": 
"CVE-2024-20696", "url": "https://ubuntu.com/security/CVE-2024-20696", "cve_description": "Windows libarchive Remote Code Execution Vulnerability", "cve_priority": "medium", "cve_public_date": "2024-01-09 18:15:00 UTC" }, { "cve": "CVE-2022-36227", "url": "https://ubuntu.com/security/CVE-2022-36227", "cve_description": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"", "cve_priority": "low", "cve_public_date": "2022-11-22 02:15:00 UTC" }, { "cve": "CVE-2024-48957", "url": "https://ubuntu.com/security/CVE-2024-48957", "cve_description": "execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.", "cve_priority": "medium", "cve_public_date": "2024-10-10 02:15:00 UTC" }, { "cve": "CVE-2024-48958", "url": "https://ubuntu.com/security/CVE-2024-48958", "cve_description": "execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.", "cve_priority": "medium", "cve_public_date": "2024-10-10 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-20696", "url": "https://ubuntu.com/security/CVE-2024-20696", "cve_description": "Windows libarchive Remote Code Execution Vulnerability", "cve_priority": "medium", "cve_public_date": "2024-01-09 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: code execution via negative copy length", " - debian/patches/CVE-2024-20696.patch: 
protect", " copy_from_lzss_window_to_unp() in", " libarchive/archive_read_support_format_rar.c.", " - CVE-2024-20696", "" ], "package": "libarchive", "version": "3.6.0-1ubuntu1.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 29 Oct 2024 10:03:06 +0100" }, { "cves": [ { "cve": "CVE-2022-36227", "url": "https://ubuntu.com/security/CVE-2022-36227", "cve_description": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"", "cve_priority": "low", "cve_public_date": "2022-11-22 02:15:00 UTC" }, { "cve": "CVE-2024-48957", "url": "https://ubuntu.com/security/CVE-2024-48957", "cve_description": "execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.", "cve_priority": "medium", "cve_public_date": "2024-10-10 02:15:00 UTC" }, { "cve": "CVE-2024-48958", "url": "https://ubuntu.com/security/CVE-2024-48958", "cve_description": "execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.", "cve_priority": "medium", "cve_public_date": "2024-10-10 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference", " - debian/patches/CVE-2022-36227.patch: Add NULL check in archive_write", " functions", " - CVE-2022-36227", " * SECURITY UPDATE: Out of bounds access", " - debian/patches/CVE-2024-48957.patch: check dst isn't 
less than or", " equal to src in execute_filter_audio", " - CVE-2024-48957", " * SECURITY UPDATE: Out of bounds access", " - debian/patches/CVE-2024-48958.patch: check dst isn't less than or", " equal to src in execute_filter_delta", " - CVE-2024-48958", "" ], "package": "libarchive", "version": "3.6.0-1ubuntu1.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 14 Oct 2024 12:03:12 +1100" } ], "notes": null }, { "name": "libcurl3-gnutls", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.19", "version": "7.81.0-1ubuntu1.19" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. 
If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. 
This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:54:59 -0330" } ], "notes": null }, { "name": "libcurl4", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.19", "version": "7.81.0-1ubuntu1.19" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. 
The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. 
This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:54:59 -0330" } ], "notes": null }, { "name": "libglib2.0-0", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.3", "version": "2.72.4-0ubuntu2.3" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.4", "version": "2.72.4-0ubuntu2.4" }, "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.72.4-0ubuntu2.4", 
"urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:54:48 -0300" } ], "notes": null }, { "name": "libglib2.0-bin", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.3", "version": "2.72.4-0ubuntu2.3" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.4", "version": "2.72.4-0ubuntu2.4" }, "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.72.4-0ubuntu2.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:54:48 -0300" } ], "notes": null }, { "name": "libglib2.0-data", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.3", "version": "2.72.4-0ubuntu2.3" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.4", "version": "2.72.4-0ubuntu2.4" }, 
"cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.72.4-0ubuntu2.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:54:48 -0300" } ], "notes": null }, { "name": "libmodule-scandeps-perl", "from_version": { "source_package_name": "libmodule-scandeps-perl", "source_package_version": "1.31-1", "version": "1.31-1" }, "to_version": { "source_package_name": "libmodule-scandeps-perl", "source_package_version": "1.31-1ubuntu0.1", "version": "1.31-1ubuntu0.1" }, "cves": [ { "cve": "CVE-2024-10224", "url": "https://ubuntu.com/security/CVE-2024-10224", "cve_description": "Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by open()ing a \"pesky pipe\" (such as passing \"commands|\" as a filename) or by passing arbitrary strings to eval().", "cve_priority": "medium", "cve_public_date": "2024-11-19 
18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-10224", "url": "https://ubuntu.com/security/CVE-2024-10224", "cve_description": "Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by open()ing a \"pesky pipe\" (such as passing \"commands|\" as a filename) or by passing arbitrary strings to eval().", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: parsing untrusted code", " - d/p/CVE-2024-10224/0001-use-three-argument-open.patch: use a", " three-argument open() alternative", " - d/p/CVE-2024-10224/0002-replace-eval-.-constructs.patch: replace eval ", " with parsing the code instead", " - d/p/CVE-2024-10224/0003-fix-parsing-of-use-if.patch: fix parsing of use", " if statements", " - CVE-2024-10224", "" ], "package": "libmodule-scandeps-perl", "version": "1.31-1ubuntu0.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Sudhakar Verma ", "date": "Mon, 18 Nov 2024 23:01:20 +0530" } ], "notes": null }, { "name": "libnetplan0", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.1", "version": "0.107.1-3ubuntu0.22.04.1" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.4", "version": "0.106.1-7ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "libpython3.10", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A 
vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "libpython3.10-minimal", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "libpython3.10-stdlib", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": 
"https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.122.122", "version": "5.15.0.122.122" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.126.125", "version": "5.15.0.126.125" }, "cves": [], "launchpad_bugs_fixed": [ 2086027 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-126", "", " * jammy/linux: -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "5.15.0.126.125", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086027 ], "author": "Stefan Bader ", "date": "Wed, 06 Nov 2024 10:48:10 +0100" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-125", "" ], "package": "linux-meta", "version": "5.15.0.125.124", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 15:24:50 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-123", "" ], "package": "linux-meta", "version": "5.15.0.123.123", "urgency": "medium", "distributions": "jammy", 
"launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 13 Sep 2024 15:30:58 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.122.122", "version": "5.15.0.122.122" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.126.125", "version": "5.15.0.126.125" }, "cves": [], "launchpad_bugs_fixed": [ 2086027 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-126", "", " * jammy/linux: -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "5.15.0.126.125", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086027 ], "author": "Stefan Bader ", "date": "Wed, 06 Nov 2024 10:48:10 +0100" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-125", "" ], "package": "linux-meta", "version": "5.15.0.125.124", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 15:24:50 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-123", "" ], "package": "linux-meta", "version": "5.15.0.123.123", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 13 Sep 2024 15:30:58 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.122.122", "version": "5.15.0.122.122" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.126.125", "version": "5.15.0.126.125" }, "cves": [], "launchpad_bugs_fixed": [ 2086027 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-126", "", " * jammy/linux: -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "5.15.0.126.125", "urgency": "medium", "distributions": "jammy", 
"launchpad_bugs_fixed": [ 2086027 ], "author": "Stefan Bader ", "date": "Wed, 06 Nov 2024 10:48:10 +0100" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-125", "" ], "package": "linux-meta", "version": "5.15.0.125.124", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 15:24:50 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-123", "" ], "package": "linux-meta", "version": "5.15.0.123.123", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 13 Sep 2024 15:30:58 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.122.122", "version": "5.15.0.122.122" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.126.125", "version": "5.15.0.126.125" }, "cves": [], "launchpad_bugs_fixed": [ 2086027 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-126", "", " * jammy/linux: -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "5.15.0.126.125", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086027 ], "author": "Stefan Bader ", "date": "Wed, 06 Nov 2024 10:48:10 +0100" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-125", "" ], "package": "linux-meta", "version": "5.15.0.125.124", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 15:24:50 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-123", "" ], "package": "linux-meta", "version": "5.15.0.123.123", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 13 Sep 2024 15:30:58 +0200" } ], "notes": null }, { "name": "nano", "from_version": { "source_package_name": "nano", "source_package_version": 
"6.2-1", "version": "6.2-1" }, "to_version": { "source_package_name": "nano", "source_package_version": "6.2-1ubuntu0.1", "version": "6.2-1ubuntu0.1" }, "cves": [ { "cve": "CVE-2024-5742", "url": "https://ubuntu.com/security/CVE-2024-5742", "cve_description": "A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.", "cve_priority": "low", "cve_public_date": "2024-06-12 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-5742", "url": "https://ubuntu.com/security/CVE-2024-5742", "cve_description": "A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.", "cve_priority": "low", "cve_public_date": "2024-06-12 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Emergency file could be replaced by a malicious symlink.", " - debian/patches/CVE-2024-5742.patch: Use fchmod and fchown in write_file()", " in src/files.c instead of using chmod and chown in emergency_save() in", " src/nano.c. Add EMERGENCY write type in kind_of_writing_type enum in", " src/definitions.h. Update fd in write_file() in src/files.c. 
Based on", " upstream.", " - CVE-2024-5742", "" ], "package": "nano", "version": "6.2-1ubuntu0.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 10 Oct 2024 11:09:30 -0230" } ], "notes": null }, { "name": "needrestart", "from_version": { "source_package_name": "needrestart", "source_package_version": "3.5-5ubuntu2.1", "version": "3.5-5ubuntu2.1" }, "to_version": { "source_package_name": "needrestart", "source_package_version": "3.5-5ubuntu2.4", "version": "3.5-5ubuntu2.4" }, "cves": [ { "cve": "CVE-2024-48990", "url": "https://ubuntu.com/security/CVE-2024-48990", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48991", "url": "https://ubuntu.com/security/CVE-2024-48991", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter). 
The initial security fix (6ce6136) introduced a regression which was subsequently resolved (42af5d3).", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48992", "url": "https://ubuntu.com/security/CVE-2024-48992", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-11003", "url": "https://ubuntu.com/security/CVE-2024-11003", "cve_description": "Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. Please see the related CVE-2024-10224 in Modules::ScanDeps.", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2089193, 2089193 ], "changes": [ { "cves": [], "log": [ "", " * SECURITY REGRESSION: false positives for killing processes in LXC", " (LP: #2089193)", " - debian/patches/lp2091096/0021-fix-lxc-fp.patch: use the value of exe", " to check for obsolete processes when exec is undefined ", "" ], "package": "needrestart", "version": "3.5-5ubuntu2.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2089193 ], "author": "Sudhakar Verma ", "date": "Thu, 05 Dec 2024 17:28:38 +0530" }, { "cves": [], "log": [ "", " * SECURITY REGRESSION: false positives for killing processes (LP: #2089193)", " - debian/patches/lp2089193/0020-fix-chroot-mountns-fp.patch: ignore check", " for obsolete processes in chrooted or containerized processes", "" ], "package": "needrestart", "version": "3.5-5ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2089193 ], "author": "Sudhakar Verma 
", "date": "Tue, 26 Nov 2024 10:48:34 +0530" }, { "cves": [ { "cve": "CVE-2024-48990", "url": "https://ubuntu.com/security/CVE-2024-48990", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48991", "url": "https://ubuntu.com/security/CVE-2024-48991", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter). The initial security fix (6ce6136) introduced a regression which was subsequently resolved (42af5d3).", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48992", "url": "https://ubuntu.com/security/CVE-2024-48992", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-11003", "url": "https://ubuntu.com/security/CVE-2024-11003", "cve_description": "Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. 
Please see the related CVE-2024-10224 in Modules::ScanDeps.", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect usage of PYTHONPATH environment variable", " - debian/patches/CVE-2024-48990.patch: chdir to a clean directory ", " to avoid loading arbitrary objects, sanitize PYTHONPATH before", " spawning a new python interpreter", " - CVE-2024-48990", " * SECURITY UPDATE: race condition for checking path to python", " - debian/patches/CVE-2024-48991.patch: sync path for both check", " and usage for python interpreter", " - CVE-2024-48991", " * SECURITY UPDATE: incorrect usage of RUBYLIB environment variable", " - debian/patches/CVE-2024-48992.patch: chdir to a clean directory", " to avoid loading arbitrary objects, sanitize RUBYLIB before", " spawning a new ruby interpreter", " - CVE-2024-48992", " * SECURITY UPDATE: incorrect usage of Perl ScanDeps", " - debian/patches/CVE-2024-11003.patch: remove usage of ScanDeps", " to avoid parsing arbitrary code", " - CVE-2024-11003 ", "" ], "package": "needrestart", "version": "3.5-5ubuntu2.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Sudhakar Verma ", "date": "Mon, 18 Nov 2024 13:51:23 +0530" } ], "notes": null }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.1", "version": "0.107.1-3ubuntu0.22.04.1" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.4", "version": "0.106.1-7ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "python3-twisted", "from_version": { "source_package_name": "twisted", "source_package_version": "22.1.0-2ubuntu2.5", "version": "22.1.0-2ubuntu2.5" }, "to_version": { "source_package_name": "twisted", "source_package_version": "22.1.0-2ubuntu2.6", "version": "22.1.0-2ubuntu2.6" }, "cves": [ { "cve": 
"CVE-2024-41671", "url": "https://ubuntu.com/security/CVE-2024-41671", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-41671", "url": "https://ubuntu.com/security/CVE-2024-41671", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-order HTTP request processing.", " - debian/patches/CVE-2024-41671-*.patch: Move self.allContentReceived()", " after self._dataBuffer.append(data) in src/twisted/web/http.py. Add", " tests.", " - CVE-2024-41671", "" ], "package": "twisted", "version": "22.1.0-2ubuntu2.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Fri, 22 Nov 2024 14:19:41 -0330" } ], "notes": null }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "1.26.5-1~exp1ubuntu0.1", "version": "1.26.5-1~exp1ubuntu0.1" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "1.26.5-1~exp1ubuntu0.2", "version": "1.26.5-1~exp1ubuntu0.2" }, "cves": [ { "cve": "CVE-2024-37891", "url": "https://ubuntu.com/security/CVE-2024-37891", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. 
When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. 
Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.", "cve_priority": "low", "cve_public_date": "2024-06-17 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37891", "url": "https://ubuntu.com/security/CVE-2024-37891", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. 
Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.", "cve_priority": "low", "cve_public_date": "2024-06-17 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: The Proxy-Authorization header is not correctly stripped", " when redirecting to a different host.", " - debian/patches/CVE-2024-37891.patch: Add \"Proxy-Authorization\" to", " DEFAULT_REMOVE_HEADERS_ON_REDIRECT in src/urllib3/util/retry.py. Add", " header to tests.", " - CVE-2024-37891", "" ], "package": "python-urllib3", "version": "1.26.5-1~exp1ubuntu0.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 17 Oct 2024 10:19:08 -0230" } ], "notes": null }, { "name": "python3.10", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "python3.10-minimal", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": 
"https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.63+22.04ubuntu0.1", "version": "2.63+22.04ubuntu0.1" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.66.1+22.04", "version": "2.66.1+22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2083490, 2083490, 2077473, 2077473, 2077473, 2077473, 2072986, 2061179 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2083490", " - AppArmor prompting (experimental): Fix kernel prompting support", " check", " - Allow kernel snaps to have content slots", " - Fix ignoring snaps in try mode when amending", "" ], "package": "snapd", "version": "2.66.1+22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2083490 ], "author": "Ernest Lotter ", "date": "Fri, 11 Oct 2024 10:05:46 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2083490", " - AppArmor prompting (experimental): expand kernel support checks", " - AppArmor prompting (experimental): consolidate error messages and", " add error kinds", " - AppArmor prompting (experimental): grant 
/v2/snaps/{name} via", " snap-interfaces-requests-control", " - AppArmor prompting (experimental): add checks for duplicate", " pattern variants", " - Registry views (experimental): add handlers that commit (and", " cleanup) registry transactions", " - Registry views (experimental): add a snapctl fail command for", " rejecting registry transactions", " - Registry views (experimental): allow custodian snaps to implement", " registry hooks that modify and save registry data", " - Registry views (experimental): run view-changed hooks only for", " snaps plugging views affected by modified paths", " - Registry views (experimental): make registry transactions", " serialisable", " - Snap components: handle refreshing components to revisions that", " have been on the system before", " - Snap components: enable creating Ubuntu Core images that contain", " components", " - Snap components: handle refreshing components independently of", " snaps", " - Snap components: handle removing components when refreshing a snap", " that no longer defines them", " - Snap components: extend snapd Ubuntu Core installation API to", " allow for picking optional snaps and components to install", " - Snap components: extend kernel.yaml with \"dynamic-modules\",", " allowing kernel to define a location for kmods from component", " hooks", " - Snap components: renamed component type \"test\" to \"standard\"", " - Desktop IDs: support installing desktop files with custom names", " based on desktop-file-ids desktop interface plug attr", " - Auto-install snapd on classic systems as prerequisite for any non-", " essential snap install", " - Support loading AppArmor profiles on WSL2 with non-default kernel", " and securityfs mounted", " - Debian/Fedora packaging updates", " - Add snap debug command for investigating execution aspects of the", " snap toolchain", " - Improve snap pack error for easier parsing", " - Add support for user services when refreshing snaps", " - Add snap remove --terminate 
flag for terminating running snap", " processes", " - Support building FIPS complaint snapd deb and snap", " - Fix to not use nss when looking up for users/groups from snapd", " snap", " - Fix ordering in which layout changes are saved", " - Patch snapd snap dynamic linker to ignore LD_LIBRARY_PATH and", " related variables", " - Fix libexec dir for openSUSE Slowroll", " - Fix handling of the shared snap directory for parallel installs", " - Allow writing to /run/systemd/journal/dev-log by default", " - Avoid state lock during snap removal to avoid delaying other snapd", " operations", " - Add nomad-support interface to enable running Hashicorp Nomad", " - Add intel-qat interface", " - u2f-devices interface: add u2f trustkey t120 product id and fx", " series fido u2f devices", " - desktop interface: improve integration with xdg-desktop-portal", " - desktop interface: add desktop-file-ids plug attr to desktop", " interface", " - unity7 interface: support desktop-file-ids in desktop files rule", " generation", " - desktop-legacy interface: support desktop-file-ids in desktop", " files rule generation", " - desktop-legacy interface: grant access to gcin socket location", " - login-session-observe interface: allow introspection", " - custom-device interface: allow to explicitly identify matching", " device in udev tagging block", " - system-packages-doc interface: allow reading /usr/share/javascript", " - modem-manager interface: add new format of WWAN ports", " - pcscd interface: allow pcscd to read opensc.conf", " - cpu-control interface: add IRQ affinity control to cpu_control", " - opengl interface: add support for cuda workloads on Tegra iGPU in", " opengl interface", "" ], "package": "snapd", "version": "2.66", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2083490 ], "author": "Ernest Lotter ", "date": "Fri, 04 Oct 2024 14:22:03 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Fix missing aux info from 
store on snap setup", "" ], "package": "snapd", "version": "2.65.3", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Thu, 12 Sep 2024 09:40:17 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Bump squashfuse from version 0.5.0 to 0.5.2 (used in snapd deb", " only)", "" ], "package": "snapd", "version": "2.65.2", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Fri, 06 Sep 2024 17:08:45 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS complaint snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to latest 4.0.2 release", " - AppArmor: enable using ABI 4.0 from host parser", " - AppArmor: fix parser lookup", " - AppArmor: support AppArmor snippet priorities", " - AppArmor: allow reading cgroup memory.max file", " - AppArmor: allow using snap-exec coming from the snapd snap when", " starting a confined process with jailmode", " - AppArmor prompting (experimental): add checks for prompting", " support, include prompting status in system key, and restart snapd", " if prompting flag changes", " - AppArmor prompting (experimental): include prompt prefix in", " AppArmor rules if prompting is supported and enabled", " - AppArmor prompting (experimental): add common types, constraints,", " and mappings from AppArmor permissions to abstract permissions", " - AppArmor prompting (experimental): add path pattern parsing and", " matching", " - AppArmor prompting (experimental): add path pattern precedence", " based on specificity", " - AppArmor prompting (experimental): add packages to manage", " outstanding request prompts and rules", " - AppArmor prompting (experimental): add prompting API and notice", " types, which require 
snap-interfaces-requests-control interface", " - AppArmor prompting (experimental): feature flag can only be", " enabled if prompting is supported, handler service connected, and", " the service can be started", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views and", " setting/unsetting registry data using snapctl", " - Registry views (experimental): fetch and refresh registry", " assertions as needed", " - Registry views (experimental): restrict view paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store", " - Snap components: support removing components individually and", " during snap removal", " - Snap components: support kernel modules as components", " - Snap components: support for component install, pre-refresh and", " post-refresh hooks", " - Snap components: initial support for building systems that contain", " components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface access to /v2/snaps/{name} endpoint", " - Improve snap-confine compatibility with nvidia drivers", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Allow mixing revision and channel on snap install", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - 
Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug API command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", " - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Add options system.coredump.enable and system.coredump.maxuse to", " support using systemd-coredump on Ubuntu Core", " - Provide documentation URL for 'snap interface '", " - Fix snapd riscv64 build", " - Fix restarting activated services instead of their activator units", " (i.e. 
sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Fix parsing /proc/PID/mounts with spaces", " - Add registry interface that provides snaps access to a particular", " registry view", " - Add snap-interfaces-requests-control interface to enable prompting", " client snaps", " - steam-support interface: remove all AppArmor and seccomp", " restrictions to improve user experience", " - opengl interface: improve compatibility with nvidia drivers", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control 
interface: support for battery charging thresholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", " - network-control interface: allow wpa_supplicant dbus api", " - gpio-control interface: support gpiochip* devices", " - polkit interface: fix \"rw\" mount option check", " - u2f-devices interface: enable additional security keys", " - desktop interface: enable kde theming support", "" ], "package": "snapd", "version": "2.65.1", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Sat, 24 Aug 2024 10:31:20 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS compliant snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to latest 4.0.2 release", " - AppArmor: enable using ABI 4.0 from host parser", " - AppArmor: fix parser lookup", " - AppArmor: support AppArmor snippet priorities", " - AppArmor: allow reading cgroup memory.max file", " - AppArmor: allow using snap-exec coming from the snapd snap when", " starting a confined process with jailmode", " - AppArmor prompting (experimental): add checks for prompting", " support, include prompting status in system key, and restart snapd", " if prompting flag changes", " - AppArmor prompting (experimental): include prompt prefix in", " AppArmor rules if prompting is supported and enabled", " - AppArmor prompting (experimental): add common types, constraints,", " and mappings from 
AppArmor permissions to abstract permissions", " - AppArmor prompting (experimental): add path pattern parsing and", " matching", " - AppArmor prompting (experimental): add path pattern precedence", " based on specificity", " - AppArmor prompting (experimental): add packages to manage", " outstanding request prompts and rules", " - AppArmor prompting (experimental): add prompting API and notice", " types, which require snap-interfaces-requests-control interface", " - AppArmor prompting (experimental): feature flag can only be", " enabled if prompting is supported, handler service connected, and", " the service can be started", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views and", " setting/unsetting registry data using snapctl", " - Registry views (experimental): fetch and refresh registry", " assertions as needed", " - Registry views (experimental): restrict view paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store", " - Snap components: support removing components individually and", " during snap removal", " - Snap components: support kernel modules as components", " - Snap components: support for component install, pre-refresh and", " post-refresh hooks", " - Snap components: initial support for building systems that contain", " components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface 
access to /v2/snaps/{name} endpoint", " - Improve snap-confine compatibility with nvidia drivers", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Allow mixing revision and channel on snap install", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug API command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", " - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Add options system.coredump.enable and system.coredump.maxuse to", " support using systemd-coredump on Ubuntu Core", " - Provide documentation URL for 'snap interface '", " - Fix restarting activated services instead of their activator units", " (i.e. 
sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Fix parsing /proc/PID/mounts with spaces", " - Add registry interface that provides snaps access to a particular", " registry view", " - Add snap-interfaces-requests-control interface to enable prompting", " client snaps", " - steam-support interface: remove all AppArmor and seccomp", " restrictions to improve user experience", " - opengl interface: improve compatibility with nvidia drivers", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control 
interface: support for battery charging thresholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", " - network-control interface: allow wpa_supplicant dbus api", " - gpio-control interface: support gpiochip* devices", " - polkit interface: fix \"rw\" mount option check", " - u2f-devices interface: enable additional security keys", " - desktop interface: enable kde theming support", "" ], "package": "snapd", "version": "2.65", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Fri, 23 Aug 2024 08:49:28 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2072986", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS compliant snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to AppArmor 4.0.1", " - AppArmor: support AppArmor snippet priorities", " - AppArmor prompting: add checks for prompting support, include", " prompting status in system key, and restart snapd if prompting", " flag changes", " - AppArmor prompting: include prompt prefix in AppArmor rules if", " prompting is supported and enabled", " - AppArmor prompting: add common types, constraints, and mappings", " from AppArmor permissions to abstract permissions", " - AppArmor prompting: add path pattern parsing and matching", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views", " using snapctl", " - Registry views (experimental): restrict view 
paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store (no", " REST API/CLI)", " - Snap components: support removing components (REST API, no CLI)", " - Snap components: started support for component hooks", " - Snap components: support kernel modules as components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface access to /v2/snaps/{name} endpoint", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug api command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", 
" - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Fix restarting activated services instead of their activator units", " (i.e. sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Add registry interface that provides snaps access to a particular", " registry view", " - steam-support interface: relaxed AppArmor and seccomp restrictions", " to improve user experience", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control interface: support for battery 
charging thresholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", "" ], "package": "snapd", "version": "2.64", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2072986 ], "author": "Ernest Lotter ", "date": "Wed, 24 Jul 2024 21:11:59 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2061179", " - Support for snap services to show the current status of user", " services (experimental)", " - Refresh app awareness: record snap-run-inhibit notice when", " starting app from snap that is busy with refresh (experimental)", " - Refresh app awareness: use warnings as fallback for desktop", " notifications (experimental)", " - Aspect based configuration: make request fields in the aspect-", " bundle's rules optional (experimental)", " - Aspect based configuration: make map keys conform to the same", " format as path sub-keys (experimental)", " - Aspect based configuration: make unset and set behaviour similar", " to configuration options (experimental)", " - Aspect based configuration: limit nesting level for setting value", " (experimental)", " - Components: use symlinks to point active snap component revisions", " - Components: add model assertion support for components", " - Components: fix to ensure local component installation always gets", " a new revision number", " - Add basic support for a CIFS remote filesystem-based home", " directory", " - Add support for AppArmor profile kill mode to avoid snap-confine", " error", " - Allow more than one interface to grant access to the same API", " endpoint or notice type", " - Allow all 
snapd service's control group processes to send systemd", " notifications to prevent warnings flooding the log", " - Enable not preseeded single boot install", " - Update secboot to handle new sbatlevel", " - Fix to not use cgroup for non-strict confined snaps (devmode,", " classic)", " - Fix two race conditions relating to freedesktop notifications", " - Fix missing tunables in snap-update-ns AppArmor template", " - Fix rejection of snapd snap udev command line by older host snap-", " device-helper", " - Rework seccomp allow/deny list", " - Clean up files removed by gadgets", " - Remove non-viable boot chains to avoid secboot failure", " - posix_mq interface: add support for missing time64 mqueue syscalls", " mq_timedreceive_time64 and mq_timedsend_time64", " - password-manager-service interface: allow kwalletd version 6", " - kubernetes-support interface: allow SOCK_SEQPACKET sockets", " - system-observe interface: allow listing systemd units and their", " properties", " - opengl interface: enable use of nvidia container toolkit CDI", " config generation", "" ], "package": "snapd", "version": "2.63", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2061179 ], "author": "Ernest Lotter ", "date": "Wed, 24 Apr 2024 02:00:39 +0200" } ], "notes": null }, { "name": "sosreport", "from_version": { "source_package_name": "sosreport", "source_package_version": "4.5.6-0ubuntu1~22.04.2", "version": "4.5.6-0ubuntu1~22.04.2" }, "to_version": { "source_package_name": "sosreport", "source_package_version": "4.7.2-0ubuntu1~22.04.1", "version": "4.7.2-0ubuntu1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2054395 ], "changes": [ { "cves": [], "log": [ "", " * New 4.7.2 upstream release. 
(LP: #2054395)", "", " * For more details, full release note is available here:", " - https://github.com/sosreport/sos/releases/tag/4.7.2", "", " * d/control:", " - Add 'python3-packaging' as part of the runtime depends.", " - Add 'python3-packaging' as part of the build depends:", " Use packaging for version comparison instead of pkg_resources from", " setuptools.", " - Add 'python3-yaml' as part of the build depends:", " The new saltstack collect plugin now imports the yaml module, this is", " now required to build and run the sos package", "", " * Former patches, now fixed:", " - d/p/0002-obfuscate-netplan-ssid-password.patch", "", " * Remaining patches:", " - d/p/0001-debian-change-tmp-dir-location.patch", "" ], "package": "sosreport", "version": "4.7.2-0ubuntu1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2054395 ], "author": "Arif Ali ", "date": "Fri, 21 Jun 2024 09:52:04 +0100" } ], "notes": null }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", 
"source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", 
"source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null } ], "snap": [ { "name": "core20", "from_version": { "source_package_name": null, "source_package_version": null, "version": "2379" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": 
"2434" } }, { "name": "snapd", "from_version": { "source_package_name": null, "source_package_version": null, "version": "21759" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "23258" } }, { "name": "lxd", "from_version": { "source_package_name": null, "source_package_version": null, "version": "29351" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "31333" } } ] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-126", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-126.136", "version": "5.15.0-126.136" }, "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-40915", "url": "https://ubuntu.com/security/CVE-2024-40915", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context __kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages. This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm's semaphore, and this operation may sleep. This is problematic, because __kernel_map_pages() can be called in atomic context, and thus is illegal to sleep. 
An example warning that this causes: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd preempt_count: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] ret_from_fork+0xe/0x1c Rewrite this function with apply_to_existing_page_range(). It is fine to not have any locking, because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. 
This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). 
As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. 
[1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2024-26893", "url": "https://ubuntu.com/security/CVE-2024-26893", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in SMC transport cleanup path When the generic SCMI code tears down a channel, it calls the chan_free callback function, defined by each transport. Since multiple protocols might share the same transport_info member, chan_free() might want to clean up the same member multiple times within the given SCMI transport implementation. In this case, it is SMC transport. This will lead to a NULL pointer dereference at the second time: | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16 | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled. 
| arm-scmi firmware:scmi: unable to communicate with SCMI | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000 | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793 | Hardware name: FVP Base RevC (DT) | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : smc_chan_free+0x3c/0x6c | lr : smc_chan_free+0x3c/0x6c | Call trace: | smc_chan_free+0x3c/0x6c | idr_for_each+0x68/0xf8 | scmi_cleanup_channels.isra.0+0x2c/0x58 | scmi_probe+0x434/0x734 | platform_probe+0x68/0xd8 | really_probe+0x110/0x27c | __driver_probe_device+0x78/0x12c | driver_probe_device+0x3c/0x118 | __driver_attach+0x74/0x128 | bus_for_each_dev+0x78/0xe0 | driver_attach+0x24/0x30 | bus_add_driver+0xe4/0x1e8 | driver_register+0x60/0x128 | __platform_driver_register+0x28/0x34 | scmi_driver_init+0x84/0xc0 | do_one_initcall+0x78/0x33c | kernel_init_freeable+0x2b8/0x51c | kernel_init+0x24/0x130 | ret_from_fork+0x10/0x20 | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280) | ---[ end trace 0000000000000000 ]--- Simply check for the struct pointer being NULL before trying to access its members, to avoid this situation. 
This was found when a transport doesn't really work (for instance no SMC service), the probe routines then tries to clean up, and triggers a crash.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26661", "url": "https://ubuntu.com/security/CVE-2024-26661", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-25744", "url": "https://ubuntu.com/security/CVE-2024-25744", "cve_description": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", "cve_priority": "medium", "cve_public_date": "2024-02-12 05:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. 
In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" } ], "launchpad_bugs_fixed": [ 2086027, 2085082, 2083001, 2077321, 2081279, 2080594, 1959940, 2069961, 2078428, 2074380, 2076100, 2080594 ], "changes": [ { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-126.136 -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", "", " * Cannot detect audio sinks and sources in proposed kernel (LP: #2085082)", " - soundwire: stream: Revert \"soundwire: stream: fix programming slave ports", " for non-continous port maps\"", "" ], "package": "linux", "version": "5.15.0-126.136", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086027, 2085082 ], "author": "Stefan Bader ", "date": "Wed, 06 Nov 2024 10:28:09 +0100" }, { "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-40915", "url": "https://ubuntu.com/security/CVE-2024-40915", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context __kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages. This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm's semaphore, and this operation may sleep. This is problematic, because __kernel_map_pages() can be called in atomic context, and thus is illegal to sleep. 
An example warning that this causes: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd preempt_count: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] ret_from_fork+0xe/0x1c Rewrite this function with apply_to_existing_page_range(). It is fine to not have any locking, because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. 
This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). 
As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. 
[1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2024-26893", "url": "https://ubuntu.com/security/CVE-2024-26893", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in SMC transport cleanup path When the generic SCMI code tears down a channel, it calls the chan_free callback function, defined by each transport. Since multiple protocols might share the same transport_info member, chan_free() might want to clean up the same member multiple times within the given SCMI transport implementation. In this case, it is SMC transport. This will lead to a NULL pointer dereference at the second time: | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16 | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled. 
| arm-scmi firmware:scmi: unable to communicate with SCMI | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000 | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793 | Hardware name: FVP Base RevC (DT) | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : smc_chan_free+0x3c/0x6c | lr : smc_chan_free+0x3c/0x6c | Call trace: | smc_chan_free+0x3c/0x6c | idr_for_each+0x68/0xf8 | scmi_cleanup_channels.isra.0+0x2c/0x58 | scmi_probe+0x434/0x734 | platform_probe+0x68/0xd8 | really_probe+0x110/0x27c | __driver_probe_device+0x78/0x12c | driver_probe_device+0x3c/0x118 | __driver_attach+0x74/0x128 | bus_for_each_dev+0x78/0xe0 | driver_attach+0x24/0x30 | bus_add_driver+0xe4/0x1e8 | driver_register+0x60/0x128 | __platform_driver_register+0x28/0x34 | scmi_driver_init+0x84/0xc0 | do_one_initcall+0x78/0x33c | kernel_init_freeable+0x2b8/0x51c | kernel_init+0x24/0x130 | ret_from_fork+0x10/0x20 | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280) | ---[ end trace 0000000000000000 ]--- Simply check for the struct pointer being NULL before trying to access its members, to avoid this situation. 
This was found when a transport doesn't really work (for instance no SMC service), the probe routines then tries to clean up, and triggers a crash.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26661", "url": "https://ubuntu.com/security/CVE-2024-26661", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-25744", "url": "https://ubuntu.com/security/CVE-2024-25744", "cve_description": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", "cve_priority": "medium", "cve_public_date": "2024-02-12 05:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. 
In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-125.135 -proposed tracker (LP: #2083001)", "", " * CVE-2024-26800", " - tls: rx: coalesce exit paths in tls_decrypt_sg()", " - tls: separate no-async decryption request handling from async", " - tls: fix use-after-free on failed backlog decryption", "", " * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch", " (LP: #2077321)", " - x86/CPU/AMD: Improve the erratum 1386 workaround", "", " * Jammy update: v5.15.167 upstream stable release (LP: #2081279)", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown", " - ALSA: hda/conexant: Mute speakers at suspend / shutdown", " - i2c: Fix conditional for substituting empty ACPI functions", " - dma-debug: avoid deadlock between dma debug vs printk and netconsole", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr", " - drm/amd/display: Assign linear_pitch_alignment even for VM", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc", " - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr", " - drm/amd/pm: fix warning using uninitialized value of max_vid_step", " - drm/amd/pm: fix the Out-of-bounds read warning", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr", " - drm/amdgpu: avoid reading vf2pf info size from FB", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - drm/amd/display: Add array index check for hdcp ddc access", " - drm/amd/display: Check num_valid_sets before 
accessing reader_wm_sets[]", " - drm/amd/display: Check msg_id before processing transcation", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amd/amdgpu: Check tbo resource pointer", " - drm/amdgpu/pm: Fix uninitialized variable warning for smu10", " - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response", " - drm/amdgpu: Fix out-of-bounds write warning", " - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number", " - drm/amdgpu: fix ucode out-of-bounds read warning", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy", " SOCs", " - drm/amdgpu: fix the waring dereferencing hive", " - drm/amd/pm: check specific index for aldebaran", " - drm/amdgpu: the warning dereferencing obj for nbio_v7_4", " - drm/amd/pm: check negtive return for table entries", " - drm/amdgpu: update type of buf size to u32 for eeprom functions", " - wifi: iwlwifi: remove fw_running op", " - cpufreq: scmi: Avoid overflow of target_freq in fast switch", " - PCI: al: Check IORESOURCE_BUS existence during probe", " - hwspinlock: Introduce hwspin_lock_bust()", " - RDMA/efa: Properly handle unexpected AQ completions", " - ionic: fix potential irq name truncation", " - rcu/nocb: Remove buggy bypass lock contention mitigation", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - fsnotify: clear PARENT_WATCHED flags lazily", " - smack: tcp: ipv4, fix incorrect labeling", " - drm/meson: plane: Add error handling", " - drm/bridge: tc358767: Check if fully initialized before signalling HPD event", " via IRQ", " - wifi: cfg80211: make hash table duplicates more survivable", " - block: remove the blk_flush_integrity call in blk_integrity_unregister", " - 
drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr", " - virtio_net: Fix napi_skb_cache_put warning", " - rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow", " - ext4: reject casefold inode flag without casefold feature", " - udf: Limit file size to 4TB", " - ext4: handle redirtying in ext4_bio_write_page()", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - sch/netem: fix use after free in netem_dequeue", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE", " - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ALSA: hda/realtek: add patch for internal mic in Lenovo V145", " - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " - nvme-pci: Add sleep quirk for Samsung 990 Evo", " - Revert \"Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE\"", " - Bluetooth: MGMT: Ignore keys being loaded with invalid type", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - mmc: cqhci: Fix checking of CQHCI_HALT state", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - 
ila: call nf_unregister_net_hooks() sooner", " - sched: sch_cake: fix bulk flow accounting logic for host fairness", " - nilfs2: fix missing cleanup on rollforward recovery error", " - nilfs2: fix state management in error path of log writing function", " - mptcp: pm: re-using ID of unused flushed subflows", " - mptcp: pm: only decrement add_addr_accepted for MPJ req", " - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR", " - mptcp: pm: fullmesh: select the right ID later", " - mptcp: constify a bunch of of helpers", " - mptcp: pm: avoid possible UaF when selecting endp", " - mptcp: avoid duplicated SUB_CLOSED events", " - mptcp: close subflow when receiving TCP+FIN", " - mptcp: pm: ADD_ADDR 0 is not a new address", " - mptcp: pm: do not remove already closed subflows", " - mptcp: pm: skip connecting to already established sf", " - mptcp: pr_debug: add missing \\n at the end", " - mptcp: pm: send ACK on an active subflow", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - smack: unix sockets: fix accept()ed socket label", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - iommu: sun50i: clear bypass register", " - netfilter: nf_conncount: fix wrong variable type", " - udf: Avoid excessive partition lengths", " - media: vivid: fix wrong sizeimage value for mplane", " - leds: spi-byte: Call of_node_put() on error path", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - drm/amd/display: Check HDCP returned status", " - media: vivid: don't set HDMI TX controls if there are no HDMI outputs", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6", " - can: 
bcm: Remove proc entry when dev is unregistered.", " - can: m_can: Release irq on error in m_can_open", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " - igc: Unlock on error in igc_io_resume()", " - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset", " - net: usb: don't write directly to netdev->dev_addr", " - usbnet: modern method to get random MAC", " - bareudp: Fix device stats updates.", " - gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers", " - gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers", " - fou: Fix null-ptr-deref in GRO.", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - um: line: always fill *error_out in setup_one_line()", " - devres: Initialize an uninitialized struct member", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - drm/amdgpu: Set no_hw_access when VF request full GPU fails", " - ext4: fix possible tid_t sequence overflows", " - dma-mapping: benchmark: Don't starve others when doing the test", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - fs/ntfs3: Check more cases 
when directory is corrupted", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()", " - riscv: set trap vector earlier", " - PCI: Add missing bridge lock to pci_bus_lock()", " - net: dpaa: avoid on-stack arrays of NR_CPUS elements", " - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup", " - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " - HID: amd_sfh: free driver_data after destroying hid device", " - Input: uinput - reject requests with unreasonable number of slots", " - usbnet: ipheth: race between ipheth_close and error handling", " - Squashfs: sanity check symbolic link size", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - cifs: Check the lease context if we actually got a lease", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - iio: adc: ad7124: fix config comparison", " - iio: adc: ad7124: fix chip ID mismatch", " - usb: dwc3: core: update LC timer as per USB Spec V3.2", " - binder: fix UAF caused by offsets overwrite", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", 
" - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - perf/aux: Fix AUX buffer serialization", " - ksmbd: unset the binding mark of a reused connection", " - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()", " - nilfs2: replace snprintf in show functions with sysfs_emit", " - nilfs2: protect references to superblock parameters exposed in sysfs", " - workqueue: wq_watchdog_touch is always called with valid CPU", " - workqueue: Improve scalability of workqueue watchdog touch", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " - nvmet-tcp: fix kernel crash if commands allocation fails", " - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - gpio: rockchip: fix OF node leak in probe()", " - net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation", " - net: change maximum number of UDP segments to 128", " - gso: fix dodgy bit handling for GSO_UDP_L4", " - net: drop bad gso csum_start and offset in virtio_net_hdr", " - x86/mm: Fix PTI for i386 some more", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - btrfs: fix race between direct IO write and fsync when using same fd", " - memcg: protect concurrent access to mem_cgroup_idr", " - udp: fix receiving fraglist GSO packets", 
" - Linux 5.15.167", "", " * CVE-2024-41071", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", "", " * CVE-2024-40915", " - riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context", "", " * CVE-2024-38611", " - media: i2c: et8ek8: Don't strip remove function when driver is builtin", "", " * CVE-2024-38602", " - ax25: Fix reference count leak issues of ax25_dev", "", " * CVE-2024-26669", " - net/sched: flower: Fix chain template offload", "", " * CVE-2024-26607", " - drm/bridge: sii902x: Fix probing race issue", "", " * Jammy update: v5.15.166 upstream stable release (LP: #2080594)", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - char: xillybus: Don't destroy workqueue from work item running on it", " - char: xillybus: Refine workqueue handling", " - char: xillybus: Check USB endpoints when probing device", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET", " - ALSA: usb-audio: Support Yamaha P-125 quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - thunderbolt: Mark XDomain as unplugged when router is removed", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - vfs: Don't evict inode under the inode lru traversing context", " - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - btrfs: tree-checker: add dev extent item checks", " - drm/amdgpu: Actually check flags for all 
context ops.", " - memcg_write_event_control(): fix a user-triggerable oops", " - drm/amdgpu/jpeg2: properly set atomics vmid field", " - s390/uv: Panic for set and remove shared access UVC errors", " - igc: Correct the launchtime offset", " - igc: remove I226 Qbv BaseTime restriction", " - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - atm: idt77252: prevent use after free in dequeue_rx()", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: dsa: vsc73xx: use read_poll_timeout instead delay loop", " - net: dsa: vsc73xx: check busy flag in MDIO operations", " - mlxbf_gige: Remove two unused function declarations", " - mlxbf_gige: disable RX filters until RX path initialized", " - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size", " - netfilter: allow ipv6 fragments to arrive on different devices", " - netfilter: flowtable: initialise extack before use", " - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks", " - net: hns3: fix wrong use of semaphore up", " - net: hns3: fix a deadlock problem when config TC during resetting", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - ssb: Fix division by zero issue in ssb_calc_clock_rate", " - wifi: cfg80211: check wiphy mutex is held for wdev mutex", " - wifi: mac80211: fix BA session teardown race", " - wifi: cw1200: Avoid processing an invalid TIM IE", " - i2c: riic: avoid potential division by zero", " - RDMA/rtrs: Fix the problem of variable not initialized fully", " - s390/smp,mcck: fix early IPI handling", " - i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out", " - i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer", " - media: radio-isa: use dev_name to fill in bus_info", " - staging: iio: resolver: ad2s1210: fix use before initialization", " - drm/amd/display: 
Validate hw_points_num before using it", " - staging: ks7010: disable bh on tx_dev_lock", " - binfmt_misc: cleanup on filesystem umount", " - media: qcom: venus: fix incorrect return value", " - scsi: spi: Fix sshdr use", " - gfs2: setattr_chown: Add missing initialization", " - wifi: iwlwifi: abort scan when rfkill on but device enabled", " - wifi: iwlwifi: fw: Fix debugfs command sending", " - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock", " - hwmon: (ltc2992) Avoid division by zero", " - arm64: Fix KASAN random tag seed initialization", " - memory: tegra: Skip SID programming if SID registers aren't set", " - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu", " - nvmet-trace: avoid dereferencing pointer too early", " - ext4: do not trim the group with corrupted block bitmap", " - afs: fix __afs_break_callback() / afs_drop_open_mmap() race", " - fuse: fix UAF in rcu pathwalks", " - quota: Remove BUG_ON from dqget()", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - media: drivers/media/dvb-core: copy user arrays safely", " - net/sun3_82586: Avoid reading past buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - virtiofs: forbid newlines in tags", " - clocksource/drivers/arm_global_timer: Guard against division by zero", " - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - memory: stm32-fmc2-ebi: check regmap_read return value", " - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", 
" - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: change BUG_ON to assertion in tree_move_down()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - Bluetooth: bnep: Fix out-of-bound access", " - net: hns3: add checking for vf id of mailbox", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - clocksource: Make watchdog and suspend-timing multiplication overflow safe", " - platform/x86: lg-laptop: fix %s null argument warning", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - hrtimer: Prevent queuing of hrtimer without a function callback", " - gtp: pull network headers in gtp_dev_xmit()", " - block: use \"unsigned long\" for blk_validate_block_size().", " - nfsd: move reply cache initialization into nfsd startup", " - nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net", " - NFSD: Refactor nfsd_reply_cache_free_locked()", " - NFSD: Rename nfsd_reply_cache_alloc()", " - NFSD: Replace nfsd_prune_bucket()", " - NFSD: Refactor the duplicate reply cache shrinker", " - NFSD: Rewrite synopsis of nfsd_percpu_counters_init()", " - NFSD: Fix frame size warning in svc_export_parse()", " - sunrpc: don't change ->sv_stats if it doesn't exist", " - nfsd: stop setting ->pg_stats for unused stats", " - sunrpc: pass in the sv_stats struct through 
svc_create_pooled", " - sunrpc: remove ->pg_stats from svc_program", " - sunrpc: use the struct net as the svc proc private", " - nfsd: rename NFSD_NET_* to NFSD_STATS_*", " - nfsd: expose /proc/net/sunrpc/nfsd in net namespaces", " - nfsd: make all of the nfsd stats per-network namespace", " - nfsd: remove nfsd_stats, make th_cnt a global counter", " - nfsd: make svc_stat per-network namespace instead of global", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - net: mana: Fix doorbell out of order violation and avoid unnecessary", " doorbell rings", " - platform/surface: aggregator: Fix warning when controller is destroyed in", " probe", " - Bluetooth: hci_core: Fix LE quote calculation", " - Bluetooth: SMP: Fix assumption of Central always being Initiator", " - tc-testing: don't access non-existent variable on exception", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - ip6_tunnel: Fix broken GRO", " - bonding: fix bond_ipsec_offload_ok return type", " - bonding: fix null pointer deref in bond_ipsec_offload_ok", " - bonding: fix xfrm real_dev null pointer dereference", " - bonding: fix xfrm state handling when clearing active slave", " - ice: fix ICE_LAST_OFFSET formula", " - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()", " - net: dsa: mv88e6xxx: read FID when handling ATU violations", " - net: dsa: mv88e6xxx: replace ATU violation prints with trace points", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - ipv6: prevent UAF in ip6_send_skb()", " - ipv6: fix possible UAF in ip6_finish_output2()", " - ipv6: prevent possible UAF in ip6_xmit()", " - netfilter: flowtable: validate vlan header", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", 
" - drm/msm/dpu: don't play tricks with debug macros", " - drm/msm/dp: reset the link phy params before link training", " - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - scsi: core: Fix the return value of scsi_logical_block_count()", " - MIPS: Loongson64: Set timer mode in cpu-probe", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - HID: microsoft: Add rumble support to latest xbox controllers", " - cxgb4: add forgotten u64 ivlan cast before shift", " - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - Revert \"drm/amd/display: Validate hw_points_num before using it\"", " - hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()", " - ALSA: timer: Relax start tick time check for slave timer elements", " - mm/numa: no task_numa_fault() call if PMD is changed", " - mm/numa: no task_numa_fault() call if PTE is changed", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - btrfs: run delayed iputs when flushing delalloc", " - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: mwifiex: duplicate static structs used in driver instances", " - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response", " - mptcp: sched: check both backup in retrans", " - Revert \"MIPS: Loongson64: reset: Prioritise firmware service\"", " - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages", " - ata: libata-core: Fix null pointer dereference on error", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - net:rds: Fix possible deadlock in rds_message_put", " - soundwire: stream: fix programming slave ports for non-continous port maps", " - PM: core: Remove 
DEFINE_UNIVERSAL_DEV_PM_OPS() macro", " - PM: core: Add EXPORT[_GPL]_SIMPLE_DEV_PM_OPS macros", " - PM: runtime: Add DEFINE_RUNTIME_DEV_PM_OPS() macro", " - phy: xilinx: add runtime PM support", " - phy: xilinx: phy-zynqmp: dynamic clock support for power-save", " - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume", " - dmaengine: dw: Add peripheral bus width verification", " - dmaengine: dw: Add memory bus width verification", " - ethtool: check device is present when getting link settings", " - gtp: fix a potential NULL pointer dereference", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - USB: serial: option: add MeiG Smart SRM825L", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function", " - usb: cdnsp: fix for Link TRB with TC", " - phy: zynqmp: Enable reference clock correctly", " - igc: Fix reset adapter logics when tx mode change", " - igc: Fix qbv tx latency by setting gtxoffset", " - scsi: aacraid: Fix double-free on probe failure", " - apparmor: fix policy_unpack_test on big endian systems", " - Linux 5.15.166", "", " * CVE-2024-26893", " - firmware: arm_scmi: Fix double free in SMC transport cleanup path", "", " * [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer keys", " - kernel part (LP: #1959940)", " - s390: uv: Add offset comments to UV query struct and fix naming", " - s390/uv: Add SE hdr query information", " - s390/uv: Add dump fields to 
query", " - KVM: s390: pv: Add query interface", " - KVM: s390: pv: Add dump support definitions", " - KVM: s390: pv: Add query dump information", " - KVM: s390: Add configuration dump functionality", " - KVM: s390: Add CPU dump functionality", " - KVM: s390: Add KVM_CAP_S390_PROTECTED_DUMP", " - Documentation: KVM: add separate directories for architecture-specific", " documentation", " - Documentation: virt: Protected virtual machine dumps", " - Documentation/virt/kvm/api.rst: Add protvirt dump/info api descriptions", " - Documentation/virt/kvm/api.rst: Explain rc/rrc delivery", "", " * turbostat fails with too many open files on large systems (LP: #2069961)", " - tools/power turbostat: Increase the limit for fd opened", "", " * Jammy update: v5.15.165 upstream stable release (LP: #2078428)", " - f2fs: fix return value of f2fs_convert_inline_inode()", " - f2fs: fix to don't dirty inode for readonly filesystem", " - EDAC, i10nm: make skx_common.o a separate module", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - block: refactor to use helper", " - block: cleanup bio_integrity_prep", " - block: initialize integrity buffer to zero before writing it to media", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - pwm: stm32: Always do lazy disabling", " - drm/meson: fix canvas release in bind function", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings", " - arm64: dts: qcom: sm8250: add power-domain to UFS 
PHY", " - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()", " callers", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - memory: fsl_ifc: Make FSL_IFC config visible and selectable", " - soc: qcom: pdr: protect locator_addr with the main mutex", " - soc: qcom: pdr: fix parsing of domains lists", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - x86/xen: Convert comma to semicolon", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - ARM: pxa: spitz: use gpio descriptors for audio", " - ARM: spitz: fix GPIO assignment for backlight", " - vmlinux.lds.h: catch .bss..L* sections into BSS\")", " - firmware: turris-mox-rwtm: Do not complete if there are no waiters", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - selftests/bpf: Fix prog numbers in test_sockmap", " - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP", " - tcp: annotate lockless accesses to sk->sk_err_soft", " - tcp: annotate lockless access to sk->sk_err", " - tcp: add tcp_done_with_error() helper", " - tcp: fix race in tcp_write_err()", " - tcp: fix races in tcp_v[46]_err()", 
" - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more", " flexible", " - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors", " - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - libbpf: Checking the btf_type kind when fixing variable offsets", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: rise cap on SELinux secmark context", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - perf: Fix default aux_watermark calculation", " - wifi: virt_wifi: avoid reporting connection success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - locking/rwsem: Add __always_inline annotation to __down_write_common() and", " inlined callers", " - selftests/bpf: Close fd in error path in drop_on_reuseport", " - bpf: annotate BTF show functions with __printf", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - bpf: Eliminate remaining \"make W=1\" warnings in kernel/bpf/btf.o", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - xdp: fix invalid wait context of page_pool_destroy()", " - drm/amd/pm: Fix aldebaran pcie speed reporting", " - drm/amdgpu: Check if NBIO funcs are 
NULL in amdgpu_device_baco_exit", " - drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before", " regulators", " - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()", " - media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()", " - media: imon: Fix race getting ictx->lock", " - media: i2c: Fix imx412 exposure control", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: uvcvideo: Override default flags", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - drm/mediatek: Add missing plane settings when async update", " - drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - Revert \"leds: led-core: Fix refcount leak in of_led_get()\"", " - ext4: fix infinite loop when replaying fast_commit", " - media: venus: flush all buffers in output plane streamoff", " - perf intel-pt: Fix aux_watermark calculation for 64-bit size", " - perf intel-pt: Fix exclude_guest setting", " - mfd: rsmu: Split core code into separate module", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - xprtrdma: Fix rpcrdma_reqs_reset()", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server", " - ext4: return early for non-eligible fast_commit track events", " - ext4: don't track ranges in fast_commit if inode has inlined data", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - PCI: Fix resource double counting on remove & rescan", " - clk: 
qcom: branch: Add helper functions for setting retain bits", " - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock", " - coresight: Fix ref leak when of_coresight_parse_endpoint() fails", " - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE", " - RDMA/cache: Release GID table even if leak is detected", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: max98088: Check for clk_prepare_enable() error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - PCI: endpoint: Clean up error handling in vpci_scan_bus()", " - vhost/vsock: always initialize seqpacket_allow", " - net: missing check virtio", " - MIPS: Octeron: remove source file executable bit", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - RDMA/hns: Fix missing pagesize and alignment check in FRMR", " - RDMA/hns: Fix undifined behavior caused by invalid max_sge", " - RDMA/hns: Fix insufficient extend DB for VFs.", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - netfilter: nf_set_pipapo: fix initial map fill", " - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports", " - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports", " - fs/ntfs3: Use ALIGN kernel macro", " - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT", " - fs/ntfs3: Fix transform resident to nonresident for compressed files", " - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting", " - fs/ntfs3: Fix getting file type", " - pinctrl: rockchip: update rk3308 iomux routes", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: 
fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: Drop if block with always false condition", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/ntfs3: Replace inode_trylock with inode_lock", " - fs/ntfs3: Fix field-spanning write in INDEX_HDR", " - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - fs/ntfs3: Missed error return", " - landlock: Don't lose track of restrictions on cred_transfer", " - mm/hugetlb: fix possible recursive locking detected warning", " - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer", " - dt-bindings: thermal: correct thermal zone node name limit", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - ipv6: take care of scope when choosing the src addr", " - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE", " tasks", " - fuse: verify {g,u}id mount options correctly", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error", " - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - ext2: Verify bitmap and itable block numbers before using them", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - scsi: qla2xxx: Fix optrom version displayed in FDMI", " - drm/amd/display: Check for NULL pointer", " - sched/fair: Use all little CPUs for CPU-bound workloads", " - apparmor: use kvfree_sensitive to free data->data", " - 
task_work: s/task_work_cancel()/task_work_cancel_func()/", " - task_work: Introduce task_work_cancel() again", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - io_uring: tighten task exit cancellations", " - selftests/landlock: Add cred_transfer test", " - wifi: mwifiex: Fix interface type change", " - leds: ss4200: Convert PCIBIOS_* return codes to errnos", " - jbd2: make jbd2_journal_get_max_txn_bufs() internal", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()", " - ALSA: usb-audio: Fix microphone sound on HD webcam.", " - ALSA: usb-audio: Move HD Webcam quirk to the right place", " - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - PCI: dw-rockchip: Fix initial PERST# GPIO value", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - binder: fix hang of unregistered readers", " - dev/parport: fix the array out-of-bounds risk", " - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - decompress_bunzip2: fix rare decompression failure", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - gve: Fix an edge case for TSO skb validity check", " - devres: Fix devm_krealloc() wasting memory", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - mm/numa_balancing: 
teach mpol_to_str about the balancing mode", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Unable to act on RSCN for port online", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Use QP lock to search for bsg", " - scsi: qla2xxx: Fix flash read failure", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf: Fix event leak upon exit", " - perf: Fix event leak upon exec and file release", " - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8", " - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell", " - drm/i915/dp: Reset intel_dp->link_trained before retraining the link", " - rtc: isl1208: Fix return value of nvmem callbacks", " - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - remoteproc: stm32_rproc: Fix mailbox interrupts queuing", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - MIPS: ip30: ip30-console: Add missing include", " - MIPS: dts: loongson: Fix GMAC phy node", " - MIPS: Loongson64: env: Hook up Loongsson-2K", " - MIPS: Loongson64: Remove memory node for builtin-dtb", " - MIPS: Loongson64: reset: Prioritise firmware service", " - MIPS: Loongson64: Test register availability before use", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: 
don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - nilfs2: handle inconsistent state in nilfs_btnode_create_block()", " - io_uring/io-wq: limit retrying worker initialisation", " - kernel: rerun task_work while freezing in get_signal()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - jfs: Fix array-index-out-of-bounds in diFree", " - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels", " - phy: cadence-torrent: Check return value on register read", " - um: time-travel: fix time-travel-start option", " - um: time-travel: fix signal blocking race/hang", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - dma: fix call order in dmam_free_coherent", " - bpf, events: Use prog to emit ksymbol event for main program", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - netfilter: nft_set_pipapo_avx2: disable softinterrupts", " - tipc: Return non-zero value from tipc_udp_addr2str() on error", " - net: stmmac: Correct byte order of perfect_match", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - mISDN: Fix a use after free in hfcmulti_tx()", " - apparmor: Fix null pointer deref when receiving skb during sock creation", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - lirc: rc_dev_get_from_fd(): fix file leak", " - spi: spidev: Make probe to fail early if a spidev compatible is used", " - spi: spidev: Replace ACPI specific code by device_get_match_data()", " - spi: spidev: Replace OF specific code by device property API", " - spidev: Add Silicon Labs EM3581 device compatible", " - spi: 
spidev: order compatibles alphabetically", " - spi: spidev: add correct compatible for Rohm BH2228FV", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - ceph: fix incorrect kmalloc size of pagevec mempool", " - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en", " - nvme: split command copy into a helper", " - nvme: separate command prep and issue", " - nvme-pci: add missing condition check for existence of mapped data", " - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT", " - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC", " - arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node", " - arm64: dts: qcom: msm8998: drop USB PHY clock index", " - arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings", " - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB", " - sysctl: always initialize i_uid/i_gid", " - ext4: make ext4_es_insert_extent() return void", " - ext4: refactor ext4_da_map_blocks()", " - ext4: convert to exclusive lock while inserting delalloc extents", " - ext4: factor out a common helper to query extent map", " - ext4: check the extent status again before inserting delalloc block", " - soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver", " - drivers: soc: xilinx: check return status of get_api_version()", " - leds: trigger: use RCU to protect the led_cdevs list", " - leds: trigger: Remove unused function led_trigger_rename_static()", " - leds: trigger: Store brightness set by led_trigger_event()", " - leds: trigger: Call synchronize_rcu() before calling trig->activate()", " - leds: triggers: Flush pending brightness before activating trigger", " - irqdomain: Fixed unbalanced fwnode get and put", " - genirq: Allow the PM device to originate from irq domain", " - irqchip/imx-irqsteer: Constify irq_chip struct", " - irqchip/imx-irqsteer: Add 
runtime PM support", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume", " - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init", " - MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000", " - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a", " - MIPS: dts: loongson: Fix liointc IRQ polarity", " - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - sched: act_ct: take care of padding in struct zones_ht_key", " - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode", " - rtnetlink: enable alt_ifname for setlink/newlink", " - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in", " rtnl_dellink().", " - net/iucv: fix use after free in iucv_sock_close()", " - net: mvpp2: Don't re-use loop iterator", " - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().", " - netfilter: iptables: Fix potential null-ptr-deref in", " ip6table_nat_table_init().", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()", " - power: supply: bq24190_charger: replace deprecated strncpy with strscpy", " - platform/chrome: cros_ec_proto: Lock device when updating MKBP version", " - HID: wacom: Modify pen IDs", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G", " - Revert \"ALSA: firewire-lib: obsolete workqueue for period update\"", " - Revert \"ALSA: firewire-lib: operate for period elapse event in process", " context\"", " - drm/vmwgfx: Fix a deadlock in dma buf fence polling", " - net: usb: sr9700: fix uninitialized variable use in 
sr_mdio_read", " - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY", " - mptcp: fix duplicate data handling", " - netfilter: ipset: Add list flush to cancel_gc", " - genirq: Allow irq_chip registration functions to take a const irq_chip", " - irqchip/mbigen: Fix mbigen node address layout", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - x86/mm: Fix pti_clone_entry_text() for i386", " - sctp: move hlist_node and hashent out of sctp_ep_common", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: bridge: mcast: wait for previous gc cycles when removing port", " - net: linkwatch: use system_unbound_wq", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()", " - l2tp: fix lockdep splat", " - net: fec: Stop PPS on driver remove", " - rcutorture: Fix rcu_torture_fwd_cb_cr() data race", " - md: do not delete safemode_timer in mddev_suspend", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - drm/amdgpu/pm: Fix the null pointer dereference for smu7", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules", " - drm/amd/display: Add null checker before passing variables", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on 
USB 3.x", " - ext4: fix uninitialized variable in ext4_inlinedir_to_tree", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - profiling: remove profile=sleep support", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime", " - ext4: fix wrong unit use in ext4_mb_find_by_goal", " - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-", " space", " - arm64: Add Neoverse-V2 part", " - arm64: barrier: Restore spec_bar() macro", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Improve handling of stuck alerts", " - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask", " - ASoC: codecs: wsa881x: Correct Soundwire ports mask", " - spi: spidev: Add missing spi_device_id for bh2228fv", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - kprobes: Fix to check symbol prefixes correctly", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - ALSA: usb-audio: Re-add ScratchAmp quirk entries", " - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - 
ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - usb: gadget: u_serial: Set start_delayed during suspend", " - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler", " - ntp: Clamp maxerror and esterror to operating range", " - clocksource: Reduce the default clocksource_watchdog() retries to 2", " - torture: Enable clocksource watchdog with \"tsc=watchdog\"", " - clocksource: Scale the watchdog read retries automatically", " - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()", " - irqchip/meson-gpio: support more than 8 channels gpio irq", " - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to", " 'raw_spinlock_t'", " - driver core: Fix uevent_show() vs driver detach race", " - ntp: Safeguard against time_constant overflow", " - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()", " - serial: core: check uartclk for zero to avoid divide by zero", " - kcov: properly check for softirq context", " - irqchip/xilinx: Fix shift out of bounds", " - genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - padata: Fix possible divide-by-0 panic in padata_mt_helper()", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - sched/smt: Introduce sched_smt_present_inc/dec() helper", " - sched/smt: Fix unbalance sched_smt_present 
dec/inc", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/mgag200: Set DDC timeout in milliseconds", " - mptcp: sched: check both directions for backup", " - mptcp: distinguish rcv vs sent backup flag in requests", " - mptcp: fix NL PM announced address accounting", " - mptcp: mib: count MPJ with backup flag", " - mptcp: fix bad RCVPRUNED mib accounting", " - mptcp: pm: only set request_bkup flag when sending MP_PRIO", " - mptcp: export local_address", " - mptcp: pm: fix backup support in signal endpoints", " - selftests: mptcp: join: validate backup in MPJ", " - selftests: mptcp: join: check backup support in signal endp", " - btrfs: fix corruption after buffer fault in during direct IO append write", " - xfs: fix log recovery buffer allocation for the legacy h_size fixup", " - btrfs: fix double inode unlock for direct IO sync writes", " - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal", " - netfilter: nf_tables: set element extended ACK reporting support", " - netfilter: nf_tables: bail out if stateful expression provides no .clone", " - netfilter: nf_tables: allow clone callbacks to sleep", " - netfilter: nf_tables: prefer nft_chain_validate", " - net: stmmac: Enable mac_managed_pm phylink config", " - PCI: dwc: Restore MSI Receiver mask during resume", " - wifi: mac80211: check basic rates validity", " - mptcp: fully established after ADD_ADDR echo on MPJ", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.", " - arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes", " - arm64: cpufeature: Fix the visibility of compat hwcaps", " - exec: Fix ToCToU between perm check and set-uid/gid usage", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - usb: gadget: u_audio: Check return codes from usb_ep_enable and", " config_ep_by_speed.", " - binfmt_flat: Fix corruption when not offsetting data start", " - wifi: cfg80211: 
restrict NL80211_ATTR_TXQ_QUANTUM values", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()\"", " - Revert \"ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error\"", " - Linux 5.15.165", "", " * CVE-2024-26661", " - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'", "", " * CVE-2024-25744", " - x86: Fix misspelled Kconfig symbols", " - x86: Introduce ia32_enabled()", " - x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c", " - x86/coco: Disable 32-bit emulation by default on TDX and SEV", " - x86/entry: Convert INT 0x80 emulation to IDTENTRY", " - x86/entry: Do not allow external 0x80 interrupts", " - x86/entry: Add do_SYSENTER_32() prototype", " - x86/bhi: Add support for clearing branch history at syscall entry", "", " * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible", " (LP: #2074380)", " - s390/cpum_cf: make crypto counters upward compatible across machine types", "", " * Jammy update: v5.15.164 upstream stable release (LP: #2076100)", " - gcc-plugins: Rename last_stmt() for GCC 14+", " - filelock: Remove locks reliably when fcntl/close race is detected", " - ARM: 9324/1: fix get_user() broken with veneer", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - scsi: core: Fix a use-after-free", " - scsi: core: alua: I/O errors for ALUA state transitions", " - scsi: qedf: Don't process stag work during unload and recovery", " - scsi: qedf: Wait for stag work during unload", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: handle tasklet frames before 
stopping", " - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup", " - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd", " - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - selftests/openat2: Fix build warnings on ppc64", " - Input: silead - Always support 10 fingers", " - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()", " - ila: block BH in ila_output()", " - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process", " - null_blk: fix validation of block size", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - fs/file: fix the check in find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - nvme: avoid double free special payload", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - Input: i8042 - add Ayaneo Kun to i8042 quirk table", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ALSA: dmaengine: Synchronize dma channel after drop()", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - s390/sclp: Fix sclp_init() cleanup on failure", " - platform/x86: wireless-hotkey: Add support for LG Airplane Button", " - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling", " - platform/x86: lg-laptop: Change ACPI device id", " - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB", " - btrfs: qgroup: fix quota root leak after quota disable 
failure", " - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()", " - drm/radeon: check bo_va->bo is non-NULL before using it", " - fs: better handle deep ancestor chains in is_subdir()", " - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - spi: mux: set ctlr->bits_per_word_mask", " - tracing: Define the is_signed_type() macro once", " - minmax: sanity check constant bounds when clamping", " - minmax: clamp more efficiently by avoiding extra comparison", " - minmax: fix header inclusions", " - minmax: allow min()/max()/clamp() if the arguments have the same signedness.", " - minmax: allow comparisons of 'int' against 'unsigned char/short'", " - minmax: relax check to allow comparison between unsigned arguments and", " signed constants", " - mm/damon/core: merge regions aggressively when max_nr_regions is unmet", " - wifi: mac80211: disable softirqs for queued frame handling", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " - samples: Add fs error monitoring example", " - samples: Make fs-monitor depend on libc and headers", " - docs: Fix formatting of literal sections in fanotify docs", " - Add gitignore file for samples/fanotify/ subdirectory", " - net: relax socket state check at accept time.", " - ocfs2: add bounds checking 
to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - fs/ntfs3: Validate ff offset", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360", " - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB", " - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused", " - filelock: Fix fcntl/close race recovery compat path", " - wifi: rt2x00: use explicitly signed or unsigned types", " - tun: add missing verification for short frame", " - tap: add missing verification for short frame", " - Linux 5.15.164", "", " * Jammy update: v5.15.166 upstream stable release (LP: #2080594) //", " CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "", " * CVE-2024-38630", " - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger", "", " * CVE-2024-27397", " - netfilter: nf_tables: use timestamp to check for set element timeout", "" ], "package": "linux", "version": "5.15.0-125.135", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2083001, 2077321, 2081279, 2080594, 1959940, 2069961, 2078428, 2074380, 2076100, 2080594 ], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:49:00 +0200" } ], "notes": "linux-headers-5.15.0-126 version '5.15.0-126.136' (source package linux version '5.15.0-126.136') was added. linux-headers-5.15.0-126 version '5.15.0-126.136' has the same source package name, linux, as removed package linux-headers-5.15.0-122. As such we can use the source package version of the removed package, '5.15.0-122.132', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. 
Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.15.0-126-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-126.136", "version": "5.15.0-126.136" }, "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] 
[ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-40915", "url": "https://ubuntu.com/security/CVE-2024-40915", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context __kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages. This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm's semaphore, and this operation may sleep. This is problematic, because __kernel_map_pages() can be called in atomic context, and thus is illegal to sleep. An example warning that this causes: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd preempt_count: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] ret_from_fork+0xe/0x1c Rewrite this function with apply_to_existing_page_range(). 
It is fine to not have any locking, because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. 
The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. 
As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2024-26893", "url": "https://ubuntu.com/security/CVE-2024-26893", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in SMC transport cleanup path When the generic SCMI code tears down a channel, it calls the chan_free callback function, defined by each transport. Since multiple protocols might share the same transport_info member, chan_free() might want to clean up the same member multiple times within the given SCMI transport implementation. In this case, it is SMC transport. This will lead to a NULL pointer dereference at the second time: | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16 | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled. 
| arm-scmi firmware:scmi: unable to communicate with SCMI | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000 | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793 | Hardware name: FVP Base RevC (DT) | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : smc_chan_free+0x3c/0x6c | lr : smc_chan_free+0x3c/0x6c | Call trace: | smc_chan_free+0x3c/0x6c | idr_for_each+0x68/0xf8 | scmi_cleanup_channels.isra.0+0x2c/0x58 | scmi_probe+0x434/0x734 | platform_probe+0x68/0xd8 | really_probe+0x110/0x27c | __driver_probe_device+0x78/0x12c | driver_probe_device+0x3c/0x118 | __driver_attach+0x74/0x128 | bus_for_each_dev+0x78/0xe0 | driver_attach+0x24/0x30 | bus_add_driver+0xe4/0x1e8 | driver_register+0x60/0x128 | __platform_driver_register+0x28/0x34 | scmi_driver_init+0x84/0xc0 | do_one_initcall+0x78/0x33c | kernel_init_freeable+0x2b8/0x51c | kernel_init+0x24/0x130 | ret_from_fork+0x10/0x20 | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280) | ---[ end trace 0000000000000000 ]--- Simply check for the struct pointer being NULL before trying to access its members, to avoid this situation. 
This was found when a transport doesn't really work (for instance no SMC service), the probe routines then tries to clean up, and triggers a crash.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26661", "url": "https://ubuntu.com/security/CVE-2024-26661", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-25744", "url": "https://ubuntu.com/security/CVE-2024-25744", "cve_description": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", "cve_priority": "medium", "cve_public_date": "2024-02-12 05:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. 
In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" } ], "launchpad_bugs_fixed": [ 2086027, 2085082, 2083001, 2077321, 2081279, 2080594, 1959940, 2069961, 2078428, 2074380, 2076100, 2080594 ], "changes": [ { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-126.136 -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", "", " * Cannot detect audio sinks and sources in proposed kernel (LP: #2085082)", " - soundwire: stream: Revert \"soundwire: stream: fix programming slave ports", " for non-continous port maps\"", "" ], "package": "linux", "version": "5.15.0-126.136", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086027, 2085082 ], "author": "Stefan Bader ", "date": "Wed, 06 Nov 2024 10:28:09 +0100" }, { "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-40915", "url": "https://ubuntu.com/security/CVE-2024-40915", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context __kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages. This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm's semaphore, and this operation may sleep. This is problematic, because __kernel_map_pages() can be called in atomic context, and thus is illegal to sleep. 
An example warning that this causes: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd preempt_count: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] ret_from_fork+0xe/0x1c Rewrite this function with apply_to_existing_page_range(). It is fine to not have any locking, because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. 
This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). 
As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. 
[1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2024-26893", "url": "https://ubuntu.com/security/CVE-2024-26893", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in SMC transport cleanup path When the generic SCMI code tears down a channel, it calls the chan_free callback function, defined by each transport. Since multiple protocols might share the same transport_info member, chan_free() might want to clean up the same member multiple times within the given SCMI transport implementation. In this case, it is SMC transport. This will lead to a NULL pointer dereference at the second time: | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16 | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled. 
| arm-scmi firmware:scmi: unable to communicate with SCMI | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000 | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793 | Hardware name: FVP Base RevC (DT) | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : smc_chan_free+0x3c/0x6c | lr : smc_chan_free+0x3c/0x6c | Call trace: | smc_chan_free+0x3c/0x6c | idr_for_each+0x68/0xf8 | scmi_cleanup_channels.isra.0+0x2c/0x58 | scmi_probe+0x434/0x734 | platform_probe+0x68/0xd8 | really_probe+0x110/0x27c | __driver_probe_device+0x78/0x12c | driver_probe_device+0x3c/0x118 | __driver_attach+0x74/0x128 | bus_for_each_dev+0x78/0xe0 | driver_attach+0x24/0x30 | bus_add_driver+0xe4/0x1e8 | driver_register+0x60/0x128 | __platform_driver_register+0x28/0x34 | scmi_driver_init+0x84/0xc0 | do_one_initcall+0x78/0x33c | kernel_init_freeable+0x2b8/0x51c | kernel_init+0x24/0x130 | ret_from_fork+0x10/0x20 | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280) | ---[ end trace 0000000000000000 ]--- Simply check for the struct pointer being NULL before trying to access its members, to avoid this situation. 
This was found when a transport doesn't really work (for instance no SMC service), the probe routines then tries to clean up, and triggers a crash.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26661", "url": "https://ubuntu.com/security/CVE-2024-26661", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-25744", "url": "https://ubuntu.com/security/CVE-2024-25744", "cve_description": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", "cve_priority": "medium", "cve_public_date": "2024-02-12 05:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. 
In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-125.135 -proposed tracker (LP: #2083001)", "", " * CVE-2024-26800", " - tls: rx: coalesce exit paths in tls_decrypt_sg()", " - tls: separate no-async decryption request handling from async", " - tls: fix use-after-free on failed backlog decryption", "", " * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch", " (LP: #2077321)", " - x86/CPU/AMD: Improve the erratum 1386 workaround", "", " * Jammy update: v5.15.167 upstream stable release (LP: #2081279)", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown", " - ALSA: hda/conexant: Mute speakers at suspend / shutdown", " - i2c: Fix conditional for substituting empty ACPI functions", " - dma-debug: avoid deadlock between dma debug vs printk and netconsole", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr", " - drm/amd/display: Assign linear_pitch_alignment even for VM", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc", " - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr", " - drm/amd/pm: fix warning using uninitialized value of max_vid_step", " - drm/amd/pm: fix the Out-of-bounds read warning", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr", " - drm/amdgpu: avoid reading vf2pf info size from FB", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - drm/amd/display: Add array index check for hdcp ddc access", " - drm/amd/display: Check num_valid_sets before 
accessing reader_wm_sets[]", " - drm/amd/display: Check msg_id before processing transcation", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amd/amdgpu: Check tbo resource pointer", " - drm/amdgpu/pm: Fix uninitialized variable warning for smu10", " - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response", " - drm/amdgpu: Fix out-of-bounds write warning", " - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number", " - drm/amdgpu: fix ucode out-of-bounds read warning", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy", " SOCs", " - drm/amdgpu: fix the waring dereferencing hive", " - drm/amd/pm: check specific index for aldebaran", " - drm/amdgpu: the warning dereferencing obj for nbio_v7_4", " - drm/amd/pm: check negtive return for table entries", " - drm/amdgpu: update type of buf size to u32 for eeprom functions", " - wifi: iwlwifi: remove fw_running op", " - cpufreq: scmi: Avoid overflow of target_freq in fast switch", " - PCI: al: Check IORESOURCE_BUS existence during probe", " - hwspinlock: Introduce hwspin_lock_bust()", " - RDMA/efa: Properly handle unexpected AQ completions", " - ionic: fix potential irq name truncation", " - rcu/nocb: Remove buggy bypass lock contention mitigation", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - fsnotify: clear PARENT_WATCHED flags lazily", " - smack: tcp: ipv4, fix incorrect labeling", " - drm/meson: plane: Add error handling", " - drm/bridge: tc358767: Check if fully initialized before signalling HPD event", " via IRQ", " - wifi: cfg80211: make hash table duplicates more survivable", " - block: remove the blk_flush_integrity call in blk_integrity_unregister", " - 
drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr", " - virtio_net: Fix napi_skb_cache_put warning", " - rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow", " - ext4: reject casefold inode flag without casefold feature", " - udf: Limit file size to 4TB", " - ext4: handle redirtying in ext4_bio_write_page()", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - sch/netem: fix use after free in netem_dequeue", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE", " - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ALSA: hda/realtek: add patch for internal mic in Lenovo V145", " - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " - nvme-pci: Add sleep quirk for Samsung 990 Evo", " - Revert \"Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE\"", " - Bluetooth: MGMT: Ignore keys being loaded with invalid type", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - mmc: cqhci: Fix checking of CQHCI_HALT state", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - 
ila: call nf_unregister_net_hooks() sooner", " - sched: sch_cake: fix bulk flow accounting logic for host fairness", " - nilfs2: fix missing cleanup on rollforward recovery error", " - nilfs2: fix state management in error path of log writing function", " - mptcp: pm: re-using ID of unused flushed subflows", " - mptcp: pm: only decrement add_addr_accepted for MPJ req", " - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR", " - mptcp: pm: fullmesh: select the right ID later", " - mptcp: constify a bunch of of helpers", " - mptcp: pm: avoid possible UaF when selecting endp", " - mptcp: avoid duplicated SUB_CLOSED events", " - mptcp: close subflow when receiving TCP+FIN", " - mptcp: pm: ADD_ADDR 0 is not a new address", " - mptcp: pm: do not remove already closed subflows", " - mptcp: pm: skip connecting to already established sf", " - mptcp: pr_debug: add missing \\n at the end", " - mptcp: pm: send ACK on an active subflow", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - smack: unix sockets: fix accept()ed socket label", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - iommu: sun50i: clear bypass register", " - netfilter: nf_conncount: fix wrong variable type", " - udf: Avoid excessive partition lengths", " - media: vivid: fix wrong sizeimage value for mplane", " - leds: spi-byte: Call of_node_put() on error path", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - drm/amd/display: Check HDCP returned status", " - media: vivid: don't set HDMI TX controls if there are no HDMI outputs", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6", " - can: 
bcm: Remove proc entry when dev is unregistered.", " - can: m_can: Release irq on error in m_can_open", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " - igc: Unlock on error in igc_io_resume()", " - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset", " - net: usb: don't write directly to netdev->dev_addr", " - usbnet: modern method to get random MAC", " - bareudp: Fix device stats updates.", " - gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers", " - gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers", " - fou: Fix null-ptr-deref in GRO.", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - um: line: always fill *error_out in setup_one_line()", " - devres: Initialize an uninitialized struct member", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - drm/amdgpu: Set no_hw_access when VF request full GPU fails", " - ext4: fix possible tid_t sequence overflows", " - dma-mapping: benchmark: Don't starve others when doing the test", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - fs/ntfs3: Check more cases 
when directory is corrupted", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()", " - riscv: set trap vector earlier", " - PCI: Add missing bridge lock to pci_bus_lock()", " - net: dpaa: avoid on-stack arrays of NR_CPUS elements", " - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup", " - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " - HID: amd_sfh: free driver_data after destroying hid device", " - Input: uinput - reject requests with unreasonable number of slots", " - usbnet: ipheth: race between ipheth_close and error handling", " - Squashfs: sanity check symbolic link size", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - cifs: Check the lease context if we actually got a lease", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - iio: adc: ad7124: fix config comparison", " - iio: adc: ad7124: fix chip ID mismatch", " - usb: dwc3: core: update LC timer as per USB Spec V3.2", " - binder: fix UAF caused by offsets overwrite", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", 
" - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - perf/aux: Fix AUX buffer serialization", " - ksmbd: unset the binding mark of a reused connection", " - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()", " - nilfs2: replace snprintf in show functions with sysfs_emit", " - nilfs2: protect references to superblock parameters exposed in sysfs", " - workqueue: wq_watchdog_touch is always called with valid CPU", " - workqueue: Improve scalability of workqueue watchdog touch", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " - nvmet-tcp: fix kernel crash if commands allocation fails", " - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - gpio: rockchip: fix OF node leak in probe()", " - net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation", " - net: change maximum number of UDP segments to 128", " - gso: fix dodgy bit handling for GSO_UDP_L4", " - net: drop bad gso csum_start and offset in virtio_net_hdr", " - x86/mm: Fix PTI for i386 some more", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - btrfs: fix race between direct IO write and fsync when using same fd", " - memcg: protect concurrent access to mem_cgroup_idr", " - udp: fix receiving fraglist GSO packets", 
" - Linux 5.15.167", "", " * CVE-2024-41071", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", "", " * CVE-2024-40915", " - riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context", "", " * CVE-2024-38611", " - media: i2c: et8ek8: Don't strip remove function when driver is builtin", "", " * CVE-2024-38602", " - ax25: Fix reference count leak issues of ax25_dev", "", " * CVE-2024-26669", " - net/sched: flower: Fix chain template offload", "", " * CVE-2024-26607", " - drm/bridge: sii902x: Fix probing race issue", "", " * Jammy update: v5.15.166 upstream stable release (LP: #2080594)", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - char: xillybus: Don't destroy workqueue from work item running on it", " - char: xillybus: Refine workqueue handling", " - char: xillybus: Check USB endpoints when probing device", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET", " - ALSA: usb-audio: Support Yamaha P-125 quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - thunderbolt: Mark XDomain as unplugged when router is removed", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - vfs: Don't evict inode under the inode lru traversing context", " - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - btrfs: tree-checker: add dev extent item checks", " - drm/amdgpu: Actually check flags for all 
context ops.", " - memcg_write_event_control(): fix a user-triggerable oops", " - drm/amdgpu/jpeg2: properly set atomics vmid field", " - s390/uv: Panic for set and remove shared access UVC errors", " - igc: Correct the launchtime offset", " - igc: remove I226 Qbv BaseTime restriction", " - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - atm: idt77252: prevent use after free in dequeue_rx()", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: dsa: vsc73xx: use read_poll_timeout instead delay loop", " - net: dsa: vsc73xx: check busy flag in MDIO operations", " - mlxbf_gige: Remove two unused function declarations", " - mlxbf_gige: disable RX filters until RX path initialized", " - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size", " - netfilter: allow ipv6 fragments to arrive on different devices", " - netfilter: flowtable: initialise extack before use", " - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks", " - net: hns3: fix wrong use of semaphore up", " - net: hns3: fix a deadlock problem when config TC during resetting", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - ssb: Fix division by zero issue in ssb_calc_clock_rate", " - wifi: cfg80211: check wiphy mutex is held for wdev mutex", " - wifi: mac80211: fix BA session teardown race", " - wifi: cw1200: Avoid processing an invalid TIM IE", " - i2c: riic: avoid potential division by zero", " - RDMA/rtrs: Fix the problem of variable not initialized fully", " - s390/smp,mcck: fix early IPI handling", " - i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out", " - i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer", " - media: radio-isa: use dev_name to fill in bus_info", " - staging: iio: resolver: ad2s1210: fix use before initialization", " - drm/amd/display: 
Validate hw_points_num before using it", " - staging: ks7010: disable bh on tx_dev_lock", " - binfmt_misc: cleanup on filesystem umount", " - media: qcom: venus: fix incorrect return value", " - scsi: spi: Fix sshdr use", " - gfs2: setattr_chown: Add missing initialization", " - wifi: iwlwifi: abort scan when rfkill on but device enabled", " - wifi: iwlwifi: fw: Fix debugfs command sending", " - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock", " - hwmon: (ltc2992) Avoid division by zero", " - arm64: Fix KASAN random tag seed initialization", " - memory: tegra: Skip SID programming if SID registers aren't set", " - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu", " - nvmet-trace: avoid dereferencing pointer too early", " - ext4: do not trim the group with corrupted block bitmap", " - afs: fix __afs_break_callback() / afs_drop_open_mmap() race", " - fuse: fix UAF in rcu pathwalks", " - quota: Remove BUG_ON from dqget()", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - media: drivers/media/dvb-core: copy user arrays safely", " - net/sun3_82586: Avoid reading past buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - virtiofs: forbid newlines in tags", " - clocksource/drivers/arm_global_timer: Guard against division by zero", " - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - memory: stm32-fmc2-ebi: check regmap_read return value", " - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", 
" - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: change BUG_ON to assertion in tree_move_down()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - Bluetooth: bnep: Fix out-of-bound access", " - net: hns3: add checking for vf id of mailbox", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - clocksource: Make watchdog and suspend-timing multiplication overflow safe", " - platform/x86: lg-laptop: fix %s null argument warning", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - hrtimer: Prevent queuing of hrtimer without a function callback", " - gtp: pull network headers in gtp_dev_xmit()", " - block: use \"unsigned long\" for blk_validate_block_size().", " - nfsd: move reply cache initialization into nfsd startup", " - nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net", " - NFSD: Refactor nfsd_reply_cache_free_locked()", " - NFSD: Rename nfsd_reply_cache_alloc()", " - NFSD: Replace nfsd_prune_bucket()", " - NFSD: Refactor the duplicate reply cache shrinker", " - NFSD: Rewrite synopsis of nfsd_percpu_counters_init()", " - NFSD: Fix frame size warning in svc_export_parse()", " - sunrpc: don't change ->sv_stats if it doesn't exist", " - nfsd: stop setting ->pg_stats for unused stats", " - sunrpc: pass in the sv_stats struct through 
svc_create_pooled", " - sunrpc: remove ->pg_stats from svc_program", " - sunrpc: use the struct net as the svc proc private", " - nfsd: rename NFSD_NET_* to NFSD_STATS_*", " - nfsd: expose /proc/net/sunrpc/nfsd in net namespaces", " - nfsd: make all of the nfsd stats per-network namespace", " - nfsd: remove nfsd_stats, make th_cnt a global counter", " - nfsd: make svc_stat per-network namespace instead of global", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - net: mana: Fix doorbell out of order violation and avoid unnecessary", " doorbell rings", " - platform/surface: aggregator: Fix warning when controller is destroyed in", " probe", " - Bluetooth: hci_core: Fix LE quote calculation", " - Bluetooth: SMP: Fix assumption of Central always being Initiator", " - tc-testing: don't access non-existent variable on exception", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - ip6_tunnel: Fix broken GRO", " - bonding: fix bond_ipsec_offload_ok return type", " - bonding: fix null pointer deref in bond_ipsec_offload_ok", " - bonding: fix xfrm real_dev null pointer dereference", " - bonding: fix xfrm state handling when clearing active slave", " - ice: fix ICE_LAST_OFFSET formula", " - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()", " - net: dsa: mv88e6xxx: read FID when handling ATU violations", " - net: dsa: mv88e6xxx: replace ATU violation prints with trace points", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - ipv6: prevent UAF in ip6_send_skb()", " - ipv6: fix possible UAF in ip6_finish_output2()", " - ipv6: prevent possible UAF in ip6_xmit()", " - netfilter: flowtable: validate vlan header", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", 
" - drm/msm/dpu: don't play tricks with debug macros", " - drm/msm/dp: reset the link phy params before link training", " - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - scsi: core: Fix the return value of scsi_logical_block_count()", " - MIPS: Loongson64: Set timer mode in cpu-probe", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - HID: microsoft: Add rumble support to latest xbox controllers", " - cxgb4: add forgotten u64 ivlan cast before shift", " - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - Revert \"drm/amd/display: Validate hw_points_num before using it\"", " - hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()", " - ALSA: timer: Relax start tick time check for slave timer elements", " - mm/numa: no task_numa_fault() call if PMD is changed", " - mm/numa: no task_numa_fault() call if PTE is changed", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - btrfs: run delayed iputs when flushing delalloc", " - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: mwifiex: duplicate static structs used in driver instances", " - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response", " - mptcp: sched: check both backup in retrans", " - Revert \"MIPS: Loongson64: reset: Prioritise firmware service\"", " - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages", " - ata: libata-core: Fix null pointer dereference on error", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - net:rds: Fix possible deadlock in rds_message_put", " - soundwire: stream: fix programming slave ports for non-continous port maps", " - PM: core: Remove 
DEFINE_UNIVERSAL_DEV_PM_OPS() macro", " - PM: core: Add EXPORT[_GPL]_SIMPLE_DEV_PM_OPS macros", " - PM: runtime: Add DEFINE_RUNTIME_DEV_PM_OPS() macro", " - phy: xilinx: add runtime PM support", " - phy: xilinx: phy-zynqmp: dynamic clock support for power-save", " - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume", " - dmaengine: dw: Add peripheral bus width verification", " - dmaengine: dw: Add memory bus width verification", " - ethtool: check device is present when getting link settings", " - gtp: fix a potential NULL pointer dereference", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - USB: serial: option: add MeiG Smart SRM825L", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function", " - usb: cdnsp: fix for Link TRB with TC", " - phy: zynqmp: Enable reference clock correctly", " - igc: Fix reset adapter logics when tx mode change", " - igc: Fix qbv tx latency by setting gtxoffset", " - scsi: aacraid: Fix double-free on probe failure", " - apparmor: fix policy_unpack_test on big endian systems", " - Linux 5.15.166", "", " * CVE-2024-26893", " - firmware: arm_scmi: Fix double free in SMC transport cleanup path", "", " * [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer keys", " - kernel part (LP: #1959940)", " - s390: uv: Add offset comments to UV query struct and fix naming", " - s390/uv: Add SE hdr query information", " - s390/uv: Add dump fields to 
query", " - KVM: s390: pv: Add query interface", " - KVM: s390: pv: Add dump support definitions", " - KVM: s390: pv: Add query dump information", " - KVM: s390: Add configuration dump functionality", " - KVM: s390: Add CPU dump functionality", " - KVM: s390: Add KVM_CAP_S390_PROTECTED_DUMP", " - Documentation: KVM: add separate directories for architecture-specific", " documentation", " - Documentation: virt: Protected virtual machine dumps", " - Documentation/virt/kvm/api.rst: Add protvirt dump/info api descriptions", " - Documentation/virt/kvm/api.rst: Explain rc/rrc delivery", "", " * turbostat fails with too many open files on large systems (LP: #2069961)", " - tools/power turbostat: Increase the limit for fd opened", "", " * Jammy update: v5.15.165 upstream stable release (LP: #2078428)", " - f2fs: fix return value of f2fs_convert_inline_inode()", " - f2fs: fix to don't dirty inode for readonly filesystem", " - EDAC, i10nm: make skx_common.o a separate module", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - block: refactor to use helper", " - block: cleanup bio_integrity_prep", " - block: initialize integrity buffer to zero before writing it to media", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - pwm: stm32: Always do lazy disabling", " - drm/meson: fix canvas release in bind function", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings", " - arm64: dts: qcom: sm8250: add power-domain to UFS 
PHY", " - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()", " callers", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - memory: fsl_ifc: Make FSL_IFC config visible and selectable", " - soc: qcom: pdr: protect locator_addr with the main mutex", " - soc: qcom: pdr: fix parsing of domains lists", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - x86/xen: Convert comma to semicolon", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - ARM: pxa: spitz: use gpio descriptors for audio", " - ARM: spitz: fix GPIO assignment for backlight", " - vmlinux.lds.h: catch .bss..L* sections into BSS\")", " - firmware: turris-mox-rwtm: Do not complete if there are no waiters", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - selftests/bpf: Fix prog numbers in test_sockmap", " - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP", " - tcp: annotate lockless accesses to sk->sk_err_soft", " - tcp: annotate lockless access to sk->sk_err", " - tcp: add tcp_done_with_error() helper", " - tcp: fix race in tcp_write_err()", " - tcp: fix races in tcp_v[46]_err()", 
" - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more", " flexible", " - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors", " - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - libbpf: Checking the btf_type kind when fixing variable offsets", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: rise cap on SELinux secmark context", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - perf: Fix default aux_watermark calculation", " - wifi: virt_wifi: avoid reporting connection success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - locking/rwsem: Add __always_inline annotation to __down_write_common() and", " inlined callers", " - selftests/bpf: Close fd in error path in drop_on_reuseport", " - bpf: annotate BTF show functions with __printf", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - bpf: Eliminate remaining \"make W=1\" warnings in kernel/bpf/btf.o", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - xdp: fix invalid wait context of page_pool_destroy()", " - drm/amd/pm: Fix aldebaran pcie speed reporting", " - drm/amdgpu: Check if NBIO funcs are 
NULL in amdgpu_device_baco_exit", " - drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before", " regulators", " - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()", " - media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()", " - media: imon: Fix race getting ictx->lock", " - media: i2c: Fix imx412 exposure control", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: uvcvideo: Override default flags", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - drm/mediatek: Add missing plane settings when async update", " - drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - Revert \"leds: led-core: Fix refcount leak in of_led_get()\"", " - ext4: fix infinite loop when replaying fast_commit", " - media: venus: flush all buffers in output plane streamoff", " - perf intel-pt: Fix aux_watermark calculation for 64-bit size", " - perf intel-pt: Fix exclude_guest setting", " - mfd: rsmu: Split core code into separate module", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - xprtrdma: Fix rpcrdma_reqs_reset()", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server", " - ext4: return early for non-eligible fast_commit track events", " - ext4: don't track ranges in fast_commit if inode has inlined data", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - PCI: Fix resource double counting on remove & rescan", " - clk: 
qcom: branch: Add helper functions for setting retain bits", " - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock", " - coresight: Fix ref leak when of_coresight_parse_endpoint() fails", " - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE", " - RDMA/cache: Release GID table even if leak is detected", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: max98088: Check for clk_prepare_enable() error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - PCI: endpoint: Clean up error handling in vpci_scan_bus()", " - vhost/vsock: always initialize seqpacket_allow", " - net: missing check virtio", " - MIPS: Octeron: remove source file executable bit", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - RDMA/hns: Fix missing pagesize and alignment check in FRMR", " - RDMA/hns: Fix undifined behavior caused by invalid max_sge", " - RDMA/hns: Fix insufficient extend DB for VFs.", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - netfilter: nf_set_pipapo: fix initial map fill", " - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports", " - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports", " - fs/ntfs3: Use ALIGN kernel macro", " - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT", " - fs/ntfs3: Fix transform resident to nonresident for compressed files", " - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting", " - fs/ntfs3: Fix getting file type", " - pinctrl: rockchip: update rk3308 iomux routes", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: 
fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: Drop if block with always false condition", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/ntfs3: Replace inode_trylock with inode_lock", " - fs/ntfs3: Fix field-spanning write in INDEX_HDR", " - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - fs/ntfs3: Missed error return", " - landlock: Don't lose track of restrictions on cred_transfer", " - mm/hugetlb: fix possible recursive locking detected warning", " - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer", " - dt-bindings: thermal: correct thermal zone node name limit", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - ipv6: take care of scope when choosing the src addr", " - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE", " tasks", " - fuse: verify {g,u}id mount options correctly", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error", " - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - ext2: Verify bitmap and itable block numbers before using them", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - scsi: qla2xxx: Fix optrom version displayed in FDMI", " - drm/amd/display: Check for NULL pointer", " - sched/fair: Use all little CPUs for CPU-bound workloads", " - apparmor: use kvfree_sensitive to free data->data", " - 
task_work: s/task_work_cancel()/task_work_cancel_func()/", " - task_work: Introduce task_work_cancel() again", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - io_uring: tighten task exit cancellations", " - selftests/landlock: Add cred_transfer test", " - wifi: mwifiex: Fix interface type change", " - leds: ss4200: Convert PCIBIOS_* return codes to errnos", " - jbd2: make jbd2_journal_get_max_txn_bufs() internal", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()", " - ALSA: usb-audio: Fix microphone sound on HD webcam.", " - ALSA: usb-audio: Move HD Webcam quirk to the right place", " - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - PCI: dw-rockchip: Fix initial PERST# GPIO value", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - binder: fix hang of unregistered readers", " - dev/parport: fix the array out-of-bounds risk", " - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - decompress_bunzip2: fix rare decompression failure", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - gve: Fix an edge case for TSO skb validity check", " - devres: Fix devm_krealloc() wasting memory", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - mm/numa_balancing: 
teach mpol_to_str about the balancing mode", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Unable to act on RSCN for port online", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Use QP lock to search for bsg", " - scsi: qla2xxx: Fix flash read failure", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf: Fix event leak upon exit", " - perf: Fix event leak upon exec and file release", " - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8", " - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell", " - drm/i915/dp: Reset intel_dp->link_trained before retraining the link", " - rtc: isl1208: Fix return value of nvmem callbacks", " - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - remoteproc: stm32_rproc: Fix mailbox interrupts queuing", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - MIPS: ip30: ip30-console: Add missing include", " - MIPS: dts: loongson: Fix GMAC phy node", " - MIPS: Loongson64: env: Hook up Loongsson-2K", " - MIPS: Loongson64: Remove memory node for builtin-dtb", " - MIPS: Loongson64: reset: Prioritise firmware service", " - MIPS: Loongson64: Test register availability before use", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: 
don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - nilfs2: handle inconsistent state in nilfs_btnode_create_block()", " - io_uring/io-wq: limit retrying worker initialisation", " - kernel: rerun task_work while freezing in get_signal()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - jfs: Fix array-index-out-of-bounds in diFree", " - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels", " - phy: cadence-torrent: Check return value on register read", " - um: time-travel: fix time-travel-start option", " - um: time-travel: fix signal blocking race/hang", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - dma: fix call order in dmam_free_coherent", " - bpf, events: Use prog to emit ksymbol event for main program", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - netfilter: nft_set_pipapo_avx2: disable softinterrupts", " - tipc: Return non-zero value from tipc_udp_addr2str() on error", " - net: stmmac: Correct byte order of perfect_match", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - mISDN: Fix a use after free in hfcmulti_tx()", " - apparmor: Fix null pointer deref when receiving skb during sock creation", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - lirc: rc_dev_get_from_fd(): fix file leak", " - spi: spidev: Make probe to fail early if a spidev compatible is used", " - spi: spidev: Replace ACPI specific code by device_get_match_data()", " - spi: spidev: Replace OF specific code by device property API", " - spidev: Add Silicon Labs EM3581 device compatible", " - spi: 
spidev: order compatibles alphabetically", " - spi: spidev: add correct compatible for Rohm BH2228FV", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - ceph: fix incorrect kmalloc size of pagevec mempool", " - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en", " - nvme: split command copy into a helper", " - nvme: separate command prep and issue", " - nvme-pci: add missing condition check for existence of mapped data", " - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT", " - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC", " - arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node", " - arm64: dts: qcom: msm8998: drop USB PHY clock index", " - arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings", " - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB", " - sysctl: always initialize i_uid/i_gid", " - ext4: make ext4_es_insert_extent() return void", " - ext4: refactor ext4_da_map_blocks()", " - ext4: convert to exclusive lock while inserting delalloc extents", " - ext4: factor out a common helper to query extent map", " - ext4: check the extent status again before inserting delalloc block", " - soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver", " - drivers: soc: xilinx: check return status of get_api_version()", " - leds: trigger: use RCU to protect the led_cdevs list", " - leds: trigger: Remove unused function led_trigger_rename_static()", " - leds: trigger: Store brightness set by led_trigger_event()", " - leds: trigger: Call synchronize_rcu() before calling trig->activate()", " - leds: triggers: Flush pending brightness before activating trigger", " - irqdomain: Fixed unbalanced fwnode get and put", " - genirq: Allow the PM device to originate from irq domain", " - irqchip/imx-irqsteer: Constify irq_chip struct", " - irqchip/imx-irqsteer: Add 
runtime PM support", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume", " - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init", " - MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000", " - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a", " - MIPS: dts: loongson: Fix liointc IRQ polarity", " - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - sched: act_ct: take care of padding in struct zones_ht_key", " - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode", " - rtnetlink: enable alt_ifname for setlink/newlink", " - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in", " rtnl_dellink().", " - net/iucv: fix use after free in iucv_sock_close()", " - net: mvpp2: Don't re-use loop iterator", " - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().", " - netfilter: iptables: Fix potential null-ptr-deref in", " ip6table_nat_table_init().", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()", " - power: supply: bq24190_charger: replace deprecated strncpy with strscpy", " - platform/chrome: cros_ec_proto: Lock device when updating MKBP version", " - HID: wacom: Modify pen IDs", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G", " - Revert \"ALSA: firewire-lib: obsolete workqueue for period update\"", " - Revert \"ALSA: firewire-lib: operate for period elapse event in process", " context\"", " - drm/vmwgfx: Fix a deadlock in dma buf fence polling", " - net: usb: sr9700: fix uninitialized variable use in 
sr_mdio_read", " - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY", " - mptcp: fix duplicate data handling", " - netfilter: ipset: Add list flush to cancel_gc", " - genirq: Allow irq_chip registration functions to take a const irq_chip", " - irqchip/mbigen: Fix mbigen node address layout", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - x86/mm: Fix pti_clone_entry_text() for i386", " - sctp: move hlist_node and hashent out of sctp_ep_common", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: bridge: mcast: wait for previous gc cycles when removing port", " - net: linkwatch: use system_unbound_wq", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()", " - l2tp: fix lockdep splat", " - net: fec: Stop PPS on driver remove", " - rcutorture: Fix rcu_torture_fwd_cb_cr() data race", " - md: do not delete safemode_timer in mddev_suspend", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - drm/amdgpu/pm: Fix the null pointer dereference for smu7", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules", " - drm/amd/display: Add null checker before passing variables", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on 
USB 3.x", " - ext4: fix uninitialized variable in ext4_inlinedir_to_tree", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - profiling: remove profile=sleep support", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime", " - ext4: fix wrong unit use in ext4_mb_find_by_goal", " - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-", " space", " - arm64: Add Neoverse-V2 part", " - arm64: barrier: Restore spec_bar() macro", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Improve handling of stuck alerts", " - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask", " - ASoC: codecs: wsa881x: Correct Soundwire ports mask", " - spi: spidev: Add missing spi_device_id for bh2228fv", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - kprobes: Fix to check symbol prefixes correctly", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - ALSA: usb-audio: Re-add ScratchAmp quirk entries", " - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - 
ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - usb: gadget: u_serial: Set start_delayed during suspend", " - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler", " - ntp: Clamp maxerror and esterror to operating range", " - clocksource: Reduce the default clocksource_watchdog() retries to 2", " - torture: Enable clocksource watchdog with \"tsc=watchdog\"", " - clocksource: Scale the watchdog read retries automatically", " - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()", " - irqchip/meson-gpio: support more than 8 channels gpio irq", " - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to", " 'raw_spinlock_t'", " - driver core: Fix uevent_show() vs driver detach race", " - ntp: Safeguard against time_constant overflow", " - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()", " - serial: core: check uartclk for zero to avoid divide by zero", " - kcov: properly check for softirq context", " - irqchip/xilinx: Fix shift out of bounds", " - genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - padata: Fix possible divide-by-0 panic in padata_mt_helper()", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - sched/smt: Introduce sched_smt_present_inc/dec() helper", " - sched/smt: Fix unbalance sched_smt_present 
dec/inc", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/mgag200: Set DDC timeout in milliseconds", " - mptcp: sched: check both directions for backup", " - mptcp: distinguish rcv vs sent backup flag in requests", " - mptcp: fix NL PM announced address accounting", " - mptcp: mib: count MPJ with backup flag", " - mptcp: fix bad RCVPRUNED mib accounting", " - mptcp: pm: only set request_bkup flag when sending MP_PRIO", " - mptcp: export local_address", " - mptcp: pm: fix backup support in signal endpoints", " - selftests: mptcp: join: validate backup in MPJ", " - selftests: mptcp: join: check backup support in signal endp", " - btrfs: fix corruption after buffer fault in during direct IO append write", " - xfs: fix log recovery buffer allocation for the legacy h_size fixup", " - btrfs: fix double inode unlock for direct IO sync writes", " - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal", " - netfilter: nf_tables: set element extended ACK reporting support", " - netfilter: nf_tables: bail out if stateful expression provides no .clone", " - netfilter: nf_tables: allow clone callbacks to sleep", " - netfilter: nf_tables: prefer nft_chain_validate", " - net: stmmac: Enable mac_managed_pm phylink config", " - PCI: dwc: Restore MSI Receiver mask during resume", " - wifi: mac80211: check basic rates validity", " - mptcp: fully established after ADD_ADDR echo on MPJ", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.", " - arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes", " - arm64: cpufeature: Fix the visibility of compat hwcaps", " - exec: Fix ToCToU between perm check and set-uid/gid usage", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - usb: gadget: u_audio: Check return codes from usb_ep_enable and", " config_ep_by_speed.", " - binfmt_flat: Fix corruption when not offsetting data start", " - wifi: cfg80211: 
restrict NL80211_ATTR_TXQ_QUANTUM values", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()\"", " - Revert \"ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error\"", " - Linux 5.15.165", "", " * CVE-2024-26661", " - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'", "", " * CVE-2024-25744", " - x86: Fix misspelled Kconfig symbols", " - x86: Introduce ia32_enabled()", " - x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c", " - x86/coco: Disable 32-bit emulation by default on TDX and SEV", " - x86/entry: Convert INT 0x80 emulation to IDTENTRY", " - x86/entry: Do not allow external 0x80 interrupts", " - x86/entry: Add do_SYSENTER_32() prototype", " - x86/bhi: Add support for clearing branch history at syscall entry", "", " * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible", " (LP: #2074380)", " - s390/cpum_cf: make crypto counters upward compatible across machine types", "", " * Jammy update: v5.15.164 upstream stable release (LP: #2076100)", " - gcc-plugins: Rename last_stmt() for GCC 14+", " - filelock: Remove locks reliably when fcntl/close race is detected", " - ARM: 9324/1: fix get_user() broken with veneer", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - scsi: core: Fix a use-after-free", " - scsi: core: alua: I/O errors for ALUA state transitions", " - scsi: qedf: Don't process stag work during unload and recovery", " - scsi: qedf: Wait for stag work during unload", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: handle tasklet frames before 
stopping", " - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup", " - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd", " - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - selftests/openat2: Fix build warnings on ppc64", " - Input: silead - Always support 10 fingers", " - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()", " - ila: block BH in ila_output()", " - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process", " - null_blk: fix validation of block size", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - fs/file: fix the check in find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - nvme: avoid double free special payload", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - Input: i8042 - add Ayaneo Kun to i8042 quirk table", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ALSA: dmaengine: Synchronize dma channel after drop()", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - s390/sclp: Fix sclp_init() cleanup on failure", " - platform/x86: wireless-hotkey: Add support for LG Airplane Button", " - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling", " - platform/x86: lg-laptop: Change ACPI device id", " - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB", " - btrfs: qgroup: fix quota root leak after quota disable 
failure", " - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()", " - drm/radeon: check bo_va->bo is non-NULL before using it", " - fs: better handle deep ancestor chains in is_subdir()", " - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - spi: mux: set ctlr->bits_per_word_mask", " - tracing: Define the is_signed_type() macro once", " - minmax: sanity check constant bounds when clamping", " - minmax: clamp more efficiently by avoiding extra comparison", " - minmax: fix header inclusions", " - minmax: allow min()/max()/clamp() if the arguments have the same signedness.", " - minmax: allow comparisons of 'int' against 'unsigned char/short'", " - minmax: relax check to allow comparison between unsigned arguments and", " signed constants", " - mm/damon/core: merge regions aggressively when max_nr_regions is unmet", " - wifi: mac80211: disable softirqs for queued frame handling", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " - samples: Add fs error monitoring example", " - samples: Make fs-monitor depend on libc and headers", " - docs: Fix formatting of literal sections in fanotify docs", " - Add gitignore file for samples/fanotify/ subdirectory", " - net: relax socket state check at accept time.", " - ocfs2: add bounds checking 
to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - fs/ntfs3: Validate ff offset", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360", " - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB", " - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused", " - filelock: Fix fcntl/close race recovery compat path", " - wifi: rt2x00: use explicitly signed or unsigned types", " - tun: add missing verification for short frame", " - tap: add missing verification for short frame", " - Linux 5.15.164", "", " * Jammy update: v5.15.166 upstream stable release (LP: #2080594) //", " CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "", " * CVE-2024-38630", " - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger", "", " * CVE-2024-27397", " - netfilter: nf_tables: use timestamp to check for set element timeout", "" ], "package": "linux", "version": "5.15.0-125.135", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2083001, 2077321, 2081279, 2080594, 1959940, 2069961, 2078428, 2074380, 2076100, 2080594 ], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:49:00 +0200" } ], "notes": "linux-headers-5.15.0-126-generic version '5.15.0-126.136' (source package linux version '5.15.0-126.136') was added. linux-headers-5.15.0-126-generic version '5.15.0-126.136' has the same source package name, linux, as removed package linux-headers-5.15.0-122. As such we can use the source package version of the removed package, '5.15.0-122.132', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. 
Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.15.0-126-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-122.132", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-126.136", "version": "5.15.0-126.136" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 2086027, 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-126.136", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "", " * jammy/linux: -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-signed", "version": "5.15.0-126.136", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013, 2086027 ], "author": "Stefan Bader ", "date": "Wed, 06 Nov 2024 10:47:20 +0100" }, { "cves": [], "log": [ "", " * Main version: 5.15.0-125.135", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-125.135", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 15:23:56 +0200" }, { "cves": [], "log": [ "", " * Main version: 5.15.0-123.133", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-123.133", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 13 Sep 2024 15:29:53 +0200" } ], "notes": "linux-image-5.15.0-126-generic version '5.15.0-126.136' (source package linux-signed version '5.15.0-126.136') was added. 
linux-image-5.15.0-126-generic version '5.15.0-126.136' has the same source package name, linux-signed, as removed package linux-image-5.15.0-122-generic. As such we can use the source package version of the removed package, '5.15.0-122.132', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.15.0-126-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-126.136", "version": "5.15.0-126.136" }, "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-40915", "url": "https://ubuntu.com/security/CVE-2024-40915", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context __kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages. This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm's semaphore, and this operation may sleep. This is problematic, because __kernel_map_pages() can be called in atomic context, and thus is illegal to sleep. 
An example warning that this causes: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd preempt_count: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] ret_from_fork+0xe/0x1c Rewrite this function with apply_to_existing_page_range(). It is fine to not have any locking, because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. 
This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). 
As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. 
[1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2024-26893", "url": "https://ubuntu.com/security/CVE-2024-26893", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in SMC transport cleanup path When the generic SCMI code tears down a channel, it calls the chan_free callback function, defined by each transport. Since multiple protocols might share the same transport_info member, chan_free() might want to clean up the same member multiple times within the given SCMI transport implementation. In this case, it is SMC transport. This will lead to a NULL pointer dereference at the second time: | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16 | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled. 
| arm-scmi firmware:scmi: unable to communicate with SCMI | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000 | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793 | Hardware name: FVP Base RevC (DT) | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : smc_chan_free+0x3c/0x6c | lr : smc_chan_free+0x3c/0x6c | Call trace: | smc_chan_free+0x3c/0x6c | idr_for_each+0x68/0xf8 | scmi_cleanup_channels.isra.0+0x2c/0x58 | scmi_probe+0x434/0x734 | platform_probe+0x68/0xd8 | really_probe+0x110/0x27c | __driver_probe_device+0x78/0x12c | driver_probe_device+0x3c/0x118 | __driver_attach+0x74/0x128 | bus_for_each_dev+0x78/0xe0 | driver_attach+0x24/0x30 | bus_add_driver+0xe4/0x1e8 | driver_register+0x60/0x128 | __platform_driver_register+0x28/0x34 | scmi_driver_init+0x84/0xc0 | do_one_initcall+0x78/0x33c | kernel_init_freeable+0x2b8/0x51c | kernel_init+0x24/0x130 | ret_from_fork+0x10/0x20 | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280) | ---[ end trace 0000000000000000 ]--- Simply check for the struct pointer being NULL before trying to access its members, to avoid this situation. 
This was found when a transport doesn't really work (for instance no SMC service), the probe routines then tries to clean up, and triggers a crash.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26661", "url": "https://ubuntu.com/security/CVE-2024-26661", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-25744", "url": "https://ubuntu.com/security/CVE-2024-25744", "cve_description": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", "cve_priority": "medium", "cve_public_date": "2024-02-12 05:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. 
In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" } ], "launchpad_bugs_fixed": [ 2086027, 2085082, 2083001, 2077321, 2081279, 2080594, 1959940, 2069961, 2078428, 2074380, 2076100, 2080594 ], "changes": [ { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-126.136 -proposed tracker (LP: #2086027)", " - [Packaging] resync git-ubuntu-log", "", " * Cannot detect audio sinks and sources in proposed kernel (LP: #2085082)", " - soundwire: stream: Revert \"soundwire: stream: fix programming slave ports", " for non-continous port maps\"", "" ], "package": "linux", "version": "5.15.0-126.136", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2086027, 2085082 ], "author": "Stefan Bader ", "date": "Wed, 06 Nov 2024 10:28:09 +0100" }, { "cves": [ { "cve": "CVE-2024-26800", "url": "https://ubuntu.com/security/CVE-2024-26800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. 
With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.", "cve_priority": "high", "cve_public_date": "2024-04-04 09:15:00 UTC" }, { "cve": "CVE-2024-41071", "url": "https://ubuntu.com/security/CVE-2024-41071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Avoid address calculations via out of bounds array indexing req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" }, { "cve": "CVE-2024-40915", "url": "https://ubuntu.com/security/CVE-2024-40915", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context __kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages. This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm's semaphore, and this operation may sleep. This is problematic, because __kernel_map_pages() can be called in atomic context, and thus is illegal to sleep. 
An example warning that this causes: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd preempt_count: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] ret_from_fork+0xe/0x1c Rewrite this function with apply_to_existing_page_range(). It is fine to not have any locking, because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38611", "url": "https://ubuntu.com/security/CVE-2024-38611", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. 
This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-38602", "url": "https://ubuntu.com/security/CVE-2024-38602", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object \"ax25_dev\". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object \"ax25_dev\" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). 
As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26669", "url": "https://ubuntu.com/security/CVE-2024-26669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. 
[1] unreferenced object 0xffff888107e28800 (size 2048): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc+0x4e/0x90 [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [] ___sys_sendmsg+0x13a/0x1e0 [] __sys_sendmsg+0x11c/0x1f0 [] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [] __kmem_cache_alloc_node+0x1e8/0x320 [] __kmalloc_node+0x51/0x90 [] kvmalloc_node+0xa6/0x1f0 [] bucket_table_alloc.isra.0+0x83/0x460 [] rhashtable_init+0x43b/0x7c0 [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [] mlxsw_sp_flower_tmplt_create+0x145/0x180 [] mlxsw_sp_flow_block_cb+0x1ea/0x280 [] tc_setup_cb_call+0x183/0x340 [] fl_tmplt_create+0x3da/0x4c0 [] tc_ctl_chain+0xa15/0x1170 [] rtnetlink_rcv_msg+0x3cc/0xed0 [] netlink_rcv_skb+0x170/0x440 [] netlink_unicast+0x540/0x820 [] netlink_sendmsg+0x8d8/0xda0 [] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26607", "url": "https://ubuntu.com/security/CVE-2024-26607", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] 
__device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().", "cve_priority": "medium", "cve_public_date": "2024-02-29 12:15:00 UTC" }, { "cve": "CVE-2024-26893", "url": "https://ubuntu.com/security/CVE-2024-26893", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in SMC transport cleanup path When the generic SCMI code tears down a channel, it calls the chan_free callback function, defined by each transport. Since multiple protocols might share the same transport_info member, chan_free() might want to clean up the same member multiple times within the given SCMI transport implementation. In this case, it is SMC transport. This will lead to a NULL pointer dereference at the second time: | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16 | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled. 
| arm-scmi firmware:scmi: unable to communicate with SCMI | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000 | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793 | Hardware name: FVP Base RevC (DT) | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : smc_chan_free+0x3c/0x6c | lr : smc_chan_free+0x3c/0x6c | Call trace: | smc_chan_free+0x3c/0x6c | idr_for_each+0x68/0xf8 | scmi_cleanup_channels.isra.0+0x2c/0x58 | scmi_probe+0x434/0x734 | platform_probe+0x68/0xd8 | really_probe+0x110/0x27c | __driver_probe_device+0x78/0x12c | driver_probe_device+0x3c/0x118 | __driver_attach+0x74/0x128 | bus_for_each_dev+0x78/0xe0 | driver_attach+0x24/0x30 | bus_add_driver+0xe4/0x1e8 | driver_register+0x60/0x128 | __platform_driver_register+0x28/0x34 | scmi_driver_init+0x84/0xc0 | do_one_initcall+0x78/0x33c | kernel_init_freeable+0x2b8/0x51c | kernel_init+0x24/0x130 | ret_from_fork+0x10/0x20 | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280) | ---[ end trace 0000000000000000 ]--- Simply check for the struct pointer being NULL before trying to access its members, to avoid this situation. 
This was found when a transport doesn't really work (for instance no SMC service), the probe routines then tries to clean up, and triggers a crash.", "cve_priority": "medium", "cve_public_date": "2024-04-17 11:15:00 UTC" }, { "cve": "CVE-2024-26661", "url": "https://ubuntu.com/security/CVE-2024-26661", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-25744", "url": "https://ubuntu.com/security/CVE-2024-25744", "cve_description": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", "cve_priority": "medium", "cve_public_date": "2024-02-12 05:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. 
In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-38630", "url": "https://ubuntu.com/security/CVE-2024-38630", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.", "cve_priority": "high", "cve_public_date": "2024-06-21 11:15:00 UTC" }, { "cve": "CVE-2024-27397", "url": "https://ubuntu.com/security/CVE-2024-27397", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. 
Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.", "cve_priority": "high", "cve_public_date": "2024-05-14 15:12:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-125.135 -proposed tracker (LP: #2083001)", "", " * CVE-2024-26800", " - tls: rx: coalesce exit paths in tls_decrypt_sg()", " - tls: separate no-async decryption request handling from async", " - tls: fix use-after-free on failed backlog decryption", "", " * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch", " (LP: #2077321)", " - x86/CPU/AMD: Improve the erratum 1386 workaround", "", " * Jammy update: v5.15.167 upstream stable release (LP: #2081279)", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown", " - ALSA: hda/conexant: Mute speakers at suspend / shutdown", " - i2c: Fix conditional for substituting empty ACPI functions", " - dma-debug: avoid deadlock between dma debug vs printk and netconsole", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr", " - drm/amd/display: Assign linear_pitch_alignment even for VM", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc", " - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr", " - drm/amd/pm: fix warning using uninitialized value of max_vid_step", " - drm/amd/pm: fix the Out-of-bounds read warning", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr", " - drm/amdgpu: avoid reading vf2pf info size from FB", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - drm/amd/display: Add array index check for hdcp ddc access", " - drm/amd/display: Check num_valid_sets before 
accessing reader_wm_sets[]", " - drm/amd/display: Check msg_id before processing transcation", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amd/amdgpu: Check tbo resource pointer", " - drm/amdgpu/pm: Fix uninitialized variable warning for smu10", " - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response", " - drm/amdgpu: Fix out-of-bounds write warning", " - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number", " - drm/amdgpu: fix ucode out-of-bounds read warning", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy", " SOCs", " - drm/amdgpu: fix the waring dereferencing hive", " - drm/amd/pm: check specific index for aldebaran", " - drm/amdgpu: the warning dereferencing obj for nbio_v7_4", " - drm/amd/pm: check negtive return for table entries", " - drm/amdgpu: update type of buf size to u32 for eeprom functions", " - wifi: iwlwifi: remove fw_running op", " - cpufreq: scmi: Avoid overflow of target_freq in fast switch", " - PCI: al: Check IORESOURCE_BUS existence during probe", " - hwspinlock: Introduce hwspin_lock_bust()", " - RDMA/efa: Properly handle unexpected AQ completions", " - ionic: fix potential irq name truncation", " - rcu/nocb: Remove buggy bypass lock contention mitigation", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - fsnotify: clear PARENT_WATCHED flags lazily", " - smack: tcp: ipv4, fix incorrect labeling", " - drm/meson: plane: Add error handling", " - drm/bridge: tc358767: Check if fully initialized before signalling HPD event", " via IRQ", " - wifi: cfg80211: make hash table duplicates more survivable", " - block: remove the blk_flush_integrity call in blk_integrity_unregister", " - 
drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr", " - virtio_net: Fix napi_skb_cache_put warning", " - rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow", " - ext4: reject casefold inode flag without casefold feature", " - udf: Limit file size to 4TB", " - ext4: handle redirtying in ext4_bio_write_page()", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - sch/netem: fix use after free in netem_dequeue", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE", " - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ALSA: hda/realtek: add patch for internal mic in Lenovo V145", " - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " - nvme-pci: Add sleep quirk for Samsung 990 Evo", " - Revert \"Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE\"", " - Bluetooth: MGMT: Ignore keys being loaded with invalid type", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - mmc: cqhci: Fix checking of CQHCI_HALT state", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - 
ila: call nf_unregister_net_hooks() sooner", " - sched: sch_cake: fix bulk flow accounting logic for host fairness", " - nilfs2: fix missing cleanup on rollforward recovery error", " - nilfs2: fix state management in error path of log writing function", " - mptcp: pm: re-using ID of unused flushed subflows", " - mptcp: pm: only decrement add_addr_accepted for MPJ req", " - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR", " - mptcp: pm: fullmesh: select the right ID later", " - mptcp: constify a bunch of of helpers", " - mptcp: pm: avoid possible UaF when selecting endp", " - mptcp: avoid duplicated SUB_CLOSED events", " - mptcp: close subflow when receiving TCP+FIN", " - mptcp: pm: ADD_ADDR 0 is not a new address", " - mptcp: pm: do not remove already closed subflows", " - mptcp: pm: skip connecting to already established sf", " - mptcp: pr_debug: add missing \\n at the end", " - mptcp: pm: send ACK on an active subflow", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - smack: unix sockets: fix accept()ed socket label", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - iommu: sun50i: clear bypass register", " - netfilter: nf_conncount: fix wrong variable type", " - udf: Avoid excessive partition lengths", " - media: vivid: fix wrong sizeimage value for mplane", " - leds: spi-byte: Call of_node_put() on error path", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - drm/amd/display: Check HDCP returned status", " - media: vivid: don't set HDMI TX controls if there are no HDMI outputs", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6", " - can: 
bcm: Remove proc entry when dev is unregistered.", " - can: m_can: Release irq on error in m_can_open", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " - igc: Unlock on error in igc_io_resume()", " - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset", " - net: usb: don't write directly to netdev->dev_addr", " - usbnet: modern method to get random MAC", " - bareudp: Fix device stats updates.", " - gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers", " - gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers", " - fou: Fix null-ptr-deref in GRO.", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - um: line: always fill *error_out in setup_one_line()", " - devres: Initialize an uninitialized struct member", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - drm/amdgpu: Set no_hw_access when VF request full GPU fails", " - ext4: fix possible tid_t sequence overflows", " - dma-mapping: benchmark: Don't starve others when doing the test", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - fs/ntfs3: Check more cases 
when directory is corrupted", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()", " - riscv: set trap vector earlier", " - PCI: Add missing bridge lock to pci_bus_lock()", " - net: dpaa: avoid on-stack arrays of NR_CPUS elements", " - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup", " - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " - HID: amd_sfh: free driver_data after destroying hid device", " - Input: uinput - reject requests with unreasonable number of slots", " - usbnet: ipheth: race between ipheth_close and error handling", " - Squashfs: sanity check symbolic link size", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - cifs: Check the lease context if we actually got a lease", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - iio: adc: ad7124: fix config comparison", " - iio: adc: ad7124: fix chip ID mismatch", " - usb: dwc3: core: update LC timer as per USB Spec V3.2", " - binder: fix UAF caused by offsets overwrite", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", 
" - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - perf/aux: Fix AUX buffer serialization", " - ksmbd: unset the binding mark of a reused connection", " - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()", " - nilfs2: replace snprintf in show functions with sysfs_emit", " - nilfs2: protect references to superblock parameters exposed in sysfs", " - workqueue: wq_watchdog_touch is always called with valid CPU", " - workqueue: Improve scalability of workqueue watchdog touch", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " - nvmet-tcp: fix kernel crash if commands allocation fails", " - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - gpio: rockchip: fix OF node leak in probe()", " - net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation", " - net: change maximum number of UDP segments to 128", " - gso: fix dodgy bit handling for GSO_UDP_L4", " - net: drop bad gso csum_start and offset in virtio_net_hdr", " - x86/mm: Fix PTI for i386 some more", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - btrfs: fix race between direct IO write and fsync when using same fd", " - memcg: protect concurrent access to mem_cgroup_idr", " - udp: fix receiving fraglist GSO packets", 
" - Linux 5.15.167", "", " * CVE-2024-41071", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", "", " * CVE-2024-40915", " - riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context", "", " * CVE-2024-38611", " - media: i2c: et8ek8: Don't strip remove function when driver is builtin", "", " * CVE-2024-38602", " - ax25: Fix reference count leak issues of ax25_dev", "", " * CVE-2024-26669", " - net/sched: flower: Fix chain template offload", "", " * CVE-2024-26607", " - drm/bridge: sii902x: Fix probing race issue", "", " * Jammy update: v5.15.166 upstream stable release (LP: #2080594)", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - char: xillybus: Don't destroy workqueue from work item running on it", " - char: xillybus: Refine workqueue handling", " - char: xillybus: Check USB endpoints when probing device", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET", " - ALSA: usb-audio: Support Yamaha P-125 quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - thunderbolt: Mark XDomain as unplugged when router is removed", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - vfs: Don't evict inode under the inode lru traversing context", " - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - btrfs: tree-checker: add dev extent item checks", " - drm/amdgpu: Actually check flags for all 
context ops.", " - memcg_write_event_control(): fix a user-triggerable oops", " - drm/amdgpu/jpeg2: properly set atomics vmid field", " - s390/uv: Panic for set and remove shared access UVC errors", " - igc: Correct the launchtime offset", " - igc: remove I226 Qbv BaseTime restriction", " - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - atm: idt77252: prevent use after free in dequeue_rx()", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: dsa: vsc73xx: use read_poll_timeout instead delay loop", " - net: dsa: vsc73xx: check busy flag in MDIO operations", " - mlxbf_gige: Remove two unused function declarations", " - mlxbf_gige: disable RX filters until RX path initialized", " - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size", " - netfilter: allow ipv6 fragments to arrive on different devices", " - netfilter: flowtable: initialise extack before use", " - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks", " - net: hns3: fix wrong use of semaphore up", " - net: hns3: fix a deadlock problem when config TC during resetting", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - ssb: Fix division by zero issue in ssb_calc_clock_rate", " - wifi: cfg80211: check wiphy mutex is held for wdev mutex", " - wifi: mac80211: fix BA session teardown race", " - wifi: cw1200: Avoid processing an invalid TIM IE", " - i2c: riic: avoid potential division by zero", " - RDMA/rtrs: Fix the problem of variable not initialized fully", " - s390/smp,mcck: fix early IPI handling", " - i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out", " - i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer", " - media: radio-isa: use dev_name to fill in bus_info", " - staging: iio: resolver: ad2s1210: fix use before initialization", " - drm/amd/display: 
Validate hw_points_num before using it", " - staging: ks7010: disable bh on tx_dev_lock", " - binfmt_misc: cleanup on filesystem umount", " - media: qcom: venus: fix incorrect return value", " - scsi: spi: Fix sshdr use", " - gfs2: setattr_chown: Add missing initialization", " - wifi: iwlwifi: abort scan when rfkill on but device enabled", " - wifi: iwlwifi: fw: Fix debugfs command sending", " - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock", " - hwmon: (ltc2992) Avoid division by zero", " - arm64: Fix KASAN random tag seed initialization", " - memory: tegra: Skip SID programming if SID registers aren't set", " - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu", " - nvmet-trace: avoid dereferencing pointer too early", " - ext4: do not trim the group with corrupted block bitmap", " - afs: fix __afs_break_callback() / afs_drop_open_mmap() race", " - fuse: fix UAF in rcu pathwalks", " - quota: Remove BUG_ON from dqget()", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - media: drivers/media/dvb-core: copy user arrays safely", " - net/sun3_82586: Avoid reading past buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - virtiofs: forbid newlines in tags", " - clocksource/drivers/arm_global_timer: Guard against division by zero", " - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - memory: stm32-fmc2-ebi: check regmap_read return value", " - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", 
" - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: change BUG_ON to assertion in tree_move_down()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - Bluetooth: bnep: Fix out-of-bound access", " - net: hns3: add checking for vf id of mailbox", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - clocksource: Make watchdog and suspend-timing multiplication overflow safe", " - platform/x86: lg-laptop: fix %s null argument warning", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - hrtimer: Prevent queuing of hrtimer without a function callback", " - gtp: pull network headers in gtp_dev_xmit()", " - block: use \"unsigned long\" for blk_validate_block_size().", " - nfsd: move reply cache initialization into nfsd startup", " - nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net", " - NFSD: Refactor nfsd_reply_cache_free_locked()", " - NFSD: Rename nfsd_reply_cache_alloc()", " - NFSD: Replace nfsd_prune_bucket()", " - NFSD: Refactor the duplicate reply cache shrinker", " - NFSD: Rewrite synopsis of nfsd_percpu_counters_init()", " - NFSD: Fix frame size warning in svc_export_parse()", " - sunrpc: don't change ->sv_stats if it doesn't exist", " - nfsd: stop setting ->pg_stats for unused stats", " - sunrpc: pass in the sv_stats struct through 
svc_create_pooled", " - sunrpc: remove ->pg_stats from svc_program", " - sunrpc: use the struct net as the svc proc private", " - nfsd: rename NFSD_NET_* to NFSD_STATS_*", " - nfsd: expose /proc/net/sunrpc/nfsd in net namespaces", " - nfsd: make all of the nfsd stats per-network namespace", " - nfsd: remove nfsd_stats, make th_cnt a global counter", " - nfsd: make svc_stat per-network namespace instead of global", " - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - net: mana: Fix doorbell out of order violation and avoid unnecessary", " doorbell rings", " - platform/surface: aggregator: Fix warning when controller is destroyed in", " probe", " - Bluetooth: hci_core: Fix LE quote calculation", " - Bluetooth: SMP: Fix assumption of Central always being Initiator", " - tc-testing: don't access non-existent variable on exception", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - ip6_tunnel: Fix broken GRO", " - bonding: fix bond_ipsec_offload_ok return type", " - bonding: fix null pointer deref in bond_ipsec_offload_ok", " - bonding: fix xfrm real_dev null pointer dereference", " - bonding: fix xfrm state handling when clearing active slave", " - ice: fix ICE_LAST_OFFSET formula", " - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()", " - net: dsa: mv88e6xxx: read FID when handling ATU violations", " - net: dsa: mv88e6xxx: replace ATU violation prints with trace points", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - ipv6: prevent UAF in ip6_send_skb()", " - ipv6: fix possible UAF in ip6_finish_output2()", " - ipv6: prevent possible UAF in ip6_xmit()", " - netfilter: flowtable: validate vlan header", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", 
" - drm/msm/dpu: don't play tricks with debug macros", " - drm/msm/dp: reset the link phy params before link training", " - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - scsi: core: Fix the return value of scsi_logical_block_count()", " - MIPS: Loongson64: Set timer mode in cpu-probe", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - HID: microsoft: Add rumble support to latest xbox controllers", " - cxgb4: add forgotten u64 ivlan cast before shift", " - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - Revert \"drm/amd/display: Validate hw_points_num before using it\"", " - hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()", " - ALSA: timer: Relax start tick time check for slave timer elements", " - mm/numa: no task_numa_fault() call if PMD is changed", " - mm/numa: no task_numa_fault() call if PTE is changed", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - btrfs: run delayed iputs when flushing delalloc", " - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: mwifiex: duplicate static structs used in driver instances", " - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response", " - mptcp: sched: check both backup in retrans", " - Revert \"MIPS: Loongson64: reset: Prioritise firmware service\"", " - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages", " - ata: libata-core: Fix null pointer dereference on error", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - net:rds: Fix possible deadlock in rds_message_put", " - soundwire: stream: fix programming slave ports for non-continous port maps", " - PM: core: Remove 
DEFINE_UNIVERSAL_DEV_PM_OPS() macro", " - PM: core: Add EXPORT[_GPL]_SIMPLE_DEV_PM_OPS macros", " - PM: runtime: Add DEFINE_RUNTIME_DEV_PM_OPS() macro", " - phy: xilinx: add runtime PM support", " - phy: xilinx: phy-zynqmp: dynamic clock support for power-save", " - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume", " - dmaengine: dw: Add peripheral bus width verification", " - dmaengine: dw: Add memory bus width verification", " - ethtool: check device is present when getting link settings", " - gtp: fix a potential NULL pointer dereference", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - USB: serial: option: add MeiG Smart SRM825L", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function", " - usb: cdnsp: fix for Link TRB with TC", " - phy: zynqmp: Enable reference clock correctly", " - igc: Fix reset adapter logics when tx mode change", " - igc: Fix qbv tx latency by setting gtxoffset", " - scsi: aacraid: Fix double-free on probe failure", " - apparmor: fix policy_unpack_test on big endian systems", " - Linux 5.15.166", "", " * CVE-2024-26893", " - firmware: arm_scmi: Fix double free in SMC transport cleanup path", "", " * [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer keys", " - kernel part (LP: #1959940)", " - s390: uv: Add offset comments to UV query struct and fix naming", " - s390/uv: Add SE hdr query information", " - s390/uv: Add dump fields to 
query", " - KVM: s390: pv: Add query interface", " - KVM: s390: pv: Add dump support definitions", " - KVM: s390: pv: Add query dump information", " - KVM: s390: Add configuration dump functionality", " - KVM: s390: Add CPU dump functionality", " - KVM: s390: Add KVM_CAP_S390_PROTECTED_DUMP", " - Documentation: KVM: add separate directories for architecture-specific", " documentation", " - Documentation: virt: Protected virtual machine dumps", " - Documentation/virt/kvm/api.rst: Add protvirt dump/info api descriptions", " - Documentation/virt/kvm/api.rst: Explain rc/rrc delivery", "", " * turbostat fails with too many open files on large systems (LP: #2069961)", " - tools/power turbostat: Increase the limit for fd opened", "", " * Jammy update: v5.15.165 upstream stable release (LP: #2078428)", " - f2fs: fix return value of f2fs_convert_inline_inode()", " - f2fs: fix to don't dirty inode for readonly filesystem", " - EDAC, i10nm: make skx_common.o a separate module", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - block: refactor to use helper", " - block: cleanup bio_integrity_prep", " - block: initialize integrity buffer to zero before writing it to media", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - pwm: stm32: Always do lazy disabling", " - drm/meson: fix canvas release in bind function", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings", " - arm64: dts: qcom: sm8250: add power-domain to UFS 
PHY", " - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()", " callers", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - memory: fsl_ifc: Make FSL_IFC config visible and selectable", " - soc: qcom: pdr: protect locator_addr with the main mutex", " - soc: qcom: pdr: fix parsing of domains lists", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - x86/xen: Convert comma to semicolon", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - ARM: pxa: spitz: use gpio descriptors for audio", " - ARM: spitz: fix GPIO assignment for backlight", " - vmlinux.lds.h: catch .bss..L* sections into BSS\")", " - firmware: turris-mox-rwtm: Do not complete if there are no waiters", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - selftests/bpf: Fix prog numbers in test_sockmap", " - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP", " - tcp: annotate lockless accesses to sk->sk_err_soft", " - tcp: annotate lockless access to sk->sk_err", " - tcp: add tcp_done_with_error() helper", " - tcp: fix race in tcp_write_err()", " - tcp: fix races in tcp_v[46]_err()", 
" - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more", " flexible", " - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors", " - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - libbpf: Checking the btf_type kind when fixing variable offsets", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: rise cap on SELinux secmark context", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - perf: Fix default aux_watermark calculation", " - wifi: virt_wifi: avoid reporting connection success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - locking/rwsem: Add __always_inline annotation to __down_write_common() and", " inlined callers", " - selftests/bpf: Close fd in error path in drop_on_reuseport", " - bpf: annotate BTF show functions with __printf", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - bpf: Eliminate remaining \"make W=1\" warnings in kernel/bpf/btf.o", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - xdp: fix invalid wait context of page_pool_destroy()", " - drm/amd/pm: Fix aldebaran pcie speed reporting", " - drm/amdgpu: Check if NBIO funcs are 
NULL in amdgpu_device_baco_exit", " - drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before", " regulators", " - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()", " - media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()", " - media: imon: Fix race getting ictx->lock", " - media: i2c: Fix imx412 exposure control", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: uvcvideo: Override default flags", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - drm/mediatek: Add missing plane settings when async update", " - drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - Revert \"leds: led-core: Fix refcount leak in of_led_get()\"", " - ext4: fix infinite loop when replaying fast_commit", " - media: venus: flush all buffers in output plane streamoff", " - perf intel-pt: Fix aux_watermark calculation for 64-bit size", " - perf intel-pt: Fix exclude_guest setting", " - mfd: rsmu: Split core code into separate module", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - xprtrdma: Fix rpcrdma_reqs_reset()", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server", " - ext4: return early for non-eligible fast_commit track events", " - ext4: don't track ranges in fast_commit if inode has inlined data", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - PCI: Fix resource double counting on remove & rescan", " - clk: 
qcom: branch: Add helper functions for setting retain bits", " - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock", " - coresight: Fix ref leak when of_coresight_parse_endpoint() fails", " - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE", " - RDMA/cache: Release GID table even if leak is detected", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: max98088: Check for clk_prepare_enable() error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - PCI: endpoint: Clean up error handling in vpci_scan_bus()", " - vhost/vsock: always initialize seqpacket_allow", " - net: missing check virtio", " - MIPS: Octeron: remove source file executable bit", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - RDMA/hns: Fix missing pagesize and alignment check in FRMR", " - RDMA/hns: Fix undifined behavior caused by invalid max_sge", " - RDMA/hns: Fix insufficient extend DB for VFs.", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - netfilter: nf_set_pipapo: fix initial map fill", " - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports", " - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports", " - fs/ntfs3: Use ALIGN kernel macro", " - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT", " - fs/ntfs3: Fix transform resident to nonresident for compressed files", " - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting", " - fs/ntfs3: Fix getting file type", " - pinctrl: rockchip: update rk3308 iomux routes", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: 
fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: Drop if block with always false condition", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/ntfs3: Replace inode_trylock with inode_lock", " - fs/ntfs3: Fix field-spanning write in INDEX_HDR", " - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - fs/ntfs3: Missed error return", " - landlock: Don't lose track of restrictions on cred_transfer", " - mm/hugetlb: fix possible recursive locking detected warning", " - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer", " - dt-bindings: thermal: correct thermal zone node name limit", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - ipv6: take care of scope when choosing the src addr", " - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE", " tasks", " - fuse: verify {g,u}id mount options correctly", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error", " - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - ext2: Verify bitmap and itable block numbers before using them", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - scsi: qla2xxx: Fix optrom version displayed in FDMI", " - drm/amd/display: Check for NULL pointer", " - sched/fair: Use all little CPUs for CPU-bound workloads", " - apparmor: use kvfree_sensitive to free data->data", " - 
task_work: s/task_work_cancel()/task_work_cancel_func()/", " - task_work: Introduce task_work_cancel() again", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - io_uring: tighten task exit cancellations", " - selftests/landlock: Add cred_transfer test", " - wifi: mwifiex: Fix interface type change", " - leds: ss4200: Convert PCIBIOS_* return codes to errnos", " - jbd2: make jbd2_journal_get_max_txn_bufs() internal", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()", " - ALSA: usb-audio: Fix microphone sound on HD webcam.", " - ALSA: usb-audio: Move HD Webcam quirk to the right place", " - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - PCI: dw-rockchip: Fix initial PERST# GPIO value", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - binder: fix hang of unregistered readers", " - dev/parport: fix the array out-of-bounds risk", " - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - decompress_bunzip2: fix rare decompression failure", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - gve: Fix an edge case for TSO skb validity check", " - devres: Fix devm_krealloc() wasting memory", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - mm/numa_balancing: 
teach mpol_to_str about the balancing mode", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Unable to act on RSCN for port online", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Use QP lock to search for bsg", " - scsi: qla2xxx: Fix flash read failure", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf: Fix event leak upon exit", " - perf: Fix event leak upon exec and file release", " - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8", " - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell", " - drm/i915/dp: Reset intel_dp->link_trained before retraining the link", " - rtc: isl1208: Fix return value of nvmem callbacks", " - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - remoteproc: stm32_rproc: Fix mailbox interrupts queuing", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - MIPS: ip30: ip30-console: Add missing include", " - MIPS: dts: loongson: Fix GMAC phy node", " - MIPS: Loongson64: env: Hook up Loongsson-2K", " - MIPS: Loongson64: Remove memory node for builtin-dtb", " - MIPS: Loongson64: reset: Prioritise firmware service", " - MIPS: Loongson64: Test register availability before use", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: 
don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - nilfs2: handle inconsistent state in nilfs_btnode_create_block()", " - io_uring/io-wq: limit retrying worker initialisation", " - kernel: rerun task_work while freezing in get_signal()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - jfs: Fix array-index-out-of-bounds in diFree", " - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels", " - phy: cadence-torrent: Check return value on register read", " - um: time-travel: fix time-travel-start option", " - um: time-travel: fix signal blocking race/hang", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - dma: fix call order in dmam_free_coherent", " - bpf, events: Use prog to emit ksymbol event for main program", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - netfilter: nft_set_pipapo_avx2: disable softinterrupts", " - tipc: Return non-zero value from tipc_udp_addr2str() on error", " - net: stmmac: Correct byte order of perfect_match", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - mISDN: Fix a use after free in hfcmulti_tx()", " - apparmor: Fix null pointer deref when receiving skb during sock creation", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - lirc: rc_dev_get_from_fd(): fix file leak", " - spi: spidev: Make probe to fail early if a spidev compatible is used", " - spi: spidev: Replace ACPI specific code by device_get_match_data()", " - spi: spidev: Replace OF specific code by device property API", " - spidev: Add Silicon Labs EM3581 device compatible", " - spi: 
spidev: order compatibles alphabetically", " - spi: spidev: add correct compatible for Rohm BH2228FV", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - ceph: fix incorrect kmalloc size of pagevec mempool", " - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en", " - nvme: split command copy into a helper", " - nvme: separate command prep and issue", " - nvme-pci: add missing condition check for existence of mapped data", " - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT", " - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC", " - arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node", " - arm64: dts: qcom: msm8998: drop USB PHY clock index", " - arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings", " - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB", " - sysctl: always initialize i_uid/i_gid", " - ext4: make ext4_es_insert_extent() return void", " - ext4: refactor ext4_da_map_blocks()", " - ext4: convert to exclusive lock while inserting delalloc extents", " - ext4: factor out a common helper to query extent map", " - ext4: check the extent status again before inserting delalloc block", " - soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver", " - drivers: soc: xilinx: check return status of get_api_version()", " - leds: trigger: use RCU to protect the led_cdevs list", " - leds: trigger: Remove unused function led_trigger_rename_static()", " - leds: trigger: Store brightness set by led_trigger_event()", " - leds: trigger: Call synchronize_rcu() before calling trig->activate()", " - leds: triggers: Flush pending brightness before activating trigger", " - irqdomain: Fixed unbalanced fwnode get and put", " - genirq: Allow the PM device to originate from irq domain", " - irqchip/imx-irqsteer: Constify irq_chip struct", " - irqchip/imx-irqsteer: Add 
runtime PM support", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume", " - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init", " - MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000", " - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a", " - MIPS: dts: loongson: Fix liointc IRQ polarity", " - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - sched: act_ct: take care of padding in struct zones_ht_key", " - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode", " - rtnetlink: enable alt_ifname for setlink/newlink", " - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in", " rtnl_dellink().", " - net/iucv: fix use after free in iucv_sock_close()", " - net: mvpp2: Don't re-use loop iterator", " - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().", " - netfilter: iptables: Fix potential null-ptr-deref in", " ip6table_nat_table_init().", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()", " - power: supply: bq24190_charger: replace deprecated strncpy with strscpy", " - platform/chrome: cros_ec_proto: Lock device when updating MKBP version", " - HID: wacom: Modify pen IDs", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G", " - Revert \"ALSA: firewire-lib: obsolete workqueue for period update\"", " - Revert \"ALSA: firewire-lib: operate for period elapse event in process", " context\"", " - drm/vmwgfx: Fix a deadlock in dma buf fence polling", " - net: usb: sr9700: fix uninitialized variable use in 
sr_mdio_read", " - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY", " - mptcp: fix duplicate data handling", " - netfilter: ipset: Add list flush to cancel_gc", " - genirq: Allow irq_chip registration functions to take a const irq_chip", " - irqchip/mbigen: Fix mbigen node address layout", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - x86/mm: Fix pti_clone_entry_text() for i386", " - sctp: move hlist_node and hashent out of sctp_ep_common", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: bridge: mcast: wait for previous gc cycles when removing port", " - net: linkwatch: use system_unbound_wq", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()", " - l2tp: fix lockdep splat", " - net: fec: Stop PPS on driver remove", " - rcutorture: Fix rcu_torture_fwd_cb_cr() data race", " - md: do not delete safemode_timer in mddev_suspend", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - drm/amdgpu/pm: Fix the null pointer dereference for smu7", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules", " - drm/amd/display: Add null checker before passing variables", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on 
USB 3.x", " - ext4: fix uninitialized variable in ext4_inlinedir_to_tree", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - profiling: remove profile=sleep support", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime", " - ext4: fix wrong unit use in ext4_mb_find_by_goal", " - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-", " space", " - arm64: Add Neoverse-V2 part", " - arm64: barrier: Restore spec_bar() macro", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Improve handling of stuck alerts", " - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask", " - ASoC: codecs: wsa881x: Correct Soundwire ports mask", " - spi: spidev: Add missing spi_device_id for bh2228fv", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - kprobes: Fix to check symbol prefixes correctly", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - ALSA: usb-audio: Re-add ScratchAmp quirk entries", " - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - 
ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - usb: gadget: u_serial: Set start_delayed during suspend", " - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler", " - ntp: Clamp maxerror and esterror to operating range", " - clocksource: Reduce the default clocksource_watchdog() retries to 2", " - torture: Enable clocksource watchdog with \"tsc=watchdog\"", " - clocksource: Scale the watchdog read retries automatically", " - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()", " - irqchip/meson-gpio: support more than 8 channels gpio irq", " - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to", " 'raw_spinlock_t'", " - driver core: Fix uevent_show() vs driver detach race", " - ntp: Safeguard against time_constant overflow", " - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()", " - serial: core: check uartclk for zero to avoid divide by zero", " - kcov: properly check for softirq context", " - irqchip/xilinx: Fix shift out of bounds", " - genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - padata: Fix possible divide-by-0 panic in padata_mt_helper()", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - sched/smt: Introduce sched_smt_present_inc/dec() helper", " - sched/smt: Fix unbalance sched_smt_present 
dec/inc", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/mgag200: Set DDC timeout in milliseconds", " - mptcp: sched: check both directions for backup", " - mptcp: distinguish rcv vs sent backup flag in requests", " - mptcp: fix NL PM announced address accounting", " - mptcp: mib: count MPJ with backup flag", " - mptcp: fix bad RCVPRUNED mib accounting", " - mptcp: pm: only set request_bkup flag when sending MP_PRIO", " - mptcp: export local_address", " - mptcp: pm: fix backup support in signal endpoints", " - selftests: mptcp: join: validate backup in MPJ", " - selftests: mptcp: join: check backup support in signal endp", " - btrfs: fix corruption after buffer fault in during direct IO append write", " - xfs: fix log recovery buffer allocation for the legacy h_size fixup", " - btrfs: fix double inode unlock for direct IO sync writes", " - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal", " - netfilter: nf_tables: set element extended ACK reporting support", " - netfilter: nf_tables: bail out if stateful expression provides no .clone", " - netfilter: nf_tables: allow clone callbacks to sleep", " - netfilter: nf_tables: prefer nft_chain_validate", " - net: stmmac: Enable mac_managed_pm phylink config", " - PCI: dwc: Restore MSI Receiver mask during resume", " - wifi: mac80211: check basic rates validity", " - mptcp: fully established after ADD_ADDR echo on MPJ", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.", " - arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes", " - arm64: cpufeature: Fix the visibility of compat hwcaps", " - exec: Fix ToCToU between perm check and set-uid/gid usage", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - usb: gadget: u_audio: Check return codes from usb_ep_enable and", " config_ep_by_speed.", " - binfmt_flat: Fix corruption when not offsetting data start", " - wifi: cfg80211: 
restrict NL80211_ATTR_TXQ_QUANTUM values", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - media: Revert \"media: dvb-usb: Fix unexpected infinite loop in", " dvb_usb_read_remote_control()\"", " - Revert \"ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error\"", " - Linux 5.15.165", "", " * CVE-2024-26661", " - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'", "", " * CVE-2024-25744", " - x86: Fix misspelled Kconfig symbols", " - x86: Introduce ia32_enabled()", " - x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c", " - x86/coco: Disable 32-bit emulation by default on TDX and SEV", " - x86/entry: Convert INT 0x80 emulation to IDTENTRY", " - x86/entry: Do not allow external 0x80 interrupts", " - x86/entry: Add do_SYSENTER_32() prototype", " - x86/bhi: Add support for clearing branch history at syscall entry", "", " * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible", " (LP: #2074380)", " - s390/cpum_cf: make crypto counters upward compatible across machine types", "", " * Jammy update: v5.15.164 upstream stable release (LP: #2076100)", " - gcc-plugins: Rename last_stmt() for GCC 14+", " - filelock: Remove locks reliably when fcntl/close race is detected", " - ARM: 9324/1: fix get_user() broken with veneer", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - scsi: core: Fix a use-after-free", " - scsi: core: alua: I/O errors for ALUA state transitions", " - scsi: qedf: Don't process stag work during unload and recovery", " - scsi: qedf: Wait for stag work during unload", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: handle tasklet frames before 
stopping", " - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup", " - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd", " - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - selftests/openat2: Fix build warnings on ppc64", " - Input: silead - Always support 10 fingers", " - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()", " - ila: block BH in ila_output()", " - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process", " - null_blk: fix validation of block size", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - fs/file: fix the check in find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - nvme: avoid double free special payload", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - Input: i8042 - add Ayaneo Kun to i8042 quirk table", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ALSA: dmaengine: Synchronize dma channel after drop()", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - s390/sclp: Fix sclp_init() cleanup on failure", " - platform/x86: wireless-hotkey: Add support for LG Airplane Button", " - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling", " - platform/x86: lg-laptop: Change ACPI device id", " - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB", " - btrfs: qgroup: fix quota root leak after quota disable 
failure", " - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()", " - drm/radeon: check bo_va->bo is non-NULL before using it", " - fs: better handle deep ancestor chains in is_subdir()", " - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - spi: mux: set ctlr->bits_per_word_mask", " - tracing: Define the is_signed_type() macro once", " - minmax: sanity check constant bounds when clamping", " - minmax: clamp more efficiently by avoiding extra comparison", " - minmax: fix header inclusions", " - minmax: allow min()/max()/clamp() if the arguments have the same signedness.", " - minmax: allow comparisons of 'int' against 'unsigned char/short'", " - minmax: relax check to allow comparison between unsigned arguments and", " signed constants", " - mm/damon/core: merge regions aggressively when max_nr_regions is unmet", " - wifi: mac80211: disable softirqs for queued frame handling", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " - samples: Add fs error monitoring example", " - samples: Make fs-monitor depend on libc and headers", " - docs: Fix formatting of literal sections in fanotify docs", " - Add gitignore file for samples/fanotify/ subdirectory", " - net: relax socket state check at accept time.", " - ocfs2: add bounds checking 
to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - fs/ntfs3: Validate ff offset", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360", " - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB", " - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused", " - filelock: Fix fcntl/close race recovery compat path", " - wifi: rt2x00: use explicitly signed or unsigned types", " - tun: add missing verification for short frame", " - tap: add missing verification for short frame", " - Linux 5.15.164", "", " * Jammy update: v5.15.166 upstream stable release (LP: #2080594) //", " CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "", " * CVE-2024-38630", " - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger", "", " * CVE-2024-27397", " - netfilter: nf_tables: use timestamp to check for set element timeout", "" ], "package": "linux", "version": "5.15.0-125.135", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2083001, 2077321, 2081279, 2080594, 1959940, 2069961, 2078428, 2074380, 2076100, 2080594 ], "author": "Stefan Bader ", "date": "Fri, 27 Sep 2024 14:49:00 +0200" } ], "notes": "linux-modules-5.15.0-126-generic version '5.15.0-126.136' (source package linux version '5.15.0-126.136') was added. linux-modules-5.15.0-126-generic version '5.15.0-126.136' has the same source package name, linux, as removed package linux-headers-5.15.0-122. As such we can use the source package version of the removed package, '5.15.0-122.132', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. 
Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "python3-packaging", "from_version": { "source_package_name": null, "source_package_version": null, "version": null }, "to_version": { "source_package_name": "python-packaging", "source_package_version": "21.3-1", "version": "21.3-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * New upstream version.", "" ], "package": "python-packaging", "version": "21.3-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 27 Nov 2021 09:14:41 +0100" }, { "cves": [], "log": [ "", " * New upstream version.", "" ], "package": "python-packaging", "version": "21.2-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 17 Nov 2021 17:51:57 +0100" }, { "cves": [], "log": [ "", " * New upstream version.", " * New standards version.", "" ], "package": "python-packaging", "version": "21.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 11 Oct 2021 14:28:40 +0200" } ], "notes": "For a newly added package only the three most recent changelog entries are shown." 
} ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-122", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": "5.15.0-122.132" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.15.0-122-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": "5.15.0-122.132" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.15.0-122-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-122.132", "version": "5.15.0-122.132" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.15.0-122-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": "5.15.0-122.132" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "netplan-generator", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.1", "version": "0.107.1-3ubuntu0.22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "python3-netplan", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.1", "version": "0.107.1-3ubuntu0.22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, 
"version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20241004 to 20241206", "from_series": "jammy", "to_series": "jammy", "from_serial": "20241004", "to_serial": "20241206", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }